SmartHawk

2.8

中危

58 个模型检测该样本为恶意！

重新分析

下载样本

b71c29cd178d5fd288e4e6e886eb52dcbb051e52835956496f99eeb6a33fc4cb

8c06d3053dbaf7de39073966805ca95c.exe

分析耗时

76s

最近分析

文件大小

327.0KB

静态报毒动态报毒 100% A + MAL AI SCORE=83 AIDETECTVM BSCOPE CONFIDENCE EHLS ELKD ENCPK FGIT GENCIRC GENERICRXKR GENETIC GENKRYPTIK GOZI GRAYWARE HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE1 MALWARE@#3LNHP0PIQIC54 MINT QAKBOT QVM20 R337622 REGOTET SCORE SMTHA SQABPK54RZP STATIC AI TROJANBANKER UNSAFE URSNIF YKCXT ZL5CIBWF9TO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKR-BC!8C06D3053DBA	20201211	6.0.6.653
Alibaba	TrojanSpy:Win32/Ursnif.79382899	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
Tencent	Malware.Win32.Gencirc.10cdcb98	20201211	1.0.0.1

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686147.0494 GetComputerNameW	computer_name:	failed	0	0
1619686147.0494 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

IBC

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619686135.8314 NtAllocateVirtualMemory	process_identifier: 2456 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00500000	success
1619686146.7994 NtAllocateVirtualMemory	process_identifier: 2456 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00560000	success
1619686146.7994 NtProtectVirtualMemory	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Regotet.1
FireEye	Generic.mg.8c06d3053dbaf7de
McAfee	GenericRXKR-BC!8C06D3053DBA
Cylance	Unsafe
Zillya	Trojan.Ursnif.Win32.11382
Sangfor	Malware
K7AntiVirus	Trojan ( 005673821 )
Alibaba	TrojanSpy:Win32/Ursnif.79382899
K7GW	Trojan ( 005673821 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Mint.Regotet.1
Cyren	W32/Trojan.FGIT-7475
Symantec	Trojan.Ursnif
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Packed.Regotet-7869380-0
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
BitDefender	Gen:Heur.Mint.Regotet.1
Paloalto	generic.ml
Rising	Trojan.Kryptik!8.8 (TFE:3:sqabpk54rzP)
Ad-Aware	Gen:Heur.Mint.Regotet.1
Emsisoft	Trojan-Spy.Ursnif (A)
Comodo	Malware@#3lnhp0piqic54
F-Secure	Trojan.TR/Spy.Ursnif.ykcxt
DrWeb	Trojan.Gozi.683
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.QAKBOT.SMTHA.hp
McAfee-GW-Edition	GenericRXKR-BC!8C06D3053DBA
Sophos	ML/PE-A + Mal/EncPk-APV
Ikarus	Trojan-Spy.Agent
Jiangmin	Trojan.Banker.Gozi.ant
Avira	TR/Spy.Ursnif.ykcxt
MAX	malware (ai score=83)
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Gridinsoft	Trojan.Win32.Kryptik.dd!s1
Microsoft	Trojan:Win32/Ursnif.MK!MSR
AegisLab	Trojan.Win32.Mint.4!c
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
GData	Gen:Heur.Mint.Regotet.1
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Ursnif.R337622
BitDefenderTheta	AI:Packer.630236191F
ALYac	Gen:Heur.Mint.Regotet.1
VBA32	BScope.TrojanBanker.Gozi
Malwarebytes	Trojan.Injector
ESET-NOD32	Win32/Spy.Ursnif.CZ
TrendMicro-HouseCall	TrojanSpy.Win32.QAKBOT.SMTHA.hp
Tencent	Malware.Win32.Gencirc.10cdcb98

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-21 01:22:27

Imports

Library KERNEL32.dll:

• 0x44d320 GetModuleHandleA

• 0x44d324 VirtualAllocEx

• 0x44d328 LoadLibraryA

• 0x44d32c GetProcAddress

Library USER32.dll:

• 0x44d334 LoadIconA

• 0x44d338 IsWindowUnicode

• 0x44d33c GetDesktopWindow

• 0x44d340 GetMenu

• 0x44d344 GetWindowTextLengthA

• 0x44d348 DestroyWindow

• 0x44d34c GetKBCodePage

• 0x44d350 GetActiveWindow

• 0x44d354 CharNextA

• 0x44d358 EndMenu

• 0x44d35c DestroyCursor

• 0x44d360 CharNextW

• 0x44d364 IsCharLowerW

• 0x44d368 IsCharAlphaNumericW

• 0x44d36c IsMenu

• 0x44d370 GetDlgCtrlID

• 0x44d374 GetListBoxInfo

• 0x44d378 GetDoubleClickTime

• 0x44d37c IsClipboardFormatAvailable

• 0x44d380 GetCursor

• 0x44d384 GetMenuContextHelpId

• 0x44d388 GetKeyboardLayout

• 0x44d38c IsWindowEnabled

• 0x44d390 IsWindow

• 0x44d394 GetTopWindow

• 0x44d398 InSendMessage

• 0x44d39c GetClipboardSequenceNumber

• 0x44d3a0 CountClipboardFormats

• 0x44d3a4 CloseWindowStation

• 0x44d3a8 CharUpperW

• 0x44d3ac GetInputState

Library GDI32.dll:

• 0x44d3b4 EndPage

• 0x44d3b8 GetObjectType

• 0x44d3bc WidenPath

• 0x44d3c0 UnrealizeObject

• 0x44d3c4 GetTextCharacterExtra

• 0x44d3c8 EndDoc

• 0x44d3cc GetColorSpace

• 0x44d3d0 CancelDC

• 0x44d3d4 EndPath

• 0x44d3d8 SwapBuffers

• 0x44d3dc FillPath

• 0x44d3e0 CreateMetaFileA

• 0x44d3e4 CloseMetaFile

• 0x44d3e8 PathToRegion

• 0x44d3ec AddFontResourceW

Library COMDLG32.dll:

• 0x44d3f4 GetFileTitleA

Library ADVAPI32.dll:

• 0x44d3fc RegOpenKeyA

• 0x44d400 RegQueryValueExA

• 0x44d404 GetUserNameA

• 0x44d408 RegSetValueW

• 0x44d40c RegQueryValueExW

• 0x44d410 RegOpenKeyW

• 0x44d414 RegDeleteKeyW

• 0x44d418 RegCloseKey

Library ole32.dll:

• 0x44d420 OleUninitialize

• 0x44d424 OleInitialize

• 0x44d428 CoTaskMemFree

• 0x44d42c StringFromCLSID

Library MSVCRT.dll:

• 0x44d434 __p__commode

• 0x44d438 __p__fmode

• 0x44d43c __set_app_type

• 0x44d440 _controlfp

• 0x44d444 _adjust_fdiv

• 0x44d448 __setusermatherr

• 0x44d44c _initterm

• 0x44d450 __getmainargs

• 0x44d454 __initenv

• 0x44d458 exit

• 0x44d45c _cexit

• 0x44d460 _XcptFilter

• 0x44d464 _exit

• 0x44d468 _c_exit

• 0x44d46c _wcsnicmp

• 0x44d470 printf

• 0x44d474 _except_handler3

• 0x44d478 wcscpy

• 0x44d47c wcscat

• 0x44d480 fgetws

• 0x44d484 towupper

• 0x44d488 _iob

• 0x44d48c _putws

• 0x44d490 wcscmp

• 0x44d494 swprintf

• 0x44d498 malloc

• 0x44d49c free

• 0x44d4a0 _wcsicmp

• 0x44d4a4 wcschr

• 0x44d4a8 wcslen

• 0x44d4ac _get_osfhandle

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.