SmartHawk

2.6

中危

61 个模型检测该样本为恶意！

重新分析

下载样本

e0c82d351dda53014e0de79f9b425cb79d248fd0ee36241838052a304d728d29

8d44e7edefc72af138b4c3903d65242d.exe

分析耗时

75s

最近分析

文件大小

533.0KB

静态报毒动态报毒 A + W32 AI SCORE=85 AUTOINFECTOR BANLOAD CLASSIC CONFIDENCE CSTQAJ DARKSHELL DUMPMODULEINFECTIOUSNME FAMVT FILEINFECTOR HIGH CONFIDENCE INFECTED JADTRE KA@558NXG KCLOUD KUDJ LOADER M1R5 MALICIOUS PE MIKCER NIMNUL OTWYCAL PATCHLOAD PCARRIER RAMNIT ROUE SCORE SMALL STATIC AI TRIUSOR UNSAFE VJADTRE WALI WAPOMI 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	W32/Kudj	20201211	6.0.6.653
Alibaba	Virus:Win32/Nimnul.0f4b334c	20190527	0.3.0.5
Baidu	Win32.Virus.Otwycal.d	20190318	1.0.0.2
Avast	Other:Malware-gen [Trj]	20201210	21.1.5827.0
Tencent	Virus.Win32.Loader.aab	20201211	1.0.0.1
Kingsoft	Win32.Infected.AutoInfector.a.(kcloud)	20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

D:\derek\dr\build_package\build_drmemory-release-32\dynamorio\bin32\drconfig.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

\xc4 I\xe0\xa3u\xb2

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

6.934724324964739

section

{'size_of_data': '0x00004200', 'virtual_address': '0x00087000', 'entropy': 6.934724324964739, 'name': '\\xc4\tI\\xe0\\xa3u\\xb2', 'virtual_size': '0x00005000'}

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
Elastic	malicious (high confidence)
MicroWorld-eScan	Win32.VJadtre.3
FireEye	Generic.mg.8d44e7edefc72af1
McAfee	W32/Kudj
Zillya	Virus.Nimnul.Win32.5
K7AntiVirus	Virus ( 0040f7441 )
Alibaba	Virus:Win32/Nimnul.0f4b334c
K7GW	Virus ( 0040f7441 )
Cybereason	malicious.defc72
Arcabit	Win32.VJadtre.3
Baidu	Win32.Virus.Otwycal.d
Cyren	W32/PatchLoad.E
Symantec	W32.Wapomi.C!inf
TotalDefense	Win32/Nimnul.A
APEX	Malicious
Avast	Other:Malware-gen [Trj]
ClamAV	Win.Malware.Triusor-6802609-0
Kaspersky	Virus.Win32.Nimnul.f
BitDefender	Win32.VJadtre.3
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
Paloalto	generic.ml
ViRobot	Win32.Ramnit.F
Tencent	Virus.Win32.Loader.aab
Ad-Aware	Win32.VJadtre.3
Emsisoft	Win32.VJadtre.3 (B)
Comodo	Virus.Win32.Wali.KA@558nxg
F-Secure	Malware.W32/Jadtre.B
DrWeb	BackDoor.Darkshell.246
VIPRE	Virus.Win32.Small.acea (v)
TrendMicro	PE_WAPOMI.BM
McAfee-GW-Edition	BehavesLike.Win32.Kudj.hm
Sophos	ML/PE-A + W32/Nimnul-A
Ikarus	Trojan-Downloader.Win32.Small
Jiangmin	Win32/Nimnul.f
Avira	W32/Jadtre.B
MAX	malware (ai score=85)
Antiy-AVL	Virus/Win32.Nimnul.f
Kingsoft	Win32.Infected.AutoInfector.a.(kcloud)
Gridinsoft	Trojan.Heur!.03002201
Microsoft	Virus:Win32/Mikcer.B
AegisLab	Virus.Win32.Nimnul.m1R5
ZoneAlarm	Virus.Win32.Nimnul.f
GData	Win32.Virus.Wapomi.A
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/VJadtre.Gen
BitDefenderTheta	AI:FileInfector.991137D00F
TACHYON	Virus/W32.Ramnit.C
VBA32	Virus.Nimnul.19209
Cylance	Unsafe

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-08-29 15:12:10

Imports

Library ADVAPI32.dll:

• 0x480410 AdjustTokenPrivileges

• 0x480414 LookupPrivilegeValueW

• 0x480418 OpenProcessToken

• 0x48041c OpenThreadToken

• 0x480420 InitiateSystemShutdownW

• 0x480424 SetNamedSecurityInfoW

• 0x480428 GetNamedSecurityInfoW

• 0x48042c RegDeleteKeyW

• 0x480430 RegCloseKey

• 0x480434 RegCreateKeyExW

• 0x480438 FreeSid

• 0x48043c SetEntriesInAclW

• 0x480440 AllocateAndInitializeSid

• 0x480444 LookupAccountNameW

• 0x480448 AddAccessAllowedAce

• 0x48044c InitializeAcl

• 0x480450 GetLengthSid

• 0x480454 RegSetKeySecurity

• 0x480458 IsValidSecurityDescriptor

• 0x48045c SetSecurityDescriptorDacl

• 0x480460 SetSecurityDescriptorOwner

• 0x480464 InitializeSecurityDescriptor

• 0x480468 RegOpenKeyExW

• 0x48046c RegEnumKeyExW

• 0x480470 RegEnumValueW

• 0x480474 RegDeleteValueW

• 0x480478 RegQueryValueExW

• 0x48047c RegSetValueExW

• 0x480480 RegOpenKeyW

• 0x480484 CloseEventLog

• 0x480488 ReadEventLogW

• 0x48048c GetOldestEventLogRecord

• 0x480490 GetNumberOfEventLogRecords

• 0x480494 NotifyChangeEventLog

• 0x480498 OpenEventLogW

• 0x48049c ClearEventLogW

• 0x4804a0 GetSecurityInfo

Library drconfiglib.dll:

• 0x480744 dr_nudge_all

• 0x480748 dr_nudge_pid

• 0x48074c dr_nudge_process

• 0x480750 dr_syswide_is_on

• 0x480754 dr_registered_process_iterator_start

• 0x480758 dr_registered_process_iterator_hasnext

• 0x48075c dr_registered_process_iterator_stop

• 0x480760 dr_register_syswide

• 0x480764 dr_unregister_syswide

• 0x480768 dr_registered_process_iterator_next

• 0x48076c dr_client_iterator_start

• 0x480770 dr_client_iterator_hasnext

• 0x480774 dr_client_iterator_next

• 0x480778 dr_client_iterator_stop

• 0x48077c dr_num_registered_clients

• 0x480780 dr_register_client

• 0x480784 dr_process_is_registered

• 0x480788 dr_register_process

• 0x48078c dr_get_config_dir

• 0x480790 dr_unregister_process

Library KERNEL32.dll:

• 0x4804ec GetDriveTypeW

• 0x4804f0 SetCurrentDirectoryW

• 0x4804f4 GetCurrentDirectoryW

• 0x4804f8 CompareStringW

• 0x4804fc IsValidLocale

• 0x480500 EnumSystemLocalesA

• 0x480504 GetLocaleInfoA

• 0x480508 GetUserDefaultLCID

• 0x48050c HeapReAlloc

• 0x480510 HeapSize

• 0x480514 SetEndOfFile

• 0x480518 SetStdHandle

• 0x48051c LCMapStringW

• 0x480520 GetSystemTimeAsFileTime

• 0x480524 GetTickCount

• 0x480528 QueryPerformanceCounter

• 0x48052c HeapDestroy

• 0x480530 HeapCreate

• 0x480534 GetEnvironmentStringsW

• 0x480538 FreeEnvironmentStringsW

• 0x48053c IsValidCodePage

• 0x480540 GetCurrentProcess

• 0x480544 GetLastError

• 0x480548 GetCurrentThread

• 0x48054c FindClose

• 0x480550 FindFirstFileW

• 0x480554 MoveFileExW

• 0x480558 MoveFileW

• 0x48055c DeleteFileW

• 0x480560 LocalFree

• 0x480564 GetProcAddress

• 0x480568 GetModuleHandleW

• 0x48056c GetShortPathNameW

• 0x480570 GetSystemDirectoryW

• 0x480574 CloseHandle

• 0x480578 CreateDirectoryW

• 0x48057c RemoveDirectoryW

• 0x480580 FindNextFileW

• 0x480584 LocalAlloc

• 0x480588 GetExitCodeProcess

• 0x48058c WaitForSingleObject

• 0x480590 CreateProcessW

• 0x480594 CopyFileW

• 0x480598 ExpandEnvironmentStringsW

• 0x48059c FormatMessageW

• 0x4805a0 LoadLibraryExW

• 0x4805a4 CreateEventW

• 0x4805a8 CreateThread

• 0x4805ac ReadProcessMemory

• 0x4805b0 OpenProcess

• 0x4805b4 TerminateProcess

• 0x4805b8 SleepEx

• 0x4805bc ResumeThread

• 0x4805c0 GetThreadContext

• 0x4805c4 VirtualFreeEx

• 0x4805c8 WriteProcessMemory

• 0x4805cc VirtualProtectEx

• 0x4805d0 VirtualAllocEx

• 0x4805d4 CreateRemoteThread

• 0x4805d8 CreateFileW

• 0x4805dc GetCurrentProcessId

• 0x4805e0 HeapFree

• 0x4805e4 HeapAlloc

• 0x4805e8 GetProcessHeap

• 0x4805ec WideCharToMultiByte

• 0x4805f0 MultiByteToWideChar

• 0x4805f4 GetEnvironmentVariableW

• 0x4805f8 GetFullPathNameW

• 0x4805fc LoadLibraryW

• 0x480600 FreeLibrary

• 0x480604 SetFilePointer

• 0x480608 ReadFile

• 0x48060c GetFileAttributesW

• 0x480610 SetEnvironmentVariableW

• 0x480614 ExitProcess

• 0x480618 DecodePointer

• 0x48061c EnterCriticalSection

• 0x480620 LeaveCriticalSection

• 0x480624 WriteConsoleW

• 0x480628 GetFileType

• 0x48062c GetStdHandle

• 0x480630 GetModuleFileNameW

• 0x480634 GetCommandLineW

• 0x480638 HeapSetInformation

• 0x48063c GetStringTypeW

• 0x480640 InitializeCriticalSectionAndSpinCount

• 0x480644 DeleteCriticalSection

• 0x480648 FatalAppExitA

• 0x48064c EncodePointer

• 0x480650 SetConsoleCtrlHandler

• 0x480654 InterlockedExchange

• 0x480658 GetLocaleInfoW

• 0x48065c UnhandledExceptionFilter

• 0x480660 SetUnhandledExceptionFilter

• 0x480664 IsDebuggerPresent

• 0x480668 TlsAlloc

• 0x48066c TlsGetValue

• 0x480670 TlsSetValue

• 0x480674 TlsFree

• 0x480678 InterlockedIncrement

• 0x48067c SetLastError

• 0x480680 GetCurrentThreadId

• 0x480684 InterlockedDecrement

• 0x480688 WriteFile

• 0x48068c GetConsoleCP

• 0x480690 GetConsoleMode

• 0x480694 FlushFileBuffers

• 0x480698 SetHandleCount

• 0x48069c GetStartupInfoW

• 0x4806a0 Sleep

• 0x4806a4 RtlUnwind

• 0x4806a8 IsProcessorFeaturePresent

• 0x4806ac GetCPInfo

• 0x4806b0 GetACP

• 0x4806b4 GetOEMCP

• 0x4806b8 GetFullPathNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	51964	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.