SmartHawk

4.6

中危

52 个模型检测该样本为恶意！

重新分析

下载样本

1d452b5f3e5d2b6623d0ca35793dfc051e1bf8b237e360906ed055e819235604

90f75c6fa4a613f9ab2c27e4d4bc4871.exe

分析耗时

74s

最近分析

文件大小

312.0KB

静态报毒动态报毒 100% ABWK AI SCORE=100 AIDETECTVM ATTRIBUTE BSCOPE CHINAD CHINDO CONFIDENCE DNOPER ESMA GDSDA GENERICRXKG HIGH CONFIDENCE HIGHCONFIDENCE HIUHXZ JOHNNIE KCLOUD MALWARE1 MALWARE@#2XARITG2J96CR OCCAMY R + MAL R066C0PHK20 SCORE SIGGEN9 SWIFTG TRHN UNSAFE ZOBAW ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKG-ZS!90F75C6FA4A6	20201228	6.0.6.653
Alibaba	TrojanDownloader:Win32/Chindo.01869129	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201228	21.1.5827.0
Tencent		20201228	1.0.0.1
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)	20201228	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

C:\Users\yiruirui\Desktop\duote\DTPageSet\xiugai1205\Release\DTPageSet.pdb

Foreign language identified in PE resource (3 个事件)

name

RT_ICON

language

LANG_CHINESE

offset

0x0004f130

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

offset

0x0004f418

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

offset

0x0004f42c

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x000001f8

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.41.34
host	203.208.41.65

Generates some ICMP traffic

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.304210
FireEye	Generic.mg.90f75c6fa4a613f9
McAfee	GenericRXKG-ZS!90F75C6FA4A6
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDownloader:Win32/Chindo.01869129
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.fa4a61
Arcabit	Trojan.Zusy.D4A452
Cyren	W32/Trojan.ESMA-5336
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan-Downloader.Win32.Chindo.dgj
BitDefender	Gen:Variant.Zusy.304210
NANO-Antivirus	Trojan.Win32.Johnnie.hiuhxz
Paloalto	generic.ml
AegisLab	Trojan.Win32.Chindo.trhn
Ad-Aware	Gen:Variant.Zusy.304210
Emsisoft	Gen:Variant.Zusy.304210 (B)
Comodo	Malware@#2xaritg2j96cr
F-Secure	Trojan.TR/Dldr.Chindo.zobaw
DrWeb	Trojan.Siggen9.36524
TrendMicro	TROJ_GEN.R066C0PHK20
McAfee-GW-Edition	BehavesLike.Win32.Generic.fh
Sophos	Mal/Generic-R + Mal/SwiftG-X
Jiangmin	TrojanDownloader.Chindo.ct
Avira	TR/Dldr.Chindo.zobaw
Antiy-AVL	Trojan[Downloader]/Win32.Chindo
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Trojan.Win32.Chindo.cc
Microsoft	Trojan:Win32/Occamy.C
ViRobot	Trojan.Win32.S.Agent.319488.AIL
ZoneAlarm	Trojan-Downloader.Win32.Chindo.dgj
GData	Gen:Variant.Zusy.304210
Cynet	Malicious (score: 85)
ALYac	Gen:Variant.Zusy.304210
MAX	malware (ai score=100)
VBA32	BScope.Trojan.MSIL.Dnoper
Malwarebytes	Trojan.ChinAd
ESET-NOD32	a variant of Win32/Agent.ABWK
TrendMicro-HouseCall	TROJ_GEN.R066C0PHK20
Ikarus	Trojan.Win32.Agent
Fortinet	W32/Chindo.DGJ!tr.dldr
Webroot	W32.Chindo
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	203.208.41.65:80
dead_host	192.168.56.101:49299

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-14 15:27:49

Imports

Library KERNEL32.dll:

• 0x43e028 CreateToolhelp32Snapshot

• 0x43e02c DeleteFileW

• 0x43e030 lstrcpyW

• 0x43e034 FreeLibrary

• 0x43e038 HeapAlloc

• 0x43e03c lstrcatW

• 0x43e040 VirtualFree

• 0x43e044 GetProcessHeap

• 0x43e048 IsBadReadPtr

• 0x43e04c GetProcAddress

• 0x43e050 VirtualAlloc

• 0x43e054 LoadLibraryA

• 0x43e058 VirtualProtect

• 0x43e05c lstrcmpiW

• 0x43e060 Process32NextW

• 0x43e064 Process32FirstW

• 0x43e068 GetTempPathW

• 0x43e06c lstrlenW

• 0x43e070 WideCharToMultiByte

• 0x43e074 HeapFree

• 0x43e078 IsProcessorFeaturePresent

• 0x43e07c GetSystemTimeAsFileTime

• 0x43e080 GetCurrentProcessId

• 0x43e084 GetCurrentThreadId

• 0x43e088 QueryPerformanceCounter

• 0x43e08c IsDebuggerPresent

• 0x43e090 SetUnhandledExceptionFilter

• 0x43e094 UnhandledExceptionFilter

• 0x43e098 GetCurrentProcess

• 0x43e09c TerminateProcess

• 0x43e0a0 GetStartupInfoW

• 0x43e0a4 HeapSetInformation

• 0x43e0a8 InterlockedCompareExchange

• 0x43e0ac ExpandEnvironmentStringsA

• 0x43e0b0 GetStdHandle

• 0x43e0b4 GetFileType

• 0x43e0b8 WaitForMultipleObjects

• 0x43e0bc PeekNamedPipe

• 0x43e0c0 ReadFile

• 0x43e0c4 FormatMessageA

• 0x43e0c8 WaitForSingleObject

• 0x43e0cc CloseHandle

• 0x43e0d0 VerSetConditionMask

• 0x43e0d4 VerifyVersionInfoA

• 0x43e0d8 SleepEx

• 0x43e0dc GetTickCount

• 0x43e0e0 GetLastError

• 0x43e0e4 SetLastError

• 0x43e0e8 LeaveCriticalSection

• 0x43e0ec EnterCriticalSection

• 0x43e0f0 DeleteCriticalSection

• 0x43e0f4 InitializeCriticalSection

• 0x43e0f8 InterlockedExchange

• 0x43e0fc Sleep

• 0x43e100 DecodePointer

• 0x43e104 EncodePointer

• 0x43e108 InterlockedDecrement

• 0x43e10c InterlockedIncrement

Library WS2_32.dll:

• 0x43e330 gethostname

• 0x43e334 ioctlsocket

• 0x43e338 listen

• 0x43e33c accept

• 0x43e340 recvfrom

• 0x43e344 getaddrinfo

• 0x43e348 freeaddrinfo

• 0x43e34c connect

• 0x43e350 socket

• 0x43e354 closesocket

• 0x43e358 getpeername

• 0x43e35c getsockopt

• 0x43e360 htons

• 0x43e364 bind

• 0x43e368 ntohs

• 0x43e36c getsockname

• 0x43e370 setsockopt

• 0x43e374 WSAIoctl

• 0x43e378 send

• 0x43e37c recv

• 0x43e380 select

• 0x43e384 WSAGetLastError

• 0x43e388 __WSAFDIsSet

• 0x43e38c WSASetLastError

• 0x43e390 WSAStartup

• 0x43e394 WSACleanup

• 0x43e398 sendto

Library WLDAP32.dll:

• 0x43e2ec

• 0x43e2f0

• 0x43e2f4

• 0x43e2f8

• 0x43e2fc

• 0x43e300

• 0x43e304

• 0x43e308

• 0x43e30c

• 0x43e310

• 0x43e314

• 0x43e318

• 0x43e31c

• 0x43e320

• 0x43e324

• 0x43e328

Library WININET.dll:

• 0x43e2e4 DeleteUrlCacheEntryW

Library urlmon.dll:

• 0x43e3a0 URLDownloadToFileW

Library MSVCR100.dll:

• 0x43e114 toupper

• 0x43e118 _controlfp_s

• 0x43e11c _invoke_watson

• 0x43e120 ?_type_info_dtor_internal_method@type_info@@QAEXXZ

• 0x43e124 ??3@YAXPAX@Z

• 0x43e128 fputc

• 0x43e12c ??1bad_cast@std@@UAE@XZ

• 0x43e130 ??0bad_cast@std@@QAE@PBD@Z

• 0x43e134 ??0bad_cast@std@@QAE@ABV01@@Z

• 0x43e138 ?what@exception@std@@UBEPBDXZ

• 0x43e13c ??1exception@std@@UAE@XZ

• 0x43e140 ??0exception@std@@QAE@ABQBD@Z

• 0x43e144 ??0exception@std@@QAE@ABV01@@Z

• 0x43e148 memmove

• 0x43e14c free

• 0x43e150 _unlock_file

• 0x43e154 ungetc

• 0x43e158 strstr

• 0x43e15c fgetpos

• 0x43e160 _fseeki64

• 0x43e164 fflush

• 0x43e168 fgetc

• 0x43e16c fsetpos

• 0x43e170 setvbuf

• 0x43e174 _lock_file

• 0x43e178 ??_V@YAXPAX@Z

• 0x43e17c memcpy_s

• 0x43e180 fwrite

• 0x43e184 fclose

• 0x43e188 ??2@YAPAXI@Z

• 0x43e18c realloc

• 0x43e190 _purecall

• 0x43e194 strlen

• 0x43e198 memcpy

• 0x43e19c _CxxThrowException

• 0x43e1a0 __CxxFrameHandler3

• 0x43e1a4 strerror

• 0x43e1a8 setlocale

• 0x43e1ac malloc

• 0x43e1b0 _fsopen

• 0x43e1b4 fseek

• 0x43e1b8 __crtLCMapStringA

• 0x43e1bc __pctype_func

• 0x43e1c0 isupper

• 0x43e1c4 ___lc_codepage_func

• 0x43e1c8 ___lc_handle_func

• 0x43e1cc ?terminate@@YAXXZ

• 0x43e1d0 islower

• 0x43e1d4 abort

• 0x43e1d8 calloc

• 0x43e1dc memset

• 0x43e1e0 _errno

• 0x43e1e4 _time64

• 0x43e1e8 tolower

• 0x43e1ec sscanf

• 0x43e1f0 fread

• 0x43e1f4 __iob_func

• 0x43e1f8 strchr

• 0x43e1fc strncpy

• 0x43e200 strtol

• 0x43e204 strrchr

• 0x43e208 isalpha

• 0x43e20c strncmp

• 0x43e210 isxdigit

• 0x43e214 strtoul

• 0x43e218 strpbrk

• 0x43e21c _strtoi64

• 0x43e220 qsort

• 0x43e224 fputs

• 0x43e228 fopen

• 0x43e22c fgets

• 0x43e230 isdigit

• 0x43e234 sprintf

• 0x43e238 _beginthreadex

• 0x43e23c __sys_nerr

• 0x43e240 isalnum

• 0x43e244 isspace

• 0x43e248 _getpid

• 0x43e24c memchr

• 0x43e250 _fstat64

• 0x43e254 _lseeki64

• 0x43e258 atoi

• 0x43e25c getenv

• 0x43e260 _gmtime64

• 0x43e264 _calloc_crt

• 0x43e268 _stat64

• 0x43e26c isprint

• 0x43e270 isgraph

• 0x43e274 _stricmp

• 0x43e278 _strdup

• 0x43e27c _close

• 0x43e280 _open

• 0x43e284 _read

• 0x43e288 _write

• 0x43e28c _strnicmp

• 0x43e290 _unlock

• 0x43e294 __dllonexit

• 0x43e298 _lock

• 0x43e29c _onexit

• 0x43e2a0 _amsg_exit

• 0x43e2a4 __wgetmainargs

• 0x43e2a8 _cexit

• 0x43e2ac _exit

• 0x43e2b0 _XcptFilter

• 0x43e2b4 exit

• 0x43e2b8 _wcmdln

• 0x43e2bc _initterm

• 0x43e2c0 _initterm_e

• 0x43e2c4 _configthreadlocale

• 0x43e2c8 __setusermatherr

• 0x43e2cc _commode

• 0x43e2d0 _fmode

• 0x43e2d4 __set_app_type

• 0x43e2d8 _crt_debugger_hook

• 0x43e2dc _except_handler4_common

Library ADVAPI32.dll:

• 0x43e000 CryptEncrypt

• 0x43e004 CryptReleaseContext

• 0x43e008 CryptImportKey

• 0x43e00c CryptAcquireContextA

• 0x43e010 CryptDestroyHash

• 0x43e014 CryptGetHashParam

• 0x43e018 CryptHashData

• 0x43e01c CryptCreateHash

• 0x43e020 CryptDestroyKey

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.