4.6
Medium risk

27ca6ccbcc93569c1b776a5a40367a723c7115f8a7f15eb6b45181c22c4f48c3

94e8171870377d3186c8dbf61b5325aa.exe

Analysis duration

31s

Last analyzed

File size

6.4MB
Static detections / dynamic detections (tags): AI SCORE=82 ARTEMIS AYQD BEREB GENERICKD MALICIOUS MALWARE@#2PQQ19OPVED30 ROZENA SCORE SHELMA TFESD UNSAFE YMACCO
Hawkeye engine
Not detected: no Hawkeye engine detection results available
Static verdict
Antivirus engines
Engine        Result                         Scan date   Engine version
Alibaba       Trojan:Win32/Shelma.627fb643   20190527    0.3.0.5
CrowdStrike   -                              20190702    1.0
Baidu         -                              20190318    1.0.0.2
Avast         Win64:Malware-gen              20201008    18.4.3895.0
Kingsoft      -                              20201008    2013.8.14.323
McAfee        Artemis!94E817187037           20201008    6.0.6.653
Static indicators
Command line console output was observed (1 event)
Time: 1620965511.193875
API: WriteConsoleW
Arguments:
  buffer: Get http://47.105.143.181/code.txt: dial tcp 47.105.143.181:80: connectex: No connection could be made because the target machine actively refused it.
  console_handle: 0x0000000000000007
Status: success   Return: 1   Repeated: 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .symtab
Behavioral verdict
Dynamic indicators
The binary likely contains encrypted or compressed data indicative of a packer (8 events)
entropy 7.996700180511057 section {'size_of_data': '0x00047400', 'virtual_address': '0x004e4000', 'entropy': 7.996700180511057, 'name': '/19', 'virtual_size': '0x0004723e'} description A section with a high entropy has been found
entropy 7.939980186137494 section {'size_of_data': '0x00012600', 'virtual_address': '0x0052c000', 'entropy': 7.939980186137494, 'name': '/32', 'virtual_size': '0x000124bd'} description A section with a high entropy has been found
entropy 7.9722198853991815 section {'size_of_data': '0x00003800', 'virtual_address': '0x0053f000', 'entropy': 7.9722198853991815, 'name': '/46', 'virtual_size': '0x000037e2'} description A section with a high entropy has been found
entropy 7.982989088613195 section {'size_of_data': '0x00009400', 'virtual_address': '0x00543000', 'entropy': 7.982989088613195, 'name': '/63', 'virtual_size': '0x00009283'} description A section with a high entropy has been found
entropy 7.997239928297627 section {'size_of_data': '0x0007d200', 'virtual_address': '0x0054e000', 'entropy': 7.997239928297627, 'name': '/99', 'virtual_size': '0x0007d14b'} description A section with a high entropy has been found
entropy 7.996040061105142 section {'size_of_data': '0x00052000', 'virtual_address': '0x005cc000', 'entropy': 7.996040061105142, 'name': '/112', 'virtual_size': '0x00051f40'} description A section with a high entropy has been found
entropy 7.7992888936087255 section {'size_of_data': '0x0001b000', 'virtual_address': '0x0061e000', 'entropy': 7.7992888936087255, 'name': '/124', 'virtual_size': '0x0001afda'} description A section with a high entropy has been found
entropy 0.2056531703590527 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 47.105.143.181
Detects the presence of Wine emulator (1 event)
Time: 1620965508.256875
API: LdrGetProcedureAddress
Arguments:
  ordinal: 0
  module: ntdll
  module_address: 0x0000000077b50000
  function_address: 0x000007feff3b7a50
  function_name: wine_get_version
Status: failed   Return: -1073741511   Repeated: 0
File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)
MicroWorld-eScan Trojan.GenericKD.34508130
FireEye Trojan.GenericKD.34508130
CAT-QuickHeal Trojan.Shelma
ALYac Trojan.Agent.Rozena
Cylance Unsafe
Zillya Trojan.Rozena.Win64.4399
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Shelma.627fb643
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D20E8D62
Invincea Mal/Generic-S
Symantec Trojan.Gen.MBT
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.Shelma.ayqd
BitDefender Trojan.GenericKD.34508130
AegisLab Trojan.Win32.Shelma.4!c
Avast Win64:Malware-gen
Ad-Aware Trojan.GenericKD.34508130
Emsisoft Trojan.GenericKD.34508130 (B)
Comodo Malware@#2pqq19opved30
F-Secure Trojan.TR/Shelma.tfesd
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win64.SHELMA.H
McAfee-GW-Edition BehavesLike.Win64.Backdoor.vh
Sophos Mal/Generic-S
Jiangmin Worm.Bereb.i
Webroot W32.Trojan.Gen
Avira TR/Shelma.tfesd
Microsoft Trojan:Win32/Ymacco.AA27
ZoneAlarm Trojan.Win32.Shelma.ayqd
GData Trojan.GenericKD.34508130
Cynet Malicious (score: 85)
McAfee Artemis!94E817187037
MAX malware (ai score=82)
ESET-NOD32 a variant of Win64/Rozena.FO
TrendMicro-HouseCall Trojan.Win64.SHELMA.H
Ikarus Trojan-Downloader.Win64.Agent
Fortinet W64/Rozena.FO!tr
AVG Win64:Malware-gen
Qihoo-360 Win32/Trojan.377
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 47.105.143.181:80
dead_host 192.168.56.101:49176
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

1970-01-01 08:00:00

Imports

Library kernel32.dll:
0x881020 WriteFile
0x881028 WriteConsoleW
0x881038 WaitForSingleObject
0x881040 VirtualQuery
0x881048 VirtualFree
0x881050 VirtualAlloc
0x881058 SwitchToThread
0x881060 SetWaitableTimer
0x881078 SetEvent
0x881080 SetErrorMode
0x881090 LoadLibraryA
0x881098 LoadLibraryW
0x8810a0 GetSystemInfo
0x8810a8 GetSystemDirectoryA
0x8810b0 GetStdHandle
0x8810c8 GetProcAddress
0x8810d8 GetConsoleMode
0x8810e8 ExitProcess
0x8810f0 DuplicateHandle
0x8810f8 CreateThread
0x881108 CreateEventA
0x881110 CloseHandle

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port   Destination                      Destination port
192.168.56.101  50002         114.114.114.114                  53
192.168.56.101  53237         114.114.114.114                  53
192.168.56.101  57756         114.114.114.114                  53
192.168.56.101  58367         114.114.114.114                  53
192.168.56.101  62318         114.114.114.114                  53
192.168.56.101  137           192.168.56.255                   137
192.168.56.101  138           192.168.56.255                   138
192.168.56.101  123           20.189.79.72 (time.windows.com)  123
192.168.56.101  49235         224.0.0.252                      5355
192.168.56.101  50534         224.0.0.252                      5355
192.168.56.101  51963         224.0.0.252                      5355
192.168.56.101  53657         224.0.0.252                      5355
192.168.56.101  56804         224.0.0.252                      5355
192.168.56.101  57874         224.0.0.252                      5355
192.168.56.101  60384         224.0.0.252                      5355
192.168.56.101  61680         224.0.0.252                      5355
192.168.56.101  62191         224.0.0.252                      5355
192.168.56.101  63429         224.0.0.252                      5355
192.168.56.101  1900          239.255.255.250                  1900
192.168.56.101  49240         239.255.255.250                  1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.