SmartHawk

5.4

中危

43 个模型检测该样本为恶意！

重新分析

下载样本

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

968e9faa49c57145eb9aa1d88147980a.exe

分析耗时

45s

最近分析

文件大小

2.3MB

静态报毒动态报毒 AI SCORE=86 AIDETECTVM APJNQ ARTEMIS ATTRIBUTE BSCOPE CONFIDENCE CRYPTBOT HIGH CONFIDENCE HIGHCONFIDENCE HSICJZ HTVY MALICIOUS PE MALWARE1 R002H0CHK20 R349178 RE2@A0OPO4LJ SCORE SIGGEN10 STRICTOR TROJANX UNSAFE WACATAC YMACCO ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Alibaba	TrojanDownloader:Win32/apjnq.c7a3297b	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20200828	18.4.3895.0
Kingsoft		20200828	2013.8.14.323
McAfee	Artemis!968E9FAA49C5	20200828	6.0.6.653
Tencent	Win32.Trojan-downloader.Agent.Htvy	20200828	1.0.0.1

This executable is signed

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.vmp0
section	.vmp1

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620840568.491374 NtProtectVirtualMemory	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00cb1000	success	0	0

Foreign language identified in PE resource (14 个事件)

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0045c860

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

offset

0x0045ccc8

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000084

name

RT_VERSION

language

LANG_CHINESE

offset

0x0045d154

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000040c

name

RT_VERSION

language

LANG_CHINESE

offset

0x0045d154

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000040c

name

RT_MANIFEST

language

LANG_CHINESE

offset

0x0045d6e0

filetype

ASCII text, with very long lines, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000437

name

RT_MANIFEST

language

LANG_CHINESE

offset

0x0045d6e0

filetype

ASCII text, with very long lines, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000437

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.842375288078742

section

{'size_of_data': '0x00236200', 'virtual_address': '0x0021a000', 'entropy': 7.842375288078742, 'name': '.vmp1', 'virtual_size': '0x00236110'}

description

A section with a high entropy has been found

entropy

0.979455017301038

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 个事件)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.40.34
host	203.208.41.65

Attempts to identify installed AV products by installation directory (2 个事件)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.78:443

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Strictor.248534
CAT-QuickHeal	Trojan.Wacatac
ALYac	Gen:Variant.Strictor.248534
Cylance	Unsafe
Zillya	Downloader.Agent.Win32.415168
K7AntiVirus	Trojan-Downloader ( 0056b5271 )
BitDefender	Gen:Variant.Strictor.248534
K7GW	Trojan-Downloader ( 0056b5271 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Strictor.D3CAD6
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Alibaba	TrojanDownloader:Win32/apjnq.c7a3297b
NANO-Antivirus	Trojan.Win32.Strictor.hsicjz
Avast	Win32:TrojanX-gen [Trj]
Ad-Aware	Gen:Variant.Strictor.248534
F-Secure	Trojan.TR/Dldr.Agent.apjnq
DrWeb	Trojan.Siggen10.6107
VIPRE	Trojan.Win32.Generic!BT
FireEye	Generic.mg.968e9faa49c57145
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Avira	TR/Dldr.Agent.apjnq
Microsoft	Trojan:Win32/Ymacco.AAD6
GData	Gen:Variant.Strictor.248534
Cynet	Malicious (score: 85)
AhnLab-V3	PUP/Win32.Agent.R349178
McAfee	Artemis!968E9FAA49C5
MAX	malware (ai score=86)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Spyware.CryptBot
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FGF
TrendMicro-HouseCall	TROJ_GEN.R002H0CHK20
Tencent	Win32.Trojan-downloader.Agent.Htvy
SentinelOne	DFI - Malicious PE
Fortinet	W32/Agent.FGF!tr.dldr
BitDefenderTheta	Gen:NN.ZexaF.34196.rE2@a0OPO4lj
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.ac2180
Panda	Trj/CI.A
Qihoo-360	Win32/Trojan.fc8

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-19 16:43:12

Imports

Library KERNEL32.dll:

• 0x840000 ExpandEnvironmentStringsW

Library USER32.dll:

• 0x840008 MessageBoxW

Library ADVAPI32.dll:

• 0x840010 RegOpenKeyExW

Library SHELL32.dll:

• 0x840018 ShellExecuteW

Library urlmon.dll:

• 0x840020 URLDownloadToFileW

Library KERNEL32.dll:

• 0x840028 GetModuleFileNameW

Library KERNEL32.dll:

• 0x840030 GetModuleHandleA

• 0x840034 LoadLibraryA

• 0x840038 LocalAlloc

• 0x84003c LocalFree

• 0x840040 GetModuleFileNameA

• 0x840044 ExitProcess

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	142.250.66.110
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.