9.0
Critical

5b113b08d25005c3195b8144e422bdd1a2f866fc3cf9d6bc641f006539e97e07

993f7bb4f9158420f2a9e3de0d7edc6c.exe

Analysis time

80s

Latest analysis

File size

3.1MB
Static detections, dynamic detections: AI SCORE=100 ARTEMIS ATTRIBUTE BSCOPE CAMELOT CCMW CONFIDENCE F2UJ6 HIGH CONFIDENCE HIGHCONFIDENCE HTCH IF0@AO5CEZLK KCLOUD MALWARE@#1UML8WICPQ6O6 OCCAMY PSZ0A QQPASS QQROB QWLIV RACCOONSTEALER RACEALER RAZY REDCAP SAVE SCORE SIGGEN9 STATIC AI SUSGEN SUSPICIOUS PE THEMIDA TROJANPSW UNSAFE YMACCO ZEXAF
Hawkeye engine
Not detected: no Hawkeye engine result is available for this sample
Static verdict
Antivirus engines
Engine Result Scan time Engine version
Alibaba TrojanPSW:Win32/Racealer.ba953354 20190527 0.3.0.5
Avast Win32:Trojan-gen 20210301 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Generic_a.a.(kcloud) 20210301 2017.9.26.565
McAfee Artemis!993F7BB4F915 20210301 6.0.6.653
Tencent Win32.Trojan-qqpass.Qqrob.Htch 20210301 1.0.0.1
CrowdStrike win/malicious_confidence_60% (D) 20210203 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section
section .imports
section .themida
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1619781067.414103
__exception__
stacktrace:
993f7bb4f9158420f2a9e3de0d7edc6c+0x2c5b73 @ 0x1485b73
993f7bb4f9158420f2a9e3de0d7edc6c+0x2c5c10 @ 0x1485c10

registers.esp: 4259128
registers.edi: 19869696
registers.eax: 4259128
registers.ebp: 4259208
registers.edx: 2130566132
registers.ebx: 4194347
registers.esi: 2010805291
registers.ecx: 3263758336
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619781067.742103
__exception__
stacktrace:

registers.esp: 4259248
registers.edi: 8334858
registers.eax: 1750617430
registers.ebp: 19869696
registers.edx: 2130532438
registers.ebx: 2147483650
registers.esi: 20638237
registers.ecx: 20
exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 11 38 ef ff
exception.symbol: 993f7bb4f9158420f2a9e3de0d7edc6c+0x2f2e38
exception.instruction: in eax, dx
exception.module: 993f7bb4f9158420f2a9e3de0d7edc6c.exe
exception.exception_code: 0xc0000096
exception.offset: 3092024
exception.address: 0x14b2e38
success 0 0
1619781067.742103
__exception__
stacktrace:

registers.esp: 4259248
registers.edi: 8334858
registers.eax: 1447909480
registers.ebp: 19869696
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 20638237
registers.ecx: 10
exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d
exception.symbol: 993f7bb4f9158420f2a9e3de0d7edc6c+0x2f2eac
exception.instruction: in eax, dx
exception.module: 993f7bb4f9158420f2a9e3de0d7edc6c.exe
exception.exception_code: 0xc0000096
exception.offset: 3092140
exception.address: 0x14b2eac
success 0 0
1619781127.898103
__exception__
stacktrace:
993f7bb4f9158420f2a9e3de0d7edc6c+0x1a27 @ 0x11c1a27
0x40fdf8

registers.esp: 4256672
registers.edi: 2001955598
registers.eax: 0
registers.ebp: 4257780
registers.edx: 71
registers.ebx: 1024
registers.esi: 4294967295
registers.ecx: 0
exception.instruction_r: 88 14 08 41 3b ce 72 f1 8b 45 e8 89 45 f4 6a 00
exception.symbol: 993f7bb4f9158420f2a9e3de0d7edc6c+0x1302
exception.instruction: mov byte ptr [eax + ecx], dl
exception.module: 993f7bb4f9158420f2a9e3de0d7edc6c.exe
exception.exception_code: 0xc0000005
exception.offset: 4866
exception.address: 0x11c1302
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (5 events)
Time & API Arguments Status Return Repeated
1619781067.398103
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77dcf000
success 0 0
1619781067.398103
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d40000
success 0 0
1619781067.789103
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011c2000
success 0 0
1619781067.789103
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011c2000
success 0 0
1619781067.789103
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011c2000
success 0 0
A process attempted to delay the analysis task. (1 event)
description 993f7bb4f9158420f2a9e3de0d7edc6c.exe tried to sleep 124 seconds, actually delayed analysis time by 124 seconds
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619781068.867103
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (5 events)
entropy 7.910253976631279 section {'size_of_data': '0x00000811', 'virtual_address': '0x00001000', 'entropy': 7.910253976631279, 'name': ' ', 'virtual_size': '0x00000b4a'} description A section with a high entropy has been found
entropy 7.232565281367795 section {'size_of_data': '0x00000147', 'virtual_address': '0x00002000', 'entropy': 7.232565281367795, 'name': ' ', 'virtual_size': '0x00000680'} description A section with a high entropy has been found
entropy 6.8304088571484645 section {'size_of_data': '0x000000b6', 'virtual_address': '0x00004000', 'entropy': 6.8304088571484645, 'name': ' ', 'virtual_size': '0x0000012c'} description A section with a high entropy has been found
entropy 7.304989737143038 section {'size_of_data': '0x0012d000', 'virtual_address': '0x00005000', 'entropy': 7.304989737143038, 'name': '.rsrc', 'virtual_size': '0x0012cf5a'} description A section with a high entropy has been found
entropy 0.37621095365321733 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 162.0.231.190
host 172.217.24.14
Checks for the presence of known windows from debuggers and forensic tools (50 out of 93 events)
Time & API Arguments Status Return Repeated
1619781067.585103
FindWindowA
class_name: RegmonClass
window_name:
failed 0 0
1619781067.585103
FindWindowA
class_name: RegmonClass
window_name:
failed 0 0
1619781067.585103
FindWindowA
class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
failed 0 0
1619781067.585103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781067.742103
FindWindowA
class_name: FilemonClass
window_name:
failed 0 0
1619781067.742103
FindWindowA
class_name: FilemonClass
window_name:
failed 0 0
1619781067.742103
FindWindowA
class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
failed 0 0
1619781067.742103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781067.742103
FindWindowA
class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
failed 0 0
1619781071.789103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781071.789103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781072.101103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781072.414103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781072.414103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781072.414103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781076.414103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781076.414103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781076.726103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781077.039103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781077.039103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781077.039103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781081.039103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781081.039103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781081.351103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781081.664103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781081.664103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781081.664103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781085.664103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781085.664103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781085.976103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781086.289103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781086.289103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781086.289103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781090.289103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781090.289103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781090.601103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781090.914103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781090.914103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781090.914103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781094.914103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781094.914103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781095.226103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781095.539103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781095.539103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781095.539103
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1619781099.539103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781099.539103
FindWindowA
class_name: Regmonclass
window_name:
failed 0 0
1619781099.851103
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1619781100.164103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
1619781100.164103
FindWindowA
class_name: Filemonclass
window_name:
failed 0 0
Checks the version of BIOS, possibly for anti-virtualization (2 events)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619781071.476103
RegSetValueExA
key_handle: 0x00000334
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619781071.476103
RegSetValueExA
key_handle: 0x00000334
value: `Ÿ7Ֆ=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619781071.476103
RegSetValueExA
key_handle: 0x00000334
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619781071.476103
RegSetValueExW
key_handle: 0x00000334
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619781071.476103
RegSetValueExA
key_handle: 0x00000348
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619781071.476103
RegSetValueExA
key_handle: 0x00000348
value: `Ÿ7Ֆ=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619781071.476103
RegSetValueExA
key_handle: 0x00000348
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619781071.523103
RegSetValueExW
key_handle: 0x00000330
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Detects VirtualBox through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Detects virtual machines through their custom firmware (1 event)
Time & API Arguments Status Return Repeated
1619781067.789103
NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
failed 3221225507 0
Detects VMware through the `in` instruction feature (1 event)
Time & API Arguments Status Return Repeated
1619781067.742103
__exception__
stacktrace:

registers.esp: 4259248
registers.edi: 8334858
registers.eax: 1447909480
registers.ebp: 19869696
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 20638237
registers.ecx: 10
exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d
exception.symbol: 993f7bb4f9158420f2a9e3de0d7edc6c+0x2f2eac
exception.instruction: in eax, dx
exception.module: 993f7bb4f9158420f2a9e3de0d7edc6c.exe
exception.exception_code: 0xc0000096
exception.offset: 3092140
exception.address: 0x14b2eac
success 0 0
File has been identified by 55 antivirus engines on VirusTotal as malicious (50 out of 55 events)
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.52632
MicroWorld-eScan Gen:Variant.Razy.682729
FireEye Generic.mg.993f7bb4f9158420
ALYac Gen:Variant.Razy.682729
Cylance Unsafe
Zillya Trojan.Racealer.Win32.655
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056864a1 )
Alibaba TrojanPSW:Win32/Racealer.ba953354
K7GW Trojan ( 0056864a1 )
Cybereason malicious.4f9158
Arcabit Trojan.Razy.DA6AE9
BitDefenderTheta Gen:NN.ZexaF.34590.iF0@aO5CeZlk
Cyren AU3/Injector.A.gen!Camelot
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.Themida.HMW
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan-PSW.Win32.Racealer.gdc
BitDefender Gen:Variant.Razy.682729
NANO-Antivirus Virus.Win32.Gen.ccmw
Paloalto generic.ml
AegisLab Trojan.Win32.Malicious.4!c
Ad-Aware Gen:Variant.Razy.682729
Sophos Mal/Generic-S
Comodo Malware@#1uml8wicpq6o6
F-Secure Trojan.TR/Redcap.qwliv
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Generic.wh
Emsisoft Gen:Variant.Razy.682729 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.PSW.Racealer.asv
Avira TR/Redcap.qwliv
Antiy-AVL Trojan[PSW]/Win32.Racealer
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Packed.ba
Microsoft Trojan:Win32/Ymacco.AA5B
ZoneAlarm Trojan-PSW.Win32.Racealer.gdc
GData Gen:Variant.Razy.682729
Cynet Malicious (score: 85)
Acronis suspicious
McAfee Artemis!993F7BB4F915
MAX malware (ai score=100)
VBA32 BScope.Trojan.Occamy
Malwarebytes Spyware.RaccoonStealer
Tencent Win32.Trojan-qqpass.Qqrob.Htch
Yandex Trojan.Themida!F2Uj6/PSZ0A
Ikarus Trojan.Win32.Themida
MaxSecure Trojan.Malware.102061314.susgen
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (26 events)
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49192
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49196
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49193
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49197
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49194
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49198
dead_host 192.168.56.101:49200
dead_host 192.168.56.101:49178
dead_host 162.0.231.190:80
dead_host 192.168.56.101:49186
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49195
dead_host 192.168.56.101:49190
dead_host 192.168.56.101:49199
dead_host 192.168.56.101:49201
dead_host 192.168.56.101:49179
dead_host 192.168.56.101:49187
dead_host 192.168.56.101:49183
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2020-06-05 19:39:26

Imports

Library kernel32.dll:
0x532170 GetModuleHandleA
Library WININET.dll:
Library WS2_32.dll:
0x532180 closesocket
Library WINHTTP.dll:
0x532188 WinHttpOpenRequest
Library SHLWAPI.dll:
0x532190 PathFindExtensionW
Library USER32.dll:
0x532198 wsprintfW
Library ADVAPI32.dll:
0x5321a0 GetTokenInformation

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49204 88.99.66.31 iplogger.org 443
192.168.56.101 49206 88.99.66.31 iplogger.org 443
192.168.56.101 49207 88.99.66.31 iplogger.org 443
192.168.56.101 49208 88.99.66.31 iplogger.org 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 55369 239.255.255.250 3702
192.168.56.101 57875 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://iplogger.org:443/1veVa7
GET /1veVa7 HTTP/1.1
Host: iplogger.org

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.