SmartHawk

4.0

中危

54 个模型检测该样本为恶意！

重新分析

下载样本

bfd8ccba405dc5a5cd9a36cff3043cb8ceb98eb3ef764fa8afffb32bcb6a139c

9e34acb7ad22cc3d5316f6ce7994ffa5.exe

分析耗时

42s

最近分析

文件大小

173.0KB

静态报毒动态报毒 AGEN AI SCORE=97 AIDETECT BUNITU CLOUD COINMINER COINMINERX ELDORADO ELQV GANDCRAB GDSDA GENKRYPTIK HDGH HIGH CONFIDENCE HUZC HWOCLFWA IROLCO KQ0@A8O6YPJ KQ0@J8O6YPJ KRYPTIK MALPE MALWARE1 MALWARE@#3LYRX5APUIDSR MINT PAYMEN45 RACK S + MAL SAVE SCORE STATIC AI SUSGEN SUSPICIOUS PE TITIREZ UNSAFE VIRRANSOM WANNACRY X2065 ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Packed-GBE!9E34ACB7AD22	20210404	6.0.6.653
Alibaba	Ransom:Win32/Gandcrab.9f63dabe	20190527	0.3.0.5
CrowdStrike		20210203	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:CoinminerX-gen [Trj]	20210404	21.1.5827.0
Tencent	Win32.Trojan.Rack.Huzc	20210404	1.0.0.1

This executable has a PDB path (1 个事件)

pdb_path

C:\zanusup38\mocefiv.pdbruntime\crypt\tmp_625656427\bin\gunol.pdbà%hPgþÿÿÿ

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

AFX_DIALOG_LAYOUT

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781472.718375 NtProtectVirtualMemory	process_identifier: 1056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00a2a000	success	0	0
1619781472.734375 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00300000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.554503021337058

section

{'size_of_data': '0x0000fa00', 'virtual_address': '0x00001000', 'entropy': 7.554503021337058, 'name': '.text', 'virtual_size': '0x0000f8b0'}

description

A section with a high entropy has been found

entropy

0.3633720930232558

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.24.14:443

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Titirez.kq0@J8O6ypJ
FireEye	Generic.mg.9e34acb7ad22cc3d
McAfee	Packed-GBE!9E34ACB7AD22
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2035346
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Ransom:Win32/Gandcrab.9f63dabe
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Mint.Titirez.ED4926
Cyren	W32/GandCrab.BD.gen!Eldorado
Symantec	Ransom.Wannacry
ESET-NOD32	a variant of Win32/Kryptik.HDGH
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
ClamAV	Win.Dropper.Bunitu-7867941-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.Mint.Titirez.kq0@J8O6ypJ
NANO-Antivirus	Trojan.Win32.Encoder.irolco
Paloalto	generic.ml
Tencent	Win32.Trojan.Rack.Huzc
Ad-Aware	Gen:Heur.Mint.Titirez.kq0@J8O6ypJ
Emsisoft	Gen:Heur.Mint.Titirez.kq0@J8O6ypJ (B)
Comodo	Malware@#3lyrx5apuidsr
DrWeb	Trojan.Encoder.31788
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.VirRansom.ct
Sophos	Mal/Generic-S + Mal/GandCrab-G
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_96%
Avira	HEUR/AGEN.1134391
Gridinsoft	Trojan.Win32.CoinMiner.vb
Microsoft	Ransom:Win32/Gandcrab.AHB!MTB
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Heur.Mint.Titirez.kq0@J8O6ypJ
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPe.X2065
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34670.kq0@a8O6ypJ
ALYac	Trojan.Ransom.Paymen45
MAX	malware (ai score=97)
VBA32	TrojanRansom.Rack
Malwarebytes	Trojan.MalPack.GS
Rising	Trojan.Kryptik!1.C65B (CLOUD)
Ikarus	Trojan.Win32.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.ELQV!tr

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-07-16 06:38:23

Imports

Library KERNEL32.dll:

• 0x411008 SetCommTimeouts

• 0x41100c GetCurrencyFormatW

• 0x411010 GlobalAlloc

• 0x411014 GetExitCodeProcess

• 0x411018 GetFileAttributesW

• 0x41101c ReadFile

• 0x411020 lstrlenW

• 0x411024 IsBadStringPtrA

• 0x411028 WritePrivateProfileStringW

• 0x41102c FormatMessageA

• 0x411030 LCMapStringA

• 0x411034 FindFirstFileExA

• 0x411038 GetLastError

• 0x41103c GetProcAddress

• 0x411040 RemoveDirectoryA

• 0x411044 OpenWaitableTimerA

• 0x411048 GetPrivateProfileSectionA

• 0x41104c GetCurrentProcessId

• 0x411050 GetModuleHandleW

• 0x411054 SleepEx

• 0x411058 CreateHardLinkA

• 0x41105c HeapAlloc

• 0x411060 GetDriveTypeW

• 0x411064 GetLocaleInfoA

• 0x411068 FindResourceA

• 0x41106c GetNamedPipeHandleStateW

• 0x411070 CreateFileA

• 0x411074 GetStartupInfoW

• 0x411078 TerminateProcess

• 0x41107c GetCurrentProcess

• 0x411080 UnhandledExceptionFilter

• 0x411084 SetUnhandledExceptionFilter

• 0x411088 IsDebuggerPresent

• 0x41108c Sleep

• 0x411090 ExitProcess

• 0x411094 WriteFile

• 0x411098 GetStdHandle

• 0x41109c GetModuleFileNameA

• 0x4110a0 GetModuleFileNameW

• 0x4110a4 FreeEnvironmentStringsW

• 0x4110a8 GetEnvironmentStringsW

• 0x4110ac GetCommandLineW

• 0x4110b0 SetHandleCount

• 0x4110b4 GetFileType

• 0x4110b8 GetStartupInfoA

• 0x4110bc DeleteCriticalSection

• 0x4110c0 TlsGetValue

• 0x4110c4 TlsAlloc

• 0x4110c8 TlsSetValue

• 0x4110cc TlsFree

• 0x4110d0 InterlockedIncrement

• 0x4110d4 SetLastError

• 0x4110d8 GetCurrentThreadId

• 0x4110dc InterlockedDecrement

• 0x4110e0 HeapCreate

• 0x4110e4 VirtualFree

• 0x4110e8 HeapFree

• 0x4110ec QueryPerformanceCounter

• 0x4110f0 GetTickCount

• 0x4110f4 GetSystemTimeAsFileTime

• 0x4110f8 LeaveCriticalSection

• 0x4110fc EnterCriticalSection

• 0x411100 LoadLibraryA

• 0x411104 InitializeCriticalSectionAndSpinCount

• 0x411108 GetCPInfo

• 0x41110c GetACP

• 0x411110 GetOEMCP

• 0x411114 IsValidCodePage

• 0x411118 VirtualAlloc

• 0x41111c HeapReAlloc

• 0x411120 RtlUnwind

• 0x411124 HeapSize

• 0x411128 WideCharToMultiByte

• 0x41112c GetStringTypeA

• 0x411130 MultiByteToWideChar

• 0x411134 GetStringTypeW

• 0x411138 LCMapStringW

Library ADVAPI32.dll:

• 0x411000 LookupAccountNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	56809	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	60124	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.