SmartHawk

4.0

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

bd27fe96b334c81e8b62bda3121306619ca317dad8a971daf0639cb896953006

9eae0b7cdeee4c07443f80b8bae7e56c.exe

分析耗时

152s

最近分析

文件大小

217.5KB

静态报毒动态报毒 100% AIDETECTVM BQCO CLASSIC CONFIDENCE DANABOT ELDORADO FSEY GDSDA GOZI HCVW HIGH CONFIDENCE HJEKHJ HPDF KRYPTIK MALICIOUS PE MALPE MALWARE1 MINT NQW@A4V1 OBSCURE QVM10 RACEALER SCORE STATIC AI TIABOEEQ TITIREZ TOFSEE TROJANPSW UNSAFE URSINF URSNIF WACATAC X2062 ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Ursinf.72fda040	20190527	0.3.0.5
Avast	Win32:Trojan-gen	20201229	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft		20201229	2017.9.26.565
McAfee	Trojan-FSEY!9EAE0B7CDEEE	20201229	6.0.6.653
Tencent		20201229	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619785215.813751 NtProtectVirtualMemory	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x002dc000	success	0	0
1619785215.828751 NtAllocateVirtualMemory	process_identifier: 2740 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00590000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.370561578439506

section

{'size_of_data': '0x0001d000', 'virtual_address': '0x00001000', 'entropy': 7.370561578439506, 'name': '.text', 'virtual_size': '0x0001cee6'}

description

A section with a high entropy has been found

entropy

0.535796766743649

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.40.98
host	203.208.41.33

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Titirez.1.22
FireEye	Generic.mg.9eae0b7cdeee4c07
CAT-QuickHeal	Trojan.Generic
ALYac	Spyware.Ursnif
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 005653e41 )
Alibaba	Trojan:Win32/Ursinf.72fda040
K7GW	Trojan ( 005653e41 )
Cybereason	malicious.cdeee4
Arcabit	Trojan.Mint.Titirez.1.22
BitDefenderTheta	Gen:NN.ZexaF.34700.nqW@a4v1!UpG
Cyren	W32/Agent.BTA.gen!Eldorado
Symantec	Packed.Generic.525
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Generic-7688662-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.Mint.Titirez.1.22
NANO-Antivirus	Trojan.Win32.Gozi.hjekhj
SUPERAntiSpyware	Trojan.Agent/Generic
Avast	Win32:Trojan-gen
Rising	Malware.Obscure/Heur!1.9E03 (CLASSIC)
Ad-Aware	Gen:Heur.Mint.Titirez.1.22
Emsisoft	Gen:Heur.Mint.Titirez.1.22 (B)
F-Secure	Trojan.TR/AD.Ursnif.bqco
DrWeb	Trojan.Gozi.660
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.URSNIF.TIABOEEQ
McAfee-GW-Edition	BehavesLike.Win32.Worm.dh
Sophos	Mal/Generic-S
Ikarus	Trojan-Dropper.Win32.Danabot
Jiangmin	Backdoor.Tofsee.bws
eGambit	Unsafe.AI_Score_97%
Avira	TR/AD.Ursnif.bqco
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Trojan.Win32.Kryptik.ba
Microsoft	Trojan:Win32/Ursinf.MK!MSR
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Heur.Mint.Titirez.1.22
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPe.X2062
Acronis	suspicious
McAfee	Trojan-FSEY!9EAE0B7CDEEE
VBA32	TrojanPSW.Racealer
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/Kryptik.HCVW
TrendMicro-HouseCall	TrojanSpy.Win32.URSNIF.TIABOEEQ

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-03-29 12:02:57

Imports

Library KERNEL32.dll:

• 0x41e018 HeapAlloc

• 0x41e01c ClearCommError

• 0x41e020 GetConsoleAliasA

• 0x41e024 SetConsoleScreenBufferSize

• 0x41e028 FindFirstFileExW

• 0x41e02c _lclose

• 0x41e030 GetProcessPriorityBoost

• 0x41e034 GetModuleHandleW

• 0x41e038 GetTickCount

• 0x41e03c GetWindowsDirectoryA

• 0x41e040 GetPriorityClass

• 0x41e044 GetVolumePathNameW

• 0x41e048 OpenProcess

• 0x41e04c EnumSystemCodePagesA

• 0x41e050 EnumResourceLanguagesA

• 0x41e054 MultiByteToWideChar

• 0x41e058 DisconnectNamedPipe

• 0x41e05c GetLongPathNameA

• 0x41e060 PeekConsoleInputW

• 0x41e064 BuildCommDCBAndTimeoutsA

• 0x41e068 GetAtomNameA

• 0x41e06c ProcessIdToSessionId

• 0x41e070 LocalAlloc

• 0x41e074 IsWow64Process

• 0x41e078 SetConsoleCtrlHandler

• 0x41e07c SetConsoleOutputCP

• 0x41e080 SetProcessWorkingSetSize

• 0x41e084 GetCommMask

• 0x41e088 FindFirstVolumeMountPointA

• 0x41e08c CreateMailslotA

• 0x41e090 VirtualProtect

• 0x41e094 EnumDateFormatsW

• 0x41e098 FatalAppExitA

• 0x41e09c SetCalendarInfoA

• 0x41e0a0 FindAtomW

• 0x41e0a4 FindNextVolumeA

• 0x41e0a8 lstrcpyA

• 0x41e0ac WriteConsoleW

• 0x41e0b0 LoadLibraryW

• 0x41e0b4 GetDefaultCommConfigW

• 0x41e0b8 lstrlenA

• 0x41e0bc WriteConsoleOutputCharacterW

• 0x41e0c0 SetVolumeLabelA

• 0x41e0c4 SetFileApisToOEM

• 0x41e0c8 GetVolumeNameForVolumeMountPointA

• 0x41e0cc InterlockedIncrement

• 0x41e0d0 InterlockedDecrement

• 0x41e0d4 EncodePointer

• 0x41e0d8 DecodePointer

• 0x41e0dc Sleep

• 0x41e0e0 InitializeCriticalSection

• 0x41e0e4 DeleteCriticalSection

• 0x41e0e8 EnterCriticalSection

• 0x41e0ec LeaveCriticalSection

• 0x41e0f0 GetLastError

• 0x41e0f4 HeapFree

• 0x41e0f8 GetCommandLineW

• 0x41e0fc HeapSetInformation

• 0x41e100 GetStartupInfoW

• 0x41e104 RaiseException

• 0x41e108 RtlUnwind

• 0x41e10c WideCharToMultiByte

• 0x41e110 LCMapStringW

• 0x41e114 GetCPInfo

• 0x41e118 TerminateProcess

• 0x41e11c GetCurrentProcess

• 0x41e120 UnhandledExceptionFilter

• 0x41e124 SetUnhandledExceptionFilter

• 0x41e128 IsDebuggerPresent

• 0x41e12c IsProcessorFeaturePresent

• 0x41e130 HeapCreate

• 0x41e134 SetHandleCount

• 0x41e138 GetStdHandle

• 0x41e13c InitializeCriticalSectionAndSpinCount

• 0x41e140 GetFileType

• 0x41e144 SetFilePointer

• 0x41e148 CloseHandle

• 0x41e14c GetProcAddress

• 0x41e150 ExitProcess

• 0x41e154 WriteFile

• 0x41e158 GetModuleFileNameW

• 0x41e15c FreeEnvironmentStringsW

• 0x41e160 GetEnvironmentStringsW

• 0x41e164 TlsAlloc

• 0x41e168 TlsGetValue

• 0x41e16c TlsSetValue

• 0x41e170 TlsFree

• 0x41e174 SetLastError

• 0x41e178 GetCurrentThreadId

• 0x41e17c QueryPerformanceCounter

• 0x41e180 GetCurrentProcessId

• 0x41e184 GetSystemTimeAsFileTime

• 0x41e188 GetLocaleInfoW

• 0x41e18c HeapSize

• 0x41e190 GetACP

• 0x41e194 GetOEMCP

• 0x41e198 IsValidCodePage

• 0x41e19c GetUserDefaultLCID

• 0x41e1a0 GetLocaleInfoA

• 0x41e1a4 EnumSystemLocalesA

• 0x41e1a8 IsValidLocale

• 0x41e1ac GetStringTypeW

• 0x41e1b0 HeapReAlloc

• 0x41e1b4 SetStdHandle

• 0x41e1b8 GetConsoleCP

• 0x41e1bc GetConsoleMode

• 0x41e1c0 FlushFileBuffers

• 0x41e1c4 CreateFileW

Library USER32.dll:

• 0x41e1cc GetCaretPos

Library ADVAPI32.dll:

• 0x41e000 RevertToSelf

• 0x41e004 EnumServicesStatusW

• 0x41e008 BackupEventLogA

• 0x41e00c RegQueryMultipleValuesW

• 0x41e010 QueryServiceLockStatusW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62191	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.