SmartHawk

8.8

极危

55 个模型检测该样本为恶意！

重新分析

下载样本

39d56c869cad92d68f32de4587211860f3a5c03079340351a80f2bfbee3dd547

9ed447849633a03774b6661cd8f53339.exe

分析耗时

102s

最近分析

文件大小

1.2MB

静态报毒动态报毒 AI SCORE=81 AIDETECTVM ATTRIBUTE CLOUD CONFIDENCE DANGEROUSSIG DEYMA DRIDEX ELDORADO EMVOJ ENCPK GDSDA GENCIRC GENERICKD GENERICRXLM HFHM HIGH CONFIDENCE HIGHCONFIDENCE HPGRGI KRYPTIK MALWARE1 PR1@AM5HAEFI QAKBOT QVM20 R049C0DGP20 R347342 RACCOONSTEALER RACEALER SCORE SGENERIC SIGGEN2 SUSGEN TRRV UNSAFE YMME ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanDownloader:Win32/Deyma.bbbe9138	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:DangerousSig [Trj]	20200818	18.4.3895.0
Kingsoft		20200818	2013.8.14.323
McAfee	GenericRXLM-RX!9ED447849633	20200817	6.0.6.653
Tencent	Malware.Win32.Gencirc.10cde496	20200818	1.0.0.1
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619804703.584501 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619804702.897124 WriteConsoleW	buffer: 操作成功完成。 console_handle: 0x00000007	success	1	0
1619804710.318501 WriteConsoleW	buffer: 成功: 成功创建计划任务 "a174c1ef10e2077451f5b6dda83242a1"。 console_handle: 0x00000007	success	1	0

This executable is signed

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.rdata7

Allocates read-write-execute memory (usually to unpack itself) (6 个事件)

Time & API	Arguments	Status
1619804640.381374 NtAllocateVirtualMemory	process_identifier: 1396 region_size: 741376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01de0000	success
1619804641.131374 NtAllocateVirtualMemory	process_identifier: 1396 region_size: 737280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ea0000	success
1619804641.131374 NtProtectVirtualMemory	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619804641.662249 NtAllocateVirtualMemory	process_identifier: 2008 region_size: 741376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ea0000	success
1619804642.068249 NtAllocateVirtualMemory	process_identifier: 2008 region_size: 737280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01f60000	success
1619804642.068249 NtProtectVirtualMemory	process_identifier: 2008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

A process attempted to delay the analysis task. (1 个事件)

description

bdif.exe tried to sleep 126 seconds, actually delayed analysis time by 126 seconds

Creates executable files on the filesystem (2 个事件)

file	c:\programdata\1321ba6d1f\bdif.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cred.dll

Creates a suspicious process (2 个事件)

cmdline	SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
cmdline	cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe

A process created a hidden window (3 个事件)

Time & API	Arguments	Status	Return
1619804641.459374 CreateProcessInternalW	thread_identifier: 1056 thread_handle: 0x0000008c process_identifier: 2008 current_directory: filepath: track: 1 command_line: c:\programdata\1321ba6d1f\bdif.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000088 inherit_handles: 0	success	1
1619804702.287249 CreateProcessInternalW	thread_identifier: 1304 thread_handle: 0x000003f0 process_identifier: 1928 current_directory: filepath: track: 1 command_line: cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000003f4 inherit_handles: 0	success	1
1619804702.475249 CreateProcessInternalW	thread_identifier: 3064 thread_handle: 0x000003fc process_identifier: 2012 current_directory: filepath: track: 1 command_line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000003f8 inherit_handles: 0	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619804647.787249 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Uses Windows utilities for basic Windows functionality (3 个事件)

cmdline	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
cmdline	SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
cmdline	cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	217.8.117.52

Attempts to identify installed AV products by installation directory (7 个事件)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 个事件)

cmdline	SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
cmdline	cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619804650.553249 RegSetValueExA	key_handle: 0x000003cc value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619804650.553249 RegSetValueExA	key_handle: 0x000003cc value: ítà=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619804650.553249 RegSetValueExA	key_handle: 0x000003cc value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619804650.553249 RegSetValueExW	key_handle: 0x000003cc value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619804650.553249 RegSetValueExA	key_handle: 0x000003e0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619804650.553249 RegSetValueExA	key_handle: 0x000003e0 value: ítà=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619804650.553249 RegSetValueExA	key_handle: 0x000003e0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619804650.568249 RegSetValueExW	key_handle: 0x000003c8 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34232827
FireEye	Generic.mg.9ed447849633a037
ALYac	Trojan.GenericKD.34232827
Malwarebytes	Spyware.RaccoonStealer
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDownloader:Win32/Deyma.bbbe9138
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.9515cf
TrendMicro	TROJ_GEN.R049C0DGP20
F-Prot	W32/Kryptik.BRN.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
GData	Trojan.GenericKD.34232827
Kaspersky	Trojan-Downloader.Win32.Deyma.bne
BitDefender	Trojan.GenericKD.34232827
NANO-Antivirus	Trojan.Win32.Deyma.hpgrgi
ViRobot	Trojan.Win32.Z.Raccoonstealer.1297984.J
Avast	Win32:DangerousSig [Trj]
Rising	Trojan.Kryptik!1.C974 (CLOUD)
Ad-Aware	Trojan.GenericKD.34232827
F-Secure	Trojan.TR/Kryptik.emvoj
DrWeb	Trojan.PWS.Siggen2.51569
Zillya	Trojan.Racealer.Win32.797
Invincea	heuristic
Sophos	Mal/EncPk-APV
Cyren	W32/Trojan.YMME-7088
Avira	TR/Kryptik.emvoj
Antiy-AVL	Trojan/Win32.SGeneric
Arcabit	Trojan.Generic.D20A59FB
AegisLab	Trojan.Win32.Racealer.trrV
ZoneAlarm	Trojan-Downloader.Win32.Deyma.bne
Microsoft	Trojan:Win32/Raccoonstealer.VD!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Qakbot.R347342
Acronis	suspicious
McAfee	GenericRXLM-RX!9ED447849633
MAX	malware (ai score=81)
VBA32	Trojan.Raccoonstealer
Cylance	Unsafe
ESET-NOD32	a variant of Win32/Kryptik.HFHM
TrendMicro-HouseCall	Backdoor.Win32.QAKBOT.SMF
Tencent	Malware.Win32.Gencirc.10cde496
Ikarus	Trojan-Spy.Agent
MaxSecure	Trojan.Malware.104306654.susgen
Fortinet	W32/Dridex.TWY!tr

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.24.14:443
dead_host	217.8.117.52:80
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-25 06:44:35

Imports

Library KERNEL32.dll:

• 0x53cd0c LoadLibraryA

• 0x53cd10 GetProcAddress

• 0x53cd14 GetModuleHandleA

Library USER32.dll:

• 0x53cd1c LoadIconW

• 0x53cd20 GetActiveWindow

• 0x53cd24 GetDialogBaseUnits

• 0x53cd28 GetKBCodePage

• 0x53cd2c GetOpenClipboardWindow

• 0x53cd30 GetMessageTime

• 0x53cd34 GetForegroundWindow

• 0x53cd38 GetInputState

• 0x53cd3c GetMessagePos

• 0x53cd40 GetDoubleClickTime

• 0x53cd44 GetFocus

Library GDI32.dll:

• 0x53cd4c GetStockObject

• 0x53cd50 GetEnhMetaFileA

• 0x53cd54 AddFontResourceA

• 0x53cd58 AbortDoc

• 0x53cd5c GdiFlush

• 0x53cd60 GdiGetBatchLimit

• 0x53cd64 AbortPath

Library ADVAPI32.dll:

• 0x53cd6c CopySid

• 0x53cd70 EqualSid

• 0x53cd74 GetLengthSid

• 0x53cd78 RegCloseKey

• 0x53cd7c RegEnumKeyA

• 0x53cd80 RegOpenKeyA

• 0x53cd84 AllocateAndInitializeSid

• 0x53cd88 SystemFunction036

• 0x53cd8c RegOpenKeyW

• 0x53cd90 RegQueryValueExA

Library MSVCRT.dll:

• 0x53cd98 _controlfp

• 0x53cd9c __p__fmode

• 0x53cda0 __p__commode

• 0x53cda4 _adjust_fdiv

• 0x53cda8 __setusermatherr

• 0x53cdac _initterm

• 0x53cdb0 _except_handler3

• 0x53cdb4 __set_app_type

• 0x53cdb8 __getmainargs

• 0x53cdbc _acmdln

• 0x53cdc0 exit

• 0x53cdc4 _cexit

• 0x53cdc8 _XcptFilter

• 0x53cdcc _exit

• 0x53cdd0 _c_exit

• 0x53cdd4 wcslen

• 0x53cdd8 wcscpy

• 0x53cddc swscanf

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.