SmartHawk

5.0

中危

52 个模型检测该样本为恶意！

重新分析

下载样本

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2

a41429f7dbecfb76e6b7534afbeb4f74.exe

分析耗时

103s

最近分析

文件大小

332.7KB

静态报毒动态报毒 100% 9QKGB+7L+IG AI SCORE=82 ARTEMIS BAZALOADER BAZAR BAZARLOADER CERTIFICATE CLASSIC CONFIDENCE EMOTET GENERICKD HIGH CONFIDENCE HWLLJR JREB KCLOUD KLMYU MALCERT MALWARE@#1SVVMJ7KYU54I MALWAREX MANSABO POSSIBLE POSSIBLETHREAT R350953 SIGGEN10 THREAT TRICKBOT TRICKSTER UNSAFE UNTRUSTED YAAJ 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!A41429F7DBEC	20201119	6.0.6.653
Alibaba	Trojan:Win32/Mansabo.0dd3f9bc	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win64:MalwareX-gen [Trj]	20201119	20.10.5736.0
Kingsoft	Win32.Troj.Mansabo.f.(kcloud)	20201119	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620825299.413395 IsDebuggerPresent		failed	0	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620825314.616395 NtAllocateVirtualMemory	process_identifier: 1940 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000001d60000	success	0	0
1620825314.663395 NtAllocateVirtualMemory	process_identifier: 1940 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000001ef0000	success	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620825314.710395 NtProtectVirtualMemory	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffffffffffff base_address: 0x0000000180001000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.628399355687919

section

{'size_of_data': '0x00032e00', 'virtual_address': '0x00023000', 'entropy': 7.628399355687919, 'name': '.rsrc', 'virtual_size': '0x00032ca0'}

description

A section with a high entropy has been found

entropy

0.6223241590214067

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34503164
FireEye	Trojan.GenericKD.34503164
CAT-QuickHeal	Trojan.Mansabo
McAfee	Artemis!A41429F7DBEC
Cylance	Unsafe
Zillya	Trojan.Agent.Win64.6310
K7AntiVirus	Trojan ( 00569e701 )
Alibaba	Trojan:Win32/Mansabo.0dd3f9bc
K7GW	Trojan ( 00569e701 )
Arcabit	Trojan.Generic.D20E79FC
Invincea	Mal/Generic-S
Cyren	W64/Trojan.JREB-7299
Symantec	Trojan.Gen.MBT
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan.Win32.Mansabo.fro
BitDefender	Trojan.GenericKD.34503164
NANO-Antivirus	Trojan.Win64.Mansabo.hwlljr
Paloalto	generic.ml
ViRobot	Trojan.Win64.S.Agent.340664
Ad-Aware	Trojan.GenericKD.34503164
Sophos	Mal/Generic-S
Comodo	Malware@#1svvmj7kyu54i
F-Secure	Trojan.TR/AD.Bazar.klmyu
DrWeb	Trojan.Siggen10.16353
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.Win64.BAZALOADER.YAAJ-A
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	MalCert-S.CC (A)
Ikarus	possible-Threat.Untrusted.Certificate
Webroot	W32.Trojan.Gen
Avira	TR/AD.Bazar.klmyu
Kingsoft	Win32.Troj.Mansabo.f.(kcloud)
Gridinsoft	Trojan.Win64.Agent.oa
Microsoft	Trojan:Win64/bazarLoader.A!MTB
AegisLab	Trojan.Win32.Mansabo.4!c
ZoneAlarm	Trojan.Win32.Mansabo.fro
GData	Trojan.GenericKD.34503164
AhnLab-V3	Trojan/Win32.Emotet.R350953
ALYac	Trojan.Trickster.Gen
MAX	malware (ai score=82)
VBA32	Backdoor.Win64.Bazar
Malwarebytes	Trojan.TrickBot
ESET-NOD32	Win64/Bazar.Q
TrendMicro-HouseCall	Trojan.Win64.BAZALOADER.YAAJ-A
Rising	Trojan.MalCert!1.CC23 (CLASSIC)
Yandex	Trojan.Agent!9QKgB+7L+ig
Fortinet	PossibleThreat.MU
AVG	Win64:MalwareX-gen [Trj]
Panda	Trj/CI.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-09 18:12:05

Imports

Library KERNEL32.dll:

• 0x14001e050 CreateThread

• 0x14001e058 TerminateThread

• 0x14001e060 GetExitCodeThread

• 0x14001e068 GetProcAddress

• 0x14001e070 VirtualAlloc

• 0x14001e078 CreateDirectoryW

• 0x14001e080 ReadFile

• 0x14001e088 SetFilePointerEx

• 0x14001e090 WriteFile

• 0x14001e098 GetCurrentProcessId

• 0x14001e0a0 ExitProcess

• 0x14001e0a8 GetTickCount

• 0x14001e0b0 QueryPerformanceCounter

• 0x14001e0b8 RtlCaptureContext

• 0x14001e0c0 RtlLookupFunctionEntry

• 0x14001e0c8 RtlVirtualUnwind

• 0x14001e0d0 IsDebuggerPresent

• 0x14001e0d8 SetUnhandledExceptionFilter

• 0x14001e0e0 UnhandledExceptionFilter

• 0x14001e0e8 GetCurrentProcess

• 0x14001e0f0 TerminateProcess

• 0x14001e0f8 GetStartupInfoA

• 0x14001e100 Sleep

• 0x14001e108 FindResourceA

• 0x14001e110 LoadResource

• 0x14001e118 SizeofResource

• 0x14001e120 CreateFileW

• 0x14001e128 CloseHandle

• 0x14001e130 GlobalAlloc

• 0x14001e138 GetModuleHandleW

• 0x14001e140 lstrcpynW

• 0x14001e148 GetCurrentThreadId

• 0x14001e150 GlobalFree

• 0x14001e158 GetSystemTimeAsFileTime

Library USER32.dll:

• 0x14001e298 ClientToScreen

• 0x14001e2a0 ReleaseCapture

• 0x14001e2a8 SetCapture

• 0x14001e2b0 SetFocus

• 0x14001e2b8 SetCursor

• 0x14001e2c0 LoadCursorW

• 0x14001e2c8 CallWindowProcW

• 0x14001e2d0 EndPaint

• 0x14001e2d8 BeginPaint

• 0x14001e2e0 DestroyCursor

• 0x14001e2e8 SendDlgItemMessageW

• 0x14001e2f0 SetDlgItemTextW

• 0x14001e2f8 EndDialog

• 0x14001e300 GetDlgItemTextW

• 0x14001e308 MessageBoxW

• 0x14001e310 EnableWindow

• 0x14001e318 ShowWindow

• 0x14001e320 LoadIconW

• 0x14001e328 DialogBoxParamW

• 0x14001e330 wsprintfW

• 0x14001e338 GetParent

• 0x14001e340 GetDlgItem

• 0x14001e348 SetWindowTextW

• 0x14001e350 IsWindow

• 0x14001e358 GetWindowLongW

• 0x14001e360 CreateCursor

• 0x14001e368 GetWindowRect

• 0x14001e370 PtInRect

• 0x14001e378 InvalidateRect

• 0x14001e380 UpdateWindow

• 0x14001e388 GetDC

• 0x14001e390 ReleaseDC

• 0x14001e398 SetWindowPos

• 0x14001e3a0 GetWindowLongPtrW

• 0x14001e3a8 SendMessageW

• 0x14001e3b0 GetClientRect

• 0x14001e3b8 FillRect

• 0x14001e3c0 GetFocus

• 0x14001e3c8 DrawFocusRect

• 0x14001e3d0 DrawTextW

• 0x14001e3d8 SetWindowLongPtrW

Library GDI32.dll:

• 0x14001e010 GetObjectW

• 0x14001e018 GetStockObject

• 0x14001e020 DeleteObject

• 0x14001e028 CreateFontIndirectW

• 0x14001e030 SetTextColor

• 0x14001e038 SelectObject

• 0x14001e040 SetBkMode

Library COMDLG32.dll:

• 0x14001e000 GetOpenFileNameW

Library SHELL32.dll:

• 0x14001e288 ShellExecuteW

Library MSVCR90.dll:

• 0x14001e168 _decode_pointer

• 0x14001e170 _onexit

• 0x14001e178 _lock

• 0x14001e180 __dllonexit

• 0x14001e188 _unlock

• 0x14001e190 ?terminate@@YAXXZ

• 0x14001e198 __crt_debugger_hook

• 0x14001e1a0 __set_app_type

• 0x14001e1a8 _encode_pointer

• 0x14001e1b0 _fmode

• 0x14001e1b8 _commode

• 0x14001e1c0 __setusermatherr

• 0x14001e1c8 _configthreadlocale

• 0x14001e1d0 _initterm_e

• 0x14001e1d8 _initterm

• 0x14001e1e0 _acmdln

• 0x14001e1e8 exit

• 0x14001e1f0 _cexit

• 0x14001e1f8 _ismbblead

• 0x14001e200 _exit

• 0x14001e208 _XcptFilter

• 0x14001e210 __C_specific_handler

• 0x14001e218 __getmainargs

• 0x14001e220 _amsg_exit

• 0x14001e228 __CxxFrameHandler3

• 0x14001e230 _byteswap_ulong

• 0x14001e238 _byteswap_uint64

• 0x14001e240 ??_U@YAPEAX_K@Z

• 0x14001e248 memset

• 0x14001e250 malloc

• 0x14001e258 wcslen

• 0x14001e260 ??2@YAPEAX_K@Z

• 0x14001e268 ??3@YAXPEAX@Z

• 0x14001e270 free

• 0x14001e278 ??_V@YAXPEAX@Z

Exports

Ordinal	Address	Name
1	0x140002380	ERWQSDASQWAFASASWW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	142.250.66.110
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.