3.4
中危
63 个模型检测该样本为恶意!
重新分析
更多

11065b412136c549ee8944ee85eddaee903039fd5f09e502caf5ab50234fc2fd

af2c8b85835314fcfcda1e166aea9153.exe

分析耗时

19s

最近分析

文件大小

164.5KB
静态报毒 动态报毒 100% AI SCORE=100 AIDETECTVM BEHAVIOR BRQMH CLASSIC CONFIDENCE DROPPERX GENERICKD GENETIC HFSZ HFTR HIGH CONFIDENCE HSYXVH HYNAMER ICEDID KCLOUD KRYPTIK LNYA MALICIOUS PE MALWARE1 MALWARE@#WAVTP0GMUNQA QAKBOT QVM10 R349164 SCORE SMOKELOADER STATIC AI SUSGEN THIOIBO UNSAFE WCSHYGNSU8Q XVWR 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Packed-GCZ!AF2C8B858353 20201213 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Backdoor:Win32/Qakbot.e3cb91ce 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:DropperX-gen [Drp] 20201213 21.1.5827.0
Tencent Win32.Backdoor.Agent.Lnya 20201213 1.0.0.1
Kingsoft Win32.Hack.Undef.(kcloud) 20201213 2017.9.26.565
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1620897713.3693
NtProtectVirtualMemory
process_identifier: 2988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0349a000
success 0 0
1620897713.4003
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00300000
success 0 0
Foreign language identified in PE resource (14 个事件)
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_ICON language LANG_GEORGIAN offset 0x02f15ee0 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT size 0x00000468
name RT_GROUP_ICON language LANG_GEORGIAN offset 0x02f16348 filetype data sublanguage SUBLANG_DEFAULT size 0x0000003e
name RT_GROUP_ICON language LANG_GEORGIAN offset 0x02f16348 filetype data sublanguage SUBLANG_DEFAULT size 0x0000003e
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.287358363197429 section {'size_of_data': '0x00018400', 'virtual_address': '0x00001000', 'entropy': 7.287358363197429, 'name': '.text', 'virtual_size': '0x000183f0'} description A section with a high entropy has been found
entropy 0.5932721712538226 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
CAT-QuickHeal Trojan.Inject.22252
McAfee Packed-GCZ!AF2C8B858353
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:Win32/Qakbot.e3cb91ce
K7GW Trojan ( 0056d5021 )
K7AntiVirus Trojan ( 0056d5021 )
Cyren W32/Trojan.XVWR-7312
Symantec Packed.Generic.525
APEX Malicious
Avast Win32:DropperX-gen [Drp]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Agent.pef
BitDefender Trojan.GenericKD.34423471
NANO-Antivirus Trojan.Win32.Behavior.hsyxvh
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Malpack.168448
MicroWorld-eScan Trojan.GenericKD.34423471
Tencent Win32.Backdoor.Agent.Lnya
Ad-Aware Trojan.GenericKD.34423471
Emsisoft Trojan.Agent (A)
Comodo Malware@#wavtp0gmunqa
F-Secure Trojan.TR/AD.Behavior.brqmh
DrWeb Trojan.Encoder.3953
Zillya Backdoor.Agent.Win32.77461
TrendMicro Backdoor.Win32.QAKBOT.THIOIBO
McAfee-GW-Edition BehavesLike.Win32.Generic.ch
FireEye Generic.mg.af2c8b85835314fc
Sophos Mal/Generic-S
Ikarus Trojan-Banker.IcedID
GData Trojan.GenericKD.34423471
Jiangmin Backdoor.Agent.iio
Webroot W32.Trojan.Gen
Avira TR/AD.Behavior.brqmh
eGambit Unsafe.AI_Score_64%
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Hack.Undef.(kcloud)
Gridinsoft Trojan.Win32.Packed.vb
Arcabit Trojan.Generic.D20D42AF
AegisLab Trojan.Win32.Agent.4!c
ZoneAlarm HEUR:Trojan.Win32.Agent.pef
Microsoft Trojan:Win32/Qakbot.DHE!rfn
AhnLab-V3 Trojan/Win32.Kryptik.R349164
Acronis suspicious
VBA32 Trojan.Hynamer
ALYac Trojan.SmokeLoader
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-12-29 19:18:39

Imports

Library KERNEL32.dll:
0x401018 FindResourceExW
0x401024 ReadConsoleA
0x401028 WaitNamedPipeA
0x40102c GetCurrentProcess
0x401030 ZombifyActCtx
0x40103c SetEvent
0x401040 GetModuleHandleW
0x401044 GetConsoleTitleA
0x40104c GetConsoleCP
0x401050 GlobalAlloc
0x401054 SetConsoleCP
0x401058 lstrcpynA
0x40105c LocalReAlloc
0x401060 GetAtomNameW
0x401064 ReadFile
0x401068 GetDevicePowerState
0x40106c VerifyVersionInfoW
0x401070 InterlockedExchange
0x401074 ReleaseActCtx
0x40107c GetProcAddress
0x401080 AttachConsole
0x401084 GetTapeStatus
0x401088 HeapUnlock
0x401090 HeapLock
0x401094 GetTapeParameters
0x401098 FoldStringW
0x40109c GetCPInfoExA
0x4010a0 ReadConsoleInputW
0x4010a4 lstrcpyA
0x4010a8 CommConfigDialogA
0x4010ac AllocConsole
0x4010b4 CreateMutexW
0x4010b8 GetFileAttributesA
0x4010bc HeapReAlloc
0x4010c8 Sleep
0x4010dc EncodePointer
0x4010e0 DecodePointer
0x4010e4 GetCommandLineW
0x4010e8 HeapSetInformation
0x4010ec GetStartupInfoW
0x4010f0 RaiseException
0x4010f4 GetLastError
0x4010f8 HeapFree
0x4010fc RtlUnwind
0x401100 HeapAlloc
0x401104 ExitProcess
0x401110 IsDebuggerPresent
0x401114 TerminateProcess
0x40111c SetFilePointer
0x401120 CloseHandle
0x401124 WriteFile
0x401128 GetStdHandle
0x40112c GetModuleFileNameW
0x401138 SetHandleCount
0x401140 GetFileType
0x401144 TlsAlloc
0x401148 TlsGetValue
0x40114c TlsSetValue
0x401150 TlsFree
0x401154 SetLastError
0x401158 GetCurrentThreadId
0x40115c HeapCreate
0x401164 GetTickCount
0x401168 GetCurrentProcessId
0x401170 HeapSize
0x401174 GetCPInfo
0x401178 GetACP
0x40117c GetOEMCP
0x401180 IsValidCodePage
0x401184 GetStringTypeW
0x401188 MultiByteToWideChar
0x40118c LoadLibraryW
0x401190 WideCharToMultiByte
0x401194 GetConsoleMode
0x401198 SetStdHandle
0x40119c FlushFileBuffers
0x4011a0 LCMapStringW
0x4011a4 WriteConsoleW
0x4011a8 CreateFileW
Library ADVAPI32.dll:
0x401000 BackupEventLogW
0x401004 BackupEventLogA
0x40100c RegQueryValueExA
0x401010 CloseEventLog

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 60124 239.255.255.250 3702
192.168.56.101 62194 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.