SmartHawk

3.2

中危

55 个模型检测该样本为恶意！

重新分析

下载样本

2c408154210b1fd0b9e9266e9e3b961ecce0f5beefa1cd200c0f5224ccf8512c

b03c703724c85f26390852f3649e264b.exe

分析耗时

74s

最近分析

文件大小

3.0MB

静态报毒动态报毒 100% AAMCZ AGOC AI SCORE=81 ATTRIBUTE BSCOPE CLASSIC CONFIDENCE DANGEROUSSIG EHLS ELDORADO ENCPK GENCBL GENERICKD GENERICKDZ GRAYWARE HACKTOOL HFYH HIGH CONFIDENCE HIGHCONFIDENCE HUCHMG INJECT3 KRAP KRYPTIK LKMC MALCERT MALICIOUS PE MALWARE@#3L84S6P88I8FZ MUQEP PINKSBOT QAKBOT QVM19 R06EC0PI620 R350780 S + MAL SCORE UNSAFE XPACK YAKES 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	W32/PinkSbot-HA!B03C703724C8	20201022	6.0.6.653
Alibaba	Trojan:Win32/Yakes.c5d75f08	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:DangerousSig [Trj]	20201022	18.4.3895.0
Kingsoft		20201022	2013.8.14.323

This executable is signed

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.ra71
section	.ra7

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

MAD

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620897715.670372 NtAllocateVirtualMemory	process_identifier: 2740 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success	0	0

Foreign language identified in PE resource (8 个事件)

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

name

RT_VERSION

language

LANG_PORTUGUESE

offset

0x002f9ddc

filetype

data

sublanguage

SUBLANG_PORTUGUESE

size

0x00000314

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.b03c703724c85f26
McAfee	W32/PinkSbot-HA!B03C703724C8
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2517258
Sangfor	Malware
K7AntiVirus	Trojan ( 0056dbf31 )
Alibaba	Trojan:Win32/Yakes.c5d75f08
K7GW	Trojan ( 0056dbf31 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D29C1415
TrendMicro	TROJ_GEN.R06EC0PI620
Cyren	W32/Kryptik.BWQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DangerousSig [Trj]
ClamAV	Win.Packed.Generickdz-9764486-0
Kaspersky	Trojan.Win32.Yakes.aamcz
BitDefender	Trojan.GenericKD.43783189
NANO-Antivirus	Trojan.Win32.Yakes.huchmg
Paloalto	generic.ml
AegisLab	Hacktool.Win32.Krap.lKMc
MicroWorld-eScan	Trojan.GenericKD.43783189
Ad-Aware	Trojan.GenericKD.43783189
Sophos	Mal/EncPk-APV
Comodo	Malware@#3l84s6p88i8fz
F-Secure	Trojan.TR/Crypt.XPACK.muqep
DrWeb	Trojan.Inject3.54432
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-S + Mal/EncPk-APV
McAfee-GW-Edition	W32/PinkSbot-HA!B03C703724C8
Emsisoft	MalCert.A (A)
Ikarus	Trojan-Banker.QakBot
Jiangmin	Trojan.Yakes.agoc
Webroot	W32.Trojan.Gen
Avira	TR/Crypt.XPACK.muqep
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Microsoft	Trojan:Win32/Qakbot.SD!MTB
ZoneAlarm	Trojan.Win32.Yakes.aamcz
GData	Trojan.GenericKD.43783189
AhnLab-V3	Trojan/Win32.Kryptik.R350780
ALYac	Trojan.Agent.QakBot
MAX	malware (ai score=81)
VBA32	BScope.Trojan.Inject
Malwarebytes	Trojan.Crypt
ESET-NOD32	a variant of Win32/Kryptik.HFYH
TrendMicro-HouseCall	TROJ_GEN.R06EC0PI620
Rising	Trojan.MalCert!1.CBD2 (CLASSIC)
SentinelOne	DFI - Malicious PE

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2097-10-18 04:01:18

Imports

Library KERNEL32.dll:

• 0x403324 GetLastError

• 0x403328 Sleep

• 0x40332c GetModuleHandleW

• 0x403330 VirtualAllocEx

Library USER32.dll:

• 0x403338 LoadIconA

• 0x40333c PeekMessageA

• 0x403340 KillTimer

• 0x403344 DefWindowProcA

• 0x403348 LoadCursorA

• 0x40334c IsDialogMessageA

• 0x403350 GetFocus

• 0x403354 BeginPaint

• 0x403358 EndPaint

• 0x40335c ScreenToClient

• 0x403360 SetRect

• 0x403364 FillRect

• 0x403368 IntersectRect

• 0x40336c CopyRect

• 0x403370 SetWindowLongA

• 0x403374 MoveWindow

• 0x403378 DestroyWindow

• 0x40337c CheckMenuItem

• 0x403380 SetRectEmpty

• 0x403384 RemoveMenu

• 0x403388 GetSubMenu

• 0x40338c CreateMenu

• 0x403390 EnableMenuItem

• 0x403394 GetMenuStringA

• 0x403398 ModifyMenuA

• 0x40339c InsertMenuA

• 0x4033a0 GetParent

• 0x4033a4 TranslateMessage

• 0x4033a8 SetForegroundWindow

• 0x4033ac SetFocus

• 0x4033b0 PostQuitMessage

• 0x4033b4 PostMessageA

• 0x4033b8 CreateWindowExA

• 0x4033bc RegisterClassA

• 0x4033c0 GetDC

• 0x4033c4 LoadMenuA

• 0x4033c8 IsIconic

• 0x4033cc GetWindowLongA

• 0x4033d0 ClientToScreen

• 0x4033d4 GetWindowRect

• 0x4033d8 GetClassNameA

• 0x4033dc DestroyMenu

• 0x4033e0 IsRectEmpty

• 0x4033e4 IsWindow

• 0x4033e8 ShowWindow

• 0x4033ec LoadBitmapA

• 0x4033f0 GetSysColor

• 0x4033f4 GetDlgItem

• 0x4033f8 GetClientRect

• 0x4033fc DrawTextA

• 0x403400 wsprintfA

• 0x403404 GetSystemMetrics

• 0x403408 GetWindowDC

• 0x40340c ReleaseDC

• 0x403410 EndDialog

• 0x403414 InflateRect

• 0x403418 GetCursorPos

• 0x40341c GetActiveWindow

Library GDI32.dll:

• 0x403424 GetStockObject

• 0x403428 GetEnhMetaFileBits

Library ADVAPI32.dll:

• 0x403430 RegOpenKeyA

• 0x403434 RegQueryValueExA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	50005	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.