SmartHawk

4.2

中危

44 个模型检测该样本为恶意！

重新分析

下载样本

fd11c4dfe3ec12ae0c668e7ac0896e356acbeb91b55899a15420b1510841f34e

b19e1724a2a129acc3aa58cb9c47b026.exe

分析耗时

98s

最近分析

文件大小

128.5KB

静态报毒动态报毒 100% 836TKKNTS54TK1GU6YSYKQ A VARIANT OF GENERIK AGENERIC AI SCORE=99 AIDETECTVM ATTRIBUTE CJFR CONFIDENCE EASQRRP GENERIC@ML GXVFBU HIGH CONFIDENCE HIGHCONFIDENCE IUW@AM6UORBI KILLPROC MALWARE2 MULDROP7 PEFU POSSIBLETHREAT QVM41 RDML S219381 SCORE SKEEYAH SUSGEN SUSPICIOUS PE TNSH UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	RDN/Generic.tfr	20200915	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Alibaba	Trojan:Win32/Skeeyah.75344abd	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20200917	2013.8.14.323
Tencent	Win32.Trojan.Agent.Pefu	20200917	1.0.0.1

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985520.2185 IsDebuggerPresent		failed	0	0

Command line console output was observed (17 个事件)

Time & API	Arguments	Status	Return
1620985094.253271 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x0000000000000007	success	1
1620985094.269271 WriteConsoleW	buffer: reg console_handle: 0x0000000000000007	success	1
1620985094.284271 WriteConsoleW	buffer: add "HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight" /v "AllowElevatedTrustAppsInBrowser" /t reg_dword /d 00000001 /f console_handle: 0x0000000000000007	success	1
1620985099.534271 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x0000000000000007	success	1
1620985099.534271 WriteConsoleW	buffer: reg console_handle: 0x0000000000000007	success	1
1620985099.550271 WriteConsoleW	buffer: add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Silverlight" /v "AllowElevatedTrustAppsInBrowser" /t reg_dword /d 00000001 /f console_handle: 0x0000000000000007	success	1
1620985101.972271 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x0000000000000007	success	1
1620985101.972271 WriteConsoleW	buffer: rem console_handle: 0x0000000000000007	success	1
1620985101.972271 WriteConsoleW	buffer: echo C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ console_handle: 0x0000000000000007	success	1
1620985102.019271 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x0000000000000007	success	1
1620985102.019271 WriteConsoleW	buffer: echo console_handle: 0x0000000000000007	success	1
1620985102.034271 WriteConsoleW	buffer: 安装证书 console_handle: 0x0000000000000007	success	1
1620985102.081271 WriteConsoleW	buffer: 安装证书 console_handle: 0x0000000000000007	success	1
1620985102.206271 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x0000000000000007	success	1
1620985102.206271 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\installCert.exe" console_handle: 0x0000000000000007	success	1
1621009892.22027 WriteConsoleW	buffer: 操作成功完成。 console_handle: 0x0000000000000007	success	1
1621009896.906895 WriteConsoleW	buffer: 操作成功完成。 console_handle: 0x0000000000000007	success	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.code

The executable uses a known packer (1 个事件)

packer

PureBasic 4.x -> Neil Hodgson

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\InstallCert.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6FDB.tmp\7367.bat

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\InstallCert.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\InstallCert.exe

Uses Windows utilities for basic Windows functionality (3 个事件)

cmdline	"C:\Windows\sysnative\cmd" /c "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6FDB.tmp\7367.bat C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b19e1724a2a129acc3aa58cb9c47b026.exe"
cmdline	reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Silverlight" /v "AllowElevatedTrustAppsInBrowser" /t reg_dword /d 00000001 /f
cmdline	reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight" /v "AllowElevatedTrustAppsInBrowser" /t reg_dword /d 00000001 /f

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	52.218.91.60

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Generic.21758474
FireEye	Generic.mg.b19e1724a2a129ac
CAT-QuickHeal	Trojan.KillProc.S219381
McAfee	RDN/Generic.tfr
Cylance	Unsafe
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Skeeyah.75344abd
Arcabit	Trojan.Generic.D14C020A
Invincea	Mal/Generic-S
BitDefenderTheta	Gen:NN.ZexaF.34252.iuW@am6UoRbi
Cyren	W32/Trojan.CJFR-5972
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
BitDefender	Trojan.Generic.21758474
NANO-Antivirus	Trojan.Win32.Drop.gxvfbu
Rising	Trojan.Generic@ML.92 (RDML:836tKKnTs54Tk1gU6ySykQ)
Ad-Aware	Trojan.Generic.21758474
Emsisoft	Trojan.Generic.21758474 (B)
DrWeb	Trojan.MulDrop7.63872
VIPRE	Trojan.Win32.Generic!BT
Sophos	Mal/Generic-S
SentinelOne	DFI - Suspicious PE
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan/Win32.AGeneric
Microsoft	Trojan:Win32/Skeeyah.A!bit
AegisLab	Trojan.BAT.Agent.tnsH
GData	Trojan.Generic.21758474
Acronis	suspicious
VBA32	Trojan.KillProc
ALYac	Trojan.Generic.21758474
MAX	malware (ai score=99)
ESET-NOD32	a variant of Generik.EASQRRP
Tencent	Win32.Trojan.Agent.Pefu
Ikarus	Trojan.Win32.Skeeyah
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
Qihoo-360	HEUR/QVM41.2.3444.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-10-17 21:02:05

Imports

Library MSVCRT.dll:

• 0x4126dc memset

• 0x4126e0 strncmp

• 0x4126e4 memmove

• 0x4126e8 strncpy

• 0x4126ec strstr

• 0x4126f0 _strnicmp

• 0x4126f4 _stricmp

• 0x4126f8 strlen

• 0x4126fc strcmp

• 0x412700 strcpy

• 0x412704 strcat

• 0x412708 memcpy

• 0x41270c sprintf

• 0x412710 fabs

• 0x412714 ceil

• 0x412718 malloc

• 0x41271c floor

• 0x412720 free

• 0x412724 fclose

• 0x412728 tolower

Library KERNEL32.dll:

• 0x412730 GetModuleHandleA

• 0x412734 HeapCreate

• 0x412738 SetConsoleCtrlHandler

• 0x41273c GetCommandLineA

• 0x412740 RemoveDirectoryA

• 0x412744 GetTempFileNameA

• 0x412748 GetShortPathNameA

• 0x41274c GetWindowsDirectoryA

• 0x412750 GetSystemDirectoryA

• 0x412754 HeapDestroy

• 0x412758 ExitProcess

• 0x41275c GetNativeSystemInfo

• 0x412760 FindResourceA

• 0x412764 LoadResource

• 0x412768 SizeofResource

• 0x41276c HeapAlloc

• 0x412770 HeapFree

• 0x412774 Sleep

• 0x412778 LoadLibraryA

• 0x41277c GetProcAddress

• 0x412780 FreeLibrary

• 0x412784 GetCurrentThreadId

• 0x412788 GetCurrentProcessId

• 0x41278c CloseHandle

• 0x412790 InitializeCriticalSection

• 0x412794 GetModuleFileNameA

• 0x412798 GetEnvironmentVariableA

• 0x41279c SetEnvironmentVariableA

• 0x4127a0 GetCurrentProcess

• 0x4127a4 DuplicateHandle

• 0x4127a8 CreatePipe

• 0x4127ac GetStdHandle

• 0x4127b0 CreateProcessA

• 0x4127b4 WaitForSingleObject

• 0x4127b8 EnterCriticalSection

• 0x4127bc LeaveCriticalSection

• 0x4127c0 TerminateProcess

• 0x4127c4 GetExitCodeProcess

• 0x4127c8 CreateFileA

• 0x4127cc ReadFile

• 0x4127d0 WriteFile

• 0x4127d4 SetFilePointer

• 0x4127d8 DeleteFileA

• 0x4127dc GetFileSize

• 0x4127e0 HeapReAlloc

• 0x4127e4 SetUnhandledExceptionFilter

• 0x4127e8 GetVersionExA

• 0x4127ec SetLastError

• 0x4127f0 HeapSize

• 0x4127f4 TlsAlloc

• 0x4127f8 GetCurrentDirectoryA

• 0x4127fc SetCurrentDirectoryA

• 0x412800 GetTempPathA

• 0x412804 SetFileAttributesA

• 0x412808 CreateDirectoryA

• 0x41280c DeleteCriticalSection

• 0x412810 MultiByteToWideChar

• 0x412814 WideCharToMultiByte

Library USER32.DLL:

• 0x41281c CharUpperA

• 0x412820 CharLowerA

• 0x412824 MessageBoxA

• 0x412828 SendMessageA

• 0x41282c PostMessageA

• 0x412830 GetWindowThreadProcessId

• 0x412834 IsWindowVisible

• 0x412838 GetWindowLongA

• 0x41283c GetForegroundWindow

• 0x412840 IsWindowEnabled

• 0x412844 EnableWindow

• 0x412848 EnumWindows

• 0x41284c SetWindowPos

• 0x412850 DestroyWindow

• 0x412854 GetDC

• 0x412858 GetWindowTextLengthA

• 0x41285c GetWindowTextA

• 0x412860 SetRect

• 0x412864 DrawTextA

• 0x412868 GetSystemMetrics

• 0x41286c ReleaseDC

• 0x412870 GetSysColor

• 0x412874 GetSysColorBrush

• 0x412878 CreateWindowExA

• 0x41287c CallWindowProcA

• 0x412880 SetWindowLongA

• 0x412884 SetFocus

• 0x412888 RedrawWindow

• 0x41288c RemovePropA

• 0x412890 DefWindowProcA

• 0x412894 SetPropA

• 0x412898 GetParent

• 0x41289c GetPropA

• 0x4128a0 GetWindow

• 0x4128a4 SetActiveWindow

• 0x4128a8 UnregisterClassA

• 0x4128ac DestroyAcceleratorTable

• 0x4128b0 LoadIconA

• 0x4128b4 LoadCursorA

• 0x4128b8 RegisterClassA

• 0x4128bc AdjustWindowRectEx

• 0x4128c0 ShowWindow

• 0x4128c4 CreateAcceleratorTableA

• 0x4128c8 PeekMessageA

• 0x4128cc MsgWaitForMultipleObjects

• 0x4128d0 GetMessageA

• 0x4128d4 GetActiveWindow

• 0x4128d8 TranslateAcceleratorA

• 0x4128dc TranslateMessage

• 0x4128e0 DispatchMessageA

• 0x4128e4 GetFocus

• 0x4128e8 GetClientRect

• 0x4128ec FillRect

• 0x4128f0 EnumChildWindows

• 0x4128f4 DefFrameProcA

• 0x4128f8 GetWindowRect

• 0x4128fc IsChild

• 0x412900 GetClassNameA

• 0x412904 GetKeyState

• 0x412908 DestroyIcon

• 0x41290c RegisterWindowMessageA

Library GDI32.DLL:

• 0x412914 GetStockObject

• 0x412918 SelectObject

• 0x41291c SetBkColor

• 0x412920 SetTextColor

• 0x412924 GetTextExtentPoint32A

• 0x412928 CreateSolidBrush

• 0x41292c DeleteObject

• 0x412930 GetObjectA

• 0x412934 CreateCompatibleDC

• 0x412938 GetDIBits

• 0x41293c DeleteDC

• 0x412940 GetObjectType

• 0x412944 CreateDIBSection

• 0x412948 BitBlt

• 0x41294c CreateBitmap

• 0x412950 SetPixel

Library COMCTL32.DLL:

• 0x412958 InitCommonControlsEx

Library OLE32.DLL:

• 0x412960 CoInitialize

• 0x412964 CoTaskMemFree

• 0x412968 RevokeDragDrop

Library SHELL32.DLL:

• 0x412970 ShellExecuteExA

Library SHLWAPI.DLL:

• 0x412978 PathQuoteSpacesA

• 0x41297c PathGetArgsA

• 0x412980 PathAddBackslashA

• 0x412984 PathRenameExtensionA

• 0x412988 PathUnquoteSpacesA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
52.218.91.60	80	192.168.56.101	49192

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62194	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.