SmartHawk

2.4

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

3987a758b4ba5aa5a7a88370559abb4468b8fed89b98bf341761a94c6fedb8ab

b407925c15c4e45eeaa76dd72b6b559a.exe

分析耗时

78s

最近分析

文件大小

3.4MB

静态报毒动态报毒 AAIPM AI SCORE=89 ATTRIBUTE CERT CLASSIC CONFIDENCE DANGEROUSSIG EHBISUJ EHLS ELDORADO ENCPK EOMNR@0 EPACK F2XJCJ GEN2 GENERICKD GENERIK GENETIC GRAYWARE HACKTOOL HFMH HIGH CONFIDENCE HIGHCONFIDENCE HRPXLL INJECT3 KRAP KRYPTIK LKMC PINKSBOT QAKBOT QBOT R + MAL R347713 SCORE SUSPICIOUS PE THHABBO UNSAFE XPX@AEKTM4P YAKES ZENPAK ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Yakes.45fd1311	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20200905	2013.8.14.323
McAfee	W32/PinkSbot-GZ!B407925C15C4	20200905	6.0.6.653
Tencent		20200905	1.0.0.1
CrowdStrike	win/malicious_confidence_70% (D)	20190702	1.0

This executable is signed

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861131.084269 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00a60000	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43644578
FireEye	Generic.mg.b407925c15c4e45e
CAT-QuickHeal	Trojan.Yakes
ALYac	Trojan.Agent.QakBot
Cylance	Unsafe
Zillya	Trojan.Yakes.Win32.80342
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c68d1 )
Alibaba	Trojan:Win32/Yakes.45fd1311
K7GW	Trojan ( 0056c68d1 )
Cybereason	malicious.b75e5a
Arcabit	Trojan.Generic.D299F6A2
Invincea	Mal/Generic-R + Mal/EncPk-APV
Cyren	W32/Qbot.Q.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Qakbot-9514843-0
Kaspersky	Trojan.Win32.Yakes.aaipm
BitDefender	Trojan.GenericKD.43644578
NANO-Antivirus	Trojan.Win32.Zenpak.hrpxll
ViRobot	Trojan.Win32.Z.Agent.3535864
Rising	Trojan.Kryptik!1.CA76 (CLASSIC)
Ad-Aware	Trojan.GenericKD.43644578
Comodo	TrojWare.Win32.Agent.eomnr@0
F-Secure	Trojan.TR/Crypt.EPACK.Gen2
DrWeb	Trojan.Inject3.50194
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Backdoor.Win32.QAKBOT.THHABBO
Sophos	Mal/EncPk-APV
SentinelOne	DFI - Suspicious PE
Jiangmin	Trojan.Zenpak.ctx
Avira	TR/Crypt.EPACK.Gen2
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Microsoft	Trojan:Win32/Qakbot.VD!Cert
AegisLab	Hacktool.Win32.Krap.lKMc
ZoneAlarm	Trojan.Win32.Yakes.aaipm
GData	Win32.Trojan.PSE.F2XJCJ
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Qakbot.R347713
Acronis	suspicious
McAfee	W32/PinkSbot-GZ!B407925C15C4
MAX	malware (ai score=89)
VBA32	Trojan.Inject
Malwarebytes	Backdoor.Qbot
ESET-NOD32	a variant of Win32/Kryptik.HFMH
TrendMicro-HouseCall	Backdoor.Win32.QAKBOT.SMF
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_94%

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1983-02-08 03:46:07

Imports

Library KERNEL32.dll:

• 0x75e42c GetModuleHandleA

• 0x75e430 GetModuleFileNameA

• 0x75e434 QueryPerformanceCounter

• 0x75e438 GetProcAddress

• 0x75e43c QueryPerformanceFrequency

• 0x75e440 LoadLibraryA

• 0x75e444 EnumSystemLocalesW

• 0x75e448 lstrcat

• 0x75e44c ReadFile

• 0x75e450 WritePrivateProfileStructA

• 0x75e454 InitializeCriticalSectionAndSpinCount

• 0x75e458 GetModuleHandleW

• 0x75e45c VirtualAllocEx

• 0x75e460 GetLastError

• 0x75e464 Sleep

Library USER32.dll:

• 0x75e46c HideCaret

• 0x75e470 InsertMenuItemW

• 0x75e474 GetCursor

• 0x75e478 IMPGetIMEW

• 0x75e47c BroadcastSystemMessageA

• 0x75e480 RemoveMenu

• 0x75e484 DrawIcon

• 0x75e488 LoadIconA

• 0x75e48c GetAsyncKeyState

• 0x75e490 WindowFromDC

• 0x75e494 GetClipboardData

• 0x75e498 ReleaseCapture

• 0x75e49c IsCharLowerA

• 0x75e4a0 GetInputState

• 0x75e4a4 GetThreadDesktop

• 0x75e4a8 DestroyWindow

• 0x75e4ac GetListBoxInfo

• 0x75e4b0 GetTopWindow

• 0x75e4b4 CharNextA

• 0x75e4b8 EndMenu

• 0x75e4bc CloseDesktop

• 0x75e4c0 GetDlgCtrlID

Library GDI32.dll:

• 0x75e4c8 GetCharABCWidthsFloatA

• 0x75e4cc EngDeleteSurface

• 0x75e4d0 GdiEntry15

• 0x75e4d4 XLATEOBJ_piVector

• 0x75e4d8 EnumFontFamiliesA

• 0x75e4dc CreateMetaFileA

• 0x75e4e0 FONTOBJ_pxoGetXform

• 0x75e4e4 GetGlyphOutlineWow

• 0x75e4e8 DrawEscape

• 0x75e4ec PATHOBJ_bEnum

• 0x75e4f0 ChoosePixelFormat

• 0x75e4f4 GetWindowExtEx

• 0x75e4f8 GdiDllInitialize

• 0x75e4fc GetStockObject

• 0x75e500 GetEnhMetaFileW

• 0x75e504 GetDCBrushColor

• 0x75e508 GetDCPenColor

• 0x75e50c CloseFigure

• 0x75e510 CreateCompatibleDC

• 0x75e514 GetMapMode

• 0x75e518 PathToRegion

• 0x75e51c SetMetaRgn

• 0x75e520 GetTextCharacterExtra

• 0x75e524 GetStretchBltMode

• 0x75e528 GetPixelFormat

• 0x75e52c GetSystemPaletteUse

• 0x75e530 DeleteMetaFile

Library ADVAPI32.dll:

• 0x75e538 RegOpenKeyExA

• 0x75e53c RegQueryValueExA

• 0x75e540 RegCloseKey

• 0x75e544 RegOpenKeyW

• 0x75e548 GetUserNameA

Library SHELL32.dll:

• 0x75e550 ShellExecuteEx

• 0x75e554 SHGetSpecialFolderPathA

• 0x75e558 SHFreeNameMappings

• 0x75e55c DuplicateIcon

• 0x75e560 ShellExecuteW

• 0x75e564 DragQueryFileW

• 0x75e568 ExtractAssociatedIconExW

• 0x75e56c SHBrowseForFolderA

• 0x75e570 SHFileOperationA

• 0x75e574 CommandLineToArgvW

• 0x75e578 ShellAboutW

• 0x75e57c ShellHookProc

• 0x75e580 CheckEscapesW

• 0x75e584 SHQueryRecycleBinW

• 0x75e588 SHFileOperationW

• 0x75e58c SHBrowseForFolder

• 0x75e590 ShellExecuteExA

• 0x75e594 Shell_NotifyIcon

• 0x75e598 DragQueryFileAorW

• 0x75e59c SHGetFileInfoA

• 0x75e5a0 SHGetFileInfoW

• 0x75e5a4 SHCreateDirectoryExW

• 0x75e5a8 SHGetFolderLocation

• 0x75e5ac SHQueryRecycleBinA

• 0x75e5b0 SHInvokePrinterCommandW

• 0x75e5b4 SHBindToParent

• 0x75e5b8 SHGetPathFromIDListA

• 0x75e5bc DoEnvironmentSubstA

Library SHLWAPI.dll:

• 0x75e5c4 StrChrIW

• 0x75e5c8 StrStrA

• 0x75e5cc StrChrA

• 0x75e5d0 StrStrIW

• 0x75e5d4 StrChrIA

• 0x75e5d8 StrCmpNA

• 0x75e5dc StrRChrA

• 0x75e5e0 StrRChrIA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.