SmartHawk

3.0

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

5ec9956ab6d2da1c6f438b4fc01bba575aa3bd3f4c0811a11dd9579c06e42f4d

b43c58247983f3a5b214159b2ddb0dad.exe

分析耗时

17s

最近分析

文件大小

441.5KB

静态报毒动态报毒 AI SCORE=81 AIDETECTVM APVOD ARTEMIS AZORULT BSCOPE BUW@AUXZGBCG CLOUD GANDCRAB GDSDA GENERICKD HBSU HBVP HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALPE MODERATE NEMTY PDCE PWSX QQPASS QQROB R002C0DCC20 R328248 RACEALER RYPACK SCORE SIGGEN9 STELLARSTEALER SUSGEN TROJANPSW UNSAFE WACATAC YMIL ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!B43C58247983	20200315	6.0.6.653
Alibaba	TrojanPSW:Win32/Racealer.e0a0e21d	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20200316	2013.8.14.323
Tencent	Win32.Trojan-qqpass.Qqrob.Pdce	20200316	1.0.0.1
Avast	Win32:PWSX-gen [Trj]	20200316	18.4.3895.0
CrowdStrike		20180202	1.0

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861118.230865 NtProtectVirtualMemory	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 315392 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0029c000	success	0	0
1619861118.261865 NtAllocateVirtualMemory	process_identifier: 2868 region_size: 557056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02330000	success	0	0

Foreign language identified in PE resource (14 个事件)

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

offset

0x0071c2a0

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

size

0x00000468

name

RT_ACCELERATOR

language

LANG_JAPANESE

offset

0x0071c780

filetype

data

sublanguage

SUBLANG_DEFAULT

size

0x00000018

name

RT_GROUP_ICON

language

LANG_JAPANESE

offset

0x0071c708

filetype

data

sublanguage

SUBLANG_DEFAULT

size

0x00000076

name

RT_GROUP_ICON

language

LANG_JAPANESE

offset

0x0071c708

filetype

data

sublanguage

SUBLANG_DEFAULT

size

0x00000076

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.93001922425513

section

{'size_of_data': '0x0005cc00', 'virtual_address': '0x00001000', 'entropy': 7.93001922425513, 'name': '.text', 'virtual_size': '0x0005cb90'}

description

A section with a high entropy has been found

entropy

0.8422247446083996

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware
DrWeb	Trojan.Siggen9.19437
MicroWorld-eScan	Trojan.GenericKD.33533615
FireEye	Generic.mg.b43c58247983f3a5
CAT-QuickHeal	Trojan.Wacatac
McAfee	Artemis!B43C58247983
Cylance	Unsafe
SUPERAntiSpyware	Ransom.GandCrab/Variant
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanPSW:Win32/Racealer.e0a0e21d
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.8df6d1
Arcabit	Trojan.Generic.D1FFAEAF
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZexaF.34100.BuW@auXZgbcG
Symantec	Ransom.Nemty
ESET-NOD32	a variant of Win32/Kryptik.HBVP
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Racealer.dua
BitDefender	Trojan.GenericKD.33533615
AegisLab	Trojan.Win32.Malicious.4!c
Rising	Trojan.Kryptik!8.8 (CLOUD)
Endgame	malicious (high confidence)
Emsisoft	Trojan.GenericKD.33533615 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DCC20
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Trapmine	malicious.moderate.ml.score
Sophos	Mal/RyPack-A
Ikarus	Trojan.Win32.Crypt
Cyren	W32/Trojan.YMIL-4035
Jiangmin	Trojan.PSW.Racealer.adq
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/AD.StellarStealer.apvod
Antiy-AVL	Trojan[PSW]/Win32.Racealer
Microsoft	Trojan:Win32/Azorult.VSD!MTB
ViRobot	Trojan.Win32.Z.Rypack.452096.A
ZoneAlarm	Trojan-PSW.Win32.Racealer.dua
GData	Trojan.GenericKD.33533615
AhnLab-V3	Trojan/Win32.MalPe.R328248
Acronis	suspicious
VBA32	BScope.Trojan.AET.281105
ALYac	Trojan.GenericKD.33533615
MAX	malware (ai score=81)
Ad-Aware	Trojan.GenericKD.33533615
Malwarebytes	Trojan.MalPack.GS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DCC20

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-03-16 23:17:26

Imports

Library KERNEL32.dll:

• 0x45e000 GetVolumeNameForVolumeMountPointA

• 0x45e004 GetFullPathNameA

• 0x45e008 HeapReAlloc

• 0x45e00c GetNumaNodeProcessorMask

• 0x45e010 SetPriorityClass

• 0x45e014 lstrlenA

• 0x45e018 EnumDateFormatsExW

• 0x45e01c MapViewOfFile

• 0x45e020 WriteConsoleOutputCharacterA

• 0x45e024 ClearCommError

• 0x45e028 GetQueuedCompletionStatus

• 0x45e02c SetMailslotInfo

• 0x45e030 SetConsoleScreenBufferSize

• 0x45e034 FindFirstFileExW

• 0x45e038 GetTickCount

• 0x45e03c GetThreadSelectorEntry

• 0x45e040 EnumSystemCodePagesA

• 0x45e044 GetWriteWatch

• 0x45e048 GetAtomNameW

• 0x45e04c IsDBCSLeadByte

• 0x45e050 GetModuleFileNameW

• 0x45e054 GetEnvironmentVariableA

• 0x45e058 CompareStringW

• 0x45e05c MultiByteToWideChar

• 0x45e060 DisconnectNamedPipe

• 0x45e064 GetLastError

• 0x45e068 GetLongPathNameW

• 0x45e06c GetProcAddress

• 0x45e070 _hwrite

• 0x45e074 LoadLibraryA

• 0x45e078 LocalAlloc

• 0x45e07c SetCalendarInfoW

• 0x45e080 GetExitCodeThread

• 0x45e084 SetFileApisToANSI

• 0x45e088 SetProcessWorkingSetSize

• 0x45e08c CreatePipe

• 0x45e090 GetDefaultCommConfigA

• 0x45e094 FindFirstVolumeMountPointA

• 0x45e098 WTSGetActiveConsoleSessionId

• 0x45e09c _lread

• 0x45e0a0 GetWindowsDirectoryW

• 0x45e0a4 GetCurrentProcessId

• 0x45e0a8 FindNextVolumeA

• 0x45e0ac GetCommandLineA

• 0x45e0b0 GetStartupInfoA

• 0x45e0b4 TerminateProcess

• 0x45e0b8 GetCurrentProcess

• 0x45e0bc UnhandledExceptionFilter

• 0x45e0c0 SetUnhandledExceptionFilter

• 0x45e0c4 IsDebuggerPresent

• 0x45e0c8 EnterCriticalSection

• 0x45e0cc LeaveCriticalSection

• 0x45e0d0 RtlUnwind

• 0x45e0d4 HeapFree

• 0x45e0d8 SetFilePointer

• 0x45e0dc GetModuleHandleW

• 0x45e0e0 Sleep

• 0x45e0e4 ExitProcess

• 0x45e0e8 WriteFile

• 0x45e0ec GetStdHandle

• 0x45e0f0 GetModuleFileNameA

• 0x45e0f4 FreeEnvironmentStringsA

• 0x45e0f8 GetEnvironmentStrings

• 0x45e0fc FreeEnvironmentStringsW

• 0x45e100 WideCharToMultiByte

• 0x45e104 GetEnvironmentStringsW

• 0x45e108 SetHandleCount

• 0x45e10c GetFileType

• 0x45e110 DeleteCriticalSection

• 0x45e114 TlsGetValue

• 0x45e118 TlsAlloc

• 0x45e11c TlsSetValue

• 0x45e120 TlsFree

• 0x45e124 InterlockedIncrement

• 0x45e128 SetLastError

• 0x45e12c GetCurrentThreadId

• 0x45e130 InterlockedDecrement

• 0x45e134 HeapCreate

• 0x45e138 VirtualFree

• 0x45e13c QueryPerformanceCounter

• 0x45e140 GetSystemTimeAsFileTime

• 0x45e144 RaiseException

• 0x45e148 GetConsoleCP

• 0x45e14c GetConsoleMode

• 0x45e150 GetCPInfo

• 0x45e154 GetACP

• 0x45e158 GetOEMCP

• 0x45e15c IsValidCodePage

• 0x45e160 CloseHandle

• 0x45e164 CreateFileA

• 0x45e168 InitializeCriticalSectionAndSpinCount

• 0x45e16c HeapAlloc

• 0x45e170 VirtualAlloc

• 0x45e174 SetStdHandle

• 0x45e178 FlushFileBuffers

• 0x45e17c GetModuleHandleA

• 0x45e180 WriteConsoleA

• 0x45e184 GetConsoleOutputCP

• 0x45e188 WriteConsoleW

• 0x45e18c LCMapStringA

• 0x45e190 LCMapStringW

• 0x45e194 GetStringTypeA

• 0x45e198 GetStringTypeW

• 0x45e19c GetLocaleInfoA

• 0x45e1a0 SetEndOfFile

• 0x45e1a4 GetProcessHeap

• 0x45e1a8 ReadFile

• 0x45e1ac HeapSize

Library USER32.dll:

• 0x45e1b4 GetCaretPos

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.