SmartHawk

6.2

高危

54 个模型检测该样本为恶意！

重新分析

下载样本

22a5872ba6adfe449e46d9a223cb7567697e30f89d6d42095e48de3033359de3

b862ebc24355186667a05fddc9acee34.exe

分析耗时

30s

最近分析

文件大小

69.0KB

静态报毒动态报毒 100% AGEN AI SCORE=100 AIDETECT BSCOPE CMRTAZQRPSI4CLMBM+VWBUNLDEUG CONFIDENCE CRYPMOD DELSHAD ELDORADO FILECODER GENCIRC HIGH CONFIDENCE HJROUC HXQBQV8A MAILTO MALWARE1 MULTIPLUG NETW NETWALK NETWALKER R + TROJ R374144 RANSOMWARE RANSOMX RDMK SCORE SD@8RQQOE STATIC AI SUSGEN SUSPICIOUS PE TROJANPSW W6C4UTZR3JE ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Ransom-NetW!B862EBC24355	20210404	6.0.6.653
Alibaba	Ransom:Win32/NetWalker.cccfc520	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:RansomX-gen [Ransom]	20210404	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10b9c422	20210404	1.0.0.1
Kingsoft		20210404	2017.9.26.565

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861117.564408 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619872574.70627 WriteConsoleW	buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp. console_handle: 0x0000000000000007	success	1	0

Tries to locate where the browsers are installed (1 个事件)

file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

Creates (office) documents on the filesystem (4 个事件)

file	C:\Users\Administrator.Oskar-PC\Documents\rgBOkuCZvFwbYTdJq.docm
file	C:\Users\Administrator.Oskar-PC\Documents\kPrwkXbJuXz.pptx
file	C:\Users\Administrator.Oskar-PC\Documents\VpQWAkzsyCmvJRAK.doc
file	C:\Users\Administrator.Oskar-PC\Documents\pzyWglTgTXwWI.doc

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.912880380302016

section

{'size_of_data': '0x00001600', 'virtual_address': '0x00012000', 'entropy': 7.912880380302016, 'name': '.rsrc', 'virtual_size': '0x00002000'}

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861117.548408 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619872574.62827 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to detect Cuckoo Sandbox through the presence of a file (2 个事件)

file	C:\Python27\agent.pyw
file	C:\tmpsij43m\analyzer.py

Writes a potential ransom message to disk (4 个事件)

Time & API	Arguments	Status
1619861118.033408 NtWriteFile	file_handle: 0x000002e0 filepath: C:\tmpsij43m\B42FEB-Readme.txt buffer: Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .b42feb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_b42feb: 6SkMpLKyqfyd5EekjLNRKf+o8R/WDyY32C423aZOg7WaqKGyj8 zas9Z330v6t8Uy7/pbO9zrV0Vvu0GUIh3yCxkcRFxIRaoSQzaM 0nu5PtAqr1XnCRrTTSt6I+5ny4y46MERoczVVcOwjsDh8H7qzT gJ11Q0JAp2srwzNM8eb6r1d2EVinSQWFDShHSjyqY2CpxmGg4W ltsftL+DkupSAkYv1R3FnaS+ozdW3X1w7Gk6AQwv8gZXM2uICo cUl62lAv+KFgdMsolo+PxmG8A2zWWdI46eU5aDqA==} offset: 0	success
1619861121.579408 NtWriteFile	file_handle: 0x00000e18 filepath: C:\Python27\B42FEB-Readme.txt buffer: Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .b42feb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_b42feb: 6SkMpLKyqfyd5EekjLNRKf+o8R/WDyY32C423aZOg7WaqKGyj8 zas9Z330v6t8Uy7/pbO9zrV0Vvu0GUIh3yCxkcRFxIRaoSQzaM 0nu5PtAqr1XnCRrTTSt6I+5ny4y46MERoczVVcOwjsDh8H7qzT gJ11Q0JAp2srwzNM8eb6r1d2EVinSQWFDShHSjyqY2CpxmGg4W ltsftL+DkupSAkYv1R3FnaS+ozdW3X1w7Gk6AQwv8gZXM2uICo cUl62lAv+KFgdMsolo+PxmG8A2zWWdI46eU5aDqA==} offset: 0	success
1619861124.361408 NtWriteFile	file_handle: 0x000002d8 filepath: C:\tmpsij43m\bin\B42FEB-Readme.txt buffer: Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .b42feb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_b42feb: 6SkMpLKyqfyd5EekjLNRKf+o8R/WDyY32C423aZOg7WaqKGyj8 zas9Z330v6t8Uy7/pbO9zrV0Vvu0GUIh3yCxkcRFxIRaoSQzaM 0nu5PtAqr1XnCRrTTSt6I+5ny4y46MERoczVVcOwjsDh8H7qzT gJ11Q0JAp2srwzNM8eb6r1d2EVinSQWFDShHSjyqY2CpxmGg4W ltsftL+DkupSAkYv1R3FnaS+ozdW3X1w7Gk6AQwv8gZXM2uICo cUl62lAv+KFgdMsolo+PxmG8A2zWWdI46eU5aDqA==} offset: 0	success
1619861125.908408 NtWriteFile	file_handle: 0x00001cb8 filepath: C:\ProgramData\Microsoft\User Account Pictures\B42FEB-Readme.txt buffer: Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .b42feb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_b42feb: 6SkMpLKyqfyd5EekjLNRKf+o8R/WDyY32C423aZOg7WaqKGyj8 zas9Z330v6t8Uy7/pbO9zrV0Vvu0GUIh3yCxkcRFxIRaoSQzaM 0nu5PtAqr1XnCRrTTSt6I+5ny4y46MERoczVVcOwjsDh8H7qzT gJ11Q0JAp2srwzNM8eb6r1d2EVinSQWFDShHSjyqY2CpxmGg4W ltsftL+DkupSAkYv1R3FnaS+ozdW3X1w7Gk6AQwv8gZXM2uICo cUl62lAv+KFgdMsolo+PxmG8A2zWWdI46eU5aDqA==} offset: 0	success

Uses suspicious command line tools or Windows utilities (1 个事件)

cmdline

C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Detects VirtualBox through the presence of a file (3 个事件)

file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.303374
FireEye	Generic.mg.b862ebc243551866
McAfee	Ransom-NetW!B862EBC24355
Malwarebytes	Ransom.NetWalker
Sangfor	Ransom.Win32.Crypmod.gen
K7AntiVirus	Trojan ( 0056b6ab1 )
Alibaba	Ransom:Win32/NetWalker.cccfc520
K7GW	Trojan ( 0056b6ab1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zusy.D4A10E
BitDefenderTheta	AI:Packer.277DB83B1E
Cyren	W32/Netwalker.A.gen!Eldorado
ESET-NOD32	a variant of Win32/Filecoder.NetWalker.D
APEX	Malicious
Avast	Win32:RansomX-gen [Ransom]
ClamAV	Win.Ransomware.Netwalker-7671868-0
Kaspersky	HEUR:Trojan-Ransom.Win32.Mailto.gen
BitDefender	Gen:Variant.Zusy.303374
NANO-Antivirus	Trojan.Win32.Filecoder.hjrouc
Paloalto	generic.ml
AegisLab	Trojan.Win32.DelShad.4!c
Tencent	Malware.Win32.Gencirc.10b9c422
Ad-Aware	Gen:Variant.Zusy.303374
Emsisoft	Gen:Variant.Zusy.303374 (B)
Comodo	TrojWare.Win32.Ransom.NetWalker.SD@8rqqoe
F-Secure	Heuristic.HEUR/AGEN.1115135
DrWeb	Trojan.Encoder.32281
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win32.NETWALKER.SBA
McAfee-GW-Edition	BehavesLike.Win32.MultiPlug.kh
Sophos	Mal/Generic-R + Troj/Netwalk-A
Ikarus	Trojan-Ransom.NetWalker
Avira	HEUR/AGEN.1115135
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.DelShad
Gridinsoft	Ransom.Win32.Ransom.vb!s1
Microsoft	Ransom:Win32/Crypmod
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Mailto.gen
GData	Gen:Variant.Zusy.303374
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.RansomCrypt.R374144
VBA32	BScope.TrojanPSW.Spy
ALYac	Trojan.Ransom.Mailto
TrendMicro-HouseCall	Ransom.Win32.NETWALKER.SBA
Rising	Ransom.NetWalker!1.CFC6 (RDMK:cmRtazqrpsI4clMBM+VwBuNldeUg)
Yandex	Trojan.Filecoder!w6c4UtZR3jE
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/NetWalker.B!tr.ransom

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-26 23:20:15

Imports

Library KERNEL32.dll:

• 0x410000 Sleep

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.