SmartHawk

3.8

中危

58 个模型检测该样本为恶意！

重新分析

下载样本

34fea5456bb0c7351da3e67c7bcc8f58bcb70ac5b7d9d70e1204a5f4556958c4

be086e67c5b92065ef4677b3ea38bdb1.exe

分析耗时

40s

最近分析

文件大小

983.0KB

静态报毒动态报毒 100% 9UW@AESPNIY AGEN AI SCORE=85 AIDETECTVM ATTRIBUTE CHAPAK CLASSIC COINMINERX CONFIDENCE DANABOT ELQV GDSDA GENERICKDZ GENKRYPTIK GLUPTEBA HCZB HIGH CONFIDENCE HIGHCONFIDENCE HJMGQM KRYPT KRYPTIK MALPE MALWARE2 MALWARE@#31DYQ4PSWWBOT MINT PFSY R06EC0DI220 SCORE SIGGEN9 STATIC AI SUSGEN SUSPICIOUS PE TITIREZ TROJANBANKER UNSAFE WACATAC X2065 ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Packed-GAV!BE086E67C5B9	20201228	6.0.6.653
Alibaba	TrojanBanker:Win32/Danabot.b5e0d432	20190527	0.3.0.5
Avast	Win32:CoinminerX-gen [Trj]	20201228	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft		20201228	2017.9.26.565
Tencent	Win32.Trojan-banker.Danabot.Pfsy	20201228	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

C:\suwolalidetekikawoxu-rosozoluficokox zaworo.pdb12\bin\xesopu.pdbð2P_P

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861599.859125 NtProtectVirtualMemory	process_identifier: 2008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 831488 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00b30000	success	0	0
1619861599.859125 NtAllocateVirtualMemory	process_identifier: 2008 region_size: 921600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c00000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.752241041481661

section

{'size_of_data': '0x000dc200', 'virtual_address': '0x00011000', 'entropy': 7.752241041481661, 'name': '.data', 'virtual_size': '0x0054b960'}

description

A section with a high entropy has been found

entropy

0.8966395112016293

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.110:443

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen9.43824
MicroWorld-eScan	Gen:Heur.Mint.Titirez.1.23
FireEye	Generic.mg.be086e67c5b92065
McAfee	Packed-GAV!BE086E67C5B9
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanBanker:Win32/Danabot.b5e0d432
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.7c5b92
Arcabit	Trojan.Mint.Titirez.1.23
BitDefenderTheta	Gen:NN.ZexaF.34700.9uW@aeSPNIy
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
ClamAV	Win.Dropper.Generickdz-7724446-0
Kaspersky	HEUR:Trojan-Banker.Win32.Danabot.pef
BitDefender	Gen:Heur.Mint.Titirez.1.23
NANO-Antivirus	Trojan.Win32.DanaBot.hjmgqm
Paloalto	generic.ml
AegisLab	Riskware.Win32.Malicious.1!c
Rising	Trojan.Kryptik!1.C5FB (CLASSIC)
Ad-Aware	Gen:Heur.Mint.Titirez.1.23
Emsisoft	Gen:Heur.Mint.Titirez.1.23 (B)
Comodo	Malware@#31dyq4pswwbot
F-Secure	Heuristic.HEUR/AGEN.1136028
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06EC0DI220
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Krypt
Jiangmin	Trojan.Chapak.jjt
MaxSecure	Trojan.Malware.74661564.susgen
Avira	HEUR/AGEN.1136028
MAX	malware (ai score=85)
Gridinsoft	Trojan.Win32.Kryptik.ba
Microsoft	Trojan:Win32/Glupteba.MX!MTB
ZoneAlarm	HEUR:Trojan-Banker.Win32.Danabot.pef
GData	Gen:Heur.Mint.Titirez.1.23
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPe.X2065
Acronis	suspicious
VBA32	Trojan.Wacatac
ALYac	Gen:Heur.Mint.Titirez.1.23
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/Kryptik.HCZB
TrendMicro-HouseCall	TROJ_GEN.R06EC0DI220
Tencent	Win32.Trojan-banker.Danabot.Pfsy

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-05-03 22:04:53

Imports

Library KERNEL32.dll:

• 0x40d00c GetLocaleInfoW

• 0x40d010 lstrlenW

• 0x40d014 WritePrivateProfileStringW

• 0x40d018 GetLastError

• 0x40d01c BackupRead

• 0x40d020 GetProcAddress

• 0x40d024 ReadFileEx

• 0x40d028 GetAtomNameA

• 0x40d02c LocalAlloc

• 0x40d030 GlobalWire

• 0x40d034 GetModuleHandleA

• 0x40d038 GetProcessShutdownParameters

• 0x40d03c lstrcatW

• 0x40d040 GetCurrentProcessId

• 0x40d044 LCMapStringW

• 0x40d048 GetTickCount

• 0x40d04c FindFirstFileExW

• 0x40d050 InterlockedDecrement

• 0x40d054 HeapAlloc

• 0x40d058 LoadResource

• 0x40d05c FindResourceW

• 0x40d060 DebugActiveProcessStop

• 0x40d064 DosDateTimeToFileTime

• 0x40d068 GetCommandLineA

• 0x40d06c HeapSetInformation

• 0x40d070 GetStartupInfoW

• 0x40d074 TerminateProcess

• 0x40d078 GetCurrentProcess

• 0x40d07c UnhandledExceptionFilter

• 0x40d080 SetUnhandledExceptionFilter

• 0x40d084 IsDebuggerPresent

• 0x40d088 IsProcessorFeaturePresent

• 0x40d08c GetModuleHandleW

• 0x40d090 ExitProcess

• 0x40d094 DecodePointer

• 0x40d098 WriteFile

• 0x40d09c GetStdHandle

• 0x40d0a0 GetModuleFileNameW

• 0x40d0a4 GetModuleFileNameA

• 0x40d0a8 FreeEnvironmentStringsW

• 0x40d0ac WideCharToMultiByte

• 0x40d0b0 GetEnvironmentStringsW

• 0x40d0b4 SetHandleCount

• 0x40d0b8 InitializeCriticalSectionAndSpinCount

• 0x40d0bc GetFileType

• 0x40d0c0 DeleteCriticalSection

• 0x40d0c4 EncodePointer

• 0x40d0c8 TlsAlloc

• 0x40d0cc TlsGetValue

• 0x40d0d0 TlsSetValue

• 0x40d0d4 TlsFree

• 0x40d0d8 InterlockedIncrement

• 0x40d0dc SetLastError

• 0x40d0e0 GetCurrentThreadId

• 0x40d0e4 HeapCreate

• 0x40d0e8 QueryPerformanceCounter

• 0x40d0ec GetSystemTimeAsFileTime

• 0x40d0f0 GetCPInfo

• 0x40d0f4 GetACP

• 0x40d0f8 GetOEMCP

• 0x40d0fc IsValidCodePage

• 0x40d100 LeaveCriticalSection

• 0x40d104 EnterCriticalSection

• 0x40d108 LoadLibraryW

• 0x40d10c HeapFree

• 0x40d110 Sleep

• 0x40d114 RtlUnwind

• 0x40d118 MultiByteToWideChar

• 0x40d11c GetStringTypeW

• 0x40d120 RaiseException

• 0x40d124 HeapSize

• 0x40d128 HeapReAlloc

Library ADVAPI32.dll:

• 0x40d000 GetSecurityDescriptorSacl

• 0x40d004 RegSetValueExA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com		127.0.0.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.238

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.