SmartHawk

8.0

高危

61 个模型检测该样本为恶意！

重新分析

下载样本

3564bdccc9678c5bd963a8985de43a407ea90b44e90f95877d63d716b51f632f

c5010f1b60cfdd064d93fe60c5ce8cfd.exe

分析耗时

85s

最近分析

文件大小

1000.5KB

静态报毒动态报毒 100% 4FXEC4PI3EE A + TROJ AEUC AI SCORE=85 AMMYY BADUR BAVE BOZ@546PMN BUBLIK CLASSIC CONFIDENCE CQKILW CUTWAIL FAMVT FDGO GENASA GENCIRC GEND HEYR HIGH CONFIDENCE KRYPTIK LXEV MALICIOUS PE QVM19 R267453 SCORE SLUGIN SMALL STATIC AI UNSAFE UPATRE WASKI Y3@A41E4TB YARWI ZBOT ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Cutwail-FDGO!C5010F1B60CF	20201211	6.0.6.653
Alibaba	TrojanDownloader:Win32/Upatre.4224e387	20190527	0.3.0.5
Avast	Win32:Adware-gen [Adw]	20201210	21.1.5827.0
Baidu	Win32.Trojan.Kryptik.mp	20190318	1.0.0.2
Kingsoft		20201211	2017.9.26.565
Tencent	Malware.Win32.Gencirc.10b0799a	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906585.749625 IsDebuggerPresent		failed	0	0
1619906587.84425 IsDebuggerPresent		failed	0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.code
section	.data2

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (6 个事件)

Time & API	Arguments	Status
1619906585.765625 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 397312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01b70000	success
1619906585.765625 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01bd0000	success
1619906586.452625 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x033f0000	success
1619906587.84425 NtAllocateVirtualMemory	process_identifier: 1940 region_size: 1314816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01d20000	success
1619906587.84425 NtAllocateVirtualMemory	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e60000	success
1619906587.95325 NtAllocateVirtualMemory	process_identifier: 1940 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x033f0000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\budha.exe

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\budha.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\budha.exe

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906587.702625 ShellExecuteExW	parameters: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\budha.exe filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\budha.exe show_type: 0	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906602.18825 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.012839018675239

section

{'size_of_data': '0x00000c00', 'virtual_address': '0x00001000', 'entropy': 7.012839018675239, 'name': '.text', 'virtual_size': '0x00000b71'}

description

A section with a high entropy has been found

entropy

6.977289520012138

section

{'size_of_data': '0x00000800', 'virtual_address': '0x00003000', 'entropy': 6.977289520012138, 'name': '.data', 'virtual_size': '0x0000076d'}

description

A section with a high entropy has been found

entropy

0.24390243902439024

description

Overall entropy of this PE file is high

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: f8cbd004ecf7b671fe3e4e9f65ac38d383084a82

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619906604.78125 RegSetValueExA	key_handle: 0x00000438 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619906604.78125 RegSetValueExA	key_handle: 0x00000438 value: ùì¼>× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619906604.78125 RegSetValueExA	key_handle: 0x00000438 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619906604.78125 RegSetValueExW	key_handle: 0x00000438 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619906604.78125 RegSetValueExA	key_handle: 0x00000450 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619906604.78125 RegSetValueExA	key_handle: 0x00000450 value: ùì¼>× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619906604.78125 RegSetValueExA	key_handle: 0x00000450 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619906604.79725 RegSetValueExW	key_handle: 0x00000434 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)

Bkav	W32.FamVT.GeND.Trojan
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoad3.28161
MicroWorld-eScan	Trojan.Agent.BAVE
FireEye	Generic.mg.c5010f1b60cfdd06
CAT-QuickHeal	TrojanDownloader.Upatre.A6
McAfee	Cutwail-FDGO!C5010F1B60CF
Cylance	Unsafe
VIPRE	Trojan.Win32.Zbot.o (v)
K7AntiVirus	Trojan-Downloader ( 0040f6bd1 )
Alibaba	TrojanDownloader:Win32/Upatre.4224e387
K7GW	Trojan ( 004ebb4c1 )
Cybereason	malicious.b60cfd
Arcabit	Trojan.Agent.BAVE
BitDefenderTheta	Gen:NN.ZexaF.34670.!y3@a41e4tb
Cyren	W32/Trojan.HEYR-7073
Symantec	SMG.Heur!gen
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Downloader.Upatre-5744087-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.Agent.BAVE
NANO-Antivirus	Trojan.Win32.Bublik.cqkilw
SUPERAntiSpyware	Trojan.Agent/Gen-Dropper
Avast	Win32:Adware-gen [Adw]
Rising	Trojan.Waski!1.A489 (CLASSIC)
Ad-Aware	Trojan.Agent.BAVE
Emsisoft	Trojan.Agent.BAVE (B)
Comodo	TrojWare.Win32.Kryptik.BOZ@546pmn
F-Secure	Trojan.TR/Yarwi.AD.5
Baidu	Win32.Trojan.Kryptik.mp
Zillya	Trojan.Generic.Win32.640589
McAfee-GW-Edition	BehavesLike.Win32.Cutwail.fh
Sophos	ML/PE-A + Troj/Agent-AEUC
Ikarus	Trojan.Win32.Badur
Jiangmin	Trojan/Bublik.ggf
Avira	TR/Yarwi.AD.5
MAX	malware (ai score=85)
Antiy-AVL	Virus/Win32.Slugin.a
Gridinsoft	Trojan.Win32.Agent.bot!s1
Microsoft	TrojanDownloader:Win32/Upatre.A
AegisLab	Trojan.Win32.Generic.lXEV
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.Agent.BAVE
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Upatre.R267453
Acronis	suspicious
VBA32	Trojan.Download
ALYac	Trojan.Agent.BAVE
Malwarebytes	Trojan.Dropper

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2004-09-03 14:07:40

Imports

Library KERNEL32.DLL:

• 0x4060f0 GetModuleHandleA

• 0x4060f4 GetProcAddress

• 0x4060f8 HeapCreate

• 0x4060fc HeapAlloc

• 0x406100 ExitProcess

• 0x406104 FreeLibrary

Library ADVAPI32.dll:

• 0x406250 RegQueryValueExA

• 0x406254 RegOpenKeyA

• 0x406258 GetUserNameA

• 0x40625c CopySid

• 0x406260 GetLengthSid

Library GDI32.dll:

• 0x406300 CreateBitmap

• 0x406304 IntersectClipRect

• 0x406308 ExcludeClipRect

• 0x40630c UpdateColors

• 0x406310 GetTextExtentPoint32A

• 0x406314 CreateCompatibleDC

• 0x406318 DeleteObject

• 0x40631c TextOutA

• 0x406320 SetBkColor

• 0x406324 SetTextColor

• 0x406328 Rectangle

• 0x40632c CreateSolidBrush

• 0x406330 GetStockObject

• 0x406334 CreateFontIndirectA

• 0x406338 GetTextExtentExPointA

• 0x40633c GetTextMetricsA

• 0x406340 CreateFontA

• 0x406344 RealizePalette

Library IMM32.dll:

• 0x4064a0 ImmGetCompositionStringW

• 0x4064a4 ImmSetCompositionFontA

• 0x4064a8 ImmGetContext

• 0x4064ac ImmSetCompositionWindow

Library Msacm32.dll:

• 0x406520 acmDriverID

• 0x406524 acmStreamOpen

Library user32.dll:

• 0x40618c GetMessageA

• 0x406190 DefWindowProcA

• 0x406194 PostQuitMessage

• 0x406198 GetDoubleClickTime

• 0x40619c UpdateWindow

• 0x4061a0 GetQueueStatus

• 0x4061a4 LoadIconA

• 0x4061a8 RegisterClassA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
cry-havok.org	A 18.213.250.117 A 52.4.209.250 A 18.215.128.143
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 172.217.160.78	172.217.160.78
maitikio.com
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49179	18.213.250.117 cry-havok.org	443
192.168.56.101	49180	18.213.250.117 cry-havok.org	443
192.168.56.101	49181	18.213.250.117 cry-havok.org	443
18.213.250.117	443	192.168.56.101	49183
192.168.56.101	49184	18.213.250.117 cry-havok.org	443
192.168.56.101	49185	18.213.250.117 cry-havok.org	443
192.168.56.101	49187	18.213.250.117 cry-havok.org	443
18.213.250.117	443	192.168.56.101	49188
192.168.56.101	49189	18.213.250.117 cry-havok.org	443
192.168.56.101	49190	18.213.250.117 cry-havok.org	443
192.168.56.101	49191	18.213.250.117 cry-havok.org	443
18.213.250.117	443	192.168.56.101	49192
192.168.56.101	49193	18.213.250.117 cry-havok.org	443
192.168.56.101	49194	18.213.250.117 cry-havok.org	443
192.168.56.101	49195	18.213.250.117 cry-havok.org	443
18.213.250.117	443	192.168.56.101	49196
192.168.56.101	49198	18.213.250.117 cry-havok.org	443
192.168.56.101	49199	18.213.250.117 cry-havok.org	443
192.168.56.101	49200	18.213.250.117 cry-havok.org	443
18.213.250.117	443	192.168.56.101	49201

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.