SmartHawk

4.0

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

29e3bf2a622e628f61477d93d21dd19ba8626aa92e92c07b033023956db4392b

c652952cb75398575e938b114e93a29a.exe

分析耗时

95s

最近分析

文件大小

460.9KB

静态报毒动态报毒 AI SCORE=82 AIDETECTVM BEVD CONFIDENCE DOWNLOADER33 EHLS ELDORADO EPACK FXII GEN2 GENCIRC GENERICKD GENETIC GOZI GRAYWARE HIGH CONFIDENCE HKZLGL KRYPTIK MALCERT MALICIOUS PE MALWARE1 MALWARE@#1HOP35M7UXI1D O5D1HMEZPMG POSSIBLETHREAT QVM20 R + TROJ R339400 SCORE SQABPK54RZP STATIC AI TROJANX URSNIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:Win32/Ursnif.860c3f65	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
McAfee	Packed-GCB!C652952CB753	20201211	6.0.6.653
Tencent	Malware.Win32.Gencirc.10cdd1ea	20201211	1.0.0.1

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906571.78075 GetComputerNameW	computer_name:	failed	0	0
1619906571.78075 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619906569.74975 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00490000	success
1619906571.37475 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x004c0000	success
1619906571.37475 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

Communicates with host for which no DNS query was performed (4 个事件)

host	113.108.239.196
host	172.217.24.14
host	203.208.40.98
host	203.208.41.65

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43283495
FireEye	Generic.mg.c652952cb7539857
Qihoo-360	Generic/HEUR/QVM20.1.AF40.Malware.Gen
ALYac	Trojan.GenericKD.43283495
Zillya	Trojan.Ursnif.Win32.11392
Sangfor	Malware
K7AntiVirus	Trojan ( 005680741 )
Alibaba	TrojanSpy:Win32/Ursnif.860c3f65
K7GW	Trojan ( 005680741 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Generic.D2947427
Cyren	W32/S-eab20845!Eldorado
Symantec	Trojan.Ursnif
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
BitDefender	Trojan.GenericKD.43283495
NANO-Antivirus	Trojan.Win32.Ursnif.hkzlgl
Paloalto	generic.ml
Rising	Trojan.Kryptik!8.8 (TFE:3:sqabpk54rzP)
Ad-Aware	Trojan.GenericKD.43283495
Sophos	Mal/Generic-R + Troj/Agent-BEVD
Comodo	Malware@#1hop35m7uxi1d
F-Secure	Trojan.TR/Crypt.EPACK.Gen2
DrWeb	Trojan.DownLoader33.50111
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Packed-GCB!C652952CB753
Emsisoft	MalCert.A (A)
Ikarus	Trojan.Win32.Crypt
Jiangmin	Trojan.Banker.Gozi.aov
Avira	TR/Crypt.EPACK.Gen2
MAX	malware (ai score=82)
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Gridinsoft	Trojan.Win32.Kryptik.ba
Microsoft	Trojan:Win32/Gozi.GA!MTB
AegisLab	Trojan.Win32.Fxii.4!c
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
GData	Trojan.GenericKD.43283495
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Ursnif.R339400
Acronis	suspicious
McAfee	Packed-GCB!C652952CB753
VBA32	Trojan.Downloader
Malwarebytes	Trojan.Ursnif
ESET-NOD32	Win32/Spy.Ursnif.CZ
Tencent	Malware.Win32.Gencirc.10cdd1ea
Yandex	Trojan.Agent!O5d1HmeZPmg
SentinelOne	Static AI - Malicious PE

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-04 03:11:41

Imports

Library KERNEL32.dll:

• 0x471abc GetModuleHandleA

• 0x471ac0 GetLastError

• 0x471ac4 LoadLibraryA

• 0x471ac8 GetProcAddress

• 0x471acc VirtualAlloc

Library USER32.dll:

• 0x471ad4 LoadIconA

• 0x471ad8 IsGUIThread

• 0x471adc IsCharAlphaA

• 0x471ae0 IsCharLowerA

• 0x471ae4 IsCharAlphaNumericW

• 0x471ae8 IsCharAlphaNumericA

• 0x471aec IsCharLowerW

• 0x471af0 IsCharAlphaW

• 0x471af4 IsCharUpperA

• 0x471af8 IsClipboardFormatAvailable

• 0x471afc IsCharUpperW

• 0x471b00 GetThreadDesktop

• 0x471b04 GetDialogBaseUnits

• 0x471b08 LoadCursorFromFileA

• 0x471b0c CharUpperW

• 0x471b10 DestroyCursor

• 0x471b14 VkKeyScanA

• 0x471b18 DestroyMenu

• 0x471b1c GetSystemMetrics

• 0x471b20 CharUpperA

• 0x471b24 DrawMenuBar

• 0x471b28 LoadCursorFromFileW

• 0x471b2c GetListBoxInfo

• 0x471b30 GetMenuItemCount

• 0x471b34 IsWindow

• 0x471b38 WindowFromDC

Library GDI32.dll:

• 0x471b40 GetEnhMetaFileA

• 0x471b44 CreateMetaFileA

• 0x471b48 SwapBuffers

• 0x471b4c GetSystemPaletteUse

• 0x471b50 FillPath

• 0x471b54 GetMapMode

• 0x471b58 CloseMetaFile

• 0x471b5c UpdateColors

• 0x471b60 CancelDC

• 0x471b64 GetTextAlign

• 0x471b68 GetLayout

• 0x471b6c RealizePalette

Library ADVAPI32.dll:

• 0x471b74 RegQueryValueExW

• 0x471b78 GetUserNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.