SmartHawk

6.2

高危

53 个模型检测该样本为恶意！

重新分析

下载样本

07fd393e36e2519dda8edff80b6c629347586a628d70103d0cb425ba5c6cd0b9

c88143e4cd12c72f43d7c4830b4734cf.exe

分析耗时

86s

最近分析

文件大小

556.9KB

静态报毒动态报毒 100% AI SCORE=88 ARTEMIS ATTRIBUTE AZORULT BSCOPE CARBERP CMY3U CONFIDENCE DANGEROUSSIG DOWNLOADER34 FSFS GANDCRAB GANDCRYPT GENERIC PUA OH GENERICKD GENKRYPTIK HBTK HIGH CONFIDENCE HIGHCONFIDENCE HPEBWR IUX@A8B1SKCI JKNB KCLOUD KRYPTIK MALCERT MALWARE@#2C5GNMKAKGOU0 R002C0GLV20 SCORE SUSGEN UNSAFE VDZAL WACATAC ZEXAF ZNFRD7CYKCV 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Alibaba	Trojan:Win32/Kryptik.40f53197	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:DangerousSig [Trj]	20201231	21.1.5827.0
Tencent		20201231	1.0.0.1
Kingsoft	Win32.Troj.CMY3U.b.(kcloud)	20201231	2017.9.26.565
McAfee	Artemis!C88143E4CD12	20201231	6.0.6.653

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906639.125125 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906637.750125 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.code

The executable uses a known packer (1 个事件)

packer

PureBasic 4.x -> Neil Hodgson

Allocates read-write-execute memory (usually to unpack itself) (4 个事件)

Time & API	Arguments	Status
1619906638.484125 NtProtectVirtualMemory	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 299008 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1619906638.500125 NtAllocateVirtualMemory	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e0000	success
1619906638.500125 NtAllocateVirtualMemory	process_identifier: 2856 region_size: 315392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success
1619906639.109125 NtAllocateVirtualMemory	process_identifier: 2856 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02f00000	success

Creates a suspicious process (1 个事件)

cmdline

C:\Windows\system32\svchost.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906639.125125 NtProtectVirtualMemory	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x10001000	success	0	0

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906639.031125 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c88143e4cd12c72f43d7c4830b4734cf.exe newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Credentials\380451\380451.exe newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Credentials\380451\380451.exe flags: 2 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c88143e4cd12c72f43d7c4830b4734cf.exe	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.579442427023373

section

{'size_of_data': '0x00049200', 'virtual_address': '0x00001000', 'entropy': 7.579442427023373, 'name': '.code', 'virtual_size': '0x00049184'}

description

A section with a high entropy has been found

entropy

0.530852994555354

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34231907
ALYac	Spyware.Infostealer.Azorult
Cylance	Unsafe
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Kryptik.40f53197
K7GW	Trojan ( 0056230f1 )
K7AntiVirus	Trojan ( 0056230f1 )
Cyren	W32/Trojan.JKNB-5254
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DangerousSig [Trj]
Kaspersky	Trojan.Win32.CMY3U.bxh
BitDefender	Trojan.GenericKD.34231907
NANO-Antivirus	Trojan.Win32.CMY3U.hpebwr
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.34231907
Sophos	Generic PUA OH (PUA)
Comodo	Malware@#2c5gnmkakgou0
F-Secure	Trojan.TR/AD.Carberp.vdzal
DrWeb	Trojan.DownLoader34.4860
VIPRE	BehavesLike.Win32.Malware.mmu (mx-v)
TrendMicro	TROJ_GEN.R002C0GLV20
McAfee-GW-Edition	Artemis!Trojan
MaxSecure	Trojan.Malware.104329244.susgen
FireEye	Generic.mg.c88143e4cd12c72f
Emsisoft	MalCert.A (A)
Ikarus	Trojan.Win32.Crypt
GData	Trojan.GenericKD.34231907
Jiangmin	Trojan.CMY3U.ic
Avira	TR/AD.Carberp.vdzal
Antiy-AVL	Trojan/Win32.CMY3U
Kingsoft	Win32.Troj.CMY3U.b.(kcloud)
Arcabit	Trojan.Generic.D20A5663
AegisLab	Trojan.Win32.CMY3U.4!c
ZoneAlarm	Trojan.Win32.CMY3U.bxh
Microsoft	Trojan:Win32/GandCrypt.PVB!MTB
Cynet	Malicious (score: 100)
McAfee	Artemis!C88143E4CD12
MAX	malware (ai score=88)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Ransom.GandCrab
ESET-NOD32	a variant of Win32/Kryptik.HBTK
TrendMicro-HouseCall	TROJ_GEN.R002C0GLV20
Rising	Trojan.GenKryptik!8.AA55 (TFE:4:ZNfRd7cYkCV)
eGambit	Unsafe.AI_Score_97%
Fortinet	W32/Kryptik.FSFS!tr
BitDefenderTheta	Gen:NN.ZexaF.34700.IuX@a8B1skci
AVG	Win32:DangerousSig [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-07 03:55:04

Imports

Library MSVCRT.dll:

• 0x476bd4 memset

• 0x476bd8 fread

• 0x476bdc fclose

• 0x476be0 ftell

• 0x476be4 fseek

• 0x476be8 memcpy

• 0x476bec strlen

• 0x476bf0 strcpy

• 0x476bf4 _errno

• 0x476bf8 realloc

• 0x476bfc malloc

• 0x476c00 free

• 0x476c04 calloc

• 0x476c08 fopen

• 0x476c0c floor

• 0x476c10 toupper

• 0x476c14 memmove

• 0x476c18 sprintf

• 0x476c1c perror

• 0x476c20 _CIatan

• 0x476c24 fprintf

• 0x476c28 _CIlog

• 0x476c2c ldexp

• 0x476c30 _CIpow

• 0x476c34 qsort

• 0x476c38 _CIexp

• 0x476c3c ceil

• 0x476c40 _CIsqrt

• 0x476c44 _CIcos

• 0x476c48 _CIsin

• 0x476c4c exit

• 0x476c50 frexp

• 0x476c54 _CIacos

• 0x476c58 memchr

• 0x476c5c __CxxFrameHandler

Library KERNEL32.dll:

• 0x476c64 GetModuleHandleA

• 0x476c68 HeapCreate

• 0x476c6c HeapDestroy

• 0x476c70 ExitProcess

• 0x476c74 HeapAlloc

• 0x476c78 HeapFree

• 0x476c7c GetCurrentThreadId

• 0x476c80 GetCurrentProcessId

• 0x476c84 FreeLibrary

• 0x476c88 LoadLibraryA

• 0x476c8c GetProcAddress

• 0x476c90 WriteFile

• 0x476c94 CloseHandle

• 0x476c98 HeapReAlloc

Library COMCTL32.dll:

• 0x476ca0 InitCommonControls

Library USER32.dll:

• 0x476ca8 MessageBoxA

• 0x476cac GetWindowThreadProcessId

• 0x476cb0 IsWindowVisible

• 0x476cb4 IsWindowEnabled

• 0x476cb8 GetForegroundWindow

• 0x476cbc EnableWindow

• 0x476cc0 EnumWindows

Library OLE32.dll:

• 0x476cc8 CoInitialize

Library WSOCK32.dll:

• 0x476cd0 socket

• 0x476cd4 inet_addr

• 0x476cd8 gethostbyname

• 0x476cdc htons

• 0x476ce0 connect

• 0x476ce4 ioctlsocket

• 0x476ce8 closesocket

• 0x476cec WSACleanup

• 0x476cf0 WSAStartup

Library ODBC32.dll:

• 0x476cf8 SQLGetDiagField

• 0x476cfc SQLDescribeCol

• 0x476d00 SQLSetStmtAttr

• 0x476d04 SQLExecDirect

• 0x476d08 SQLAllocHandle

• 0x476d0c SQLFreeHandle

• 0x476d10 SQLGetData

• 0x476d14 SQLConnect

• 0x476d18 SQLDisconnect

• 0x476d1c SQLDriverConnect

• 0x476d20 SQLSetEnvAttr

• 0x476d24 SQLNumResultCols

• 0x476d28 SQLFetchScroll

• 0x476d2c SQLFetch

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.