SmartHawk

9.0

极危

51 个模型检测该样本为恶意！

重新分析

下载样本

2346feb8b69f4d17bac41f58ba38e609c83fc7512813595d78f44d2184f04901

cc269f64a9d1932ee9908f2734e526b8.exe

分析耗时

98s

最近分析

文件大小

468.0KB

静态报毒动态报毒 AGEN AI SCORE=100 AIDETECTVM ANDROM CONFIDENCE DDIV DM0@AAW0FZEB DM0@GAW0FZEB EEDQ FAREITVB FNVOXE GDSDA GENASA GENCIRC HIGH CONFIDENCE LOKI MALICIOUS PE MALWARE1 MALWARE@#38G2CDXZHSZ7L PONYSTEALER PUTTY QCXFKNFPUPW QVM03 R + MAL RJMU SCORE SIGGEN8 STATIC AI TIOIBOCX UNSAFE VBKRYPT2 X2034 ZEVBAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20201206	20.10.5736.0
Alibaba	Backdoor:Win32/Androm.aa4b7ca9	20190527	0.3.0.5
Tencent	Malware.Win32.Gencirc.114d8dbb	20201206	1.0.0.1
Kingsoft		20201206	2017.9.26.565
McAfee		20201207	6.0.6.653
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619918351.209125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619918357.538125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619918362.116125 GetComputerNameW	computer_name: OSKAR-PC	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619918345.97575 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (8 个事件)

Time & API	Arguments	Status
1619918345.78875 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02760000	success
1619918345.78875 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02850000	success
1619918345.78875 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02851000	success
1619918345.78875 NtProtectVirtualMemory	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619918346.631125 NtAllocateVirtualMemory	process_identifier: 732 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x03c90000	success
1619918346.631125 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03dd0000	success
1619918346.631125 NtAllocateVirtualMemory	process_identifier: 732 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03dd1000	success
1619918346.631125 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success

Steals private information from local Internet browsers (19 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Foreign language identified in PE resource (1 个事件)

name

RT_VERSION

language

LANG_CHINESE

offset

0x00072270

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

size

0x0000022c

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619918345.22575 NtProtectVirtualMemory	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x003d0000	success	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619918357.459125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\objectPulsaarernes6

reg_value

wscript "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\objectsandeltrernes.vbs"

Harvests credentials from local FTP client softwares (22 个事件)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (3 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Putty Files, Registry Keys and/or Mutexes Detected

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.PonyStealer.Dm0@gaW0fzeb
ALYac	Gen:Heur.PonyStealer.Dm0@gaW0fzeb
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Gen:Heur.PonyStealer.Dm0@gaW0fzeb
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.4a9d19
Symantec	Trojan.Gen.MBT
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Malware.Score-6882711-0
Kaspersky	Backdoor.Win32.Androm.rjmu
Alibaba	Backdoor:Win32/Androm.aa4b7ca9
NANO-Antivirus	Trojan.Win32.Androm.fnvoxe
AegisLab	Trojan.Win32.Androm.4!c
Tencent	Malware.Win32.Gencirc.114d8dbb
Ad-Aware	Gen:Heur.PonyStealer.Dm0@gaW0fzeb
Emsisoft	Gen:Heur.PonyStealer.Dm0@gaW0fzeb (B)
Comodo	Malware@#38g2cdxzhsz7l
F-Secure	Heuristic.HEUR/AGEN.1130122
DrWeb	Trojan.Siggen8.13769
Zillya	Backdoor.Androm.Win32.62453
TrendMicro	TrojanSpy.Win32.LOKI.TIOIBOCX
FireEye	Generic.mg.cc269f64a9d1932e
Sophos	Mal/Generic-R + Mal/FareitVB-V
SentinelOne	Static AI - Malicious PE
GData	Gen:Heur.PonyStealer.Dm0@gaW0fzeb
Avira	HEUR/AGEN.1130122
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Arcabit	Trojan.PonyStealer.E2A892
ZoneAlarm	Backdoor.Win32.Androm.rjmu
Microsoft	VirTool:Win32/VBInject.ACZ!bit
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/VBKrypt2.Suspicious.X2034
MAX	malware (ai score=100)
VBA32	Backdoor.Androm
Panda	Trj/GdSda.A
ESET-NOD32	a variant of Win32/Injector.EEDQ
TrendMicro-HouseCall	TrojanSpy.Win32.LOKI.TIOIBOCX
Yandex	Trojan.GenAsa!QcXfKnfpupw
TACHYON	Backdoor/W32.VB-Androm.479232.AC
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Injector.DDIV!tr
BitDefenderTheta	Gen:NN.ZevbaF.34670.Dm0@aaW0fzeb
AVG	Win32:Trojan-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.24.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-03-08 12:15:31

Imports

Library MSVBVM60.DLL:

• 0x401000 _CIcos

• 0x401004 _adj_fptan

• 0x401008 __vbaVarMove

• 0x40100c __vbaFreeVar

• 0x401010 __vbaLenBstr

• 0x401014 __vbaFreeVarList

• 0x401018 _adj_fdiv_m64

• 0x40101c __vbaR8Sgn

• 0x401020 _adj_fprem1

• 0x401024 __vbaStrCat

• 0x401028 __vbaSetSystemError

• 0x40102c __vbaRecDestruct

• 0x401030 __vbaHresultCheckObj

• 0x401034 __vbaLenBstrB

• 0x401038 _adj_fdiv_m32

• 0x40103c __vbaAryDestruct

• 0x401040 _adj_fdiv_m16i

• 0x401044 _adj_fdivr_m16i

• 0x401048 _CIsin

• 0x40104c

• 0x401050 __vbaChkstk

• 0x401054 EVENT_SINK_AddRef

• 0x401058 __vbaAryConstruct2

• 0x40105c DllFunctionCall

• 0x401060 _adj_fpatan

• 0x401064 EVENT_SINK_Release

• 0x401068 _CIsqrt

• 0x40106c EVENT_SINK_QueryInterface

• 0x401070 __vbaExceptHandler

• 0x401074

• 0x401078 _adj_fprem

• 0x40107c _adj_fdivr_m64

• 0x401080 __vbaFPException

• 0x401084 __vbaStrVarVal

• 0x401088

• 0x40108c

• 0x401090 _CIlog

• 0x401094 __vbaFileOpen

• 0x401098 __vbaNew2

• 0x40109c __vbaR8Str

• 0x4010a0 _adj_fdiv_m32i

• 0x4010a4

• 0x4010a8 _adj_fdivr_m32i

• 0x4010ac __vbaStrCopy

• 0x4010b0 __vbaFreeStrList

• 0x4010b4 _adj_fdivr_m32

• 0x4010b8 _adj_fdiv_r

• 0x4010bc

• 0x4010c0

• 0x4010c4 __vbaVarDup

• 0x4010c8 __vbaVarSetObjAddref

• 0x4010cc _CIatan

• 0x4010d0

• 0x4010d4 __vbaStrMove

• 0x4010d8 __vbaR8IntI4

• 0x4010dc _allmul

• 0x4010e0 _CItan

• 0x4010e4 _CIexp

• 0x4010e8 __vbaFreeStr

• 0x4010ec __vbaFreeObj

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.24.78	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
orubuoru1.ga
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	62912	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.