SmartHawk

2.8

中危

59 个模型检测该样本为恶意！

重新分析

下载样本

e9eb6182c7505ca4d757a8d70e671ccb79fc9baa153407a09712cbe072e3c7ac

cfb911ee72e181cb17885cddd6d81b65.exe

分析耗时

21s

最近分析

文件大小

224.0KB

静态报毒动态报毒 100% AI SCORE=81 AIDETECTVM ATTRIBUTE CLASSIC COINS CONFIDENCE DANABOT DROPPERX ELDORADO EQOW GDSDA GEN@0 GENKRYPTIK HFOY HIGH CONFIDENCE HIGHCONFIDENCE HSNUBG KRYPTIK LIMPOPO MALWARE1 MIDIE OQW@AYCG27GG QQPASS QQROB R348373 SCORE STEAM STIMILINA SUSGEN SUSPICIOUS PE TDFT TROJANPSW TROJANPWS UNCLASSIFIED UNSAFE USXVPHI20 VEBZENPAK WINDIGO ZEXAF ZXWFS 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanPSW:Win32/Coins.75bab15e	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Tencent	Win32.Trojan-qqpass.Qqrob.Tdft	20200830	1.0.0.1
Kingsoft		20200830	2013.8.14.323
McAfee	Packed-GBE!CFB911EE72E1	20200830	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

C:\yalabofosadi gihekoyihiwuxazokilu mif-bi.pdb8166\bin\bajitodeb.pdbCéB

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910847.15856 NtProtectVirtualMemory	process_identifier: 1404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01b5d000	success	0	0
1619910847.15856 NtAllocateVirtualMemory	process_identifier: 1404 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.469620687103525

section

{'size_of_data': '0x0002a400', 'virtual_address': '0x00001000', 'entropy': 7.469620687103525, 'name': '.text', 'virtual_size': '0x0002a253'}

description

A section with a high entropy has been found

entropy

0.757847533632287

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Midie.74533
FireEye	Generic.mg.cfb911ee72e181cb
CAT-QuickHeal	Trojanpws.Coins
ALYac	Gen:Variant.Midie.74533
Cylance	Unsafe
Zillya	Trojan.Coins.Win32.5248
Sangfor	Malware
K7AntiVirus	Trojan ( 0056cba61 )
Alibaba	TrojanPSW:Win32/Coins.75bab15e
K7GW	Trojan ( 0056cba61 )
Cybereason	malicious.dee6f4
Arcabit	Trojan.Midie.D12325
TrendMicro	TrojanSpy.Win32.VEBZENPAK.USXVPHI20
Cyren	W32/Kryptik.BUJ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Windigo-9452777-0
Kaspersky	Trojan-PSW.Win32.Coins.yno
BitDefender	Gen:Variant.Midie.74533
NANO-Antivirus	Trojan.Win32.Coins.hsnubg
ViRobot	Trojan.Win32.Z.Malpack.229376
Tencent	Win32.Trojan-qqpass.Qqrob.Tdft
Ad-Aware	Gen:Variant.Midie.74533
TACHYON	Trojan-PWS/W32.Coins.229376.B
Comodo	TrojWare.Win32.Unclassified.gen@0
F-Secure	Trojan.TR/Crypt.Agent.zxwfs
DrWeb	Trojan.PWS.Steam.18415
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Sophos	Mal/Generic-S
Ikarus	Trojan-Dropper.Win32.Danabot
Avira	TR/Crypt.Agent.zxwfs
eGambit	Unsafe.AI_Score_99%
Antiy-AVL	Trojan/Win32.Kryptik
Microsoft	PWS:Win32/Stimilina.E!rfn
AegisLab	Trojan.Win32.Coins.i!c
ZoneAlarm	Trojan-PSW.Win32.Coins.yno
GData	Gen:Variant.Midie.74533
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.R348373
Acronis	suspicious
McAfee	Packed-GBE!CFB911EE72E1
MAX	malware (ai score=81)
VBA32	Malware-Cryptor.Limpopo
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/Kryptik.HFOY
TrendMicro-HouseCall	TrojanSpy.Win32.VEBZENPAK.USXVPHI20

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-11-22 17:27:44

Imports

Library KERNEL32.dll:

• 0x42c000 GetCurrencyFormatA

• 0x42c004 GetUserDefaultLangID

• 0x42c008 GetCommandLineA

• 0x42c00c GetUserGeoID

• 0x42c010 GlobalAlloc

• 0x42c014 LoadLibraryW

• 0x42c018 FormatMessageW

• 0x42c01c ReadFile

• 0x42c020 lstrlenW

• 0x42c024 ReplaceFileA

• 0x42c028 LCMapStringA

• 0x42c02c GetLongPathNameW

• 0x42c030 GetTapeStatus

• 0x42c034 OpenWaitableTimerW

• 0x42c038 WritePrivateProfileStringA

• 0x42c03c CreateHardLinkW

• 0x42c040 DebugSetProcessKillOnExit

• 0x42c044 SetConsoleTitleW

• 0x42c048 VirtualProtect

• 0x42c04c GetTempPathA

• 0x42c050 OpenFileMappingA

• 0x42c054 LocalFree

• 0x42c058 FindNextVolumeMountPointA

• 0x42c05c SetComputerNameW

• 0x42c060 GlobalAddAtomA

• 0x42c064 GetProcessWorkingSetSize

• 0x42c068 IsBadStringPtrW

• 0x42c06c WideCharToMultiByte

• 0x42c070 InterlockedIncrement

• 0x42c074 InterlockedDecrement

• 0x42c078 InterlockedCompareExchange

• 0x42c07c InterlockedExchange

• 0x42c080 MultiByteToWideChar

• 0x42c084 Sleep

• 0x42c088 InitializeCriticalSection

• 0x42c08c DeleteCriticalSection

• 0x42c090 EnterCriticalSection

• 0x42c094 LeaveCriticalSection

• 0x42c098 GetLastError

• 0x42c09c HeapFree

• 0x42c0a0 TerminateProcess

• 0x42c0a4 GetCurrentProcess

• 0x42c0a8 UnhandledExceptionFilter

• 0x42c0ac SetUnhandledExceptionFilter

• 0x42c0b0 IsDebuggerPresent

• 0x42c0b4 GetStartupInfoA

• 0x42c0b8 GetCPInfo

• 0x42c0bc RtlUnwind

• 0x42c0c0 RaiseException

• 0x42c0c4 LCMapStringW

• 0x42c0c8 GetStringTypeW

• 0x42c0cc SetHandleCount

• 0x42c0d0 GetStdHandle

• 0x42c0d4 GetFileType

• 0x42c0d8 HeapAlloc

• 0x42c0dc HeapCreate

• 0x42c0e0 VirtualFree

• 0x42c0e4 VirtualAlloc

• 0x42c0e8 HeapReAlloc

• 0x42c0ec GetModuleHandleW

• 0x42c0f0 GetProcAddress

• 0x42c0f4 TlsGetValue

• 0x42c0f8 TlsAlloc

• 0x42c0fc TlsSetValue

• 0x42c100 TlsFree

• 0x42c104 SetLastError

• 0x42c108 GetCurrentThreadId

• 0x42c10c ExitProcess

• 0x42c110 WriteFile

• 0x42c114 GetModuleFileNameA

• 0x42c118 FreeEnvironmentStringsA

• 0x42c11c GetEnvironmentStrings

• 0x42c120 FreeEnvironmentStringsW

• 0x42c124 GetEnvironmentStringsW

• 0x42c128 QueryPerformanceCounter

• 0x42c12c GetTickCount

• 0x42c130 GetCurrentProcessId

• 0x42c134 GetSystemTimeAsFileTime

• 0x42c138 GetStringTypeA

• 0x42c13c HeapSize

• 0x42c140 GetACP

• 0x42c144 GetOEMCP

• 0x42c148 IsValidCodePage

• 0x42c14c GetUserDefaultLCID

• 0x42c150 GetLocaleInfoA

• 0x42c154 EnumSystemLocalesA

• 0x42c158 IsValidLocale

• 0x42c15c InitializeCriticalSectionAndSpinCount

• 0x42c160 LoadLibraryA

• 0x42c164 GetLocaleInfoW

• 0x42c168 GetConsoleCP

• 0x42c16c GetConsoleMode

• 0x42c170 FlushFileBuffers

• 0x42c174 GetModuleHandleA

• 0x42c178 CloseHandle

• 0x42c17c WriteConsoleA

• 0x42c180 GetConsoleOutputCP

• 0x42c184 WriteConsoleW

• 0x42c188 SetFilePointer

• 0x42c18c SetStdHandle

• 0x42c190 CreateFileA

Library USER32.dll:

• 0x42c198 GetCursor

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.