Score: 6.6
Risk level: High

SHA256: 9836b1703c8c49e326c0f748ee3379e1998eda546e6b5327346fbfe4863d2114

File name: d2a97c3c81ef5943ab3b8f58ea60eb27.exe (the name appears to be the sample's MD5; the FireEye and Cybereason detection names below embed the same value)

Analysis duration: 21s

Latest analysis:

File size: 833.5KB
Static detection: hit. Dynamic detection: hit. Detection name tags: AI SCORE=84 AIDETECTVM ATTRIBUTE BADJOKE CLASSIC CONFIDENCE DOWNLOADER34 GDCMY GDSDA GENCIRC HACKTOOL HIGHCONFIDENCE HTJKRH IYNLA MALWARE2 R + TROJ R03BC0DHQ20 ROZENA SCORE SUSGEN SWRORT TROJANX UNCLASSIFIEDMALWARE@0 UNSAFE
鹰眼引擎 (Hawkeye engine)
Not detected: no result from this engine for the sample.
Static verdict
Antivirus engines
Engine       Result                                 Scan date   Engine version
Alibaba      Trojan:Win32/Swrort.89e68768           20190527    0.3.0.5
Baidu        (none)                                 20190318    1.0.0.2
Avast        Win32:TrojanX-gen [Trj]                20200916    18.4.3895.0
Kingsoft     (none)                                 20200916    2013.8.14.323
McAfee       RDN/Generic.dx                         20200915    6.0.6.653
Tencent      Malware.Win32.Gencirc.11aeebc0         20200916    1.0.0.1
CrowdStrike  win/malicious_confidence_60% (W)       20190702    1.0
Static indicators
This executable has a PDB path (1 event)
  pdb_path: D:\VS Project\ConsoleApplication1\Debug\3g0.pdb
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
  section: .textbss
  section: .msvcjmc
  section: .00cfg
The executable uses a known packer (1 event)
  packer: Microsoft Visual C++ V8.0 (Debug)
Note: .textbss (incremental-link scratch space), .msvcjmc (Just My Code instrumentation) and .00cfg (control-flow-guard configuration) are ordinary sections of an MSVC Debug build, which is also what the PDB path under ...\Debug\ and the "(Debug)" compiler match say. Treat the packer indicator as the false positive it warns about: this is an unpacked Visual Studio debug build of a console project. The "V8.0" in the match is a loose signature; .msvcjmc only appears in builds from Visual Studio 2017 15.8 or later, consistent with the 2020 compile timestamp further down.
Behavioral verdict
Dynamic indicators
Terminates another process (2 events)
Time: 1619910855.318793   API: NtTerminateProcess   Status: failed    Return: 0   Repeated: 0
  status_code: 0x00000000
  process_identifier: 884
  process_handle: 0x0000003c
Time: 1619910855.318793   API: NtTerminateProcess   Status: success   Return: 0   Repeated: 0
  status_code: 0x00000000
  process_identifier: 884
  process_handle: 0x0000003c
Note: PID 884 (handle 0x3c) is the process that received the injected shellcode in the events below; it is killed about five seconds after the injection, consistent with the WaitForSingleObject / GetExitCodeProcess / TerminateProcess imports listed later.
Network communication
Communicates with host for which no DNS query was performed (2 events)
  host: 172.217.24.14
  host: 212.64.87.3
Note: 212.64.87.3 is the address embedded in the injected shellcode (see the WriteProcessMemory buffer below) and is this sample's C2. 172.217.24.14 sits in Google-operated address space and is more plausibly background traffic from the VM than sample activity.
Allocates execute permission to another process indicative of possible code injection (1 event)
Time: 1619910850.006793   API: NtAllocateVirtualMemory   Status: success   Return: 0   Repeated: 0
  process_identifier: 884
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0x0000003c
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  base_address: 0x000b0000
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)
Process injection: process 2316 created a remote thread in non-child process 884
Time: 1619910850.006793   API: CreateRemoteThread   Status: success   Return: 68   Repeated: 0
  thread_identifier: 0
  process_identifier: 884
  function_address: 0x000b0000 (the RWX region allocated above, so the new thread starts executing the written buffer)
  flags: 0
  process_handle: 0x0000003c
  parameter: 0x00000000
  stack_size: 0
Manipulates memory of a non-child process indicative of process injection (2 events)
Process injection: process 2316 manipulating memory of non-child process 884
Time: 1619910850.006793   API: NtAllocateVirtualMemory   Status: success   Return: 0   Repeated: 0   (same call as listed above; identical timestamp and arguments)
  process_identifier: 884
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0x0000003c
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  base_address: 0x000b0000
Potential code injection by writing to the memory of another process (2 events)
Process injection: process 2316 injected into non-child 884
Time: 1619910850.006793   API: WriteProcessMemory   Status: success   Return: 1   Repeated: 0
  process_identifier: 884
  process_handle: 0x0000003c
  base_address: 0x000b0000
  buffer: binary shellcode, which the sandbox renders as unreadable raw bytes. What can be read off the rendered bytes:
    - it opens with FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 (cld; call; pushad; mov ebp,esp; xor edx,edx; mov edx,fs:[edx+0x30]), the Metasploit x86 block_api prologue;
    - it pushes the string "wininet" and calls through ebp with hash 0x0726774C (LoadLibraryA), then 0xA779563A (InternetOpenA) and 0xC69F8957 (InternetConnectA): the layout of the Metasploit Windows reverse_http-style stager;
    - the visible bytes of the port push that precedes the InternetConnectA call (68 A5 ..) are consistent with 0x19A5 = 6565, the port in the dead-host entry 212.64.87.3:6565 further down;
    - it embeds the header string "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)" and the host string "212.64.87.3".
  This is consistent with the Swrort / Rozena / Generic.Exploit.Shellcode names below: the sample is a small loader that injects a Metasploit HTTP stager into PID 884.
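The three events above (RWX allocation, write, remote thread on the same region of PID 884) are the classic injection triple, and the written buffer carries a Metasploit stager whose C2 settings can be pulled out statically. The following is an added example, not code from the report or from the sandbox: it correlates Cuckoo-style API records into an injection chain and decodes the stager's library, port, host and User-Agent. The event records are constructed from the values shown above; the shellcode buffer is a stand-in assembled from the fragments readable on this page (prologue, "wininet" push, the three API hashes, port push, UA and host strings) with NOP filler where the real stager code would be, not the sample's actual bytes.

```python
import re
import struct

PAGE_EXECUTE_READWRITE = 0x40

# Metasploit x86 block_api prologue: cld; call; pushad; mov ebp,esp;
# xor edx,edx; mov edx,fs:[edx+0x30]
BLOCK_API_PROLOGUE = bytes.fromhex("fce8890000006089e531d2648b5230")
# ROR13 API hashes the reverse_http stager calls through ebp
LOADLIBRARYA_HASH = 0x0726774C
INTERNETOPENA_HASH = 0xA779563A
INTERNETCONNECTA_HASH = 0xC69F8957


def _call_ebp(api_hash):
    """push <hash>; call ebp"""
    return b"\x68" + struct.pack("<I", api_hash) + b"\xff\xd5"


# Constructed stand-in for the WriteProcessMemory buffer (the report prints it
# as unreadable raw bytes): the recognisable fragments in stager order, with
# NOP filler where the real code would be.
SHELLCODE = (
    BLOCK_API_PROLOGUE + b"\x90" * 16
    + b"\x68net\x00" + b"\x68wini" + b"\x54"                # push "wininet\0"; push esp
    + _call_ebp(LOADLIBRARYA_HASH)
    + b"\x31\xff" + b"\x57" * 5 + _call_ebp(INTERNETOPENA_HASH)
    + b"\x68" + struct.pack("<I", 6565)                       # push port
    + b"\x53\x50" + _call_ebp(INTERNETCONNECTA_HASH)          # push ebx; push eax; call
    + b"\x90" * 16
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)\r\n\x00"
    + b"212.64.87.3\x00"
)

# Constructed API records mirroring the three events in the report.
EVENTS = [
    {"pid": 2316, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 884, "process_handle": 0x3c, "base_address": 0xb0000,
              "region_size": 4096, "protection": PAGE_EXECUTE_READWRITE}},
    {"pid": 2316, "api": "WriteProcessMemory",
     "args": {"process_identifier": 884, "process_handle": 0x3c, "base_address": 0xb0000,
              "buffer": SHELLCODE}},
    {"pid": 2316, "api": "CreateRemoteThread",
     "args": {"process_identifier": 884, "process_handle": 0x3c, "function_address": 0xb0000}},
]


def find_injection_chains(events):
    """One record per (injector, target, base) where an RWX allocation, a write
    and a remote thread start all landed on the same region of another process."""
    stages = {}
    for ev in events:
        a = ev["args"]
        target = a.get("process_identifier")
        if target is None or target == ev["pid"]:
            continue                                  # same-process writes are not injection
        base = a.get("base_address", a.get("function_address"))
        st = stages.setdefault((ev["pid"], target, base),
                               {"rwx": False, "buffer": None, "thread": False})
        if ev["api"] == "NtAllocateVirtualMemory":
            st["rwx"] = bool(a.get("protection", 0) & PAGE_EXECUTE_READWRITE)
        elif ev["api"] == "WriteProcessMemory":
            st["buffer"] = a.get("buffer")
        elif ev["api"] == "CreateRemoteThread":
            st["thread"] = True
    return [{"source": s, "target": t, "base": b, "buffer": st["buffer"]}
            for (s, t, b), st in stages.items()
            if st["rwx"] and st["buffer"] is not None and st["thread"]]


# push <port dword>; push ebx; push eax; push <InternetConnectA hash>
_PORT_PUSH = re.compile(rb"\x68(.{4})\x53\x50\x68"
                        + re.escape(struct.pack("<I", INTERNETCONNECTA_HASH)), re.S)
_HOST = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})\x00")   # dotted quad only
_UA = re.compile(rb"User-Agent: ([^\r\n\x00]+)")


def decode_reverse_http_stager(buf):
    """Identify a block_api stager and extract its C2 settings; None if the
    buffer does not start with the prologue."""
    if not buf.startswith(BLOCK_API_PROLOGUE):
        return None
    info = {"family": "metasploit-block_api"}
    if b"\x68net\x00\x68wini\x54" + _call_ebp(LOADLIBRARYA_HASH) in buf:
        info["library"] = "wininet"                   # HTTP stager, not reverse_tcp
    m = _PORT_PUSH.search(buf)
    if m:
        info["port"] = struct.unpack("<I", m.group(1))[0]
    m = _HOST.search(buf)                             # a hostname needs another pattern
    if m:
        info["host"] = m.group(1).decode()
    m = _UA.search(buf)
    if m:
        info["user_agent"] = m.group(1).decode()
    return info


def analyze(events):
    chains = find_injection_chains(events)
    for ch in chains:
        ch["stager"] = decode_reverse_http_stager(ch["buffer"])
    return chains


if __name__ == "__main__":
    for ch in analyze(EVENTS):
        print(f"{ch['source']} -> {ch['target']} @ {ch['base']:#x}: {ch['stager']}")
```

Keying the chain on (injector, target, base address) rather than on the handle is deliberate: handle values are reused across the trace, while the base address ties the allocation, the write and the thread entry point together, which is exactly the link the three separate sandbox signatures leave implicit.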
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 of 51 events shown)
Bkav W32.AIDetectVM.malware2
MicroWorld-eScan Generic.Exploit.Shellcode.1.2514F3C5
FireEye Generic.mg.d2a97c3c81ef5943
Qihoo-360 Generic/Trojan.79a
ALYac Trojan.Agent.Swrort
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Swrort.89e68768
K7GW Riskware ( 0040eff71 )
Cybereason malicious.c81ef5
Invincea Mal/Generic-R + Troj/Swrort-BY
BitDefenderTheta AI:Packer.D9BC30501F
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Cynet Malicious (score: 85)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Generic.Exploit.Shellcode.1.2514F3C5
NANO-Antivirus Trojan.Win32.Swrort.htjkrh
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
Rising HackTool.Swrort!1.6477 (CLASSIC)
Ad-Aware Generic.Exploit.Shellcode.1.2514F3C5
Comodo .UnclassifiedMalware@0
F-Secure Trojan.TR/Swrort.iynla
DrWeb Trojan.DownLoader34.32514
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0DHQ20
Sophos Troj/Swrort-BY
Ikarus Trojan.Win32.BadJoke
Jiangmin Trojan.Generic.gdcmy
Avira TR/Swrort.iynla
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.Swrort
Microsoft Trojan:Win32/Swrort.A
Arcabit Generic.Exploit.Shellcode.1.2514F3C5
ViRobot Trojan.Win32.Z.Swrort.853504
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Generic.Exploit.Shellcode.1.2514F3C5
AhnLab-V3 Malware/Win32.Generic.C4193780
McAfee RDN/Generic.dx
VBA32 Malware-Cryptor.Inject.gen
Cylance Unsafe
ESET-NOD32 a variant of Win32/Rozena.AVU
TrendMicro-HouseCall TROJ_GEN.R03BC0DHQ20
Tencent Malware.Win32.Gencirc.11aeebc0
Fortinet W32/Swrort.BY!tr
AVG Win32:TrojanX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_60% (W)
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
  dead_host: 212.64.87.3:6565
  dead_host: 192.168.56.101:49176
Note: 212.64.87.3:6565 is the host and port carried in the injected stager. The C2 did not answer during the 21-second run, so the stager never fetched a second stage, which is why the HTTP and TCP sections below are empty. 192.168.56.101 is the sandbox VM's own address (the source of every row in the UDP table), so the second entry is local noise, not a second C2.
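The two network signatures (a destination contacted without a DNS answer naming it, and a destination that never replied) are cheap to reproduce from a flow list, provided the Windows background chatter in the UDP table is filtered first. The following is an added example, not the sandbox's own logic. Its flows are constructed from the report's network sections (VM 192.168.56.101, resolver 114.114.114.114, the multicast and broadcast rows, the C2 attempt to 212.64.87.3:6565); the report shows no DNS answers, so the single answer for time.windows.com is an assumption, as is port 443 for 172.217.24.14, which the report lists by host only.

```python
import ipaddress

# Constructed from the report's network sections (see lead-in for assumptions).
VM_NET = ipaddress.ip_network("192.168.56.0/24")
RESOLVERS = {ipaddress.ip_address("114.114.114.114")}
DNS_ANSWERS = [("time.windows.com", "20.189.79.72")]       # assumed answer
FLOWS = [  # (proto, dst, dport, got_reply)
    ("udp", "114.114.114.114", 53, True),
    ("udp", "192.168.56.255", 137, False),                 # NetBIOS broadcast
    ("udp", "20.189.79.72", 123, True),                    # NTP, resolved above
    ("udp", "224.0.0.252", 5355, False),                   # LLMNR
    ("udp", "239.255.255.250", 1900, False),               # SSDP
    ("tcp", "172.217.24.14", 443, True),                   # port assumed
    ("tcp", "212.64.87.3", 6565, False),                   # C2, never answered
]


def is_background(ip, local_net=VM_NET, resolvers=RESOLVERS):
    """Resolver, multicast (LLMNR/SSDP/WS-Discovery), own-subnet broadcast,
    link-local and loopback traffic is OS chatter, not sample activity."""
    return (ip in resolvers or ip.is_multicast or ip.is_link_local
            or ip.is_loopback or ip in local_net)


def unresolved_destinations(flows, dns_answers):
    """Destinations contacted with no DNS answer naming them. 'dead' marks the
    ones that never replied, the sandbox's dead-host condition."""
    resolved = {ipaddress.ip_address(ip) for _name, ip in dns_answers}
    findings = []
    for proto, dst, dport, got_reply in flows:
        ip = ipaddress.ip_address(dst)
        if is_background(ip) or ip in resolved:
            continue
        findings.append({"proto": proto, "host": dst, "port": dport, "dead": not got_reply})
    return findings


if __name__ == "__main__":
    for f in unresolved_destinations(FLOWS, DNS_ANSWERS):
        print(f)
```

On this input the filter leaves exactly the two hosts the sandbox flagged, and only 212.64.87.3:6565 is marked dead; in a real pipeline the DNS answers come from the pcap rather than being assumed.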
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample.
Run screenshots
No screenshots: none were captured while the sample ran.

PE Compile Time

2020-08-11 11:57:37

Imports

Note: beyond the C runtime, the import set is the cross-process injection toolkit seen at runtime: VirtualAllocEx / WriteProcessMemory / CreateRemoteThread to inject, and WaitForSingleObject / GetExitCodeProcess / TerminateProcess to wait on and then kill the target, matching the NtTerminateProcess calls against PID 884. GetSystemDirectoryW / lstrcatW / CreateProcessW suggest the target is launched by the sample from the system directory, although the trace shown does not include that call and the sandbox lists 884 as a non-child process. IsDebuggerPresent is commonly pulled in by the MSVC debug runtime and is not on its own evidence of an anti-analysis check.

Library KERNEL32.dll:
0x518000 WaitForSingleObject
0x518004 TerminateProcess
0x518008 GetExitCodeProcess
0x51800c CreateRemoteThread
0x518010 CreateProcessW
0x518014 GetSystemDirectoryW
0x518018 VirtualAllocEx
0x51801c WriteProcessMemory
0x518020 lstrcatW
0x518024 GetCurrentThreadId
0x518028 IsDebuggerPresent
0x51802c RaiseException
0x518030 MultiByteToWideChar
0x518034 WideCharToMultiByte
0x518040 GetCurrentProcess
0x51804c GetCurrentProcessId
0x518054 InitializeSListHead
0x518058 GetStartupInfoW
0x51805c GetModuleHandleW
0x518060 GetLastError
0x518064 HeapAlloc
0x518068 HeapFree
0x51806c GetProcessHeap
0x518070 VirtualQuery
0x518074 FreeLibrary
0x518078 GetProcAddress
0x51807c CreateFileW
0x518088 GetModuleFileNameW
0x51808c LoadLibraryExW
0x518090 RtlUnwind
0x518094 SetLastError
0x5180a8 TlsAlloc
0x5180ac TlsGetValue
0x5180b0 TlsSetValue
0x5180b4 TlsFree
0x5180b8 EncodePointer
0x5180bc GetModuleHandleExW
0x5180c0 GetStdHandle
0x5180c4 WriteFile
0x5180c8 ExitProcess
0x5180cc GetCommandLineA
0x5180d0 GetCommandLineW
0x5180d4 HeapValidate
0x5180d8 GetSystemInfo
0x5180dc GetDateFormatW
0x5180e0 GetTimeFormatW
0x5180e4 CompareStringW
0x5180e8 LCMapStringW
0x5180ec GetLocaleInfoW
0x5180f0 IsValidLocale
0x5180f4 GetUserDefaultLCID
0x5180f8 EnumSystemLocalesW
0x5180fc GetFileType
0x518100 GetCurrentThread
0x518104 OutputDebugStringW
0x518108 WriteConsoleW
0x518110 FindClose
0x518114 FindFirstFileExW
0x518118 FindNextFileW
0x51811c IsValidCodePage
0x518120 GetACP
0x518124 GetOEMCP
0x518128 GetCPInfo
0x518138 SetStdHandle
0x51813c GetStringTypeW
0x518140 HeapReAlloc
0x518144 HeapSize
0x51814c FlushFileBuffers
0x518150 GetConsoleCP
0x518154 GetConsoleMode
0x518158 GetFileSizeEx
0x51815c SetFilePointerEx
0x518160 CloseHandle
0x518164 ReadFile
0x518168 ReadConsoleW
0x51816c DecodePointer

Hosts

No hosts contacted.

TCP

No TCP connections recorded. (The attempt to 212.64.87.3:6565 received no reply and is recorded only under the dead-host signature above; there was no established session to list here.)

UDP

Every row originates from the sandbox VM (192.168.56.101). The five DNS queries to 114.114.114.114 (a public Chinese resolver) are not matched by any resolved host above, and the NetBIOS (137/138), NTP (123), LLMNR (5355), SSDP (1900) and WS-Discovery (3702) rows are ordinary Windows background traffic rather than sample activity.

Source          Source port  Destination                     Destination port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 53660 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.