SmartHawk

3.4

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

d2d2b6b08094dd4a6452d2fdbf4572f61b71e3202689a2f394692067ecdb783b

d2c284127033d971a5289611a1e78016.exe

分析耗时

19s

最近分析

文件大小

510.0KB

静态报毒动态报毒 AGENTTESLA AI SCORE=89 ARTEMIS BT5DTX CGBWG CONFIDENCE DELF DELPHILESS EMOP EMOY FAREIT FMGFAYHTTQLI GDSDA GX59ZKIMIVF HIGH CONFIDENCE HNSACJ HPLOKI IGENT KCLOUD KRYPTIK MALWARE@#4YRPFKLCJNGI OEGP SCORE SIGGEN2 SMBD STATIC AI SUSPICIOUS PE TSCOPE TSPY UNSAFE X2094 ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Alibaba	Trojan:Win32/Kryptik.698e69a5	20190527	0.3.0.5
Tencent		20201211	1.0.0.1
Kingsoft	Win32.Troj.Undef.(kcloud)	20201211	2017.9.26.565
McAfee	Artemis!D2C284127033	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910848.209269 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48824132 registers.edi: 0 registers.eax: 0 registers.ebp: 48824200 registers.edx: 52 registers.ebx: 0 registers.esi: 0 registers.ecx: 654 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 9b exception.symbol: d2c284127033d971a5289611a1e78016+0x96338 exception.instruction: div eax exception.module: d2c284127033d971a5289611a1e78016.exe exception.exception_code: 0xc0000094 exception.offset: 615224 exception.address: 0x496338	success	0	0

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619910848.006269 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f0000	success
1619910848.209269 NtProtectVirtualMemory	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00496000	success
1619910848.225269 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ff0000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.895550635739848

section

{'size_of_data': '0x0007ae00', 'virtual_address': '0x0007c000', 'entropy': 7.895550635739848, 'name': 'UPX1', 'virtual_size': '0x0007b000'}

description

A section with a high entropy has been found

entropy

0.9656188605108055

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 个事件)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Delf.FareIt.Gen.7
FireEye	Generic.mg.d2c284127033d971
ALYac	Spyware.Infostealer.Fareit
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056a5691 )
BitDefender	Trojan.Delf.FareIt.Gen.7
K7GW	Trojan ( 0056a5691 )
Cybereason	malicious.392c51
Arcabit	Trojan.Delf.FareIt.Gen.7
BitDefenderTheta	Gen:NN.ZelphiF.34670.FmGfayHTtQli
Cyren	W32/Injector.OEGP-4909
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/Injector.EMOP
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Dropper.AgentTesla-8985766-1
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
Alibaba	Trojan:Win32/Kryptik.698e69a5
NANO-Antivirus	Trojan.Win32.Kryptik.hnsacj
ViRobot	Trojan.Win32.S.Agent.522240.BE
Ad-Aware	Trojan.Delf.FareIt.Gen.7
Emsisoft	Trojan.Delf.FareIt.Gen.7 (B)
Comodo	Malware@#4yrpfklcjngi
F-Secure	Trojan.TR/Injector.cgbwg
DrWeb	Trojan.PWS.Siggen2.51894
TrendMicro	TSPY_HPLOKI.SMBD
McAfee-GW-Edition	Fareit-FVZ!07788CB48839
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Jiangmin	Trojan.Kryptik.bus
Avira	TR/Injector.cgbwg
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	PWS:Win32/Fareit.AQ!MTB
AhnLab-V3	Suspicious/Win.Delphiless.X2094
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
GData	Trojan.Delf.FareIt.Gen.7
Cynet	Malicious (score: 100)
McAfee	Artemis!D2C284127033
MAX	malware (ai score=89)
VBA32	TScope.Trojan.Delf
Malwarebytes	Trojan.MalPack.DLF
Panda	Trj/GdSda.A
Zoner	Trojan.Win32.91516
TrendMicro-HouseCall	TSPY_HPLOKI.SMBD
Rising	Trojan.Injector!1.C898 (TFE:5:gX59zkimIvF)
Yandex	Trojan.Igent.bT5dTx.32

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:

• 0x4fb38c LoadLibraryA

• 0x4fb390 GetProcAddress

• 0x4fb394 VirtualProtect

• 0x4fb398 VirtualAlloc

• 0x4fb39c VirtualFree

• 0x4fb3a0 ExitProcess

Library advapi32.dll:

• 0x4fb3a8 RegCloseKey

Library comctl32.dll:

• 0x4fb3b0 ImageList_Add

Library comdlg32.dll:

• 0x4fb3b8 GetSaveFileNameA

Library gdi32.dll:

• 0x4fb3c0 SaveDC

Library ole32.dll:

• 0x4fb3c8 CoGetMalloc

Library oleaut32.dll:

• 0x4fb3d0 VariantCopy

Library user32.dll:

• 0x4fb3d8 GetDC

Library version.dll:

• 0x4fb3e0 VerQueryValueA

Library winmm.dll:

• 0x4fb3e8 mciSendCommandA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.