SmartHawk

2.8

中危

63 个模型检测该样本为恶意！

重新分析

下载样本

6d07e88c5caaa9f201ca7580bbe46782a5123097a8592a71108de463e6097223

d4aa0154924df4d854b6a0ce3f6ae2f8.exe

分析耗时

82s

最近分析

文件大小

2.0MB

静态报毒动态报毒 @N0@A0CSMGFI AI SCORE=83 AIDETECTVM AS@8RFF2F BANKERX CONFIDENCE DRIDEX ELDORADO ENCPK EQDY GDSDA GENCIRC GENKRYPTIK HDXO HIGH CONFIDENCE HJZKUN INJECT3 KRYPTIK MALICIOUS PE MALWARE1 MCFKQ PINKSBOT QAKBOT QBOT QBOTPMF R002C0DE620 R335416 S13165854 SCORE TROJANBANKER UNSAFE YZY0OONQPI9BBOLB ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	W32/PinkSbot-GN!D4AA0154924D	20200703	6.0.6.653
Alibaba	TrojanBanker:Win32/Kryptik.eeece953	20190527	0.3.0.5
Avast	Win32:BankerX-gen [Trj]	20200703	18.4.3895.0
Baidu		20190318	1.0.0.2
Kingsoft		20200703	2013.8.14.323
Tencent	Malware.Win32.Gencirc.10b9ecfb	20200703	1.0.0.1
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910881.168495 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Allocates read-write-execute memory (usually to unpack itself) (4 个事件)

Time & API	Arguments	Status
1619910847.059495 NtAllocateVirtualMemory	process_identifier: 2340 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e00000	success
1619910881.105495 NtAllocateVirtualMemory	process_identifier: 2340 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e80000	success
1619910881.105495 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619921644.233375 NtAllocateVirtualMemory	process_identifier: 1688 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910881.840495 CreateProcessInternalW	thread_identifier: 1300 thread_handle: 0x00000154 process_identifier: 1688 current_directory: filepath: track: 1 command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d4aa0154924df4d854b6a0ce3f6ae2f8.exe /C filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000158 inherit_handles: 0	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 个事件)

Bkav	W32.AIDetectVM.malware1
DrWeb	Trojan.Inject3.39575
MicroWorld-eScan	Trojan.Agent.EQDY
CAT-QuickHeal	Trojan.QbotPMF.S13165854
Qihoo-360	Win32/Trojan.BO.f03
McAfee	W32/PinkSbot-GN!D4AA0154924D
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2017489
SUPERAntiSpyware	Trojan.Agent/Gen-QBot
Sangfor	Malware
K7AntiVirus	Trojan ( 0056625d1 )
Alibaba	TrojanBanker:Win32/Kryptik.eeece953
K7GW	Trojan ( 0056625d1 )
Cybereason	malicious.27ffba
Arcabit	Trojan.Agent.EQDY
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZexaF.34130.@n0@a0cSMGfi
F-Prot	W32/Kryptik.BMM.gen!Eldorado
Symantec	Packed.Generic.459
ESET-NOD32	a variant of Win32/Kryptik.HDXO
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Qbot-7768292-0
Kaspersky	HEUR:Trojan-Banker.Win32.Qbot.pef
BitDefender	Trojan.Agent.EQDY
NANO-Antivirus	Trojan.Win32.Inject3.hjzkun
ViRobot	Trojan.Win32.Z.Agent.2087936.I
Avast	Win32:BankerX-gen [Trj]
Rising	Backdoor.Qakbot!8.C7B (C64:YzY0OonqpI9bbolB)
Ad-Aware	Trojan.Agent.EQDY
Emsisoft	Trojan.Agent.EQDY (B)
Comodo	TrojWare.Win32.Qbot.AS@8rff2f
F-Secure	Trojan.TR/AD.Qbot.mcfkq
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DE620
Fortinet	W32/QBOT.CC!tr
FireEye	Generic.mg.d4aa0154924df4d8
Sophos	Mal/EncPk-APV
SentinelOne	DFI - Malicious PE
Cyren	W32/Kryptik.BMM.gen!Eldorado
Jiangmin	Trojan.Banker.Qbot.oh
Webroot	W32.Trojan.Gen
Avira	TR/AD.Qbot.mcfkq
MAX	malware (ai score=83)
Antiy-AVL	Trojan[Banker]/Win32.Qbot
Endgame	malicious (high confidence)
Microsoft	Trojan:Win32/Dridex.RAC!MTB
AegisLab	Trojan.Win32.Eqdy.4!c
ZoneAlarm	HEUR:Trojan-Banker.Win32.Qbot.pef
Cynet	Malicious (score: 90)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-05 19:41:32

Imports

Library KERNEL32.dll:

• 0x5c76f4 SetEndOfFile

• 0x5c76f8 HeapSize

• 0x5c76fc GetTimeZoneInformation

• 0x5c7700 CreateFileW

• 0x5c7704 GetProcessHeap

• 0x5c7708 SetStdHandle

• 0x5c770c SetEnvironmentVariableA

• 0x5c7710 FreeEnvironmentStringsW

• 0x5c7714 GetTickCount

• 0x5c7718 GetProcAddress

• 0x5c771c GetStdHandle

• 0x5c7720 ReadFile

• 0x5c7724 WriteFile

• 0x5c7728 GetConsoleMode

• 0x5c772c SetConsoleMode

• 0x5c7730 FreeLibrary

• 0x5c7734 LoadLibraryA

• 0x5c7738 CloseHandle

• 0x5c773c GetLastError

• 0x5c7740 GetOverlappedResult

• 0x5c7744 SetEvent

• 0x5c7748 WaitForSingleObject

• 0x5c774c CreateEventA

• 0x5c7750 CreateThread

• 0x5c7754 GetSystemDirectoryA

• 0x5c7758 FormatMessageA

• 0x5c775c DecodePointer

• 0x5c7760 FindFirstFileA

• 0x5c7764 FindNextFileA

• 0x5c7768 QueryPerformanceCounter

• 0x5c776c GetProcessTimes

• 0x5c7770 GetCurrentProcess

• 0x5c7774 GetCurrentProcessId

• 0x5c7778 GetCurrentThread

• 0x5c777c GetThreadTimes

• 0x5c7780 GetSystemTime

• 0x5c7784 GetSystemTimeAdjustment

• 0x5c7788 GetWindowsDirectoryA

• 0x5c778c GlobalMemoryStatus

• 0x5c7790 CreateFileA

• 0x5c7794 LocalFree

• 0x5c7798 WaitNamedPipeA

• 0x5c779c ConnectNamedPipe

• 0x5c77a0 CreateNamedPipeA

• 0x5c77a4 GetCurrentThreadId

• 0x5c77a8 MapViewOfFile

• 0x5c77ac UnmapViewOfFile

• 0x5c77b0 LocalAlloc

• 0x5c77b4 CreateFileMappingA

• 0x5c77b8 GetFileType

• 0x5c77bc SetHandleInformation

• 0x5c77c0 CreatePipe

• 0x5c77c4 CreateProcessA

• 0x5c77c8 OpenProcess

• 0x5c77cc ClearCommBreak

• 0x5c77d0 GetCommState

• 0x5c77d4 SetCommBreak

• 0x5c77d8 SetCommState

• 0x5c77dc SetCommTimeouts

• 0x5c77e0 ReleaseMutex

• 0x5c77e4 CreateMutexA

• 0x5c77e8 GetEnvironmentVariableA

• 0x5c77ec DeleteFileA

• 0x5c77f0 GetLocalTime

• 0x5c77f4 UnhandledExceptionFilter

• 0x5c77f8 SetUnhandledExceptionFilter

• 0x5c77fc TerminateProcess

• 0x5c7800 IsProcessorFeaturePresent

• 0x5c7804 GetSystemTimeAsFileTime

• 0x5c7808 InitializeSListHead

• 0x5c780c IsDebuggerPresent

• 0x5c7810 GetStartupInfoW

• 0x5c7814 GetModuleHandleW

• 0x5c7818 FindClose

• 0x5c781c GetModuleFileNameW

• 0x5c7820 InitializeCriticalSectionAndSpinCount

• 0x5c7824 TlsAlloc

• 0x5c7828 TlsGetValue

• 0x5c782c TlsSetValue

• 0x5c7830 TlsFree

• 0x5c7834 LoadLibraryExW

• 0x5c7838 RtlUnwind

• 0x5c783c SetLastError

• 0x5c7840 EnterCriticalSection

• 0x5c7844 LeaveCriticalSection

• 0x5c7848 DeleteCriticalSection

• 0x5c784c GetModuleFileNameA

• 0x5c7850 GetModuleHandleExW

• 0x5c7854 WriteConsoleW

• 0x5c7858 MultiByteToWideChar

• 0x5c785c WideCharToMultiByte

• 0x5c7860 ExitProcess

• 0x5c7864 GetCommandLineA

• 0x5c7868 GetCommandLineW

• 0x5c786c GetACP

• 0x5c7870 HeapFree

• 0x5c7874 HeapAlloc

• 0x5c7878 OutputDebugStringW

• 0x5c787c WaitForSingleObjectEx

• 0x5c7880 GetStringTypeW

• 0x5c7884 GetDateFormatW

• 0x5c7888 GetTimeFormatW

• 0x5c788c CompareStringW

• 0x5c7890 LCMapStringW

• 0x5c7894 FlushFileBuffers

• 0x5c7898 GetConsoleCP

• 0x5c789c HeapReAlloc

• 0x5c78a0 ReadConsoleW

• 0x5c78a4 SetFilePointerEx

• 0x5c78a8 FindFirstFileExA

• 0x5c78ac IsValidCodePage

• 0x5c78b0 GetOEMCP

• 0x5c78b4 GetCPInfo

• 0x5c78b8 GetEnvironmentStringsW

• 0x5c78bc RaiseException

• 0x5c78c0 Process32FirstW

• 0x5c78c4 PurgeComm

• 0x5c78c8 DuplicateHandle

• 0x5c78cc InterlockedDecrement

• 0x5c78d0 VirtualFree

• 0x5c78d4 HeapValidate

• 0x5c78d8 GetConsoleWindow

• 0x5c78dc FreeLibraryAndExitThread

• 0x5c78e0 GetConsoleDisplayMode

• 0x5c78e4 SetConsoleScreenBufferSize

• 0x5c78e8 GetConsoleScreenBufferInfo

• 0x5c78ec SetConsoleTitleA

• 0x5c78f0 CreateDirectoryExA

• 0x5c78f4 SetMessageWaitingIndicator

• 0x5c78f8 TransmitCommChar

• 0x5c78fc OpenEventA

• 0x5c7900 BuildCommDCBAndTimeoutsW

• 0x5c7904 OpenSemaphoreA

• 0x5c7908 EnumResourceNamesW

• 0x5c790c GetPrivateProfileStructW

• 0x5c7910 Module32FirstW

• 0x5c7914 BindIoCompletionCallback

• 0x5c7918 lstrcat

• 0x5c791c MoveFileA

• 0x5c7920 GetDiskFreeSpaceExA

• 0x5c7924 CreateTimerQueue

• 0x5c7928 _lread

• 0x5c792c FileTimeToLocalFileTime

• 0x5c7930 LoadLibraryExA

• 0x5c7934 WriteProfileSectionW

• 0x5c7938 FlushConsoleInputBuffer

• 0x5c793c GetUserDefaultLCID

• 0x5c7940 IsBadReadPtr

• 0x5c7944 CreateWaitableTimerW

• 0x5c7948 GetModuleHandleA

• 0x5c794c VirtualAlloc

• 0x5c7950 LoadLibraryW

Library USER32.dll:

• 0x5c7958 MsgWaitForMultipleObjects

• 0x5c795c PeekMessageA

• 0x5c7960 FindWindowA

• 0x5c7964 SendMessageA

• 0x5c7968 GetCursorPos

• 0x5c796c GetForegroundWindow

• 0x5c7970 GetCapture

• 0x5c7974 GetQueueStatus

• 0x5c7978 GetClipboardOwner

• 0x5c797c PostMessageA

• 0x5c7980 EnumDisplayMonitors

• 0x5c7984 ShowWindow

• 0x5c7988 UnhookWinEvent

• 0x5c798c DdeQueryStringA

• 0x5c7990 ChangeDisplaySettingsW

• 0x5c7994 EnumDisplaySettingsExA

• 0x5c7998 SendMessageCallbackW

• 0x5c799c PostThreadMessageA

• 0x5c79a0 OffsetRect

• 0x5c79a4 SetScrollRange

• 0x5c79a8 DeregisterShellHookWindow

• 0x5c79ac UnpackDDElParam

• 0x5c79b0 CreateIconIndirect

• 0x5c79b4 LoadCursorFromFileW

• 0x5c79b8 SetCapture

• 0x5c79bc GetProcessDefaultLayout

• 0x5c79c0 RegisterHotKey

• 0x5c79c4 ShowOwnedPopups

• 0x5c79c8 FlashWindowEx

• 0x5c79cc GetMessagePos

• 0x5c79d0 DdeSetQualityOfService

• 0x5c79d4 CloseWindowStation

• 0x5c79d8 FreeDDElParam

• 0x5c79dc GetPropA

• 0x5c79e0 OemKeyScan

• 0x5c79e4 SwitchDesktop

• 0x5c79e8 SetWindowTextA

• 0x5c79ec LoadIconW

• 0x5c79f0 LoadCursorFromFileA

Library GDI32.dll:

• 0x5c79f8 FONTOBJ_vGetInfo

• 0x5c79fc XLATEOBJ_iXlate

• 0x5c7a00 GetLayout

• 0x5c7a04 CheckColorsInGamut

• 0x5c7a08 GetRasterizerCaps

• 0x5c7a0c EngDeletePalette

• 0x5c7a10 GetStringBitmapA

• 0x5c7a14 MoveToEx

• 0x5c7a18 EnumFontFamiliesW

• 0x5c7a1c GetBoundsRect

• 0x5c7a20 GetFontUnicodeRanges

• 0x5c7a24 GetTextExtentExPointWPri

• 0x5c7a28 GetTextExtentPoint32W

• 0x5c7a2c EngFindResource

• 0x5c7a30 EngDeleteSemaphore

• 0x5c7a34 GetEnhMetaFileDescriptionA

• 0x5c7a38 SetMagicColors

• 0x5c7a3c STROBJ_vEnumStart

• 0x5c7a40 DeviceCapabilitiesExA

• 0x5c7a44 GdiSetLastError

• 0x5c7a48 CreateColorSpaceA

• 0x5c7a4c SetWorldTransform

• 0x5c7a50 SetPixel

• 0x5c7a54 AnimatePalette

• 0x5c7a58 SetViewportExtEx

• 0x5c7a5c EqualRgn

• 0x5c7a60 Chord

• 0x5c7a64 GetCharWidthInfo

• 0x5c7a68 GetTextFaceAliasW

• 0x5c7a6c AbortDoc

• 0x5c7a70 CreateScalableFontResourceW

• 0x5c7a74 GetFontData

• 0x5c7a78 EngCreateDeviceSurface

• 0x5c7a7c GdiStartPageEMF

• 0x5c7a80 AddFontResourceA

• 0x5c7a84 CreateRectRgnIndirect

Library COMDLG32.dll:

• 0x5c7a8c GetFileTitleA

Library ADVAPI32.dll:

• 0x5c7a94 RegCloseKey

• 0x5c7a98 RegOpenKeyA

• 0x5c7a9c RegQueryValueExA

• 0x5c7aa0 GetUserNameA

• 0x5c7aa4 EqualSid

• 0x5c7aa8 AllocateAndInitializeSid

• 0x5c7aac CopySid

• 0x5c7ab0 GetLengthSid

• 0x5c7ab4 InitializeSecurityDescriptor

• 0x5c7ab8 SetSecurityDescriptorDacl

• 0x5c7abc SetSecurityDescriptorOwner

• 0x5c7ac0 RegCreateKeyA

• 0x5c7ac4 RegSetValueExA

• 0x5c7ac8 SystemFunction036

• 0x5c7acc RegSetValueA

Library SHELL32.dll:

• 0x5c7ad4 ExtractAssociatedIconExA

• 0x5c7ad8 SHGetSettings

• 0x5c7adc SHGetIconOverlayIndexW

• 0x5c7ae0 SHGetPathFromIDListW

• 0x5c7ae4 ExtractAssociatedIconExW

• 0x5c7ae8 ShellExecuteExA

• 0x5c7aec CheckEscapesW

• 0x5c7af0 SHGetFolderPathA

• 0x5c7af4 SHGetDesktopFolder

• 0x5c7af8 DuplicateIcon

• 0x5c7afc SHGetFolderLocation

• 0x5c7b00 SHInvokePrinterCommandA

• 0x5c7b04 DoEnvironmentSubstW

• 0x5c7b08 SHIsFileAvailableOffline

• 0x5c7b0c DragQueryFile

• 0x5c7b10 SHGetPathFromIDListA

Library ole32.dll:

• 0x5c7b18 CoTaskMemFree

Library SHLWAPI.dll:

• 0x5c7b20 StrRStrIW

• 0x5c7b24 StrRChrIA

• 0x5c7b28 StrChrW

• 0x5c7b2c StrRStrIA

• 0x5c7b30 PathIsUNCA

Library COMCTL32.dll:

• 0x5c7b38 _TrackMouseEvent

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.