SmartHawk

5.0

中危

60 个模型检测该样本为恶意！

重新分析

下载样本

6b224fc7c8dd28fb1bc51f674f7243727d0e965844d186840422b343a82561af

d9993bfafe35579c4bc9cc4793d9098f.exe

分析耗时

81s

最近分析

文件大小

31.5KB

静态报毒动态报毒 100% AI SCORE=88 ATTRIBUTE AUTOIT BA@7OEJ5X BACKDOORNJRAT BLADABI BLADABINDI BMW@AG55R0F CLOUD CONFIDENCE ECSQGN ELDORADO GDSDA GEN7 GEN8 HARMINERLL HIGH CONFIDENCE HIGHCONFIDENCE HWMAFIYA KBJVTIMNMIW LA1H MALICIOUS PE NJRAT R + MAL R130484 SAVE SCORE STATIC AI SUSGEN TSCOPE UNSAFE WTDP ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Backdoor:MSIL/Bladabindi.5a61796b	20190527	0.3.0.5
Baidu	MSIL.Backdoor.Bladabindi.a	20190318	1.0.0.2
Avast	MSIL:Bladabindi-JK [Trj]	20210329	21.1.5827.0
Tencent	Win32.Trojan.Generic.Wtdp	20210329	1.0.0.1
Kingsoft		20210329	2017.9.26.565
McAfee	BackDoor-NJRat!D9993BFAFE35	20210329	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006408.71275 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006414.61875 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (21 个事件)

Time & API	Arguments	Status
1621006406.83775 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x003f0000	success
1621006406.83775 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00420000	success
1621006408.14975 NtProtectVirtualMemory	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success
1621006408.72775 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047a000	success
1621006408.74375 NtProtectVirtualMemory	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success
1621006408.74375 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00472000	success
1621006409.69675 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00482000	success
1621006410.16575 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00483000	success
1621006410.22775 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004bb000	success
1621006410.22775 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b7000	success
1621006410.46275 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048c000	success
1621006410.68075 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00730000	success
1621006411.88475 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00484000	success
1621006413.00975 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00485000	success
1621006413.02475 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00486000	success
1621006413.18075 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004aa000	success
1621006413.32175 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a2000	success
1621006414.38475 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00731000	success
1621006414.49375 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success
1621006414.55575 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049a000	success
1621006414.57175 NtAllocateVirtualMemory	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00497000	success

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006414.50975 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	52.218.30.236

A process attempted to delay the analysis task. (1 个事件)

description

d9993bfafe35579c4bc9cc4793d9098f.exe tried to sleep 2728163 seconds, actually delayed analysis time by 2728163 seconds

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.HarMinerLL.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Generic.MSIL.Bladabindi.95358F1F
FireEye	Generic.mg.d9993bfafe35579c
ALYac	Generic.MSIL.Bladabindi.95358F1F
Cylance	Unsafe
Zillya	Trojan.Bladabindi.Win32.99364
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
Alibaba	Backdoor:MSIL/Bladabindi.5a61796b
K7GW	Trojan ( 700000121 )
Cybereason	malicious.afe355
Arcabit	Generic.MSIL.Bladabindi.95358F1F
Baidu	MSIL.Backdoor.Bladabindi.a
Cyren	W32/MSIL_Bladabindi.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Bladabindi.AS
APEX	Malicious
Avast	MSIL:Bladabindi-JK [Trj]
ClamAV	Win.Trojan.B-468
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Generic.MSIL.Bladabindi.95358F1F
NANO-Antivirus	Trojan.Win32.Gen8.ecsqgn
Paloalto	generic.ml
AegisLab	Trojan.Win32.Generic.lA1H
Tencent	Win32.Trojan.Generic.Wtdp
Ad-Aware	Generic.MSIL.Bladabindi.95358F1F
TACHYON	Backdoor/W32.DN-NjRat.32256
Sophos	Mal/Generic-R + Mal/Bladabi-D
Comodo	Backdoor.MSIL.Bladabindi.BA@7oej5x
DrWeb	BackDoor.Bladabindi.15771
VIPRE	Backdoor.MSIL.Bladabindi.a (v)
TrendMicro	BKDR_BLADABI.SMC
McAfee-GW-Edition	BehavesLike.Win32.BackdoorNJRat.nm
Emsisoft	Generic.MSIL.Bladabindi.95358F1F (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDropper.Autoit.dce
Avira	TR/Dropper.Gen7
eGambit	Unsafe.AI_Score_100%
Microsoft	Backdoor:MSIL/Bladabindi
GData	MSIL.Trojan-Spy.Bladabindi.BQ
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Bladabindi.R130484
Acronis	suspicious
McAfee	BackDoor-NJRat!D9993BFAFE35
MAX	malware (ai score=88)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Generic.Trojan.Malicious.DDS
Zoner	Trojan.Win32.85838
TrendMicro-HouseCall	BKDR_BLADABI.SMC

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-08 01:30:04

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
52.218.30.236	80	192.168.56.101	49191

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63497	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60215	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	57757	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.