SmartHawk

2.8

中危

55 个模型检测该样本为恶意！

重新分析

下载样本

bfce22f0cf0ddb6920d38b612e3501360f5772edc85cce211df80a5797b5aa18

dbdea804ef4eb5df7ae106edb4b755cb.exe

分析耗时

17s

最近分析

文件大小

169.5KB

静态报毒动态报毒 0NA103EB20 100% AI SCORE=100 AIDETECT BANKERX BSCOPE BUERLOADER CONFIDENCE GDSDA HDFN HDGJ HIGH CONFIDENCE HWOCY4OA IHUTKL KHRX KQ0@ASMI KRYPT KRYPTIK MALPE MALWARE1 MALWARE@#NSSOGO7CO3OZ SAVE SCORE SIGGEN9 SUSGEN TOFSEE UNSAFE VARIADIC WACATAC WVKW X2065 XPSDR YZY0OHM9RVLARXGR ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Ransom:Win32/Shellcode.c439490f	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:BankerX-gen [Trj]	20210404	21.1.5827.0
Tencent	Win32.Backdoor.Tofsee.Wvkw	20210404	1.0.0.1
Kingsoft		20210404	2017.9.26.565
McAfee	Packed-GBE!DBDEA804EF4E	20210404	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

This executable has a PDB path (1 个事件)

pdb_path

C:\fexulunokutuwo ciwawudukixusirob-wetanefipanixiradu calovexir.pdbdb0'

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948412.674036 NtProtectVirtualMemory	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005e4000	success	0	0
1619948412.690036 NtAllocateVirtualMemory	process_identifier: 2216 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00300000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.534639555346362

section

{'size_of_data': '0x0000ec00', 'virtual_address': '0x00001000', 'entropy': 7.534639555346362, 'name': '.text', 'virtual_size': '0x0000eb60'}

description

A section with a high entropy has been found

entropy

0.35014836795252224

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Variadic.A.22.2
FireEye	Generic.mg.dbdea804ef4eb5df
ALYac	Backdoor.Tofsee
Cylance	Unsafe
Zillya	Trojan.Shellcode.Win32.28
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005666c91 )
Alibaba	Ransom:Win32/Shellcode.c439490f
K7GW	Trojan ( 005666c91 )
Cybereason	malicious.4ef4eb
BitDefenderTheta	Gen:NN.ZexaF.34670.kq0@aSmI!DJ
Cyren	W32/Trojan.KHRX-5082
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/Kryptik.HDFN
TrendMicro-HouseCall	TROJ_FRS.0NA103EB20
Avast	Win32:BankerX-gen [Trj]
ClamAV	Win.Dropper.Tofsee-7887861-0
Kaspersky	HEUR:Backdoor.Win32.Tofsee.pef
BitDefender	Gen:Heur.Variadic.A.22.2
NANO-Antivirus	Trojan.Win32.BuerLoader.ihutkl
Paloalto	generic.ml
Tencent	Win32.Backdoor.Tofsee.Wvkw
Ad-Aware	Gen:Heur.Variadic.A.22.2
Emsisoft	Gen:Heur.Variadic.A.22.2 (B)
Comodo	Malware@#nssogo7co3oz
DrWeb	Trojan.Siggen9.45412
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_FRS.0NA103EB20
McAfee-GW-Edition	BehavesLike.Win32.Generic.ct
Sophos	Mal/Generic-S
APEX	Malicious
Jiangmin	Exploit.ShellCode.zl
MaxSecure	Trojan.Malware.101047130.susgen
Avira	TR/AD.BuerLoader.xpsdr
Gridinsoft	Malware.Win32.Wacatac.ba
Microsoft	Trojan:Win32/Tofsee
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Heur.Variadic.A.22.2
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPe.X2065
Acronis	suspicious
McAfee	Packed-GBE!DBDEA804EF4E
MAX	malware (ai score=100)
VBA32	BScope.Trojan.AET.281105
Malwarebytes	Trojan.MalPack.GS
Rising	Exploit.Shellcode!8.2A (C64:YzY0Ohm9rVLARxGr)
Ikarus	Trojan.Win32.Krypt
Fortinet	W32/Kryptik.HDGJ!tr

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-09-12 07:33:48

Imports

Library KERNEL32.dll:

• 0x40010000 FormatMessageA

• 0x40010004 WriteFile

• 0x40010008 GetCurrencyFormatW

• 0x4001000c GetLocaleInfoW

• 0x40010010 Sleep

• 0x40010014 GetFileAttributesA

• 0x40010018 GetExitCodeProcess

• 0x4001001c GetTickCount

• 0x40010020 GetLastError

• 0x40010024 LocalAlloc

• 0x40010028 WritePrivateProfileStringA

• 0x4001002c CreateHardLinkW

• 0x40010030 TransmitCommChar

• 0x40010034 GetPrivateProfileSectionA

• 0x40010038 VirtualProtect

• 0x4001003c GetCurrentProcessId

• 0x40010040 LCMapStringW

• 0x40010044 GetModuleHandleW

• 0x40010048 GetNamedPipeHandleStateA

• 0x4001004c lstrlenA

• 0x40010050 FindResourceA

• 0x40010054 CreateFileA

• 0x40010058 FindFirstFileExA

• 0x4001005c HeapReAlloc

• 0x40010060 GetCommandLineA

• 0x40010064 GetStartupInfoA

• 0x40010068 TerminateProcess

• 0x4001006c GetCurrentProcess

• 0x40010070 UnhandledExceptionFilter

• 0x40010074 SetUnhandledExceptionFilter

• 0x40010078 IsDebuggerPresent

• 0x4001007c GetProcAddress

• 0x40010080 ExitProcess

• 0x40010084 GetStdHandle

• 0x40010088 GetModuleFileNameA

• 0x4001008c FreeEnvironmentStringsA

• 0x40010090 GetEnvironmentStrings

• 0x40010094 FreeEnvironmentStringsW

• 0x40010098 WideCharToMultiByte

• 0x4001009c GetEnvironmentStringsW

• 0x400100a0 SetHandleCount

• 0x400100a4 GetFileType

• 0x400100a8 DeleteCriticalSection

• 0x400100ac TlsGetValue

• 0x400100b0 TlsAlloc

• 0x400100b4 TlsSetValue

• 0x400100b8 TlsFree

• 0x400100bc InterlockedIncrement

• 0x400100c0 SetLastError

• 0x400100c4 GetCurrentThreadId

• 0x400100c8 InterlockedDecrement

• 0x400100cc HeapCreate

• 0x400100d0 VirtualFree

• 0x400100d4 HeapFree

• 0x400100d8 QueryPerformanceCounter

• 0x400100dc GetSystemTimeAsFileTime

• 0x400100e0 LeaveCriticalSection

• 0x400100e4 EnterCriticalSection

• 0x400100e8 LoadLibraryA

• 0x400100ec InitializeCriticalSectionAndSpinCount

• 0x400100f0 GetCPInfo

• 0x400100f4 GetACP

• 0x400100f8 GetOEMCP

• 0x400100fc IsValidCodePage

• 0x40010100 HeapAlloc

• 0x40010104 VirtualAlloc

• 0x40010108 RtlUnwind

• 0x4001010c HeapSize

• 0x40010110 GetLocaleInfoA

• 0x40010114 LCMapStringA

• 0x40010118 MultiByteToWideChar

• 0x4001011c GetStringTypeA

• 0x40010120 GetStringTypeW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.