SmartHawk

3.0

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

7637970576d0b0accd1913e4ea1790b102de0ec8522c0caccc8b9d9f042a9512

e0aea29571870842b3905d5cd1519f6a.exe

分析耗时

16s

最近分析

文件大小

173.0KB

静态报毒动态报毒 100% AI SCORE=81 AIDETECTVM ATTRIBUTE BUNITU CLASSIC COINMINERX CONFIDENCE ELDORADO ELQV EMOTET FSEV GANDCRAB GDSDA GENKRYPTIK HDGH HIGH CONFIDENCE HIGHCONFIDENCE KILLPROC2 KQ0@AQTU43S KRYPTIK MALPE MALWARE1 MALWARE@#8S83ISM8GFZX MINT PAYMEN45 PHOBOSRANSOM R06EC0DIA20 RACK SCORE STATIC AI SUSGEN SUSPICIOUS PE TITIREZ TOFSEE TRRQ UNSAFE WACATAC X2065 ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Tofsee.edc74b84	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:CoinminerX-gen [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
McAfee	Trojan-FSEV!E0AEA2957187	20201211	6.0.6.653
Tencent		20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

C:\vigajemulahehedug74-toku.pdb\crypt\tmp_1654747783\bin\movezo.pdbà(lTHkþÿ

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

AFX_DIALOG_LAYOUT

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948412.916662 NtProtectVirtualMemory	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00ce4000	success	0	0
1619948412.932662 NtAllocateVirtualMemory	process_identifier: 2868 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00310000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.544202017620747

section

{'size_of_data': '0x0000fa00', 'virtual_address': '0x00001000', 'entropy': 7.544202017620747, 'name': '.text', 'virtual_size': '0x0000f820'}

description

A section with a high entropy has been found

entropy

0.3633720930232558

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Titirez.1.23
FireEye	Generic.mg.e0aea29571870842
Qihoo-360	Win32/Trojan.Ransom.eed
ALYac	Trojan.Ransom.Paymen45
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Tofsee.edc74b84
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Mint.Titirez.1.23
Cyren	W32/GandCrab.BD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Bunitu-7867941-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.Mint.Titirez.1.23
AegisLab	Trojan.Win32.Rack.trrq
Avast	Win32:CoinminerX-gen [Trj]
Rising	Trojan.Kryptik!1.C65B (CLASSIC)
Ad-Aware	Gen:Heur.Mint.Titirez.1.23
Sophos	Mal/Generic-S
Comodo	Malware@#8s83ism8gfzx
F-Secure	Trojan.TR/AD.PhobosRansom.fwz
DrWeb	Trojan.KillProc2.10660
TrendMicro	Ransom_Rack.R06EC0DIA20
McAfee-GW-Edition	BehavesLike.Win32.Emotet.ct
Emsisoft	Gen:Heur.Mint.Titirez.1.23 (B)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Malware.Gen
Avira	TR/AD.PhobosRansom.fwz
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Trojan.Win32.Wacatac.ba
Microsoft	Trojan:Win32/Tofsee.GM!MTB
ViRobot	Trojan.Win32.S.Ransom.177152
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Heur.Mint.Titirez.1.23
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPe.X2065
Acronis	suspicious
McAfee	Trojan-FSEV!E0AEA2957187
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/Kryptik.HDGH
TrendMicro-HouseCall	Ransom_Rack.R06EC0DIA20
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_95%

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-04-17 00:29:21

Imports

Library KERNEL32.dll:

• 0x411000 GetCurrencyFormatA

• 0x411004 SetCommTimeouts

• 0x411008 GlobalAlloc

• 0x41100c Sleep

• 0x411010 GetExitCodeProcess

• 0x411014 GetFileAttributesW

• 0x411018 ReadFile

• 0x41101c lstrlenW

• 0x411020 WritePrivateProfileStringW

• 0x411024 FormatMessageA

• 0x411028 LCMapStringA

• 0x41102c FindFirstFileExA

• 0x411030 GetLastError

• 0x411034 GetProcAddress

• 0x411038 RemoveDirectoryA

• 0x41103c OpenWaitableTimerA

• 0x411040 GetPrivateProfileSectionA

• 0x411044 GetCurrentProcessId

• 0x411048 GetModuleHandleW

• 0x41104c CreateHardLinkA

• 0x411050 HeapAlloc

• 0x411054 GetDriveTypeW

• 0x411058 GetLocaleInfoA

• 0x41105c FindResourceA

• 0x411060 GetNamedPipeHandleStateW

• 0x411064 CreateFileA

• 0x411068 GetStartupInfoW

• 0x41106c TerminateProcess

• 0x411070 GetCurrentProcess

• 0x411074 UnhandledExceptionFilter

• 0x411078 SetUnhandledExceptionFilter

• 0x41107c IsDebuggerPresent

• 0x411080 ExitProcess

• 0x411084 WriteFile

• 0x411088 GetStdHandle

• 0x41108c GetModuleFileNameA

• 0x411090 GetModuleFileNameW

• 0x411094 FreeEnvironmentStringsW

• 0x411098 GetEnvironmentStringsW

• 0x41109c GetCommandLineW

• 0x4110a0 SetHandleCount

• 0x4110a4 GetFileType

• 0x4110a8 GetStartupInfoA

• 0x4110ac DeleteCriticalSection

• 0x4110b0 TlsGetValue

• 0x4110b4 TlsAlloc

• 0x4110b8 TlsSetValue

• 0x4110bc TlsFree

• 0x4110c0 InterlockedIncrement

• 0x4110c4 SetLastError

• 0x4110c8 GetCurrentThreadId

• 0x4110cc InterlockedDecrement

• 0x4110d0 HeapCreate

• 0x4110d4 VirtualFree

• 0x4110d8 HeapFree

• 0x4110dc QueryPerformanceCounter

• 0x4110e0 GetTickCount

• 0x4110e4 GetSystemTimeAsFileTime

• 0x4110e8 GetCPInfo

• 0x4110ec GetACP

• 0x4110f0 GetOEMCP

• 0x4110f4 IsValidCodePage

• 0x4110f8 LeaveCriticalSection

• 0x4110fc EnterCriticalSection

• 0x411100 LoadLibraryA

• 0x411104 InitializeCriticalSectionAndSpinCount

• 0x411108 VirtualAlloc

• 0x41110c HeapReAlloc

• 0x411110 RtlUnwind

• 0x411114 WideCharToMultiByte

• 0x411118 MultiByteToWideChar

• 0x41111c LCMapStringW

• 0x411120 GetStringTypeA

• 0x411124 GetStringTypeW

• 0x411128 HeapSize

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.