SmartHawk

4.0

中危

52 个模型检测该样本为恶意！

重新分析

下载样本

b77955f7c06080d60d4f34f595eba86e244cfcc0359b6d1ad353a783c993e509

e122391c6f38646cb65f76228e650907.exe

分析耗时

79s

最近分析

文件大小

2.2MB

静态报毒动态报毒 AI SCORE=89 ARTEMIS ATTRIBUTE CLQIJHM COBALT COMETER CONFIDENCE FDNY FUGRAFA GDSDA GENERIK HIGHCONFIDENCE HSXNFX MALICIOUS MALWARE@#X0VQCATBE0MN METERPRETER OWX@AUUN5GPJ QQMPM R002C0WIL20 SCORE SUSGEN SUSPICIOUS PE UNSAFE YMACCO ZEXAF ZFCED7LOZJV 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Cometer.d8a0ad25	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201009	18.4.3895.0
Kingsoft		20201009	2013.8.14.323
McAfee	Artemis!E122391C6F38	20201009	6.0.6.653
CrowdStrike	win/malicious_confidence_60% (D)	20190702	1.0

Starts servers listening (6 个事件)

Time & API	Arguments	Status	Return
1620985508.585633 bind	ip_address: 127.0.0.1 socket: 132 port: 0	success	0
1620985508.585633 listen	socket: 132 backlog: 1	success	0
1620985508.585633 accept	ip_address: socket: 132 port: 0	success	140
1620985549.444633 bind	ip_address: 127.0.0.1 socket: 156 port: 0	success	0
1620985549.444633 listen	socket: 156 backlog: 1	success	0
1620985549.460633 accept	ip_address: socket: 156 port: 0	success	164

Foreign language identified in PE resource (22 个事件)

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

offset

0x0022e820

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000468

name

RT_MENU

language

LANG_CHINESE

offset

0x0022ed00

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000050

name

RT_DIALOG

language

LANG_CHINESE

offset

0x0022ed60

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000120

name

RT_STRING

language

LANG_CHINESE

offset

0x0022ee80

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000048

name

RT_ACCELERATOR

language

LANG_CHINESE

offset

0x0022ed50

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000010

name

RT_GROUP_ICON

language

LANG_CHINESE

offset

0x0022ec88

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000076

name

RT_GROUP_ICON

language

LANG_CHINESE

offset

0x0022ec88

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000076

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

6.818703213727008

section

{'size_of_data': '0x001a4600', 'virtual_address': '0x00001000', 'entropy': 6.818703213727008, 'name': '.text', 'virtual_size': '0x001a44cc'}

description

A section with a high entropy has been found

entropy

0.7379855167873601

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	39.101.174.221

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

39.101.174.221:39999

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

MicroWorld-eScan	Gen:Variant.Fugrafa.78658
FireEye	Generic.mg.e122391c6f38646c
Qihoo-360	Generic/Trojan.c79
ALYac	Trojan.Cometer
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Cometer.d8a0ad25
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Fugrafa.D13342
Invincea	Mal/Generic-S
Cyren	W32/Trojan.FDNY-2940
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Cometer.eiv
BitDefender	Gen:Variant.Fugrafa.78658
NANO-Antivirus	Trojan.Win32.Meterpreter.hsxnfx
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Meterpreter.2334249
Ad-Aware	Gen:Variant.Fugrafa.78658
Emsisoft	Gen:Variant.Fugrafa.78658 (B)
Comodo	Malware@#x0vqcatbe0mn
F-Secure	Backdoor.BDS/Meterpreter.qqmpm
DrWeb	BackDoor.Meterpreter.119
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WIL20
McAfee-GW-Edition	BehavesLike.Win32.Worm.vh
Sophos	Mal/Generic-S
Ikarus	Backdoor.Meterpreter
Jiangmin	Trojan.Cometer.bby
Webroot	W32.Trojan.Gen
Avira	BDS/Meterpreter.qqmpm
Antiy-AVL	Trojan/Win32.Cobalt
Microsoft	Trojan:Win32/Ymacco.AAB7
AegisLab	Trojan.Win32.Cometer.4!c
ZoneAlarm	Trojan.Win32.Cometer.eiv
GData	Gen:Variant.Fugrafa.78658
McAfee	Artemis!E122391C6F38
MAX	malware (ai score=89)
VBA32	Backdoor.Meterpreter
Malwarebytes	Trojan.Cometer
TrendMicro-HouseCall	TROJ_GEN.R002C0WIL20
Rising	Backdoor.Agent!8.C5D (TFE:5:ZfCEd7loZjV)
SentinelOne	DFI - Suspicious PE
eGambit	Unsafe.AI_Score_89%
Fortinet	W32/Generik.CLQIJHM!tr
BitDefenderTheta	Gen:NN.ZexaF.34298.owX@auuN5Gpj
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-15 20:15:44

Imports

Library WS2_32.dll:

• 0x5a6284 getnameinfo

• 0x5a6288 shutdown

• 0x5a628c recv

• 0x5a6290 ntohl

• 0x5a6294 gethostname

• 0x5a6298 sendto

• 0x5a629c recvfrom

• 0x5a62a0 freeaddrinfo

• 0x5a62a4 getaddrinfo

• 0x5a62a8 select

• 0x5a62ac __WSAFDIsSet

• 0x5a62b0 ioctlsocket

• 0x5a62b4 listen

• 0x5a62b8 htonl

• 0x5a62bc accept

• 0x5a62c0 WSACleanup

• 0x5a62c4 WSAStartup

• 0x5a62c8 WSAIoctl

• 0x5a62cc WSASetLastError

• 0x5a62d0 socket

• 0x5a62d4 setsockopt

• 0x5a62d8 ntohs

• 0x5a62dc htons

• 0x5a62e0 getsockopt

• 0x5a62e4 getsockname

• 0x5a62e8 getpeername

• 0x5a62ec connect

• 0x5a62f0 bind

• 0x5a62f4 WSAGetLastError

• 0x5a62f8 send

• 0x5a62fc closesocket

Library WLDAP32.dll:

• 0x5a6238

• 0x5a623c

• 0x5a6240

• 0x5a6244

• 0x5a6248

• 0x5a624c

• 0x5a6250

• 0x5a6254

• 0x5a6258

• 0x5a625c

• 0x5a6260

• 0x5a6264

• 0x5a6268

• 0x5a626c

• 0x5a6270

• 0x5a6274

• 0x5a6278

• 0x5a627c

Library Normaliz.dll:

• 0x5a6220 IdnToAscii

Library KERNEL32.dll:

• 0x5a6064 DecodePointer

• 0x5a6068 HeapSize

• 0x5a606c GetTimeZoneInformation

• 0x5a6070 SetEndOfFile

• 0x5a6074 WriteConsoleW

• 0x5a6078 GetFileAttributesExW

• 0x5a607c DeleteFileW

• 0x5a6080 GetProcessHeap

• 0x5a6084 SetEnvironmentVariableA

• 0x5a6088 FreeEnvironmentStringsW

• 0x5a608c GetEnvironmentStringsW

• 0x5a6090 GetCommandLineW

• 0x5a6094 GetCommandLineA

• 0x5a6098 GetCPInfo

• 0x5a609c GetOEMCP

• 0x5a60a0 IsValidCodePage

• 0x5a60a4 FindNextFileW

• 0x5a60a8 FindFirstFileExW

• 0x5a60ac FindClose

• 0x5a60b0 FlushFileBuffers

• 0x5a60b4 SetStdHandle

• 0x5a60b8 Sleep

• 0x5a60bc GetSystemTime

• 0x5a60c0 LoadLibraryW

• 0x5a60c4 GetProcAddress

• 0x5a60c8 FreeLibrary

• 0x5a60cc GetStdHandle

• 0x5a60d0 GetEnvironmentVariableW

• 0x5a60d4 GetFileType

• 0x5a60d8 WriteFile

• 0x5a60dc GetLastError

• 0x5a60e0 GetModuleHandleW

• 0x5a60e4 MultiByteToWideChar

• 0x5a60e8 EnterCriticalSection

• 0x5a60ec LeaveCriticalSection

• 0x5a60f0 InitializeCriticalSectionEx

• 0x5a60f4 DeleteCriticalSection

• 0x5a60f8 SleepEx

• 0x5a60fc VerSetConditionMask

• 0x5a6100 QueryPerformanceFrequency

• 0x5a6104 GetSystemDirectoryA

• 0x5a6108 GetModuleHandleA

• 0x5a610c LoadLibraryA

• 0x5a6110 VerifyVersionInfoA

• 0x5a6114 QueryPerformanceCounter

• 0x5a6118 GetTickCount

• 0x5a611c MoveFileExA

• 0x5a6120 CloseHandle

• 0x5a6124 WaitForSingleObjectEx

• 0x5a6128 GetEnvironmentVariableA

• 0x5a612c ReadFile

• 0x5a6130 PeekNamedPipe

• 0x5a6134 WaitForMultipleObjects

• 0x5a6138 SetLastError

• 0x5a613c FormatMessageA

• 0x5a6140 WideCharToMultiByte

• 0x5a6144 GetFullPathNameW

• 0x5a6148 GetCurrentDirectoryW

• 0x5a614c GetStringTypeW

• 0x5a6150 SystemTimeToFileTime

• 0x5a6154 SetConsoleMode

• 0x5a6158 ReadConsoleA

• 0x5a615c SwitchToFiber

• 0x5a6160 LCMapStringW

• 0x5a6164 DeleteFiber

• 0x5a6168 CreateFiber

• 0x5a616c FindFirstFileW

• 0x5a6170 FormatMessageW

• 0x5a6174 ConvertFiberToThread

• 0x5a6178 ConvertThreadToFiber

• 0x5a617c GetModuleFileNameA

• 0x5a6180 UnhandledExceptionFilter

• 0x5a6184 SetUnhandledExceptionFilter

• 0x5a6188 GetCurrentProcess

• 0x5a618c TerminateProcess

• 0x5a6190 IsProcessorFeaturePresent

• 0x5a6194 GetCurrentProcessId

• 0x5a6198 GetCurrentThreadId

• 0x5a619c GetSystemTimeAsFileTime

• 0x5a61a0 InitializeSListHead

• 0x5a61a4 IsDebuggerPresent

• 0x5a61a8 GetStartupInfoW

• 0x5a61ac RaiseException

• 0x5a61b0 RtlUnwind

• 0x5a61b4 InitializeCriticalSectionAndSpinCount

• 0x5a61b8 TlsAlloc

• 0x5a61bc TlsGetValue

• 0x5a61c0 TlsSetValue

• 0x5a61c4 TlsFree

• 0x5a61c8 LoadLibraryExW

• 0x5a61cc ExitProcess

• 0x5a61d0 GetModuleHandleExW

• 0x5a61d4 SetConsoleCtrlHandler

• 0x5a61d8 CreateFileW

• 0x5a61dc GetDriveTypeW

• 0x5a61e0 SystemTimeToTzSpecificLocalTime

• 0x5a61e4 FileTimeToSystemTime

• 0x5a61e8 CreateThread

• 0x5a61ec ExitThread

• 0x5a61f0 FreeLibraryAndExitThread

• 0x5a61f4 SetFilePointerEx

• 0x5a61f8 GetModuleFileNameW

• 0x5a61fc GetACP

• 0x5a6200 GetConsoleMode

• 0x5a6204 ReadConsoleW

• 0x5a6208 GetConsoleCP

• 0x5a620c HeapAlloc

• 0x5a6210 HeapFree

• 0x5a6214 HeapReAlloc

• 0x5a6218 CompareStringW

Library USER32.dll:

• 0x5a6228 MessageBoxW

• 0x5a622c GetUserObjectInformationW

• 0x5a6230 GetProcessWindowStation

Library ADVAPI32.dll:

• 0x5a6000 CryptReleaseContext

• 0x5a6004 CryptEnumProvidersW

• 0x5a6008 CryptSignHashW

• 0x5a600c CryptDestroyHash

• 0x5a6010 CryptCreateHash

• 0x5a6014 CryptDecrypt

• 0x5a6018 CryptExportKey

• 0x5a601c CryptGetUserKey

• 0x5a6020 CryptGetProvParam

• 0x5a6024 CryptSetHashParam

• 0x5a6028 CryptDestroyKey

• 0x5a602c CryptGenRandom

• 0x5a6030 DeregisterEventSource

• 0x5a6034 CryptAcquireContextW

• 0x5a6038 RegisterEventSourceW

• 0x5a603c ReportEventW

Library CRYPT32.dll:

• 0x5a6044 CertCloseStore

• 0x5a6048 CertOpenStore

• 0x5a604c CertEnumCertificatesInStore

• 0x5a6050 CertDuplicateCertificateContext

• 0x5a6054 CertFreeCertificateContext

• 0x5a6058 CertGetCertificateContextProperty

• 0x5a605c CertFindCertificateInStore

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.