SmartHawk

5.8

高危

54 个模型检测该样本为恶意！

重新分析

下载样本

54dd660151b98bcbe222d290c2407d654786b72bc2bcdd0293cd8741a1e20266

e1c7ab2be11ce9dee2f0f91263a1fb64.exe

分析耗时

109s

最近分析

文件大小

100.0KB

静态报毒动态报毒 100% AGEN AI SCORE=84 AIDETECTVM ATTRIBUTE AUTO AXDT BSCOPE CLASSIC CONFIDENCE DOWNLOADER33 EGN@8Q4TB9 ELDORADO ELHN FAREIT FAREITVB FORMBOOK GDSDA GM0@AGARJSAI GM0@QGARJSAI GULOADER HIGH CONFIDENCE HIGHCONFIDENCE HJVVIM MALWARE1 NOON PONYSTEALER R + MAL R330931 REMCOS SCORE UNSAFE VBKRYPT VHIC WACATAC ZEVBAF ZO81BNFF4+W 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FRR!E1C7AB2BE11C	20201228	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20201228	21.1.5827.0
Alibaba	TrojanSpy:Win32/Injector.4a8f3348	20190527	0.3.0.5
Kingsoft		20201229	2017.9.26.565
Tencent	Win32.Trojan.Inject.Auto	20201229	1.0.0.1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619979195.68825 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (7 个事件)

Time & API	Arguments	Status
1619951419.469 NtAllocateVirtualMemory	process_identifier: 2616 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01cf0000	success
1619951419.469 NtProtectVirtualMemory	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619979195.54825 NtProtectVirtualMemory	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619978823.909769 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004150000	success
1619979204.047875 NtAllocateVirtualMemory	process_identifier: 1824 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00480000	success
1619979204.047875 NtProtectVirtualMemory	process_identifier: 1824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619979204.187502 NtProtectVirtualMemory	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619951410.547 NtProtectVirtualMemory	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x01ca0000	success	0	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	C:\Users\Administrator.Oskar-PC\DOBBIEFJER\mbenetreg.exe
cmdline	"C:\Users\Administrator.Oskar-PC\DOBBIEFJER\mbenetreg.exe"

Communicates with host for which no DNS query was performed (2 个事件)

host	104.25.233.53
host	172.217.24.14

Installs itself for autorun at Windows startup (2 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\NEWBORNNE				reg_value	C:\Users\Administrator.Oskar-PC\DOBBIEFJER\mbenetreg.vbs
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\NEWBORNNE				reg_value	C:\Users\Administrator.Oskar-PC\DOBBIEFJER\mbenetreg.vbs

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
Cynet	Malicious (score: 85)
FireEye	Gen:Heur.PonyStealer.gm0@qGARJSai
CAT-QuickHeal	Trojanspy.Noon
Qihoo-360	Win32/Trojan.Spy.87a
McAfee	Fareit-FRR!E1C7AB2BE11C
Malwarebytes	Trojan.GuLoader
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Trojan ( 00563a751 )
BitDefender	Gen:Heur.PonyStealer.gm0@qGARJSai
K7GW	Trojan ( 00563a751 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZevbaF.34700.gm0@aGARJSai
Cyren	W32/VBKrypt.AGP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Dropper.Remcos-7647550-0
Kaspersky	Trojan-Spy.Win32.Noon.axdt
Alibaba	TrojanSpy:Win32/Injector.4a8f3348
NANO-Antivirus	Trojan.Win32.Noon.hjvvim
AegisLab	Trojan.Win32.Noon.l!c
MicroWorld-eScan	Gen:Heur.PonyStealer.gm0@qGARJSai
Rising	Downloader.Guloader!1.C913 (CLASSIC)
Ad-Aware	Gen:Heur.PonyStealer.gm0@qGARJSai
Sophos	Mal/Generic-R + Mal/FareitVB-AB
Comodo	TrojWare.Win32.VBKrypt.EGN@8q4tb9
F-Secure	Heuristic.HEUR/AGEN.1134030
DrWeb	Trojan.DownLoader33.24530
TrendMicro	TrojanSpy.Win32.FAREIT.SME.hp
McAfee-GW-Edition	BehavesLike.Win32.Fareit.ct
Emsisoft	Gen:Heur.PonyStealer.gm0@qGARJSai (B)
Avira	HEUR/AGEN.1134030
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Spy]/Win32.Noon
Microsoft	Trojan:Win32/FormBook.BP!MTB
Arcabit	Trojan.PonyStealer.EDEAC1
ZoneAlarm	Trojan-Spy.Win32.Noon.axdt
GData	Gen:Heur.PonyStealer.gm0@qGARJSai
AhnLab-V3	Trojan/Win32.VBKrypt.R330931
VBA32	BScope.Trojan.Wacatac
ALYac	Spyware.Noon.gen
Cylance	Unsafe
Panda	Trj/GdSda.A
ESET-NOD32	a variant of Win32/Injector.ELHN
TrendMicro-HouseCall	TrojanSpy.Win32.FAREIT.SME.hp
Tencent	Win32.Trojan.Inject.Auto
Yandex	Trojan.Injector!zo81BNFF4+w
Ikarus	Trojan.VB.Crypt

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2013-07-27 03:24:56

Imports

Library MSVBVM60.DLL:

• 0x401000 _CIcos

• 0x401004 _adj_fptan

• 0x401008 __vbaVarMove

• 0x40100c __vbaFreeVar

• 0x401010 __vbaEnd

• 0x401014 __vbaFreeVarList

• 0x401018 _adj_fdiv_m64

• 0x40101c __vbaFreeObjList

• 0x401020

• 0x401024 _adj_fprem1

• 0x401028

• 0x40102c __vbaStrCat

• 0x401030 __vbaHresultCheckObj

• 0x401034

• 0x401038 _adj_fdiv_m32

• 0x40103c

• 0x401040

• 0x401044 __vbaObjSet

• 0x401048

• 0x40104c _adj_fdiv_m16i

• 0x401050 __vbaObjSetAddref

• 0x401054 _adj_fdivr_m16i

• 0x401058 _CIsin

• 0x40105c

• 0x401060 __vbaChkstk

• 0x401064 EVENT_SINK_AddRef

• 0x401068 __vbaStrCmp

• 0x40106c

• 0x401070 __vbaI2I4

• 0x401074 __vbaObjVar

• 0x401078 DllFunctionCall

• 0x40107c

• 0x401080 _adj_fpatan

• 0x401084 EVENT_SINK_Release

• 0x401088 _CIsqrt

• 0x40108c EVENT_SINK_QueryInterface

• 0x401090 __vbaExceptHandler

• 0x401094 _adj_fprem

• 0x401098 _adj_fdivr_m64

• 0x40109c __vbaFPException

• 0x4010a0 _CIlog

• 0x4010a4 __vbaErrorOverflow

• 0x4010a8 __vbaInStr

• 0x4010ac __vbaNew2

• 0x4010b0 _adj_fdiv_m32i

• 0x4010b4 _adj_fdivr_m32i

• 0x4010b8

• 0x4010bc __vbaStrCopy

• 0x4010c0 __vbaFreeStrList

• 0x4010c4 _adj_fdivr_m32

• 0x4010c8 _adj_fdiv_r

• 0x4010cc

• 0x4010d0 __vbaVarTstNe

• 0x4010d4 __vbaInStrB

• 0x4010d8 __vbaLateMemCall

• 0x4010dc __vbaVarDup

• 0x4010e0 __vbaFpI4

• 0x4010e4 _CIatan

• 0x4010e8 __vbaStrMove

• 0x4010ec __vbaCastObj

• 0x4010f0

• 0x4010f4 _allmul

• 0x4010f8 _CItan

• 0x4010fc

• 0x401100 _CIexp

• 0x401104 __vbaFreeStr

• 0x401108 __vbaFreeObj

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com		127.0.0.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142 A 172.217.160.110	172.217.160.78

TCP

Source	Source Port	Destination	Destination Port
104.25.233.53	443	192.168.56.101	49176

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.