SmartHawk

8.4

高危

55 个模型检测该样本为恶意！

重新分析

下载样本

5ab66b35491c6c3295f5685162b2da93ab7f61b66775333202e5ccbae59299e9

eb26bc7be9a4b98fbb8a28bb6b0006f6.exe

分析耗时

87s

最近分析

文件大小

164.5KB

静态报毒动态报毒 100% AI SCORE=81 AIDETECTVM ATTRIBUTE CLASSIC CONFIDENCE ELDORADO FSJZ FUGRAFA GENCIRC GENKRYPTIK HDVJ HDWC HIGH CONFIDENCE HIGHCONFIDENCE HKZKQH HPGEN HRPRPNTALTW INJECT3 KCLOUD KRYPT KRYPTIK KY0@AC3G7THJ MALICIOUS PE MALWARE2 MALWARE@#3H0XO4Y7B2IWF SCORE STATIC AI TRICKBOT TROJANX TROJDOWNLOADER UNSAFE UOETL ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanDownloader:Win32/Adload.0261e4e9	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20201210	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft	Win32.TrojDownloader.Adload.ry.(kcloud)	20201211	2017.9.26.565
McAfee	Trickbot-FSJZ!EB26BC7BE9A4	20201211	6.0.6.653
Tencent	Malware.Win32.Gencirc.11859a08	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619970726.816374 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

DEC

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619970723.441374 NtProtectVirtualMemory	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0041c000	success	0	0
1619970727.254875 NtProtectVirtualMemory	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success	0	0

Foreign language identified in PE resource (1 个事件)

name

RT_VERSION

language

LANG_CHINESE

offset

0x0002b4dc

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x000002dc

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\eb26bc7be9a4b98fbb8a28bb6b0006f6.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\eb26bc7be9a4b98fbb8a28bb6b0006f6.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619970727.285875 NtProtectVirtualMemory	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x00430000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.952416419824592

section

{'size_of_data': '0x00008a00', 'virtual_address': '0x00023000', 'entropy': 7.952416419824592, 'name': '.rsrc', 'virtual_size': '0x00008935'}

description

A section with a high entropy has been found

entropy

0.21100917431192662

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\eb26bc7be9a4b98fbb8a28bb6b0006f6.exe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2824 called NtSetContextThread to modify thread in remote process 2616
1619970726.941374 NtSetContextThread	thread_handle: 0x000000d8 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4260288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2616	success	0	0

Executed a process and injected code into it, probably while unpacking (4 个事件)

Time & API	Arguments	Status	Return
1619970726.816374 NtResumeThread	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2824	success	0
1619970726.863374 CreateProcessInternalW	thread_identifier: 1060 thread_handle: 0x000000d8 process_identifier: 2616 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\eb26bc7be9a4b98fbb8a28bb6b0006f6.exe track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\eb26bc7be9a4b98fbb8a28bb6b0006f6.exe" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\eb26bc7be9a4b98fbb8a28bb6b0006f6.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000000dc inherit_handles: 0	success	1
1619970726.863374 NtGetContextThread	thread_handle: 0x000000d8	success	0
1619970726.941374 NtSetContextThread	thread_handle: 0x000000d8 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4260288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2616	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.Inject3.41293
MicroWorld-eScan	Gen:Variant.Fugrafa.47090
FireEye	Generic.mg.eb26bc7be9a4b98f
ALYac	Gen:Variant.Fugrafa.47090
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2040162
Sangfor	Malware
K7AntiVirus	Trojan ( 00567ef11 )
Alibaba	TrojanDownloader:Win32/Adload.0261e4e9
K7GW	Trojan ( 00567ef11 )
Cybereason	malicious.be9a4b
Arcabit	Trojan.Fugrafa.DB7F2
BitDefenderTheta	Gen:NN.ZexaF.34670.ky0@aC3G7thj
Cyren	W32/S-2985393c!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HDVJ
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.Win32.Adload.pef
BitDefender	Gen:Variant.Fugrafa.47090
NANO-Antivirus	Trojan.Win32.Inject3.hkzkqh
Rising	Trojan.Kryptik!1.C75C (CLASSIC)
Ad-Aware	Gen:Variant.Fugrafa.47090
Sophos	Mal/Generic-S
Comodo	Malware@#3h0xo4y7b2iwf
F-Secure	Trojan.TR/Kryptik.uoetl
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Mal_HPGen-37b
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Emsisoft	Gen:Variant.Fugrafa.47090 (B)
Ikarus	Trojan.Win32.Krypt
Jiangmin	TrojanDownloader.Adload.aaff
Avira	TR/Kryptik.uoetl
Antiy-AVL	Trojan[Downloader]/Win32.Adload
Kingsoft	Win32.TrojDownloader.Adload.ry.(kcloud)
Microsoft	Trojan:Win32/Trickbot.PVB!MTB
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Adload.pef
GData	Gen:Variant.Fugrafa.47090
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	Trickbot-FSJZ!EB26BC7BE9A4
MAX	malware (ai score=81)
VBA32	Trojan.Trickbot
Malwarebytes	Trojan.Crypt
TrendMicro-HouseCall	Mal_HPGen-37b
Tencent	Malware.Win32.Gencirc.11859a08
Yandex	Trojan.GenKryptik!hRpRPNtaLTw
SentinelOne	Static AI - Malicious PE

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-02 17:13:45

Imports

Library MSACM32.dll:

• 0x412150 acmDriverAddW

• 0x412154 acmFormatTagDetailsW

• 0x412158 acmDriverDetailsW

• 0x41215c acmDriverRemove

• 0x412160 acmFormatDetailsW

Library SETUPAPI.dll:

• 0x412168 SetupDiGetClassDescriptionW

• 0x41216c SetupDiDeleteDeviceInfo

• 0x412170 SetupGetInfFileListA

• 0x412174 SetupDuplicateDiskSpaceListA

• 0x412178 SetupDiSetSelectedDevice

Library MAPI32.dll:

• 0x412134

• 0x412138

• 0x41213c

• 0x412140

• 0x412144

• 0x412148

Library SHELL32.dll:

• 0x412180 ShellExecuteExA

• 0x412184 SHAppBarMessage

• 0x412188 FindExecutableA

• 0x41218c SHEmptyRecycleBinW

• 0x412190 SHGetDesktopFolder

Library GDI32.dll:

• 0x412018 EnumFontFamiliesExA

• 0x41201c CreatePalette

• 0x412020 StrokePath

• 0x412024 CopyEnhMetaFileA

• 0x412028 GetColorSpace

Library WINMM.dll:

• 0x412198 joySetCapture

• 0x41219c joy32Message

• 0x4121a0 mixerSetControlDetails

• 0x4121a4 midiStreamPause

• 0x4121a8 mmioInstallIOProcA

Library AVIFIL32.dll:

• 0x412000 AVIFileGetStream

• 0x412004 AVIFileInit

• 0x412008 AVIStreamSampleToTime

• 0x41200c AVISave

• 0x412010 AVIStreamOpenFromFileW

Library KERNEL32.dll:

• 0x412030 GetProcessHeap

• 0x412034 GetStringTypeW

• 0x412038 SetStdHandle

• 0x41203c FlushFileBuffers

• 0x412040 GetEnvironmentStringsW

• 0x412044 GetCommandLineW

• 0x412048 SetFilePointerEx

• 0x41204c GetCPInfo

• 0x412050 GetOEMCP

• 0x412054 IsValidCodePage

• 0x412058 GetConsoleCP

• 0x41205c GetConsoleMode

• 0x412060 HeapSize

• 0x412064 HeapReAlloc

• 0x412068 FreeEnvironmentStringsW

• 0x41206c CloseHandle

• 0x412070 FindNextFileA

• 0x412074 FindFirstFileExA

• 0x412078 FindClose

• 0x41207c CreateFileW

• 0x412080 WriteConsoleW

• 0x412084 DecodePointer

• 0x412088 GetCommandLineA

• 0x41208c EnterCriticalSection

• 0x412090 VirtualProtect

• 0x412094 UnhandledExceptionFilter

• 0x412098 SetUnhandledExceptionFilter

• 0x41209c GetCurrentProcess

• 0x4120a0 TerminateProcess

• 0x4120a4 IsProcessorFeaturePresent

• 0x4120a8 QueryPerformanceCounter

• 0x4120ac GetCurrentProcessId

• 0x4120b0 GetCurrentThreadId

• 0x4120b4 GetSystemTimeAsFileTime

• 0x4120b8 InitializeSListHead

• 0x4120bc IsDebuggerPresent

• 0x4120c0 GetStartupInfoW

• 0x4120c4 GetModuleHandleW

• 0x4120c8 RtlUnwind

• 0x4120cc GetLastError

• 0x4120d0 SetLastError

• 0x4120d4 RaiseException

• 0x4120d8 LeaveCriticalSection

• 0x4120dc DeleteCriticalSection

• 0x4120e0 InitializeCriticalSectionAndSpinCount

• 0x4120e4 TlsAlloc

• 0x4120e8 TlsGetValue

• 0x4120ec TlsSetValue

• 0x4120f0 TlsFree

• 0x4120f4 FreeLibrary

• 0x4120f8 GetProcAddress

• 0x4120fc LoadLibraryExW

• 0x412100 GetStdHandle

• 0x412104 WriteFile

• 0x412108 GetModuleFileNameA

• 0x41210c MultiByteToWideChar

• 0x412110 WideCharToMultiByte

• 0x412114 ExitProcess

• 0x412118 GetModuleHandleExW

• 0x41211c GetACP

• 0x412120 HeapFree

• 0x412124 HeapAlloc

• 0x412128 LCMapStringW

• 0x41212c GetFileType

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.