3.6
Medium risk

3f4e90e758913d4f00633c5c696000c96773520b18a625ebf90eb9867be99494

ef57af5daaf8b8609ec1206490223358.exe

Analysis time

82s

Last analysis

File size

1.5MB
Static detection  Dynamic detection  AUTOIT CLASSIC CONFIDENCE PACK SUSGEN
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine        Result                              Scan date   Engine version
McAfee                                            20191113    6.0.6.653
CrowdStrike   win/malicious_confidence_60% (W)    20190702    1.0
Alibaba                                           20190527    0.3.0.5
Baidu                                             20190318    1.0.0.2
Avast                                             20191114    18.4.3895.0
Tencent                                           20191114    1.0.0.1
Kingsoft                                          20191114    2013.8.14.323
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time                API                 Arguments   Status   Return   Repeated
1620831035.926875   IsDebuggerPresent               failed   0        0
Behavior verdict
Dynamic indicators
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)
Time                API                 Arguments                            Status    Return   Repeated
1620831037.722875   GetDiskFreeSpaceW   root_path: Z:\                       failed    0        0
                                        sectors_per_cluster: 9659528
                                        number_of_free_clusters: 8891741
                                        total_number_of_clusters: 6222500
                                        bytes_per_sector: 0
1620831039.722875   GetDiskFreeSpaceW   root_path: C:\                       success   1        0
                                        sectors_per_cluster: 8
                                        number_of_free_clusters: 4787243
                                        total_number_of_clusters: 8362495
                                        bytes_per_sector: 512
Foreign language identified in PE resource (2 events)
name RT_VERSION    language LANG_KOREAN   sublanguage SUBLANG_KOREAN   offset 0x00338e80   size 0x00000268   filetype MS Windows COFF Motorola 68000 object file
name RT_MANIFEST   language LANG_KOREAN   sublanguage SUBLANG_KOREAN   offset 0x003390ec   size 0x000005a8   filetype XML 1.0 document, ASCII text, with CRLF line terminators
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)
CrowdStrike win/malicious_confidence_60% (W)
APEX Malicious
Paloalto generic.ml
Rising PUF.Pack-AutoIt!1.B1DC (CLASSIC)
Ikarus PUA.Autoit
MaxSecure Trojan.Malware.300983.susgen
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.936422022464113 section {'size_of_data': '0x00055e00', 'virtual_address': '0x001b3000', 'entropy': 7.936422022464113, 'name': 'UPX1', 'virtual_size': '0x00056000'} description A section with a high entropy has been found
entropy 7.996743157256131 section {'size_of_data': '0x00130c00', 'virtual_address': '0x00209000', 'entropy': 7.996743157256131, 'name': '.rsrc', 'virtual_size': '0x00131000'} description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2019-03-03 18:59:15

Imports

Library KERNEL32.DLL:
0x739810 LoadLibraryA
0x739814 GetProcAddress
0x739818 VirtualProtect
0x73981c VirtualAlloc
0x739820 VirtualFree
0x739824 ExitProcess
Library ADVAPI32.dll:
0x73982c GetAce
Library COMCTL32.dll:
0x739834 ImageList_Remove
Library COMDLG32.dll:
0x73983c GetOpenFileNameW
Library GDI32.dll:
0x739844 LineTo
Library IPHLPAPI.DLL:
0x73984c IcmpSendEcho
Library MPR.dll:
0x739854 WNetUseConnectionW
Library ole32.dll:
0x73985c CoGetObject
Library OLEAUT32.dll:
0x739864 VariantInit
Library PSAPI.DLL:
Library SHELL32.dll:
0x739874 DragFinish
Library USER32.dll:
0x73987c GetDC
Library USERENV.dll:
0x739884 LoadUserProfileW
Library UxTheme.dll:
0x73988c IsThemeActive
Library VERSION.dll:
0x739894 VerQueryValueW
Library WININET.dll:
0x73989c FtpOpenFileW
Library WINMM.dll:
0x7398a4 timeGetTime
Library WSOCK32.dll:
0x7398ac connect

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source           Source port   Destination                         Destination port
192.168.56.101   50002         114.114.114.114                     53
192.168.56.101   53237         114.114.114.114                     53
192.168.56.101   57756         114.114.114.114                     53
192.168.56.101   58367         114.114.114.114                     53
192.168.56.101   62318         114.114.114.114                     53
192.168.56.101   137           192.168.56.255                      137
192.168.56.101   138           192.168.56.255                      138
192.168.56.101   123           20.189.79.72 (time.windows.com)     123
192.168.56.101   49235         224.0.0.252                         5355
192.168.56.101   50534         224.0.0.252                         5355
192.168.56.101   51963         224.0.0.252                         5355
192.168.56.101   53657         224.0.0.252                         5355
192.168.56.101   56804         224.0.0.252                         5355
192.168.56.101   57874         224.0.0.252                         5355
192.168.56.101   62191         224.0.0.252                         5355
192.168.56.101   63429         224.0.0.252                         5355
192.168.56.101   1900          239.255.255.250                     1900
192.168.56.101   50003         239.255.255.250                     3702
192.168.56.101   50005         239.255.255.250                     3702
192.168.56.101   58368         239.255.255.250                     3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.