SmartHawk

2.6

中危

50 个模型检测该样本为恶意！

重新分析

下载样本

b6068e2903cdb4c62a02a8342273e30c757e49fc2b93395df733970fefdd6540

fc88922f788122fd88e875c4ed5e5e08.exe

分析耗时

76s

最近分析

文件大小

5.7MB

静态报毒动态报毒 @T1@AGFHUWBI AI SCORE=82 BANKI BSCOPE BSYMEM CONFIDENCE CRYPTINJECT EHLS ELDORADO ENCPK GEN7 GENCBL GENCIRC GENERICKDZ GENETIC GRAYWARE HIGH CONFIDENCE HUPZMN KRYPTIK MALCERT MALICIOUS PE MALWARE@#K5D3XOPBW99 PINKSBOT Q3LIXUJYACS QAKBOT QBOT R350674 S15765864 SCORE UNSAFE XBVHYFYG3LC XPACK ZEXAF ZP4YL8 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	W32/PinkSbot-HA!FC88922F7881	20201022	6.0.6.653
Avast		20201023	18.4.3895.0
Alibaba	Trojan:Win32/Bsymem.fb1fa3e9	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20201022	2013.8.14.323
Tencent	Malware.Win32.Gencirc.10ce01c1	20201022	1.0.0.1
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

MUI

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620809364.11851 NtAllocateVirtualMemory	process_identifier: 880 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x009c0000	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Elastic	malicious (high confidence)
DrWeb	Trojan.QakBot.11
MicroWorld-eScan	Trojan.GenericKDZ.69955
FireEye	Generic.mg.fc88922f788122fd
CAT-QuickHeal	Trojan.Qbot.S15765864
Qihoo-360	Win32/Trojan.9ad
McAfee	W32/PinkSbot-HA!FC88922F7881
Cylance	Unsafe
Zillya	Trojan.Bsymem.Win32.1473
K7AntiVirus	Backdoor ( 0056c0cf1 )
BitDefender	Trojan.GenericKDZ.69955
K7GW	Riskware ( 0049f6ae1 )
Cybereason	malicious.f78812
BitDefenderTheta	Gen:NN.ZexaF.34570.@t1@aGFhUWbi
Cyren	W32/RTM.A.gen!Eldorado
Symantec	Packed.Generic.459
APEX	Malicious
ClamAV	Win.Packed.Qbot-9757369-0
Kaspersky	HEUR:Trojan.Win32.Bsymem.pef
Alibaba	Trojan:Win32/Bsymem.fb1fa3e9
NANO-Antivirus	Trojan.Win32.Bsymem.hupzmn
Rising	Trojan.Qakbot!8.4EF9 (TFE:3:xbVHYFYg3lC)
Ad-Aware	Trojan.GenericKDZ.69955
Sophos	Mal/EncPk-APV
Comodo	Malware@#k5d3xopbw99
F-Secure	Trojan.TR/Crypt.XPACK.Gen7
Invincea	Mal/EncPk-APV
McAfee-GW-Edition	W32/PinkSbot-HA!FC88922F7881
Emsisoft	MalCert.A (A)
SentinelOne	DFI - Malicious PE
GData	Win32.Trojan.PSE.ZP4YL8
Jiangmin	Trojan.Bsymem.afm
Avira	TR/Crypt.XPACK.Gen7
MAX	malware (ai score=82)
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
ZoneAlarm	HEUR:Trojan.Win32.Bsymem.pef
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Banki.R350674
Acronis	suspicious
VBA32	BScope.Malware-Cryptor.SB.01798
Malwarebytes	Backdoor.Qbot
Panda	Trj/Genetic.gen
ESET-NOD32	Win32/Qbot.CN
Tencent	Malware.Win32.Gencirc.10ce01c1
Yandex	Trojan.Qbot!Q3lIXUjyaCs
Ikarus	Trojan.Win32.CryptInject
eGambit	Unsafe.AI_Score_73%
Fortinet	W32/GenCBL.BE!tr
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (W)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-08 18:45:35

Imports

Library KERNEL32.dll:

• 0x9b5460 LoadLibraryA

• 0x9b5464 GetProcAddress

• 0x9b5468 Sleep

• 0x9b546c GetModuleHandleW

• 0x9b5470 VirtualAllocEx

• 0x9b5474 CloseHandle

• 0x9b5478 TerminateProcess

• 0x9b547c OpenProcess

• 0x9b5480 GetTempPathA

• 0x9b5484 LoadLibraryW

• 0x9b5488 GetLastError

• 0x9b548c SetLastError

• 0x9b5490 MapViewOfFile

• 0x9b5494 IsDebuggerPresent

• 0x9b5498 UnhandledExceptionFilter

• 0x9b549c GetCurrentProcess

• 0x9b54a0 GetCurrentThreadId

• 0x9b54a4 SetUnhandledExceptionFilter

• 0x9b54a8 GetStartupInfoW

• 0x9b54ac InterlockedExchange

• 0x9b54b0 GetVersion

• 0x9b54b4 AreFileApisANSI

• 0x9b54b8 GetSystemTime

• 0x9b54bc LocalFree

• 0x9b54c0 GetCurrentProcessId

• 0x9b54c4 DeleteFileW

• 0x9b54c8 GetVersionExA

• 0x9b54cc OutputDebugStringA

• 0x9b54d0 DeleteCriticalSection

• 0x9b54d4 GetFileAttributesExW

• 0x9b54d8 GetSystemInfo

• 0x9b54dc GetDiskFreeSpaceA

• 0x9b54e0 CreateFileMappingW

• 0x9b54e4 CreateFileMappingA

• 0x9b54e8 GetDiskFreeSpaceW

• 0x9b54ec EnterCriticalSection

• 0x9b54f0 LockFileEx

• 0x9b54f4 HeapSize

• 0x9b54f8 GetTempPathW

• 0x9b54fc FlushFileBuffers

• 0x9b5500 MultiByteToWideChar

• 0x9b5504 CreateFileW

• 0x9b5508 ReadFile

• 0x9b550c HeapValidate

• 0x9b5510 HeapCreate

• 0x9b5514 LeaveCriticalSection

• 0x9b5518 HeapDestroy

• 0x9b551c FormatMessageW

• 0x9b5520 WideCharToMultiByte

• 0x9b5524 InitializeCriticalSection

• 0x9b5528 WriteFile

• 0x9b552c FormatMessageA

• 0x9b5530 GetSystemTimeAsFileTime

• 0x9b5534 GetProcessHeap

• 0x9b5538 UnlockFileEx

• 0x9b553c OutputDebugStringW

• 0x9b5540 LockFile

• 0x9b5544 UnlockFile

• 0x9b5548 InterlockedCompareExchange

• 0x9b554c WaitForSingleObject

• 0x9b5550 HeapFree

• 0x9b5554 QueryPerformanceCounter

• 0x9b5558 SystemTimeToFileTime

• 0x9b555c HeapAlloc

• 0x9b5560 SetEndOfFile

• 0x9b5564 UnmapViewOfFile

• 0x9b5568 GetModuleFileNameW

• 0x9b556c SetFilePointer

• 0x9b5570 CreateMutexW

• 0x9b5574 GetFileSize

• 0x9b5578 CreateFileA

• 0x9b557c HeapReAlloc

• 0x9b5580 GetFullPathNameA

• 0x9b5584 GetFullPathNameW

• 0x9b5588 GetTickCount

• 0x9b558c GetSystemDirectoryA

• 0x9b5590 GetFileAttributesW

• 0x9b5594 GetFileAttributesA

• 0x9b5598 MoveFileExA

• 0x9b559c DeleteFileA

• 0x9b55a0 FreeLibrary

• 0x9b55a4 GetCommandLineW

Library USER32.dll:

• 0x9b55ac LoadIconA

• 0x9b55b0 LoadCursorA

Library GDI32.dll:

• 0x9b55b8 GetEnhMetaFileBits

• 0x9b55bc GetStockObject

Library ADVAPI32.dll:

• 0x9b55c4 RegOpenKeyA

• 0x9b55c8 RegQueryValueExA

• 0x9b55cc GetUserNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.