SmartHawk

3.6

中危

52 个模型检测该样本为恶意！

重新分析

下载样本

d02e5813fe95fcf33230af6616f2f277230b3f9f636420c9c0a979540922c6bb

ff67c8659e00bdff07d216c45edf5498.exe

分析耗时

78s

最近分析

文件大小

334.7KB

静态报毒动态报毒 100% 7QGXPBBDHRU ARTEMIS BADCERT BAZAR CERTIFICATE CLOUD CONFIDENCE EMOTET GENCBL GENCIRC HIGH CONFIDENCE HUXFHG JATIF KCLOUD KRYPTIK MALCERT MALWARE@#3WG1WGGTQ278 MALWAREX MANSABO POSSIBLE QNGTE R350953 REDCAP S + MAL SCJA SCORE SUSGEN THREAT TRICKBOT UNSAFE UNTRUSTED YMACCO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Mansabo.64d5df7c	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0
Baidu		20190318	1.0.0.2
Tencent	Malware.Win32.Gencirc.11af1df6	20210224	1.0.0.1
Kingsoft	Win32.Troj.Mansabo.f.(kcloud)	20210224	2017.9.26.565
McAfee	Artemis!FF67C8659E00	20210224	6.0.6.653
Avast	Win64:MalwareX-gen [Trj]	20210224	21.1.5827.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620830015.72677 IsDebuggerPresent		failed	0	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620830037.97677 NtAllocateVirtualMemory	process_identifier: 2420 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000001d60000	success	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620830038.28877 NtProtectVirtualMemory	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffffffffffff base_address: 0x0000000180001000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.626868208687796

section

{'size_of_data': '0x00033000', 'virtual_address': '0x00024000', 'entropy': 7.626868208687796, 'name': '.rsrc', 'virtual_size': '0x00032ea0'}

description

A section with a high entropy has been found

entropy

0.6200607902735562

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Jatif.1474
Qihoo-360	Generic/Trojan.df1
ALYac	Trojan.Agent.Bazar
Cylance	Unsafe
Zillya	Trojan.GenCBL.Win32.4
Sangfor	Trojan.Win32.Ymacco.AAD0
K7AntiVirus	Trojan ( 0056e20b1 )
Alibaba	Trojan:Win32/Mansabo.64d5df7c
K7GW	Trojan ( 0056e20b1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W64/Trojan.SCJA-5792
Symantec	Trojan.Gen.MBT
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Mansabo.frv
BitDefender	Gen:Variant.Jatif.1474
NANO-Antivirus	Trojan.Win64.Mansabo.huxfhg
Tencent	Malware.Win32.Gencirc.11af1df6
Ad-Aware	Gen:Variant.Jatif.1474
Emsisoft	MalCert-S.CC (A)
Comodo	Malware@#3wg1wggtq278
F-Secure	Trojan.TR/Redcap.qngte
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.Jatif.1474
Sophos	Mal/Generic-S + Mal/BadCert-Gen
Ikarus	possible-Threat.Untrusted.Certificate
GData	Gen:Variant.Jatif.1474
Jiangmin	Trojan.Mansabo.bvc
Webroot	W32.Trojan.Gen
Avira	TR/Redcap.qngte
Kingsoft	Win32.Troj.Mansabo.f.(kcloud)
Gridinsoft	Trojan.Win64.Kryptik.oa
Arcabit	Trojan.Jatif.D5C2
AegisLab	Trojan.Win32.Mansabo.4!c
ZoneAlarm	Trojan.Win32.Mansabo.frv
Microsoft	Trojan:Win32/Trickbot
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.Emotet.R350953
McAfee	Artemis!FF67C8659E00
Malwarebytes	Trojan.TrickBot
Panda	Trj/CI.A
ESET-NOD32	a variant of Win32/GenCBL.V
Rising	Trojan.MalCert!1.CC23 (CLOUD)
Yandex	Trojan.GenCBL!7qGXPBbDhrU
eGambit	Generic.Malware
Fortinet	W64/Kryptik.CAC!tr
AVG	Win64:MalwareX-gen [Trj]
Cybereason	malicious.59e00b

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-10 20:35:31

Imports

Library KERNEL32.dll:

• 0x14001f050 CreateThread

• 0x14001f058 TerminateThread

• 0x14001f060 GetExitCodeThread

• 0x14001f068 GetProcAddress

• 0x14001f070 VirtualAlloc

• 0x14001f078 CreateDirectoryW

• 0x14001f080 ReadFile

• 0x14001f088 SetFilePointerEx

• 0x14001f090 WriteFile

• 0x14001f098 GetCurrentProcessId

• 0x14001f0a0 ExitProcess

• 0x14001f0a8 GetTickCount

• 0x14001f0b0 QueryPerformanceCounter

• 0x14001f0b8 RtlCaptureContext

• 0x14001f0c0 RtlLookupFunctionEntry

• 0x14001f0c8 RtlVirtualUnwind

• 0x14001f0d0 IsDebuggerPresent

• 0x14001f0d8 SetUnhandledExceptionFilter

• 0x14001f0e0 UnhandledExceptionFilter

• 0x14001f0e8 GetCurrentProcess

• 0x14001f0f0 TerminateProcess

• 0x14001f0f8 GetStartupInfoA

• 0x14001f100 Sleep

• 0x14001f108 FindResourceA

• 0x14001f110 LoadResource

• 0x14001f118 SizeofResource

• 0x14001f120 CreateFileW

• 0x14001f128 CloseHandle

• 0x14001f130 GlobalAlloc

• 0x14001f138 GetModuleHandleW

• 0x14001f140 lstrcpynW

• 0x14001f148 GetCurrentThreadId

• 0x14001f150 GlobalFree

• 0x14001f158 GetSystemTimeAsFileTime

Library USER32.dll:

• 0x14001f298 ClientToScreen

• 0x14001f2a0 ReleaseCapture

• 0x14001f2a8 SetCapture

• 0x14001f2b0 SetFocus

• 0x14001f2b8 SetCursor

• 0x14001f2c0 LoadCursorW

• 0x14001f2c8 CallWindowProcW

• 0x14001f2d0 EndPaint

• 0x14001f2d8 BeginPaint

• 0x14001f2e0 DestroyCursor

• 0x14001f2e8 SendDlgItemMessageW

• 0x14001f2f0 SetDlgItemTextW

• 0x14001f2f8 EndDialog

• 0x14001f300 GetDlgItemTextW

• 0x14001f308 MessageBoxW

• 0x14001f310 EnableWindow

• 0x14001f318 ShowWindow

• 0x14001f320 LoadIconW

• 0x14001f328 DialogBoxParamW

• 0x14001f330 wsprintfW

• 0x14001f338 GetParent

• 0x14001f340 GetDlgItem

• 0x14001f348 SetWindowTextW

• 0x14001f350 IsWindow

• 0x14001f358 GetWindowLongW

• 0x14001f360 CreateCursor

• 0x14001f368 GetWindowRect

• 0x14001f370 PtInRect

• 0x14001f378 InvalidateRect

• 0x14001f380 UpdateWindow

• 0x14001f388 GetDC

• 0x14001f390 ReleaseDC

• 0x14001f398 SetWindowPos

• 0x14001f3a0 GetWindowLongPtrW

• 0x14001f3a8 SendMessageW

• 0x14001f3b0 GetClientRect

• 0x14001f3b8 FillRect

• 0x14001f3c0 GetFocus

• 0x14001f3c8 DrawFocusRect

• 0x14001f3d0 DrawTextW

• 0x14001f3d8 SetWindowLongPtrW

Library GDI32.dll:

• 0x14001f010 GetObjectW

• 0x14001f018 GetStockObject

• 0x14001f020 DeleteObject

• 0x14001f028 CreateFontIndirectW

• 0x14001f030 SetTextColor

• 0x14001f038 SelectObject

• 0x14001f040 SetBkMode

Library COMDLG32.dll:

• 0x14001f000 GetOpenFileNameW

Library SHELL32.dll:

• 0x14001f288 ShellExecuteW

Library MSVCR90.dll:

• 0x14001f168 _decode_pointer

• 0x14001f170 _onexit

• 0x14001f178 _lock

• 0x14001f180 __dllonexit

• 0x14001f188 _unlock

• 0x14001f190 ?terminate@@YAXXZ

• 0x14001f198 __crt_debugger_hook

• 0x14001f1a0 __set_app_type

• 0x14001f1a8 _encode_pointer

• 0x14001f1b0 _fmode

• 0x14001f1b8 _commode

• 0x14001f1c0 __setusermatherr

• 0x14001f1c8 _configthreadlocale

• 0x14001f1d0 _initterm_e

• 0x14001f1d8 _initterm

• 0x14001f1e0 _acmdln

• 0x14001f1e8 exit

• 0x14001f1f0 _cexit

• 0x14001f1f8 _ismbblead

• 0x14001f200 _exit

• 0x14001f208 _XcptFilter

• 0x14001f210 __C_specific_handler

• 0x14001f218 __getmainargs

• 0x14001f220 _amsg_exit

• 0x14001f228 __CxxFrameHandler3

• 0x14001f230 _byteswap_ulong

• 0x14001f238 _byteswap_uint64

• 0x14001f240 ??_U@YAPEAX_K@Z

• 0x14001f248 memset

• 0x14001f250 malloc

• 0x14001f258 wcslen

• 0x14001f260 ??2@YAPEAX_K@Z

• 0x14001f268 ??3@YAXPEAX@Z

• 0x14001f270 free

• 0x14001f278 ??_V@YAXPEAX@Z

Exports

Ordinal	Address	Name
1	0x140002380	sdfxsdfghjghhfEEADSDDd

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
113.108.239.196	80	192.168.56.101	49191

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.