SmartHawk

4.8

中危

50 个模型检测该样本为恶意！

重新分析

下载样本

335cd635286a6beef6de3a507c9da587c8265baa5572c0122a24d4a1e1475bd6

06f553e0a4d9b956dc8911f0af7f2fd8.exe

分析耗时

79s

最近分析

文件大小

2.7MB

静态报毒动态报毒 100% AGEN AI SCORE=85 AIDETECTVM ATTRIBUTE CLASSIC CONFIDENCE CVLH CYJQJ DPEN ELDORADO FMYWPK GENCIRC GENETIC GENKRYPTIK GOYF GRAYWARE HIGH CONFIDENCE HIGHCONFIDENCE ISTARTSURF ISTARTSURFINSTALLER KRYPTIK MALICIOUS PE MALWARE1 PREPSCRAM PREPSCRAMRI PS@8C4M91 R255013 S5399779 SAW@AE127YGI SCORE SKYPESPAM SOFTWAREBUNDLER STARTSURF SUSGEN UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba		20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:StartSurf-B [Adw]	20200901	18.4.3895.0
Tencent	Malware.Win32.Gencirc.10b39cb9	20200901	1.0.0.1
Kingsoft		20200901	2013.8.14.323
McAfee	PUP-HMN	20200901	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.mmdd

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

PNG

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2891647900&cup2hreq=2ce08917d100aeb789748ea77c019d79ae7fde1acab4f5097d54dbaf81a2843d

Performs some HTTP requests (3 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620093136&mv=m&mvi=1&pl=23&shardbypass=yes
request	POST https://update.googleapis.com/service/update2?cup2key=10:2891647900&cup2hreq=2ce08917d100aeb789748ea77c019d79ae7fde1acab4f5097d54dbaf81a2843d

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2891647900&cup2hreq=2ce08917d100aeb789748ea77c019d79ae7fde1acab4f5097d54dbaf81a2843d

Resolves a suspicious Top Level Domain (TLD) (2 个事件)

domain	one.mountaincanvas.pw				description	Palau domain TLD
domain	two.wastescrew.pw				description	Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119616.131793 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 806912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e0000	success	0	0
1620119616.131793 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 827392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00740000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.995006059347679

section

{'size_of_data': '0x00048800', 'virtual_address': '0x0026b000', 'entropy': 7.995006059347679, 'name': '.rsrc', 'virtual_size': '0x00048720'}

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Agent.DPEN
CAT-QuickHeal	PUA.PrepscramRI.S5399779
ALYac	Trojan.Agent.DPEN
Sangfor	Malware
K7AntiVirus	Trojan ( 0054ea9e1 )
K7GW	Trojan ( 0054ea9e1 )
Cybereason	malicious.0a4d9b
Arcabit	Trojan.Agent.DPEN
Invincea	heuristic
Cyren	W32/Prepscram.P.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:StartSurf-B [Adw]
Kaspersky	not-a-virus:HEUR:AdWare.Win32.Generic
BitDefender	Trojan.Agent.DPEN
NANO-Antivirus	Trojan.Win32.Patched.fmywpk
Tencent	Malware.Win32.Gencirc.10b39cb9
Ad-Aware	Trojan.Agent.DPEN
Comodo	Application.Win32.IStartSurf.PS@8c4m91
F-Secure	Heuristic.HEUR/AGEN.1103347
DrWeb	Trojan.SkypeSpam.11090
FireEye	Generic.mg.06f553e0a4d9b956
Sophos	IStartSurfInstaller (PUA)
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.Generic.cyjqj
Webroot	W32.Adware.Gen
Avira	HEUR/AGEN.1103347
eGambit	Unsafe.AI_Score_100%
Antiy-AVL	GrayWare/Win32.Kryptik.cx
Microsoft	SoftwareBundler:Win32/Prepscram
ZoneAlarm	not-a-virus:HEUR:AdWare.Win32.Generic
GData	Win32.Trojan.Prepscram.B
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.IStartSurf.R255013
Acronis	suspicious
McAfee	PUP-HMN
MAX	malware (ai score=85)
VBA32	Trojan.SkypeSpam
Malwarebytes	Adware.IStartSurf
ESET-NOD32	a variant of Win32/Kryptik.GOYF
Rising	Trojan.Kryptik!1.B5C3 (CLASSIC)
Ikarus	PUA.Win32.Prepscram
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.CVLH!tr
BitDefenderTheta	Gen:NN.ZexaF.34196.SAW@ae127Ygi
AVG	Win32:StartSurf-B [Adw]
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (D)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-02-10 18:56:10

Imports

Library KERNEL32.dll:

• 0x412000 GetModuleHandleW

• 0x412004 CreateFileW

• 0x412008 WideCharToMultiByte

• 0x41200c GetLastError

• 0x412010 EncodePointer

• 0x412014 DecodePointer

• 0x412018 SetLastError

• 0x41201c InitializeCriticalSectionAndSpinCount

• 0x412020 TlsAlloc

• 0x412024 TlsGetValue

• 0x412028 TlsSetValue

• 0x41202c TlsFree

• 0x412030 GetSystemTimeAsFileTime

• 0x412034 GetProcAddress

• 0x412038 EnterCriticalSection

• 0x41203c LeaveCriticalSection

• 0x412040 DeleteCriticalSection

• 0x412044 MultiByteToWideChar

• 0x412048 LCMapStringW

• 0x41204c GetStringTypeW

• 0x412050 GetCPInfo

• 0x412054 UnhandledExceptionFilter

• 0x412058 SetUnhandledExceptionFilter

• 0x41205c GetCurrentProcess

• 0x412060 TerminateProcess

• 0x412064 IsProcessorFeaturePresent

• 0x412068 IsDebuggerPresent

• 0x41206c GetStartupInfoW

• 0x412070 QueryPerformanceCounter

• 0x412074 GetCurrentProcessId

• 0x412078 GetCurrentThreadId

• 0x41207c InitializeSListHead

• 0x412080 RtlUnwind

• 0x412084 RaiseException

• 0x412088 FreeLibrary

• 0x41208c LoadLibraryExW

• 0x412090 ExitProcess

• 0x412094 GetModuleHandleExW

• 0x412098 GetModuleFileNameW

• 0x41209c GetStdHandle

• 0x4120a0 WriteFile

• 0x4120a4 HeapFree

• 0x4120a8 HeapAlloc

• 0x4120ac HeapReAlloc

• 0x4120b0 GetFileType

• 0x4120b4 FindClose

• 0x4120b8 FindFirstFileExW

• 0x4120bc FindNextFileW

• 0x4120c0 IsValidCodePage

• 0x4120c4 GetACP

• 0x4120c8 GetOEMCP

• 0x4120cc GetCommandLineA

• 0x4120d0 GetCommandLineW

• 0x4120d4 GetEnvironmentStringsW

• 0x4120d8 FreeEnvironmentStringsW

• 0x4120dc GetProcessHeap

• 0x4120e0 SetStdHandle

• 0x4120e4 HeapSize

• 0x4120e8 FlushFileBuffers

• 0x4120ec GetConsoleCP

• 0x4120f0 GetConsoleMode

• 0x4120f4 SetFilePointerEx

• 0x4120f8 CloseHandle

• 0x4120fc WriteConsoleW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
redirector.gvt1.com	A 203.208.41.65	203.208.41.65
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
one.mountaincanvas.pw
r1---sn-j5o76n7l.gvt1.com	A 58.63.233.66 CNAME r1.sn-j5o76n7l.gvt1.com	58.63.233.66
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.40.34	203.208.40.98
two.wastescrew.pw
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49178	203.208.40.34 update.googleapis.com	443
192.168.56.101	49179	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49182	58.63.233.66 r1---sn-j5o76n7l.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	51809	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620093136&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620093136&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o76n7l.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620093136&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620093136&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.