3.8
Medium risk

fcdbd4d7add5ff212269bb687ba908bac715a81801d05fcbbee4cea553bc4e21

2b25389b7dd8cb053af297a804000181.exe

Analysis duration

79s

Last analysis

File size

7.9MB
Static detection / Dynamic detection: CRYPMOD GENERICCRTD
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Baidu 20170121 1.0.0.2
Avast 20170121 8.0.1489.320
Tencent 20170121 1.0.0.1
Kingsoft 20170121 2013.8.14.323
McAfee 20170121 6.0.6.653
CrowdStrike 20161024 1.0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Performs some HTTP requests (6 events)
request GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D
request GET http://crl.verisign.com/pca3.crl
request GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
request GET http://crl.verisign.com/pca3-g5.crl
request GET http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAp%2B46fQSIGMh3oYapEPIWI%3D
request GET http://sf.symcb.com/sf.crl
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)
CAT-QuickHeal Ransom.Crypmod.16758
Zillya Downloader.GenericCRTD.Win32.5335
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API | Arguments | Status | Return | Repeated
1620128026.856 GetAdaptersAddresses
  flags: 15
  family: 0
  status: failed, return: 111, repeated: 0
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.40.66
host 203.208.41.65
Wscript.exe initiated network communications indicative of a script-based payload download (7 events)
Time & API | Arguments | Status | Return | Repeated
1620128032.341 WSASend
  buffer: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
  socket: 964
  status: failed, return: 0, repeated: 0
1620128037.997 WSASend
  buffer: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
  socket: 964
  status: failed, return: 0, repeated: 0
1620128043.856 WSASend
  buffer: GET /pca3.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.verisign.com
  socket: 1020
  status: failed, return: 0, repeated: 0
1620128047.888 WSASend
  buffer: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
  socket: 964
  status: failed, return: 0, repeated: 0
1620128049.841 WSASend
  buffer: GET /pca3-g5.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.verisign.com
  socket: 1020
  status: failed, return: 0, repeated: 0
1620128051.231 WSASend
  buffer: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAp%2B46fQSIGMh3oYapEPIWI%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: sf.symcd.com
  socket: 840
  status: failed, return: 0, repeated: 0
1620128051.7 WSASend
  buffer: GET /sf.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: sf.symcb.com
  socket: 836
  status: failed, return: 0, repeated: 0
Network communications indicative of a potential document or script payload download were initiated by the process wscript.exe (7 events; the same seven WSASend calls listed under the previous indicator)
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2015-09-25 16:10:33

Imports

Library ws2_32.dll:
Library advapi32.dll:
0x95200c CryptGenRandom
0x952010 CryptReleaseContext
Library ntdll.dll:
Library kernel32.dll:
0x952020 VirtualAlloc
0x952024 VirtualFree
0x952034 CloseHandle
0x952038 CreateEventA
0x95203c CreateThread
0x952044 DuplicateHandle
0x952048 ExitProcess
0x952054 GetProcAddress
0x952058 GetStdHandle
0x95205c GetSystemInfo
0x952060 GetThreadContext
0x952064 LoadLibraryW
0x952068 LoadLibraryA
0x95206c ResumeThread
0x952074 SetEvent
0x95207c SetThreadPriority
0x952084 SetWaitableTimer
0x952088 SuspendThread
0x95208c WaitForSingleObject
0x952090 WriteFile
Library winmm.dll:
0x952098 timeBeginPeriod

Hosts

No hosts contacted.

TCP

Source | Source Port | Destination (IP and hostname) | Destination Port
192.168.56.101 49175 117.18.237.29 crl.verisign.com 80
192.168.56.101 49181 117.18.237.29 crl.verisign.com 80
192.168.56.101 49174 23.52.27.27 sf.symcd.com 80
192.168.56.101 49180 23.52.27.27 sf.symcd.com 80

UDP

Source | Source Port | Destination (IP, hostname where resolved) | Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57089 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 64118 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 50849 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 53661 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355

HTTP & HTTPS Requests

URI, followed by the request data
http://crl.verisign.com/pca3-g5.crl
GET /pca3-g5.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAp%2B46fQSIGMh3oYapEPIWI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAp%2B46fQSIGMh3oYapEPIWI%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

http://crl.verisign.com/pca3.crl
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com

http://sf.symcb.com/sf.crl
GET /sf.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcb.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.