Score: 5.4
Risk level: Medium
SHA256: 2e8a83ceff559f8df9b5bea70ea2224a6fe93edbd19b75db8c6e512d3c5eb35e
File name: 32020b2dffc1a7f9d4166be24f92bac9.exe
Analysis duration: 30s
Last analysis: (blank in the report)
File size: 893.9KB
Detection tags (static and dynamic): AGEN, AI SCORE=100, BSCOPE, ELDORADO, FILEREPMALWARE, GENERICKD, GENERICRXIY, GENETIC, GILWTH, GRAYWARE, HFSADWARE, HIGH CONFIDENCE, KPZIP, KUAIBA, KUAIZIP, KZIP, MALICIOUS, R002C0PER20, R292165, RISKWARERI, S8133517, ULISE, UNSAFE, YZY0OR4VYAY6JNVZ
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine result is available for this sample.
Static verdict
Antivirus engines
Engine        Result                              Scan date   Engine version
McAfee        GenericRXIY-YR!32020B2DFFC1         20200627    6.0.6.653
Alibaba       Backdoor:Win32/KZip.df17e13e        20190527    0.3.0.5
CrowdStrike   (no result)                         20190702    1.0
Baidu         (no result)                         20190318    1.0.0.2
Avast         Win32:PUP-gen [PUP]                 20200627    18.4.3895.0
Tencent       (no result)                         20200627    1.0.0.1
Kingsoft      (no result)                         20200627    2013.8.14.323
Static indicators
Queries for the computer name (1 event)
Time                API               Arguments                 Status    Return   Repeated
1620809370.600474   GetComputerNameW  computer_name: OSKAR-PC   success   1        0
This executable is signed (the report does not show the signer or whether the signature chain verifies)
This executable has a PDB path (1 event)
pdb_path E:\AzureDevOps\Apollo\FloraUtilities\Release\TPopPlus.pdb
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .gfids
Note: .gfids is the Control Flow Guard function-ID table that the MSVC linker emits for images built with /guard:cf. It is a standard section in modern Visual C++ builds, so this indicator is very likely a false positive for this sample.
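The packer heuristic above is just a section-name allowlist check. The following is an added example (not the sandbox's code) of that check written against a parsed PE section table, using only the standard library; the image it inspects is constructed by build_test_image(), not the sample from this report, and the allowlist is the editor's own list of Microsoft toolchain section names.

```python
"""Parse a PE section table and flag section names that a toolchain would not
normally produce.  Added example for this report (not the sandbox's code); it
uses only the standard library, and the PE image it checks is constructed in
build_test_image(), not the sample from the report."""
import struct

# Section names emitted by the Microsoft toolchain.  .gfids, .giats and .00cfg
# are Control Flow Guard tables produced by link.exe for /guard:cf builds, which
# is why a packer heuristic that lacks them flags .gfids on this sample.
KNOWN_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
    ".tls", ".bss", ".CRT", ".gfids", ".giats", ".00cfg", ".didat", ".textbss",
}


def pe_section_names(image: bytes) -> list:
    """Return the section names of a PE image in section-table order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        entry = table + 40 * i
        raw = image[entry:entry + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def unknown_sections(image: bytes) -> list:
    """Section names not in KNOWN_SECTIONS; this is the packer heuristic's trigger."""
    return [n for n in pe_section_names(image) if n not in KNOWN_SECTIONS]


def build_test_image(section_names) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an
    empty optional header, and one 40-byte section header per name."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    headers = b"".join(
        name.encode("ascii").ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + headers


# Constructed image: MSVC-style sections plus one UPX-style name.
SAMPLE_IMAGE = build_test_image([".text", ".rdata", ".gfids", "UPX0"])

if __name__ == "__main__":
    print("sections:", pe_section_names(SAMPLE_IMAGE))
    print("unknown :", unknown_sections(SAMPLE_IMAGE))
```

Run against the constructed image, .gfids passes and only UPX0 is reported; the same allowlist applied to the sample's .gfids section would not have fired.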
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc. (None are listed in the dropped-buffers section at the end of this report.)
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (2 events)
suspicious_features: GET method with no useragent header
suspicious_request: GET http://tpop.kpzip.com/n/tui/tpop/tpop4/tpop4.xml
suspicious_features: GET method with no useragent header
suspicious_request: GET http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now
Performs some HTTP requests (2 events)
request GET http://tpop.kpzip.com/n/tui/tpop/tpop4/tpop4.xml
request GET http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time                API                   Arguments             Status   Return   Repeated
1620809371.710474   GetAdaptersAddresses  flags: 0, family: 0   failed   111      0
Note: return value 111 is ERROR_BUFFER_OVERFLOW, which the first GetAdaptersAddresses call returns while sizing its output buffer. Only one call was logged, so on its own this is weak evidence of VM detection.
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14 (an address in Google's 172.217.0.0/16 range; it does not appear in the TCP connection table below)
Enumerates services, possibly for anti-virtualization (1 event)
Time                API                  Arguments                                                                                        Status   Return   Repeated
1620809370.538474   EnumServicesStatusW  service_handle: 0x00506d58, service_type: 59 (0x3B = SERVICE_WIN32 | SERVICE_DRIVER), service_status: 1 (SERVICE_ACTIVE)   failed   0   0
Sets or modifies WPAD proxy auto-configuration settings for traffic interception (8 events)
Caveat: the WpadDecision, WpadDecisionReason, WpadDecisionTime, WpadNetworkName and WpadLastNetwork values under Internet Settings\Wpad are the cache that Windows automatic proxy detection (WinINet/WinHTTP AutoProxy) writes whenever a process makes requests with proxy auto-detect enabled. The sample imports WININET (see Imports below) and made two HTTP requests, which is enough to produce these writes; on their own they are not evidence that the sample installs a proxy or a PAC file. The second subkey name, 0a-00-27-00-00-00, is the MAC address of a VirtualBox host-only adapter, consistent with the 192.168.56.0/24 analysis network seen in the connection tables.
Time                API              Key handle   Value name           Type             Value                                       Status    Return   Repeated
1620809374.288474   RegSetValueExA   0x000003a4   WpadDecisionReason   4 (REG_DWORD)    1                                           success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
1620809374.288474   RegSetValueExA   0x000003a4   WpadDecisionTime     3 (REG_BINARY)   (8-byte FILETIME; raw bytes not printable)  success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
1620809374.288474   RegSetValueExA   0x000003a4   WpadDecision         4 (REG_DWORD)    3                                           success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
1620809374.288474   RegSetValueExW   0x000003a4   WpadNetworkName      1 (REG_SZ)       网络 2 (Chinese, "Network 2": the Windows network profile name)   success   0   0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
1620809374.288474   RegSetValueExA   0x000003c4   WpadDecisionReason   4 (REG_DWORD)    1                                           success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1620809374.303474   RegSetValueExA   0x000003c4   WpadDecisionTime     3 (REG_BINARY)   (8-byte FILETIME; raw bytes not printable)  success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1620809374.303474   RegSetValueExA   0x000003c4   WpadDecision         4 (REG_DWORD)    3                                           success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1620809374.319474   RegSetValueExW   0x000003a0   WpadLastNetwork      1 (REG_SZ)       {40112ABE-63B3-43C3-BE93-1440EE3AF106}      success   0        0
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
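Sandbox reports print REG_BINARY values such as WpadDecisionTime as unprintable bytes. The following added example (not the sandbox's code) decodes that value as a FILETIME and groups the eight writes above by the network subkey they belong to, so the GUID-keyed and MAC-keyed entries can be compared side by side. The key paths are the ones logged above; the FILETIME bytes are constructed from the sandbox's own event timestamp because the real value is not recoverable from the report.

```python
"""Decode the REG_BINARY FILETIME in WpadDecisionTime and summarise the Wpad
subkeys written in a sandbox registry log.  Added example for this report, not
the sandbox's code.  The registry paths are the ones logged above; the
FILETIME bytes are constructed because the report prints the real value as
unprintable characters."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WPAD_ROOT = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Wpad")
NET_GUID = "{40112ABE-63B3-43C3-BE93-1440EE3AF106}"
NET_MAC = "0a-00-27-00-00-00"


def filetime_to_datetime(raw: bytes) -> datetime:
    """FILETIME: little-endian uint64 count of 100 ns intervals since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def is_virtualbox_hostonly_mac(mac: str) -> bool:
    """VirtualBox host-only adapters use the 0A:00:27 prefix."""
    return mac.lower().replace(":", "-").startswith("0a-00-27-")


# Constructed: the sandbox's own event time, 1620809374 s since the Unix epoch,
# as a FILETIME (the Unix epoch is 11644473600 s after the FILETIME epoch).
SAMPLE_FILETIME = struct.pack("<Q", (1620809374 + 11644473600) * 10_000_000)

# (full key path, value type, value) in the order the report logged them.
EVENTS = [
    (WPAD_ROOT + "\\" + NET_GUID + r"\WpadDecisionReason", "REG_DWORD", 1),
    (WPAD_ROOT + "\\" + NET_GUID + r"\WpadDecisionTime", "REG_BINARY", SAMPLE_FILETIME),
    (WPAD_ROOT + "\\" + NET_GUID + r"\WpadDecision", "REG_DWORD", 3),
    (WPAD_ROOT + "\\" + NET_GUID + r"\WpadNetworkName", "REG_SZ", "网络 2"),
    (WPAD_ROOT + "\\" + NET_MAC + r"\WpadDecisionReason", "REG_DWORD", 1),
    (WPAD_ROOT + "\\" + NET_MAC + r"\WpadDecisionTime", "REG_BINARY", SAMPLE_FILETIME),
    (WPAD_ROOT + "\\" + NET_MAC + r"\WpadDecision", "REG_DWORD", 3),
    (WPAD_ROOT + r"\WpadLastNetwork", "REG_SZ", NET_GUID),
]


def summarise_wpad(events) -> dict:
    """Group Wpad writes by the network subkey (GUID or MAC) they belong to,
    decoding FILETIME values to ISO-8601 UTC strings."""
    out = {}
    for regkey, reg_type, value in events:
        if not regkey.startswith(WPAD_ROOT):
            continue
        parts = regkey[len(WPAD_ROOT):].strip("\\").split("\\")
        network = parts[0] if len(parts) > 1 else "(root)"
        name = parts[-1]
        if reg_type == "REG_BINARY" and name == "WpadDecisionTime":
            value = filetime_to_datetime(value).isoformat()
        entry = out.setdefault(network, {})
        entry[name] = value
        if network != "(root)":
            entry["virtualbox_hostonly"] = is_virtualbox_hostonly_mac(network)
    return out


if __name__ == "__main__":
    for network, values in summarise_wpad(EVENTS).items():
        print(network, values)
```

With real sandbox output, feed the raw 8 bytes of the value into filetime_to_datetime; a WpadDecisionTime that matches the run's own clock, as it does here, confirms the writes happened during the sample's HTTP activity rather than being pre-existing state in the snapshot.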
File has been identified by 49 antivirus engines on VirusTotal as malicious (49 events)
Engine  Detection name
Bkav W32.HfsAdware.C51A
MicroWorld-eScan Trojan.GenericKD.32589094
FireEye Generic.mg.32020b2dffc1a7f9
CAT-QuickHeal PUA.RiskwareRI.S8133517
McAfee GenericRXIY-YR!32020B2DFFC1
Cylance Unsafe
Zillya Adware.KuaiZip.Win32.457
SUPERAntiSpyware Adware.KuaiZip/Variant
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:Win32/KZip.df17e13e
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D1F14526
TrendMicro TROJ_GEN.R002C0PER20
F-Prot W32/Ulise.AA.gen!Eldorado
Symantec PUA.KpZip
APEX Malicious
Kaspersky HEUR:Trojan-Downloader.Win64.Agent.vho
BitDefender Trojan.GenericKD.32589094
NANO-Antivirus Riskware.Win32.KuaiZip.gilwth
AegisLab Trojan.Win64.Agent.a!c
Avast Win32:PUP-gen [PUP]
Ad-Aware Trojan.GenericKD.32589094
Emsisoft Trojan.GenericKD.32589094 (B)
F-Secure Heuristic.HEUR/AGEN.1119232
DrWeb Program.Kuaizip.1
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Sophos KuaiZip (PUA)
Cyren W32/Ulise.AA.gen!Eldorado
Webroot W32.Adware.Gen
Avira HEUR/AGEN.1119232
Antiy-AVL GrayWare[AdWare]/Win32.KuaiZip
Microsoft PUA:Win32/KuaiZip
Endgame malicious (high confidence)
ViRobot Adware.Kuaizip.915352.A
ZoneAlarm HEUR:Trojan-Downloader.Win64.Agent.vho
GData Trojan.GenericKD.32589094
AhnLab-V3 PUP/Win32.RL_Generic.R292165
ALYac Trojan.GenericKD.32589094
MAX malware (ai score=100)
VBA32 BScope.Adware.KuaiZip
Malwarebytes Adware.Kuaiba
ESET-NOD32 a variant of Win32/KuaiZip.U potentially unwanted
TrendMicro-HouseCall TROJ_GEN.R002C0PER20
Rising Trojan.Generic!8.C3 (C64:YzY0Or4vyay6JnVZ)
Yandex PUA.KuaiZip!
Fortinet Adware/KuaiZip
AVG FileRepMalware
Panda Trj/Genetic.gen
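The 49 labels above disagree on class (trojan versus PUA) but mostly agree on a name. The following added example (not the sandbox's or VirusTotal's code, and only a much simplified form of what tools such as AVClass do) derives that consensus: each label is tokenised, generic class, platform and heuristic tokens are dropped, and every engine votes once for each remaining token. The label list is copied from the report; the generic-token list is the editor's own.

```python
"""Family consensus from VirusTotal detection names.  Added example for this
report (not the sandbox's code); the label list is copied from the report."""
import re
from collections import Counter

VT_LABELS = """
Bkav W32.HfsAdware.C51A
MicroWorld-eScan Trojan.GenericKD.32589094
FireEye Generic.mg.32020b2dffc1a7f9
CAT-QuickHeal PUA.RiskwareRI.S8133517
McAfee GenericRXIY-YR!32020B2DFFC1
Cylance Unsafe
Zillya Adware.KuaiZip.Win32.457
SUPERAntiSpyware Adware.KuaiZip/Variant
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:Win32/KZip.df17e13e
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D1F14526
TrendMicro TROJ_GEN.R002C0PER20
F-Prot W32/Ulise.AA.gen!Eldorado
Symantec PUA.KpZip
APEX Malicious
Kaspersky HEUR:Trojan-Downloader.Win64.Agent.vho
BitDefender Trojan.GenericKD.32589094
NANO-Antivirus Riskware.Win32.KuaiZip.gilwth
AegisLab Trojan.Win64.Agent.a!c
Avast Win32:PUP-gen [PUP]
Ad-Aware Trojan.GenericKD.32589094
Emsisoft Trojan.GenericKD.32589094 (B)
F-Secure Heuristic.HEUR/AGEN.1119232
DrWeb Program.Kuaizip.1
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Sophos KuaiZip (PUA)
Cyren W32/Ulise.AA.gen!Eldorado
Webroot W32.Adware.Gen
Avira HEUR/AGEN.1119232
Antiy-AVL GrayWare[AdWare]/Win32.KuaiZip
Microsoft PUA:Win32/KuaiZip
Endgame malicious (high confidence)
ViRobot Adware.Kuaizip.915352.A
ZoneAlarm HEUR:Trojan-Downloader.Win64.Agent.vho
GData Trojan.GenericKD.32589094
AhnLab-V3 PUP/Win32.RL_Generic.R292165
ALYac Trojan.GenericKD.32589094
MAX malware (ai score=100)
VBA32 BScope.Adware.KuaiZip
Malwarebytes Adware.Kuaiba
ESET-NOD32 a variant of Win32/KuaiZip.U potentially unwanted
TrendMicro-HouseCall TROJ_GEN.R002C0PER20
Rising Trojan.Generic!8.C3 (C64:YzY0Or4vyay6JnVZ)
Yandex PUA.KuaiZip!
Fortinet Adware/KuaiZip
AVG FileRepMalware
Panda Trj/Genetic.gen
"""

# Class, platform and heuristic tokens that name no family (editor's list).
GENERIC_TOKENS = {
    "trojan", "adware", "riskware", "pua", "pup", "malware", "malicious", "unsafe",
    "generic", "generickd", "heur", "heuristic", "variant", "agent", "downloader",
    "backdoor", "program", "grayware", "unwanted", "potentially", "win32", "win64",
    "w32", "gen", "high", "confidence", "score", "bscope", "genetic", "trj", "troj",
    "filerepmalware",
}
PUA_WORDS = ("pua", "pup", "adware", "riskware", "grayware", "unwanted", "program")


def parse_labels(text: str) -> list:
    """Split 'Engine label...' lines into (engine, label) pairs."""
    return [line.strip().partition(" ")[::2] for line in text.strip().splitlines()]


def family_tokens(label: str) -> set:
    """Tokens that could name a family: 4+ chars, no digits, not generic."""
    return {t for t in re.split(r"[^a-z0-9]+", label.lower())
            if len(t) >= 4 and not any(c.isdigit() for c in t) and t not in GENERIC_TOKENS}


def family_consensus(text: str) -> list:
    """Most common family tokens; each engine counts at most once per token."""
    votes = Counter()
    for _, label in parse_labels(text):
        votes.update(family_tokens(label))
    return votes.most_common(5)


def pua_vs_total(text: str) -> tuple:
    """(engines labelling the file PUA/adware/riskware, total engines)."""
    pairs = parse_labels(text)
    return sum(any(w in lbl.lower() for w in PUA_WORDS) for _, lbl in pairs), len(pairs)
```

On this list the top token is kuaizip with 12 engine votes, and 21 of the 49 engines label the file as PUA, adware or riskware rather than as a trojan; KpZip, KZip and Kuaiba remain separate tokens because nothing in the report establishes that they are the same family.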
Visual analysis
Binary image
No binary image: no binary visualisation was generated for this sample.
Run-time screenshots
No screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2019-07-26 15:37:28

Imports

Library KERNEL32.dll:
0x4a607c Sleep
0x4a6080 GetSystemDirectoryA
0x4a6084 TerminateThread
0x4a6088 GetVersionExA
0x4a608c GetSystemInfo
0x4a6090 DeviceIoControl
0x4a6094 lstrcpyA
0x4a60a0 GetSystemDirectoryW
0x4a60a4 GetCurrentThread
0x4a60a8 LocalFree
0x4a60ac GetComputerNameW
0x4a60b0 CreateThread
0x4a60b4 OpenMutexW
0x4a60b8 GetTickCount
0x4a60bc GetCommandLineW
0x4a60c0 GetProcessTimes
0x4a60c4 ReadFile
0x4a60cc WriteFile
0x4a60d0 CreateNamedPipeW
0x4a60d8 DisconnectNamedPipe
0x4a60dc CreateEventW
0x4a60e0 SetEvent
0x4a60e4 GetOverlappedResult
0x4a60e8 ExitProcess
0x4a60ec TransactNamedPipe
0x4a60f0 WaitNamedPipeW
0x4a60f4 ConnectNamedPipe
0x4a60f8 FlushFileBuffers
0x4a6100 ResumeThread
0x4a6104 CreateProcessW
0x4a6108 GetModuleHandleA
0x4a610c OpenProcess
0x4a6110 FindFirstFileW
0x4a6114 GetFileAttributesW
0x4a6118 WaitForSingleObject
0x4a6128 GetModuleFileNameA
0x4a612c SetEndOfFile
0x4a6130 GetFullPathNameW
0x4a6138 HeapSize
0x4a613c SetStdHandle
0x4a614c GetCommandLineA
0x4a6150 GetOEMCP
0x4a6154 IsValidCodePage
0x4a6158 FindNextFileA
0x4a615c FindFirstFileExA
0x4a6164 GetProcessHeap
0x4a6168 ReadConsoleW
0x4a6170 GetConsoleMode
0x4a6174 GetConsoleCP
0x4a6178 EnumSystemLocalesW
0x4a617c GetUserDefaultLCID
0x4a6180 IsValidLocale
0x4a6184 GetDriveTypeW
0x4a6188 SetFilePointerEx
0x4a618c GetACP
0x4a6190 HeapReAlloc
0x4a6194 HeapFree
0x4a6198 HeapAlloc
0x4a619c lstrlenW
0x4a61a0 WriteConsoleW
0x4a61a4 GetStdHandle
0x4a61a8 WideCharToMultiByte
0x4a61ac MultiByteToWideChar
0x4a61b4 CreateMutexW
0x4a61c0 GetLastError
0x4a61c4 RaiseException
0x4a61cc DecodePointer
0x4a61d0 CreateFileW
0x4a61d4 CreateDirectoryW
0x4a61d8 LoadLibraryW
0x4a61dc LoadLibraryA
0x4a61e0 GetLocalTime
0x4a61e4 CloseHandle
0x4a61e8 SetErrorMode
0x4a61ec GetCurrentThreadId
0x4a61f4 GetCurrentProcessId
0x4a61f8 GetCurrentProcess
0x4a61fc GetProcAddress
0x4a6200 FreeLibrary
0x4a6204 GetModuleHandleW
0x4a6208 EncodePointer
0x4a620c GetStringTypeW
0x4a6210 GetModuleFileNameW
0x4a6218 ExitThread
0x4a6224 FindClose
0x4a6228 GetModuleHandleExW
0x4a622c LoadLibraryExW
0x4a6230 CompareStringW
0x4a6234 LCMapStringW
0x4a6238 GetLocaleInfoW
0x4a623c SetLastError
0x4a6240 TlsAlloc
0x4a6244 TlsGetValue
0x4a6248 TlsSetValue
0x4a624c TlsFree
0x4a6258 TerminateProcess
0x4a625c RtlUnwind
0x4a6260 PeekNamedPipe
0x4a6264 GetFileType
0x4a6268 FormatMessageA
0x4a626c SleepEx
0x4a6270 VerifyVersionInfoA
0x4a6274 VerSetConditionMask
0x4a6278 OutputDebugStringW
0x4a6280 InitializeSListHead
0x4a6288 GetStartupInfoW
0x4a628c IsDebuggerPresent
0x4a6290 GetCPInfo
Library USER32.dll:
0x4a62d0 GetMonitorInfoW
0x4a62d4 GetClientRect
0x4a62d8 MonitorFromWindow
0x4a62dc WindowFromPoint
0x4a62e0 GetSystemMetrics
0x4a62e4 GetMessageW
0x4a62e8 TranslateMessage
0x4a62ec DispatchMessageW
0x4a62f0 LoadIconW
0x4a62f4 LoadCursorW
0x4a62f8 GetWindowLongW
0x4a62fc GetWindowRect
0x4a6300 SetWindowLongW
0x4a6304 DefWindowProcW
0x4a6308 PostQuitMessage
0x4a630c RegisterClassW
0x4a6310 CreateWindowExW
0x4a6314 DestroyWindow
0x4a6318 ShowWindow
0x4a631c SetWindowPos
0x4a6320 IsWindowVisible
0x4a6324 SetTimer
0x4a6328 KillTimer
0x4a6330 GetShellWindow
0x4a6334 GetDesktopWindow
0x4a6338 GetParent
0x4a633c CallWindowProcW
0x4a6340 PostMessageW
0x4a6344 FindWindowExW
0x4a6348 GetLastInputInfo
0x4a634c RegisterClassExW
0x4a6350 wsprintfW
0x4a6354 UpdateWindow
Library GDI32.dll:
0x4a606c GetStockObject
Library ADVAPI32.dll:
0x4a6000 RegQueryValueExA
0x4a6004 RegOpenKeyA
0x4a6008 RegCreateKeyExA
0x4a600c RegSetValueExA
0x4a6014 CryptCreateHash
0x4a6018 CryptHashData
0x4a601c CryptGetHashParam
0x4a6024 LookupAccountNameW
0x4a6028 RegOpenCurrentUser
0x4a602c OpenSCManagerW
0x4a6030 EnumServicesStatusW
0x4a603c RegSetValueExW
0x4a6040 CryptEncrypt
0x4a6044 RegOpenKeyExA
0x4a6048 RegCreateKeyExW
0x4a604c RegCloseKey
0x4a6050 CryptImportKey
0x4a6054 CryptDestroyKey
0x4a6058 CryptDestroyHash
0x4a605c CryptGenRandom
0x4a6060 CryptReleaseContext
Library SHELL32.dll:
0x4a62ac ShellExecuteW
Library ole32.dll:
0x4a6458 CoInitializeEx
0x4a645c CoUninitialize
0x4a6460 CoTaskMemFree
0x4a6464 CoCreateGuid
0x4a6468 StringFromCLSID
0x4a6470 CoGetClassObject
0x4a6474 OleUninitialize
0x4a6478 OleInitialize
Library OLEAUT32.dll:
0x4a6298 VariantInit
0x4a629c SysFreeString
0x4a62a0 SysAllocString
0x4a62a4 VariantClear
Library SHLWAPI.dll:
0x4a62b8 StrCpyW
0x4a62bc StrStrW
0x4a62c0 StrIsIntlEqualA
0x4a62c4 PathFileExistsA
0x4a62c8 PathFindFileNameW
Library WS2_32.dll:
0x4a63e0 ntohl
0x4a63e4 htonl
0x4a63e8 socket
0x4a63ec WSAIoctl
0x4a63f0 getaddrinfo
0x4a63f4 freeaddrinfo
0x4a63f8 recvfrom
0x4a63fc sendto
0x4a6400 accept
0x4a6404 listen
0x4a6408 ioctlsocket
0x4a640c gethostname
0x4a6410 WSAStartup
0x4a6414 WSACleanup
0x4a6418 WSAGetLastError
0x4a641c __WSAFDIsSet
0x4a6420 select
0x4a6424 WSASetLastError
0x4a6428 recv
0x4a642c send
0x4a6430 bind
0x4a6434 closesocket
0x4a6438 connect
0x4a643c getpeername
0x4a6440 getsockname
0x4a6444 getsockopt
0x4a6448 htons
0x4a644c ntohs
0x4a6450 setsockopt
Library VERSION.dll:
0x4a635c GetFileVersionInfoW
0x4a6360 VerQueryValueW
0x4a6368 VerQueryValueA
0x4a636c GetFileVersionInfoA
Library WININET.dll:
0x4a6378 HttpQueryInfoA
0x4a637c InternetOpenA
0x4a6380 InternetCloseHandle
0x4a6384 HttpSendRequestA
0x4a6388 InternetConnectA
0x4a638c InternetSetOptionW
0x4a6390 InternetReadFile
0x4a6394 HttpOpenRequestA
Library IPHLPAPI.DLL:
0x4a6074 GetAdaptersInfo
Library WLDAP32.dll (16 imports by ordinal; the report does not resolve their names):
0x4a639c
0x4a63a0
0x4a63a4
0x4a63a8
0x4a63ac
0x4a63b0
0x4a63b4
0x4a63b8
0x4a63bc
0x4a63c0
0x4a63c4
0x4a63c8
0x4a63cc
0x4a63d0
0x4a63d4
0x4a63d8

Hosts

No hosts contacted. (The report's host list is empty even though the TCP table below records connections to two destinations; treat the TCP and HTTP sections as authoritative.)

TCP

Source           Source Port   Destination                               Destination Port
192.168.56.101   49174         106.75.18.180 (hotnews.dftoutiao.com)     80
192.168.56.101   49173         116.55.250.100 (tpop.kpzip.com)           80

UDP

Source           Source Port   Destination        Destination Port   Protocol (by port)
192.168.56.101   49235         114.114.114.114    53                 DNS
192.168.56.101   50534         114.114.114.114    53                 DNS
192.168.56.101   51808         114.114.114.114    53                 DNS
192.168.56.101   56539         114.114.114.114    53                 DNS
192.168.56.101   57874         114.114.114.114    53                 DNS
192.168.56.101   58367         114.114.114.114    53                 DNS
192.168.56.101   65004         114.114.114.114    53                 DNS
192.168.56.101   137           192.168.56.255     137                NetBIOS name service (broadcast)
192.168.56.101   138           192.168.56.255     138                NetBIOS datagram (broadcast)
192.168.56.101   51378         224.0.0.252        5355               LLMNR (multicast)
192.168.56.101   55368         224.0.0.252        5355               LLMNR (multicast)
192.168.56.101   56804         224.0.0.252        5355               LLMNR (multicast)
192.168.56.101   60123         224.0.0.252        5355               LLMNR (multicast)
192.168.56.101   62191         224.0.0.252        5355               LLMNR (multicast)
192.168.56.101   1900          239.255.255.250    1900               SSDP (multicast)
192.168.56.101   51379         239.255.255.250    3702               WS-Discovery (multicast)
192.168.56.101   56540         239.255.255.250    3702               WS-Discovery (multicast)
192.168.56.101   58707         239.255.255.250    3702               WS-Discovery (multicast)
192.168.56.101   59704         239.255.255.250    1900               SSDP (multicast)

The port-53 rows are name-resolution traffic to the guest's configured resolver (114.114.114.114, a Chinese public DNS service). The NetBIOS, LLMNR, SSDP and WS-Discovery rows are Windows network-discovery broadcasts and multicasts that appear in most sandbox captures regardless of the sample.
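The "communicates with host for which no DNS query was performed" indicator in the network section and the noise in the UDP table are both questions of correlation over these tables. The following added example (not the sandbox's code) performs both checks: it lists TCP destinations that no DNS answer returned, and it separates Windows discovery chatter from sample-attributable UDP by destination port. The DNS answer map is constructed from the hostname column of the TCP table, since the report does not list DNS responses, and the 172.217.24.14 flow is taken from the network indicator, which gives no port, so its port is an assumption.

```python
"""Correlate the connection tables with DNS answers and classify UDP rows.
Added example for this report, not the sandbox's code.  DNS_ANSWERS is
constructed from the TCP table's hostname column; the 172.217.24.14 flow's
port is assumed (the indicator that reports it gives none)."""
from collections import Counter

DNS_ANSWERS = {                       # name -> addresses (constructed, see above)
    "hotnews.dftoutiao.com": {"106.75.18.180"},
    "tpop.kpzip.com": {"116.55.250.100"},
}
TCP_FLOWS = [                         # (src, sport, dst, dport)
    ("192.168.56.101", 49174, "106.75.18.180", 80),
    ("192.168.56.101", 49173, "116.55.250.100", 80),
    ("192.168.56.101", 49180, "172.217.24.14", 443),   # sport and dport assumed
]
UDP_FLOWS = [
    ("192.168.56.101", 49235, "114.114.114.114", 53),
    ("192.168.56.101", 50534, "114.114.114.114", 53),
    ("192.168.56.101", 51808, "114.114.114.114", 53),
    ("192.168.56.101", 56539, "114.114.114.114", 53),
    ("192.168.56.101", 57874, "114.114.114.114", 53),
    ("192.168.56.101", 58367, "114.114.114.114", 53),
    ("192.168.56.101", 65004, "114.114.114.114", 53),
    ("192.168.56.101", 137, "192.168.56.255", 137),
    ("192.168.56.101", 138, "192.168.56.255", 138),
    ("192.168.56.101", 51378, "224.0.0.252", 5355),
    ("192.168.56.101", 55368, "224.0.0.252", 5355),
    ("192.168.56.101", 56804, "224.0.0.252", 5355),
    ("192.168.56.101", 60123, "224.0.0.252", 5355),
    ("192.168.56.101", 62191, "224.0.0.252", 5355),
    ("192.168.56.101", 1900, "239.255.255.250", 1900),
    ("192.168.56.101", 51379, "239.255.255.250", 3702),
    ("192.168.56.101", 56540, "239.255.255.250", 3702),
    ("192.168.56.101", 58707, "239.255.255.250", 3702),
    ("192.168.56.101", 59704, "239.255.255.250", 1900),
]
# Windows discovery protocols that show up in nearly every sandbox capture.
BACKGROUND_UDP = {137: "NetBIOS name service", 138: "NetBIOS datagram",
                  5355: "LLMNR", 1900: "SSDP", 3702: "WS-Discovery"}


def resolved_addresses(dns_answers) -> set:
    """Every address any DNS answer returned."""
    return set().union(*dns_answers.values())


def hosts_without_dns(tcp_flows, dns_answers) -> list:
    """Destinations contacted although no DNS answer ever returned them."""
    resolved = resolved_addresses(dns_answers)
    return sorted({dst for _, _, dst, _ in tcp_flows if dst not in resolved})


def name_for(addr: str, dns_answers):
    """Hostname a destination was resolved from, or None."""
    for name, addrs in dns_answers.items():
        if addr in addrs:
            return name
    return None


def classify_udp(udp_flows) -> dict:
    """Count UDP rows by what the destination port says they are."""
    counts = Counter()
    for _, _, dst, dport in udp_flows:
        if dport == 53:
            counts["DNS to " + dst] += 1
        elif dport in BACKGROUND_UDP:
            counts[BACKGROUND_UDP[dport]] += 1
        else:
            counts["other"] += 1
    return dict(counts)


def sample_attributable_udp(udp_flows) -> list:
    """UDP rows left once Windows discovery noise is removed."""
    return [f for f in udp_flows if f[3] not in BACKGROUND_UDP]


if __name__ == "__main__":
    print("no DNS answer:", hosts_without_dns(TCP_FLOWS, DNS_ANSWERS))
    print("udp by type:", classify_udp(UDP_FLOWS))
```

With a real capture, DNS_ANSWERS would be filled from the A records in the DNS responses; a destination that shows up in hosts_without_dns is then either hard-coded in the sample, reached through a cached resolution, or produced by the OS, and the process-level log is needed to tell which.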

HTTP & HTTPS Requests

URI Data
http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now
GET /hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now HTTP/1.1
Host: hotnews.dftoutiao.com
Accept: */*

http://tpop.kpzip.com/n/tui/tpop/tpop4/tpop4.xml
GET /n/tui/tpop/tpop4/tpop4.xml HTTP/1.1
Host: tpop.kpzip.com
Accept: */*
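The two requests above carry only Host and Accept headers, which is what triggers the sandbox's "GET method with no useragent header" feature. The following added example (not the sandbox's code) parses raw HTTP/1.x request text and reproduces that feature along with the URL and query parameters a triage note would record. The first two requests are the ones in the report; the third is constructed, with a User-Agent, to show a request that is not flagged.

```python
"""Parse raw HTTP requests and flag the feature the sandbox signature keys on.
Added example for this report, not the sandbox's code.  The first two requests
are from the report; the third is constructed as a non-flagged control."""
from urllib.parse import parse_qs, urlsplit

RAW_REQUESTS = [
    "GET /hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now HTTP/1.1\r\n"
    "Host: hotnews.dftoutiao.com\r\nAccept: */*\r\n\r\n",
    "GET /n/tui/tpop/tpop4/tpop4.xml HTTP/1.1\r\nHost: tpop.kpzip.com\r\nAccept: */*\r\n\r\n",
    # Constructed control case with a User-Agent header.
    "GET /n/tui/tpop/tpop4/tpop4.xml HTTP/1.1\r\nHost: tpop.kpzip.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def suspicious_features(req: dict) -> list:
    """Features worth flagging; the first uses the report's own wording."""
    feats = []
    if "user-agent" not in req["headers"]:
        feats.append(f"{req['method']} method with no useragent header")
    if req["version"] == "HTTP/1.1" and "host" not in req["headers"]:
        feats.append("HTTP/1.1 request with no Host header")
    return feats


def full_url(req: dict) -> str:
    """Reassemble the URL as the report prints it (plain HTTP: Host header + target)."""
    return f"http://{req['headers'].get('host', '')}{req['target']}"


def query_params(req: dict) -> dict:
    """First value of each query-string parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(req["target"]).query).items()}


def scan(raw_requests) -> list:
    """(url, features) for every request with at least one suspicious feature."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        feats = suspicious_features(req)
        if feats:
            out.append((full_url(req), feats))
    return out


if __name__ == "__main__":
    for url, feats in scan(RAW_REQUESTS):
        print(url, feats)
```

A missing User-Agent is a weak signal by itself; WinINet-based clients send one unless the caller passes an empty agent string to InternetOpenA, so its absence here says the sample chose not to identify itself rather than that the traffic is hostile.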

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.