Score: 8.0
Severity: High (高危)
SHA-256: d9d17e87f7261c2ae63156fee822d1b39646b3ac61693033ad62ab8cbf4de7c5
File name: 3b5dfed3267d7a14a49123d813570b80.exe (a 32-hex-digit name, presumably the sample's MD5; the report gives no MD5 to confirm it)
Analysis duration: 74s
Last analysed: (not recorded)
File size: 3.8MB
Detection tags (static and dynamic): AIDETECTVM, APPLICUNWNT@#1IU36UNANOCJN, ATTRIBUTE, CHINA, CONFIDENCE, DCSEEXOX9FA, GENERIC, PUA, IO, GRIR, HIGHCONFIDENCE, KINGSOFT, MALWARE1, PRESENOKER, SCORE, SNOJAN, SUSGEN, UNSAFE, YYFJ
Eagle Eye engine (鹰眼引擎): no detection (no Eagle Eye engine result is available for this sample)
Static verdict

Anti-virus engines

Engine | Result | Scan date | Engine version
Alibaba | Downloader:Win32/Snojan.ee86afd3 | 20190527 | 0.3.0.5
Baidu | (no detection) | 20190318 | 1.0.0.2
Avast | (no detection) | 20201211 | 21.1.5827.0
Kingsoft | (no detection) | 20201212 | 2017.9.26.565
McAfee | (no detection) | 20201211 | 6.0.6.653
Tencent | (no detection) | 20201212 | 1.0.0.1
CrowdStrike | win/malicious_confidence_60% (D) | 20190702 | 1.0

The scan dates span March 2019 to December 2020, so this table is not a single point-in-time verdict. Two of seven engines flag the file, and one of them (CrowdStrike) only at 60% confidence. Kingsoft's own engine returns nothing; since every network contact the sample makes goes to Kingsoft infrastructure (duba.net, ijinshan.com) and ESET names the family Win32/KingSoft.L in the VirusTotal list below, that silence is consistent with the file being a Kingsoft-distributed PUA downloader rather than conventional malware.
Static indicators

Queries for the computer name (1 event)
  Time: 1619345035.178793 | API: GetComputerNameA | computer_name: OSKAR-PC | status: success | return: 1 | repeated: 0

The executable uses a known packer (1 event)
  packer: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (2 events)
  resource name: PNG
  resource name: XML
  PNG and XML are not standard RT_* resource types, but custom resource names are common in GUI installers and on their own say little; the UPX signature and the UPX0/UPX1 section names are the stronger packer evidence.
Behaviour verdict

Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)
  suspicious_features: POST method with no referer header | suspicious_request: POST http://ct.duba.net/itid
  suspicious_features: POST method with no referer header | suspicious_request: POST http://did.ijinshan.com/db/?v=2&p=db&u=027094d82032ec8eb2b98d1c03fe1108&m=0800270fc1070000&ip=1698212032&s=3c37d7ef0472b37326d2d341a52726df&mid=-849785337&dsn=VB4d3bbc8a-fd72b187&old_svrid=
  suspicious_features: POST method with no referer header | suspicious_request: POST http://infoc0.duba.net/c/
  suspicious_features: POST method with no referer header | suspicious_request: POST http://infoc2.duba.net/c/
  A missing Referer on a POST is normal for any native HTTP client (these requests use an ATL user agent, see the HTTP section below), so this signature fires on every non-browser application; the interesting part is the did.ijinshan.com query string. ip=1698212032 is the sandbox's own address 192.168.56.101 written as a little-endian 32-bit integer, m=0800270fc1070000 is the adapter MAC 08:00:27:0f:c1:07 zero-padded to 8 bytes (08:00:27 is the VirtualBox NIC OUI), dsn=VB4d3bbc8a-fd72b187 has the format of a VirtualBox default disk serial, and u and s are 32-hex-digit identifiers. The request therefore reports the machine's network identity, hardware identity and disk identity to the vendor, and it identifies the analysis environment as a VirtualBox guest.

Performs some HTTP requests (4 events)
  request: the same four POST requests listed above

Sends data using the HTTP POST method (4 events)
  request: the same four POST requests listed above
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (1 event)
  Time: 1619345035.178793 | API: GetDiskFreeSpaceExW | root_path: C:\Windows\system32 | free_bytes_available: 0 | total_number_of_free_bytes: 19610419200 | total_number_of_bytes: 0 | status: success | return: 1 | repeated: 0
  The three size fields are output parameters. Only total_number_of_free_bytes carries a value (19610419200 bytes, about 18.3 GiB); the two zeros most likely mean the caller passed NULL for those pointers, not that the disk reported zero bytes. One free-space query is also what an installer does before writing files, so this event is only weak evidence of VM detection.
Checks for known Chinese AV software registry keys (2 events)
  regkey pattern: .*rising
  regkey pattern: .*Kingsoft
Foreign language identified in PE resource (39 events; identical entries collapsed, with the repeat count shown)
Count | Name | Language | Sublanguage | Offset | Size | Filetype
17 | PNG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00160af8 | 0x0000055f | data
12 | XML | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00165e0c | 0x00000375 | data
2 | RT_BITMAP | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x001662a0 | 0x000000ae | data
4 | RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00169e08 | 0x00000468 | data
2 | RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x0016a2a0 | 0x00000014 | data
2 | RT_VERSION | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x001739a8 | 0x0000032c | data
  The repeats share offset and size, so the 39 events describe six resource entries, not 39 distinct resources. "Foreign" here means non-English; a Simplified Chinese resource language is expected for a Kingsoft product and is not an indicator by itself.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
  entropy: 7.8909517048681534 | section: UPX1 (size_of_data 0x000bb200, virtual_address 0x000b3000, virtual_size 0x000bc000) | description: A section with a high entropy has been found
  entropy: 0.9727095516569201 | description: Overall entropy of this PE file is high
  The per-section value is in bits per byte (maximum 8.0); the overall value is normalised to 0..1, i.e. about 7.78 bits per byte across the whole file. Both are what LZMA-compressed UPX output looks like and add nothing beyond the UPX section names below; a benign UPX-packed installer produces the same numbers.
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
  Time: 1619345035.100793 | API: LookupPrivilegeValueW | system_name: (empty) | privilege_name: SeDebugPrivilege | status: success | return: 1 | repeated: 0
  Time: 1619345035.334793 | API: LookupPrivilegeValueW | system_name: (empty) | privilege_name: SeDebugPrivilege | status: success | return: 1 | repeated: 0
  LookupPrivilegeValueW only translates the privilege name to a LUID; the report shows no AdjustTokenPrivileges call, so there is no evidence that SeDebugPrivilege was actually enabled. The lookup is still worth noting because it is the first step of the usual enable-debug-privilege sequence used to open other processes.
Queries for potentially installed applications (2 events)
  Time: 1619345035.350793 | API: RegOpenKeyExW | access: 0x02000000 (MAXIMUM_ALLOWED) | base_handle: 0x80000002 (HKEY_LOCAL_MACHINE) | key_handle: 0x00000000 | regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD | regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD | options: 0 | status: failed | return: 2 | repeated: 0
  Time: 1619345035.350793 | API: RegOpenKeyExW | access: 0x02000000 (MAXIMUM_ALLOWED) | base_handle: 0x80000002 (HKEY_LOCAL_MACHINE) | key_handle: 0x00000000 | regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360安全卫士 (360 Safe Guard, Qihoo's Chinese-market product) | regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360安全卫士 | options: 0 | status: failed | return: 2 | repeated: 0
  Return value 2 is ERROR_FILE_NOT_FOUND: neither 360 product is installed in the sandbox, so the sample learned that they are absent. Uninstall-key probes are how installers and bundled-software downloaders decide whether a competing security product is present; the sandbox flags them because malware uses the same check to change behaviour on protected hosts.
The executable is compressed using UPX (2 events)
  section: UPX0 | description: Section name indicates UPX
  section: UPX1 | description: Section name indicates UPX
  UPX0 holds the decompressed image at run time (large virtual size, no bytes on disk) and UPX1 holds the compressed payload plus the unpacking stub, which is why the entropy signature above singles out UPX1.
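The packer evidence above (UPX section names, a 7.89-bit section, an overall entropy of 0.97) can be reproduced without the sandbox. The following is an added example, not code from the report or from the sandbox vendor: a standard-library Python script that walks the PE section table, computes per-section and overall Shannon entropy, flags UPX section names and the "large virtual size, nothing on disk" shape of UPX0, and reads the COFF timestamp. The section-name set, the 7.0-bit threshold and the 4 KiB minimum are the example's own choices, and the PE it analyses is a constructed stand-in for a UPX-packed file, not the sample itself.

```python
"""Static packer triage for a PE image: section names, per-section entropy,
overall entropy, and the COFF timestamp. Pure standard library, no pefile."""
import datetime
import hashlib
import math
import struct
from collections import Counter

# Assumptions: these section names and thresholds are this example's choices,
# not values taken from the sandbox that produced the report.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0            # bits per byte; compressed/encrypted data approaches 8.0
MIN_SIZE_FOR_ENTROPY = 4096   # ignore tiny sections, their entropy is noisy

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_header_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def compile_time(pe: bytes) -> datetime.datetime:
    """COFF TimeDateStamp as UTC; values like January 1970 are unreliable for timelining."""
    ts = struct.unpack_from("<I", pe, pe_header_offset(pe) + 8)[0]
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)


def parse_sections(pe: bytes):
    """Yield (name, virtual_size, virtual_address, raw_bytes) per section header."""
    coff = pe_header_offset(pe) + 4
    _, n_sections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, coff)
    off = coff + COFF_HDR.size + opt_size
    for _ in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, off)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr,
               pe[raw_ptr:raw_ptr + raw_size] if raw_size else b"")
        off += SECTION_HDR.size


def assess(pe: bytes) -> dict:
    """Per-section findings plus an overall 'likely packed' verdict."""
    sections = []
    for name, vsize, vaddr, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        sections.append({
            "name": name, "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": len(raw), "entropy": round(ent, 4),
            "packer_name": name in PACKER_SECTION_NAMES,
            "high_entropy": ent > HIGH_ENTROPY and len(raw) >= MIN_SIZE_FOR_ENTROPY,
            # UPX0 in a packed file: large virtual size, nothing on disk (unpack target)
            "empty_on_disk": len(raw) == 0 and vsize > 0,
        })
    return {
        "sections": sections,
        # the sandbox reports the whole-file value normalised to 0..1, so divide by 8
        "overall_entropy_normalized": round(shannon_entropy(pe) / 8.0, 4),
        "likely_packed": any(s["packer_name"] or s["high_entropy"] for s in sections),
    }


def pseudo_random(n: int, seed: bytes = b"upx1") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed code."""
    out = bytearray()
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_fake_pe(sections, timestamp: int = 0) -> bytes:
    """Assemble a minimal, non-runnable PE (constructed test input): MZ stub, PE
    signature, COFF header with no optional header, section table, raw section data."""
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + COFF_HDR.size + len(sections) * SECTION_HDR.size
    raw_base = (hdr_end + 0x1FF) & ~0x1FF        # file alignment 512
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, vsize in sections:
        ptr = raw_base + len(blobs) if data else 0
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, vaddr,
                                  len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        vaddr += (max(vsize, len(data)) + 0xFFF) & ~0xFFF   # section alignment 4 KiB
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = COFF_HDR.pack(0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    return (dos + b"PE\0\0" + coff + table).ljust(raw_base, b"\0") + blobs


def demo_sample() -> bytes:
    """Constructed stand-in for a UPX-packed file (not the analysed sample): UPX0 empty
    on disk, UPX1 high entropy, .rsrc low-entropy XML, and the report's implausible
    timestamp 817792 (1970-01-10 11:09:52 UTC)."""
    return build_fake_pe([
        ("UPX0", b"", 0xB2000),
        ("UPX1", pseudo_random(0x10000), 0x10000),
        (".rsrc", b'<?xml version="1.0"?><config/>' * 200, 0x2000),
    ], timestamp=817792)


if __name__ == "__main__":
    report = assess(demo_sample())
    for s in report["sections"]:
        print(f'{s["name"]:<8} raw={s["raw_size"]:#08x} entropy={s["entropy"]:.4f} '
              f'packer_name={s["packer_name"]} high_entropy={s["high_entropy"]}')
    print("overall", report["overall_entropy_normalized"], "packed:", report["likely_packed"])
    print("compile time:", compile_time(demo_sample()).isoformat())
```

Run it against the real file with `assess(open(path, "rb").read())`; UPX0 should show as empty on disk and UPX1 above 7.8 bits. A .rsrc section full of PNGs would also trip the entropy flag, which is why the section-name check is the more reliable of the two and why entropy alone does not separate a packed PUA from a packed legitimate installer.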
Network communication

Communicates with a host for which no DNS query was performed (1 event)
  host: 172.217.24.14
  172.217.0.0/16 is Google address space. No TCP or HTTP row below involves this address and the report does not attribute it to a process, so it cannot be tied to the sample from this report; treat it as unexplained rather than as command and control.

Attempts to identify installed AV products by registry key (1 event)
  registry: HKEY_LOCAL_MACHINE\SOFTWARE\rising\RAV
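To turn the individual API events above (the SeDebugPrivilege lookups, the GetDiskFreeSpaceExW call, the three registry probes for 360 and Rising) into a triage summary, the following added example (not part of the report, and not the sandbox's own code) classifies sandbox API calls read from a JSON-lines log. The log layout, the vendor-to-registry-path patterns and the timestamp on the rising\RAV line are this example's assumptions; the API names, arguments and return values mirror the events listed in the report.

```python
"""Triage a sandbox API-call log (constructed JSON-lines format, one call per line)
for the host-profiling behaviour in the report: AV-product discovery through the
registry, SeDebugPrivilege lookups, disk-size VM checks and computer-name queries."""
import json
import re

ERROR_FILE_NOT_FOUND = 2   # RegOpenKeyExW return value when the key does not exist

# Assumption: vendor -> pattern over the registry path the sample opened.
AV_KEY_PATTERNS = {
    "Qihoo 360": re.compile(r"\\Uninstall\\360", re.I),
    "Rising": re.compile(r"\\rising\\", re.I),
    "Kingsoft": re.compile(r"\\Kingsoft", re.I),
}


def classify(call: dict) -> list:
    """Return (category, subject, detail) tags for one logged API call."""
    api, args = call["api"], call.get("args", {})
    tags = []
    if api == "RegOpenKeyExW":
        key = args.get("regkey", "")
        for vendor, pat in AV_KEY_PATTERNS.items():
            if pat.search(key):
                if call["status"] == 1:
                    state = "present"
                elif int(call["return"]) == ERROR_FILE_NOT_FOUND:
                    state = "absent"
                else:
                    state = "unknown"
                tags.append(("av_discovery", vendor, state))
    elif api == "LookupPrivilegeValueW" and args.get("privilege_name") == "SeDebugPrivilege":
        tags.append(("privilege_lookup", "SeDebugPrivilege", ""))
    elif api == "GetDiskFreeSpaceExW":
        # only total_number_of_free_bytes was populated in the report; convert to GiB
        gib = round(args.get("total_number_of_free_bytes", 0) / 2 ** 30, 1)
        tags.append(("vm_check_disk_size", args.get("root_path", ""), gib))
    elif api in ("GetComputerNameA", "GetComputerNameW"):
        tags.append(("host_fingerprint", args.get("computer_name", ""), ""))
    return tags


def triage(log_text: str) -> dict:
    summary = {"av_products_probed": {}, "sedebug_lookups": 0,
               "disk_size_checks": [], "computer_names": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for cat, subject, detail in classify(json.loads(line)):
            if cat == "av_discovery":
                probed = summary["av_products_probed"]
                # one "present" hit outweighs any number of "absent" probes for a vendor
                if probed.get(subject) != "present":
                    probed[subject] = detail
            elif cat == "privilege_lookup":
                summary["sedebug_lookups"] += 1
            elif cat == "vm_check_disk_size":
                summary["disk_size_checks"].append((subject, detail))
            elif cat == "host_fingerprint":
                summary["computer_names"].append(subject)
    return summary


# Constructed log lines: API names, arguments and return values mirror the report's
# events; the JSON layout and the timestamp on the rising\RAV line are made up.
SAMPLE_LOG = r'''
{"time": 1619345035.100793, "api": "LookupPrivilegeValueW", "args": {"system_name": "", "privilege_name": "SeDebugPrivilege"}, "status": 1, "return": "1"}
{"time": 1619345035.178793, "api": "GetComputerNameA", "args": {"computer_name": "OSKAR-PC"}, "status": 1, "return": "1"}
{"time": 1619345035.178793, "api": "GetDiskFreeSpaceExW", "args": {"root_path": "C:\\Windows\\system32", "free_bytes_available": 0, "total_number_of_free_bytes": 19610419200, "total_number_of_bytes": 0}, "status": 1, "return": "1"}
{"time": 1619345035.334793, "api": "LookupPrivilegeValueW", "args": {"system_name": "", "privilege_name": "SeDebugPrivilege"}, "status": 1, "return": "1"}
{"time": 1619345035.350793, "api": "RegOpenKeyExW", "args": {"access": "0x02000000", "base_handle": "0x80000002", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\360SD"}, "status": 0, "return": "2"}
{"time": 1619345035.350793, "api": "RegOpenKeyExW", "args": {"access": "0x02000000", "base_handle": "0x80000002", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\360安全卫士"}, "status": 0, "return": "2"}
{"time": 1619345035.351793, "api": "RegOpenKeyExW", "args": {"access": "0x02000000", "base_handle": "0x80000002", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\rising\\RAV"}, "status": 0, "return": "2"}
'''

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2, ensure_ascii=False))
```

The distinction between "absent" (ERROR_FILE_NOT_FOUND) and "present" matters: a probe that finds a product tells you the sample now knows it is on a protected host, which is the point at which branching behaviour should be looked for in the rest of the trace.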
File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)
Engine | Detection
Bkav | W32.AIDetectVM.malware1
Cylance | Unsafe
Sangfor | Malware
K7AntiVirus | Unwanted-Program ( 0056626f1 )
Alibaba | Downloader:Win32/Snojan.ee86afd3
K7GW | Unwanted-Program ( 0056626f1 )
Cybereason | malicious.595252
Cyren | W32/Trojan.YYFJ-6501
Symantec | ML.Attribute.HighConfidence
Paloalto | generic.ml
Kaspersky | not-a-virus:Downloader.Win32.Snojan.grir
Comodo | ApplicUnwnt@#1iu36unanocjn
MaxSecure | Trojan.Malware.101957538.susgen
Sophos | Generic PUA IO (PUA)
Microsoft | PUA:Win32/Presenoker
ZoneAlarm | not-a-virus:Downloader.Win32.Snojan.grir
Cynet | Malicious (score: 100)
VBA32 | Downloader.Snojan
ESET-NOD32 | a variant of Win32/KingSoft.L potentially unwanted
Yandex | PUA.Downloader!DcSEEXox9fA
Fortinet | Riskware/Snojan
CrowdStrike | win/malicious_confidence_60% (D)
Qihoo-360 | Win32/Virus.Downloader.908

Read the names, not the count. Most of the 23 are PUA, riskware or "not-a-virus" classes (Kaspersky, ZoneAlarm, Microsoft, Sophos, ESET, Fortinet, Yandex, Comodo, K7) or generic machine-learning verdicts with no family (Symantec, Paloalto, Cylance, Cybereason, Bkav, Sangfor, Cynet, CrowdStrike at 60%). The family names that agree are Snojan (Alibaba, Kaspersky, ZoneAlarm, VBA32, Fortinet) and KingSoft (ESET), which matches the duba.net/ijinshan.com telemetry seen in the network section: this is a Kingsoft-ecosystem downloader/installer, and the 8.0 severity score reflects detection count more than confirmed malicious behaviour.
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
  dead_host: 115.182.195.29:80
  dead_host: 125.39.136.78:80
  Neither address appears in the TCP table below, so the connection attempts received no reply, and the report does not say which hostname, if any, resolved to them. Connection failures two years after the sample first appeared (the VirusTotal scan dates start in 2019; the dynamic run's timestamps are from April 2021) are expected if the vendor's endpoints moved and are not evidence of anything on their own.
Visual analysis

Binary image: none (no binary visualisation was generated for this sample)
Run screenshots: none (no screenshots were captured while the sample ran)
PE Compile Time

1970-01-10 11:09:52 (COFF TimeDateStamp 817792). This is not a plausible build time: either the toolchain never set the field or it was altered, so it must not be used for timelining.

Imports

Library KERNEL32.DLL:
  0x574198 LoadLibraryA
  0x57419c GetProcAddress
  0x5741a0 VirtualProtect
  0x5741a4 VirtualAlloc
  0x5741a8 VirtualFree
  0x5741ac ExitProcess
Library ADVAPI32.dll:
  0x5741b4 GetAce
Library COMCTL32.dll:
  0x5741bc _TrackMouseEvent
Library GDI32.dll:
  0x5741c4 BitBlt
Library IPHLPAPI.DLL:
  0x5741cc GetAdaptersInfo
Library MSIMG32.dll:
  0x5741d4 AlphaBlend
Library ole32.dll:
  0x5741dc CoInitialize
Library OLEAUT32.dll:
  0x5741e4 VarUI4FromStr
Library SHELL32.dll:
  0x5741ec (import name not recorded in the report)
Library SHLWAPI.dll:
  0x5741f4 StrTrimW
Library USER32.dll:
  0x5741fc GetDC
Library VERSION.dll:
  0x574204 VerQueryValueW
Library WTSAPI32.dll:
  0x57420c WTSFreeMemory

This is the UPX stub's import table, not the program's. UPX keeps LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree and ExitProcess for its loader and a single import from each DLL the original binary used, so that the Windows loader maps those DLLs; the real imports are rebuilt in memory after decompression. The DLL set is still informative: IPHLPAPI (GetAdaptersInfo) matches the adapter MAC sent in the did.ijinshan.com query, WTSAPI32 and VERSION suggest session and file-version probing, and GDI32, MSIMG32 and COMCTL32 point to a GUI, installer-style application. To see the actual imports, unpack with `upx -d` (which works only if the stub is unmodified) or dump the process after the stub has finished.

Hosts

No hosts contacted.

The host list is empty even though the TCP table below records four connections to three resolved hostnames and the UDP table records eleven DNS queries, so "no hosts contacted" reflects how this report populates the list, not an absence of network activity.

TCP

Source | Source port | Destination | Destination port
192.168.56.101 | 49178 | 119.29.44.54 (infoc2.duba.net) | 80
192.168.56.101 | 49179 | 119.29.44.54 (infoc2.duba.net) | 80
192.168.56.101 | 49175 | 139.199.215.55 (ct.duba.net) | 80
192.168.56.101 | 49176 | 139.199.218.80 (did.ijinshan.com) | 80

All sample traffic is plain HTTP on port 80 to three Kingsoft hosts. The HTTP section also records a POST to infoc0.duba.net, but no TCP row names that host; the two rows to 119.29.44.54 would carry both infoc POSTs if infoc0 and infoc2 resolve to the same address, which the report does not confirm.

UDP

Source | Source port | Destination | Destination port | Note
192.168.56.101 | 49235 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 50534 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 51378 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 51808 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 53237 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 53657 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 56539 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 57756 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 57874 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 58367 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 65004 | 114.114.114.114 | 53 | DNS
192.168.56.101 | 137 | 192.168.56.255 | 137 | NetBIOS name service broadcast (Windows background)
192.168.56.101 | 138 | 192.168.56.255 | 138 | NetBIOS datagram broadcast (Windows background)
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123 | NTP (Windows background)
192.168.56.101 | 55368 | 224.0.0.252 | 5355 | LLMNR multicast (Windows background)
192.168.56.101 | 56804 | 224.0.0.252 | 5355 | LLMNR multicast (Windows background)
192.168.56.101 | 60123 | 224.0.0.252 | 5355 | LLMNR multicast (Windows background)
192.168.56.101 | 62191 | 224.0.0.252 | 5355 | LLMNR multicast (Windows background)
192.168.56.101 | 1900 | 239.255.255.250 | 1900 | SSDP multicast (Windows background)
192.168.56.101 | 53238 | 239.255.255.250 | 3702 | WS-Discovery multicast (Windows background)

The sandbox resolver is 114.114.114.114 (the Chinese 114DNS public resolver); the report does not list the names queried. Everything other than the DNS rows is standard Windows background traffic from a VirtualBox host-only network (192.168.56.0/24) and should not be attributed to the sample.

HTTP & HTTPS Requests

URI | Data
http://did.ijinshan.com/db/?v=2&p=db&u=027094d82032ec8eb2b98d1c03fe1108&m=0800270fc1070000&ip=1698212032&s=3c37d7ef0472b37326d2d341a52726df&mid=-849785337&dsn=VB4d3bbc8a-fd72b187&old_svrid=
POST /db/?v=2&p=db&u=027094d82032ec8eb2b98d1c03fe1108&m=0800270fc1070000&ip=1698212032&s=3c37d7ef0472b37326d2d341a52726df&mid=-849785337&dsn=VB4d3bbc8a-fd72b187&old_svrid= HTTP/1.1
Host: did.ijinshan.com
User-Agent: Microsoft-ATL-Native/8.00

http://infoc2.duba.net/c/
POST /c/ HTTP/1.1
Content-Length: 154
Content-Type: Application
Host: infoc2.duba.net
User-Agent: Microsoft-ATL-Native/8.00

http://ct.duba.net/itid
POST /itid HTTP/1.1
Content-Length: 36
Content-Type: Application
Host: ct.duba.net
User-Agent: Microsoft-ATL-Native/8.00

http://infoc0.duba.net/c/
POST /c/ HTTP/1.1
Content-Length: 202
Content-Type: Application
Host: infoc0.duba.net
User-Agent: Microsoft-ATL-Native/8.00

All four requests are unencrypted, carry the ATL HTTP client user agent Microsoft-ATL-Native/8.00 rather than a browser string, send no Referer, and three of them use the malformed header Content-Type: Application (no subtype). The bodies (36, 154 and 202 bytes) were not captured, so what the infoc and ct endpoints receive cannot be read from this report; only the did.ijinshan.com request exposes its content in the URL. The fixed user agent, the malformed Content-Type and the three duba.net paths (/c/, /itid, /db/) are the stable values to key a network detection on.
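The did.ijinshan.com query string above carries a host fingerprint, and the four request heads share the traits the sandbox flagged. The following added example (not from the report or from the application's vendor) decodes those fields and applies the same checks to the captured request heads: ip= is the sandbox's own address 192.168.56.101 as a little-endian 32-bit integer, m= is the adapter MAC 08:00:27:0f:c1:07 zero-padded to 8 bytes (08:00:27 is the VirtualBox NIC OUI) and dsn= matches VirtualBox's default disk serial format, so the telemetry identifies the analysis machine as a VirtualBox guest. The treatment of the m= padding and the regular expressions are this example's assumptions; the request heads are copied from the report.

```python
"""Decode the host-fingerprint fields in the did.ijinshan.com telemetry URL and
flag the HTTP features the sandbox called suspicious. Standard library only."""
import ipaddress
import re
import struct
from urllib.parse import parse_qs, urlsplit

VBOX_OUI = bytes.fromhex("080027")          # VirtualBox virtual NIC OUI
HEX32 = re.compile(r"^[0-9a-f]{32}$")       # MD5-shaped identifier (assumption)
VBOX_DISK_SERIAL = re.compile(r"^VB[0-9a-f]{8}-[0-9a-f]{8}$")  # VirtualBox default VDI serial


def decode_ip_field(value: str) -> str:
    """ip= is the IPv4 address as a decimal little-endian uint32 (an in_addr printed as an int)."""
    return str(ipaddress.IPv4Address(struct.pack("<I", int(value))))


def decode_mac_field(value: str):
    """m= is the adapter MAC (6 bytes) zero-padded to 8 bytes, hex encoded (assumption)."""
    mac = bytes.fromhex(value)[:6]
    return ":".join(f"{b:02x}" for b in mac), mac[:3] == VBOX_OUI


def decode_telemetry(url: str) -> dict:
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    out = {"host": parts.hostname, "path": parts.path, "fields": fields}
    if "ip" in fields:
        out["ip"] = decode_ip_field(fields["ip"])
    if "m" in fields:
        out["mac"], out["virtualbox_oui"] = decode_mac_field(fields["m"])
    for k in ("u", "s"):
        if k in fields:
            out[k + "_is_md5_shaped"] = bool(HEX32.match(fields[k]))
    if "dsn" in fields:
        out["vbox_disk_serial"] = bool(VBOX_DISK_SERIAL.match(fields["dsn"]))
    return out


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, target and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def suspicious_features(req: dict) -> list:
    """The sandbox's 'POST with no referer' rule plus two traits visible in these requests."""
    h = req["headers"]
    feats = []
    if req["method"] == "POST" and "referer" not in h:
        feats.append("POST method with no referer header")
    if h.get("user-agent", "").startswith("Microsoft-ATL-Native/"):
        feats.append("ATL native HTTP client user-agent, not a browser")
    ctype = h.get("content-type", "")
    if ctype and "/" not in ctype:
        feats.append("malformed Content-Type (no subtype)")
    return feats


def triage(raw: str) -> dict:
    req = parse_request(raw)
    url = "http://" + req["headers"].get("host", "") + req["target"]
    result = {"url": url, "features": suspicious_features(req)}
    if "?" in req["target"]:
        result["telemetry"] = decode_telemetry(url)
    return result


# Request heads copied from the report's HTTP section (bodies were not captured).
CAPTURED_REQUESTS = [
    "POST /db/?v=2&p=db&u=027094d82032ec8eb2b98d1c03fe1108&m=0800270fc1070000"
    "&ip=1698212032&s=3c37d7ef0472b37326d2d341a52726df&mid=-849785337"
    "&dsn=VB4d3bbc8a-fd72b187&old_svrid= HTTP/1.1\n"
    "Host: did.ijinshan.com\nUser-Agent: Microsoft-ATL-Native/8.00\n",
    "POST /c/ HTTP/1.1\nContent-Length: 154\nContent-Type: Application\n"
    "Host: infoc2.duba.net\nUser-Agent: Microsoft-ATL-Native/8.00\n",
    "POST /itid HTTP/1.1\nContent-Length: 36\nContent-Type: Application\n"
    "Host: ct.duba.net\nUser-Agent: Microsoft-ATL-Native/8.00\n",
]

if __name__ == "__main__":
    for raw in CAPTURED_REQUESTS:
        r = triage(raw)
        print(r["url"].split("?")[0], r["features"])
        if "telemetry" in r:
            t = r["telemetry"]
            print("  ip:", t["ip"], "mac:", t["mac"], "vbox_oui:", t["virtualbox_oui"],
                  "vbox_disk_serial:", t["vbox_disk_serial"])
```

The decoded ip field equalling the sandbox's own interface address is the check that confirms the little-endian interpretation; if a sample's beacon decodes to the guest's address and a VirtualBox OUI, the vendor can trivially tell analysis runs from real installs, which is a reason to use non-default MACs and disk serials in a sandbox.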

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.