3.6
中危
19 个模型检测该样本为恶意!
重新分析
更多

15b69f38c89eb7f61c16d19a26ecf1449af704e2fe1ae1b24b012c9bf00cdcb9

3f47e83dac4457f1abeb1d01ab98e5fd.exe

分析耗时

98s

最近分析

文件大小

18.3MB
静态报毒 动态报毒 100% CONFIDENCE EIKOBP GRAYWARE HIGH CONFIDENCE KUAIBA LYRICS NSIS QVM42 RAMNIT SCORE SEARCHER STARTPAGE SUSPICIOUS PE UNSAFE WACATAC 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20200902 6.0.6.653
Alibaba 20190527 0.3.0.5
Baidu NSIS.Trojan-Dropper.Agent.c 20190318 1.0.0.2
Tencent 20200902 1.0.0.1
Kingsoft 20200902 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1878378958&cup2hreq=ac6d303670800c629b72dd1e9362f61c81e56682473ed118d1a18451b7d7ab99
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes
request GET http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:1878378958&cup2hreq=ac6d303670800c629b72dd1e9362f61c81e56682473ed118d1a18451b7d7ab99
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1878378958&cup2hreq=ac6d303670800c629b72dd1e9362f61c81e56682473ed118d1a18451b7d7ab99
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1620946606.953625
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74711000
success 0 0
1620946606.953625
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76881000
success 0 0
Foreign language identified in PE resource (1 个事件)
name RT_VERSION language LANG_CHINESE offset 0x00051790 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000194
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 个事件)
Elastic malicious (high confidence)
FireEye Generic.mg.3f47e83dac4457f1
Cybereason malicious.981296
Invincea heuristic
Baidu NSIS.Trojan-Dropper.Agent.c
APEX Malicious
ClamAV Win.Trojan.Ramnit-5500
NANO-Antivirus Trojan.Win32.RDN.eikobp
DrWeb Adware.Searcher.1222
SentinelOne DFI - Suspicious PE
Webroot Pua.Add.Lyrics
Antiy-AVL GrayWare/Win32.StartPage.gen
Microsoft Trojan:Win32/Wacatac.C!ml
Malwarebytes Adware.Kuaiba
Ikarus Win32.Ramnit
eGambit Unsafe.AI_Score_66%
AVG Win32:Adware-gen [Adw]
CrowdStrike win/malicious_confidence_100% (D)
Qihoo-360 QVM42.0.Malware.Gen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2009-12-06 06:50:46

Imports

Library KERNEL32.dll:
0x407060 CompareFileTime
0x407064 SearchPathA
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407078 GetFileAttributesA
0x40707c GetLastError
0x407080 CreateDirectoryA
0x407084 SetFileAttributesA
0x407088 Sleep
0x40708c GetTickCount
0x407090 CreateFileA
0x407094 GetFileSize
0x407098 GetModuleFileNameA
0x40709c GetCurrentProcess
0x4070a0 CopyFileA
0x4070a4 ExitProcess
0x4070a8 SetFileTime
0x4070ac GetTempPathA
0x4070b0 GetCommandLineA
0x4070b4 SetErrorMode
0x4070b8 LoadLibraryA
0x4070bc lstrcpynA
0x4070c0 GetDiskFreeSpaceA
0x4070c4 GlobalUnlock
0x4070c8 GlobalLock
0x4070cc CreateThread
0x4070d0 CreateProcessA
0x4070d4 RemoveDirectoryA
0x4070d8 GetTempFileNameA
0x4070dc lstrlenA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 GetVersion
0x4070ec CloseHandle
0x4070f0 lstrcmpiA
0x4070f4 lstrcmpA
0x4070fc GlobalFree
0x407100 GlobalAlloc
0x407104 WaitForSingleObject
0x407108 GetExitCodeProcess
0x40710c GetModuleHandleA
0x407110 LoadLibraryExA
0x407114 GetProcAddress
0x407118 FreeLibrary
0x40711c MultiByteToWideChar
0x407128 WriteFile
0x40712c ReadFile
0x407130 MulDiv
0x407134 SetFilePointer
0x407138 FindClose
0x40713c FindNextFileA
0x407140 FindFirstFileA
0x407144 DeleteFileA
Library USER32.dll:
0x40716c EndDialog
0x407170 ScreenToClient
0x407174 GetWindowRect
0x407178 EnableMenuItem
0x40717c GetSystemMenu
0x407180 SetClassLongA
0x407184 IsWindowEnabled
0x407188 SetWindowPos
0x40718c GetSysColor
0x407190 GetWindowLongA
0x407194 SetCursor
0x407198 LoadCursorA
0x40719c CheckDlgButton
0x4071a0 GetMessagePos
0x4071a4 LoadBitmapA
0x4071a8 CallWindowProcA
0x4071ac IsWindowVisible
0x4071b0 CloseClipboard
0x4071b4 SetClipboardData
0x4071b8 EmptyClipboard
0x4071bc RegisterClassA
0x4071c0 TrackPopupMenu
0x4071c4 AppendMenuA
0x4071c8 CreatePopupMenu
0x4071cc GetSystemMetrics
0x4071d0 SetDlgItemTextA
0x4071d4 GetDlgItemTextA
0x4071d8 MessageBoxIndirectA
0x4071dc CharPrevA
0x4071e0 DispatchMessageA
0x4071e4 PeekMessageA
0x4071e8 DestroyWindow
0x4071ec CreateDialogParamA
0x4071f0 SetTimer
0x4071f4 SetWindowTextA
0x4071f8 PostQuitMessage
0x4071fc SetForegroundWindow
0x407200 wsprintfA
0x407204 SendMessageTimeoutA
0x407208 FindWindowExA
0x407210 CreateWindowExA
0x407214 GetClassInfoA
0x407218 DialogBoxParamA
0x40721c CharNextA
0x407220 OpenClipboard
0x407224 ExitWindowsEx
0x407228 IsWindow
0x40722c GetDlgItem
0x407230 SetWindowLongA
0x407234 LoadImageA
0x407238 GetDC
0x40723c EnableWindow
0x407240 InvalidateRect
0x407244 SendMessageA
0x407248 DefWindowProcA
0x40724c BeginPaint
0x407250 GetClientRect
0x407254 FillRect
0x407258 DrawTextA
0x40725c EndPaint
0x407260 ShowWindow
Library GDI32.dll:
0x40703c SetBkColor
0x407040 GetDeviceCaps
0x407044 DeleteObject
0x407048 CreateBrushIndirect
0x40704c CreateFontIndirectA
0x407050 SetBkMode
0x407054 SetTextColor
0x407058 SelectObject
Library SHELL32.dll:
0x407154 SHBrowseForFolderA
0x407158 SHGetFileInfoA
0x40715c ShellExecuteA
0x407160 SHFileOperationA
Library ADVAPI32.dll:
0x407000 RegQueryValueExA
0x407004 RegSetValueExA
0x407008 RegEnumKeyA
0x40700c RegEnumValueA
0x407010 RegOpenKeyExA
0x407014 RegDeleteKeyA
0x407018 RegDeleteValueA
0x40701c RegCloseKey
0x407020 RegCreateKeyExA
Library COMCTL32.dll:
0x407028 ImageList_AddMasked
0x40702c ImageList_Destroy
0x407030
0x407034 ImageList_Create
Library ole32.dll:
0x407278 CoTaskMemFree
0x40727c OleInitialize
0x407280 OleUninitialize
0x407284 CoCreateInstance
Library VERSION.dll:
0x40726c GetFileVersionInfoA
0x407270 VerQueryValueA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49180 203.208.40.34 update.googleapis.com 443
192.168.56.101 49181 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49182 58.63.233.66 r1---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=16638-31433
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=31434-45096
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6925
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620920908&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=6926-16637
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.