6.2
高危
1 个模型检测该样本为恶意!
重新分析
更多

811e24aa3b4879c7508bf12b7201581a1af1687c3e063211eba8a61c250b579b

44d6c6dc7f33cc32489850d0b95614f6.exe

分析耗时

95s

最近分析

文件大小

1.6MB
静态报毒 动态报毒 TENCENT
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20201006 6.0.6.653
Alibaba 20190527 0.3.0.5
CrowdStrike 20190702 1.0
Avast 20201006 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20201006 2013.8.14.323
静态指标
Checks if process is being debugged by a debugger (3 个事件)
Time & API Arguments Status Return Repeated
1620726222.670531
IsDebuggerPresent
failed 0 0
1620726222.685531
IsDebuggerPresent
failed 0 0
1620726222.685531
IsDebuggerPresent
failed 0 0
This executable is signed
This executable has a PDB path (1 个事件)
pdb_path e:\Code\1_PCDownloader\PackageTools\product\win32\dbginfo\kpacket.pdb
行为判定
动态指标
Performs some HTTP requests (2 个事件)
request GET http://c.gj.qq.com/packconfig?serviceid=2230&clientver=1000&gjguid=19d12084090d3e540288d4a43ebf20e6&check=23141809&livetime=0
request GET http://c.gj.qq.com/fcgi-bin/downurlquery?id=1331&guid=QN2U1b7Dzh4mWfuPJfnvwWmcR3k7VBi7SQLAkK8nC/0Dd%2BjqRqFt5RvIH7X5afSf&ver=13.0.12.101
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1620726222.685531
NtAllocateVirtualMemory
process_identifier: 152
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02330000
success 0 0
1620744591.62552
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004830000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)
Time & API Arguments Status Return Repeated
1620726223.295531
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19608784896
total_number_of_free_bytes: 19608784896
total_number_of_bytes: 34252779520
success 1 0
1620726223.795531
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19608780800
total_number_of_free_bytes: 19608780800
total_number_of_bytes: 34252779520
success 1 0
Foreign language identified in PE resource (8 个事件)
name RT_ICON language LANG_CHINESE offset 0x0005b7a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005b7a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005b7a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005b7a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005b7a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005b7a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_GROUP_ICON language LANG_CHINESE offset 0x0005bc10 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000005a
name RT_VERSION language LANG_CHINESE offset 0x0005bc6c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000250
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TencentDownload\~1389dc9\QQPCDownload.dll
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TencentDownload\~1389dc9\QQPCDownload.dll
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 个事件)
ESET-NOD32 a variant of Win32/Tencent.E potentially unwanted
Expresses interest in specific running processes (1 个事件)
process 44d6c6dc7f33cc32489850d0b95614f6.exe
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 151.139.128.14
host 172.217.24.14
host 52.218.29.252
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1620744533.50052
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x00000000ff35ae10
module_address: 0x00000000ff2b0000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 917915 0
Generates some ICMP traffic
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1970-01-05 13:15:44

Imports

Library KERNEL32.dll:
0x441010 GetCurrentProcessId
0x441014 SizeofResource
0x441018 LockResource
0x44101c LoadResource
0x441020 GetTempPathW
0x441024 CreateFileW
0x441028 FindResourceExW
0x44102c GetCurrentProcess
0x441030 GetFileSize
0x441034 GetModuleHandleW
0x441038 TerminateProcess
0x441040 FindFirstFileW
0x441048 lstrcmpW
0x44104c SetFileAttributesW
0x441054 DeleteFileW
0x441058 MoveFileExW
0x44105c GetTickCount
0x441060 GetFileAttributesW
0x441064 CreateDirectoryW
0x441068 FindNextFileW
0x44106c GetLastError
0x441070 FindClose
0x441074 SetFilePointer
0x441078 RemoveDirectoryW
0x44107c ReadFile
0x441080 MultiByteToWideChar
0x441084 GetCommandLineW
0x441088 WideCharToMultiByte
0x44108c UnmapViewOfFile
0x441090 CreateFileMappingW
0x441094 MapViewOfFile
0x4410a4 VirtualAlloc
0x4410ac SetEvent
0x4410b4 ReleaseSemaphore
0x4410b8 ResetEvent
0x4410bc CreateSemaphoreW
0x4410c0 CreateEventW
0x4410c4 GetStdHandle
0x4410c8 WriteFile
0x4410cc CopyFileW
0x4410d0 SetFileTime
0x4410d4 MoveFileW
0x4410d8 GetTempFileNameW
0x4410dc GetSystemInfo
0x4410e8 WriteConsoleW
0x4410ec GetConsoleOutputCP
0x4410f0 WriteConsoleA
0x4410f4 GetLocaleInfoW
0x4410f8 CreateFileA
0x4410fc FindResourceW
0x441100 GetProcAddress
0x441104 LoadLibraryW
0x441108 CloseHandle
0x44110c CreateProcessW
0x441110 GetSystemDirectoryW
0x441114 WaitForSingleObject
0x441118 GetModuleFileNameW
0x44111c VirtualFree
0x441120 FlushFileBuffers
0x441124 SetStdHandle
0x441128 GetConsoleMode
0x44112c GetConsoleCP
0x441130 LoadLibraryA
0x44113c GetCommandLineA
0x441150 GetStartupInfoA
0x441154 GetFileType
0x441158 SetHandleCount
0x44115c GetModuleFileNameA
0x441160 HeapCreate
0x441164 GetStringTypeW
0x441168 RaiseException
0x44116c GetVersionExA
0x441170 HeapDestroy
0x441174 HeapAlloc
0x441178 HeapFree
0x44117c HeapReAlloc
0x441180 HeapSize
0x441184 GetProcessHeap
0x441188 InterlockedExchange
0x44118c GetACP
0x441190 GetLocaleInfoA
0x441194 GetThreadLocale
0x4411a0 Sleep
0x4411ac IsDebuggerPresent
0x4411b0 ExitThread
0x4411b4 GetCurrentThreadId
0x4411b8 CreateThread
0x4411bc GetStartupInfoW
0x4411c0 RtlUnwind
0x4411c4 LCMapStringA
0x4411c8 LCMapStringW
0x4411cc GetCPInfo
0x4411d0 GetModuleHandleA
0x4411d4 TlsGetValue
0x4411d8 TlsAlloc
0x4411dc TlsSetValue
0x4411e0 TlsFree
0x4411e4 SetLastError
0x4411e8 ExitProcess
0x4411ec GetOEMCP
0x4411f0 IsValidCodePage
0x4411f4 GetUserDefaultLCID
0x4411f8 EnumSystemLocalesA
0x4411fc IsValidLocale
0x441200 GetStringTypeA
Library USER32.dll:
0x441234 UnregisterClassA
0x441238 CharLowerW
0x44123c CharUpperW
Library ADVAPI32.dll:
0x441000 RegQueryValueExW
0x441004 RegCloseKey
0x441008 RegOpenKeyExW
Library ole32.dll:
0x441244 CoUninitialize
0x441248 CoInitialize
Library OLEAUT32.dll:
0x441208 SysFreeString
0x44120c SysAllocString
0x441210 VariantClear
0x441214 VariantCopy
Library SHLWAPI.dll:
0x44121c PathAddBackslashW
0x441220 PathRemoveFileSpecW
0x441224 PathIsDirectoryW
0x441228 PathAppendW
0x44122c PathFileExistsW

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49174 113.96.200.36 master.etl.desktop.qq.com 443
192.168.56.101 49175 183.3.225.35 c.gj.qq.com 80
52.218.29.252 80 192.168.56.101 49180

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://c.gj.qq.com/fcgi-bin/downurlquery?id=1331&guid=QN2U1b7Dzh4mWfuPJfnvwWmcR3k7VBi7SQLAkK8nC/0Dd%2BjqRqFt5RvIH7X5afSf&ver=13.0.12.101 
GET /fcgi-bin/downurlquery?id=1331&guid=QN2U1b7Dzh4mWfuPJfnvwWmcR3k7VBi7SQLAkK8nC/0Dd%2BjqRqFt5RvIH7X5afSf&ver=13.0.12.101 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: c.gj.qq.com
http://c.gj.qq.com/packconfig?serviceid=2230&clientver=1000&gjguid=19d12084090d3e540288d4a43ebf20e6&check=23141809&livetime=0 
GET /packconfig?serviceid=2230&clientver=1000&gjguid=19d12084090d3e540288d4a43ebf20e6&check=23141809&livetime=0 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: c.gj.qq.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.