5.8
High risk

Hash: 03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a

File name: 624256432006a3a4343de33aae57efea.exe

Analysis time: 92s

Latest analysis

File size: 630.5KB
Static scan: flagged as malicious. Dynamic scan: flagged as malicious.
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine results are available for this sample.
Static verdict

Antivirus engines
Engine       Result                               Scan date  Engine version
McAfee       Fareit-FZN!624256432006              20210430   6.0.6.653
Baidu        (none)                               20190318   1.0.0.2
Avast        Other:Malware-gen [Trj]              20210501   21.1.5827.0
Alibaba      Backdoor:Win32/DelfInject.2724104f   20190527   0.3.0.5
Tencent      Win32.Backdoor.Fareit.Auto           20210501   1.0.0.1
Kingsoft     Win32.Hack.Undef.(kcloud)            20210501   2017.9.26.565
CrowdStrike  win/malicious_confidence_100% (W)    20210203   1.0
Behavioral verdict

Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:383110404&cup2hreq=8ef3bd3e04e6cd50f37a4c15e70e48746e2e9e738034849fd620999c82c7f40b
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620754094&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=83941b03835e9a1f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620754094&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:383110404&cup2hreq=8ef3bd3e04e6cd50f37a4c15e70e48746e2e9e738034849fd620999c82c7f40b
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:383110404&cup2hreq=8ef3bd3e04e6cd50f37a4c15e70e48746e2e9e738034849fd620999c82c7f40b
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time: 1620783205.706  API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 2032
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  allocation_type: 4096 (MEM_COMMIT)
  base_address: 0x00350000
Status: success  Return: 0  Repeated: 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.533013599433472, section .rsrc (size_of_data 0x00022200, virtual_address 0x00081000, virtual_size 0x00022094), description: A section with a high entropy has been found
entropy 0.21683876092136617, description: Overall entropy of this PE file is high

Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34486941
FireEye Generic.mg.624256432006a3a4
CAT-QuickHeal Trojan.MultiIH.S15729597
McAfee Fareit-FZN!624256432006
Cylance Unsafe
Zillya Backdoor.Androm.Win32.74254
AegisLab Trojan.Win32.Androm.m!c
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056dde41 )
BitDefender Trojan.GenericKD.34486941
K7GW Trojan ( 0056dde41 )
Cybereason malicious.32006a
Cyren W32/Injector.ZADE-0994
Symantec Trojan Horse
ESET-NOD32 Win32/PSW.Fareit.L
APEX Malicious
Avast Other:Malware-gen [Trj]
ClamAV Win.Dropper.LokiBot-9755331-0
Kaspersky HEUR:Backdoor.Win32.Androm.gen
Alibaba Backdoor:Win32/DelfInject.2724104f
NANO-Antivirus Trojan.Win32.Androm.hujphb
Tencent Win32.Backdoor.Fareit.Auto
Ad-Aware Trojan.GenericKD.34486941
Comodo Malware@#kik0kwi3nsmm
DrWeb BackDoor.Siggen2.3242
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.LOKI.AUFS
McAfee-GW-Edition BehavesLike.Win32.Fareit.jh
Emsisoft Trojan.GenericKD.34486941 (B)
SentinelOne Static AI - Suspicious PE
GData Win32.Trojan.Kryptik.FR7OW6
Jiangmin Backdoor.Androm.axlb
Webroot W32.Trojan.Gen
Avira TR/Kryptik.wakhi
Kingsoft Win32.Hack.Undef.(kcloud)
Gridinsoft Trojan.Win32.Packed.oa
Microsoft Trojan:Win32/DelfInject.VA!MSR
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4193064
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34686.NGW@aO5GI2gi
MAX malware (ai score=100)
VBA32 BScope.Trojan.Crypt
Malwarebytes Trojan.MalPack
Panda Trj/RnkBend.A
Zoner Trojan.Win32.92471
TrendMicro-HouseCall TrojanSpy.Win32.LOKI.AUFS
Rising Trojan.Kryptik!1.CBCB (KTSE)
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.160.110:443
dead_host 216.58.200.46:443
dead_host 172.217.24.14:443
Visual analysis

Binary image
No binary image: no binary visualization was generated for this sample.

Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

1992-06-20 06:22:17

Imports


Hosts

No hosts contacted.

TCP

Source  Source port  Destination IP  Destination host  Destination port
192.168.56.101 49188 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49189 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49187 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49185 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=83941b03835e9a1f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620754094&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=83941b03835e9a1f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620754094&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620754094&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620754094&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.