Score: 4.6
Verdict: Medium risk

SHA-256: 6b20d71b05f322ce238b3a59262e504b4519d2d9004a5c61fec965c386b9f313
File name: 6b4c66c74b86d7706e28545e4bfe182d.exe

Analysis duration: 86s
Most recent analysis:
File size: 728.4KB
Badges: static detection, dynamic detection. Tags: AIDETECTVM, MALICIOUS, MALWARE1, MULTIPACKED, ZPEVDO (upper-cased fragments of the VirusTotal detection names listed under the behavioural verdict).

鹰眼 engine: not detected (no 鹰眼 engine result is available for this sample).
Static verdict

Antivirus engines. The result column is empty for every engine on the page; only a date and an engine version are recorded. Note that Alibaba's 20190527 and CrowdStrike's 20190702 precede the PE compile timestamp of 2019-07-03 04:53:54 shown further down, so either the column is the engine's definition date rather than the time this file was scanned, or the compile timestamp is not genuine.

Engine        Result   Date        Version
Alibaba                20190527    0.3.0.5
Baidu                  20190318    1.0.0.2
Avast                  20201021    18.4.3895.0
Tencent                20201021    1.0.0.1
Kingsoft               20201021    2013.8.14.323
McAfee                 20201021    6.0.6.653
CrowdStrike            20190702    1.0
Behavioural verdict

Dynamic indicators

Performs some HTTP requests (5 events)
request GET http://www.biztree.com/dist/downloadurls/BIB7_win32.txt
request GET http://software.biztree.com/dist/downloadurls/BIB7_win32.txt
request GET http://cdn.biztree.com/dist/biztree.bl1
request GET http://download.biztree.com/beta/BIB7-034/BIBMain.upd
request GET http://download.biztree.com/dist/2015/Libraries/V700/BTDocEN.upd
All five requests go over plain HTTP to biztree.com hosts and fetch what the paths describe as download-URL lists (BIB7_win32.txt) and update payloads (*.upd); the executable the sample writes (see below) is likewise placed under a Business-in-a-Box 2019 directory. Update payloads fetched over unauthenticated HTTP are worth noting on their own, whatever the verdict on the sample.
Allocates read-write-execute memory (usually to unpack itself) (4 events)

All four calls were made at the same instant (1620946615.062886) by process 2772 on its own process handle (0xffffffff, the current-process pseudo-handle) and set protection 64 (PAGE_EXECUTE_READWRITE); stack_dep_bypass, stack_pivoted and heap_dep_bypass were 0 for each, and every call returned success.

Time               API                     Base address  Length  Protection
1620946615.062886  NtProtectVirtualMemory  0x00ba0000    4096    64 (PAGE_EXECUTE_READWRITE)
1620946615.062886  NtProtectVirtualMemory  0x00ba1000    811008  64 (PAGE_EXECUTE_READWRITE)
1620946615.062886  NtProtectVirtualMemory  0x00c67000    716800  64 (PAGE_EXECUTE_READWRITE)
1620946615.062886  NtProtectVirtualMemory  0x00d16000    28672   64 (PAGE_EXECUTE_READWRITE)

The four ranges tile the sample's own image, mapped at 0x00ba0000, with no gaps: one page of PE headers, then RVA 0x1000 for 0xc6000 bytes, then RVA 0xc7000 for 0xaf000 bytes and RVA 0x176000 for 0x7000 bytes. The last two are exactly the virtual_address/virtual_size pairs recorded for UPX1 and .rsrc in the entropy section below, so the middle range is UPX0. This is the packer re-protecting its own mapped image before unpacking in place; on its own it is not evidence of memory being prepared in another process.
Creates executable files on the filesystem (1 个事件)
file C:\Program Files (x86)\Business-in-a-Box 2019\unrar.dll
File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)
Bkav        W32.AIDetectVM.malware1
APEX        Malicious
Jiangmin    Packed.Multi.iws
Antiy-AVL   Trojan[Packed]/Multi.MultiPacked
VBA32       Trojan.Zpevdo
Four of the five names are generic: two are explicitly packer classifications (Packed.Multi.iws, Trojan[Packed]/Multi.MultiPacked, hence the MULTIPACKED tag), one is a machine-learning verdict (AIDetectVM) and one a bare "Malicious"; VBA32's Trojan.Zpevdo is the only one that reads like a family name. On a UPX-packed binary this pattern is consistent with heuristics firing on the packer rather than on a recognised payload, so the verdict should rest on the observed behaviour rather than on these names.
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time               API                   Arguments            Status  Return
1620946617.531886  GetAdaptersAddresses  flags: 0, family: 0  failed  111

Return value 111 is ERROR_BUFFER_OVERFLOW, which GetAdaptersAddresses returns when the caller's buffer is too small; the documented usage pattern is precisely this first call to learn the required size, followed by a second call that the page does not record. family 0 is AF_UNSPEC. The signature fires because the API exposes adapter MAC addresses, which is one way to recognise a VM, but the event itself shows only the size query.
The binary likely contains encrypted or compressed data indicative of a packer (3 events)

Section   virtual_address  virtual_size  size_of_data  Entropy (bits per byte)
UPX1      0x000c7000       0x000af000    0x000ae600    7.999433186229871
.rsrc     0x00176000       0x00007000    0x00006600    7.307234290013166

Overall entropy of this PE file is high: 1.0. That 1.0 is a ratio, not an entropy value: it is the share of the PE's raw section data that sits in high-entropy sections. UPX0 carries no raw data (it is the decompression target), and both sections that do carry data are above the threshold, so the ratio is exactly 1.0.

The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX

UPX1 at 7.999 bits per byte is as close to incompressible as a section gets; .rsrc at 7.31 is higher than plain icons and version information would give and suggests the resource data is compressed as well. Section names are trivially renamed, so the name check is the weakest of the three packer indicators here; the entropy figures and the RWX re-protection pattern above are the ones to rely on.
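The arithmetic behind the two caveats above (the RWX ranges versus the section layout, and the 1.0 ratio), as an added Python example that is not part of the sandbox report. Section values are transcribed from the entropy table; UPX0's RVA 0x1000 and virtual size 0xc6000 are not on the page and are inferred from the second NtProtectVirtualMemory call, and the 6.8-bit threshold is an assumption that the report's signature matches the open-source Cuckoo packer_entropy signature.

```python
# Added example (not part of the sandbox report): check that the four
# PAGE_EXECUTE_READWRITE regions are the mapped PE image being re-protected in
# place, and flag high-entropy sections the way the report's packer signature
# does.  Section values are transcribed from the report; UPX0's RVA and size are
# NOT on the page and are inferred from the second NtProtectVirtualMemory call
# (0x00ba1000, length 811008) -- an assumption.

# The first RWX call covers exactly one page at 0x00ba0000: the PE headers of a
# module mapped at that base.
IMAGE_BASE = 0x00BA0000
PAGE_SIZE = 0x1000

# Section table: RVA, virtual size, raw data size, entropy.  UPX0 is the
# packer's decompression target and carries no raw data, so it has no entropy
# value on the page (inferred entry, see above).
SECTIONS = [
    {"name": "UPX0",  "rva": 0x1000,   "vsize": 0xC6000, "raw": 0x0,     "entropy": None},
    {"name": "UPX1",  "rva": 0xC7000,  "vsize": 0xAF000, "raw": 0xAE600, "entropy": 7.999433186229871},
    {"name": ".rsrc", "rva": 0x176000, "vsize": 0x7000,  "raw": 0x6600,  "entropy": 7.307234290013166},
]

# (base_address, length) of each NtProtectVirtualMemory event on the page.
RWX_EVENTS = [
    (0x00BA0000, 4096),
    (0x00BA1000, 811008),
    (0x00C67000, 716800),
    (0x00D16000, 28672),
]

# Assumption: the report's "high entropy" wording follows the open-source Cuckoo
# packer_entropy signature, whose per-section threshold is 6.8 bits per byte.
ENTROPY_THRESHOLD = 6.8


def image_regions(image_base=IMAGE_BASE, sections=SECTIONS):
    """Regions an in-place unpacker re-protects: the header page, then every
    section's full virtual range, as (label, start, length)."""
    regions = [("headers", image_base, PAGE_SIZE)]
    for s in sections:
        regions.append((s["name"], image_base + s["rva"], s["vsize"]))
    return regions


def image_is_contiguous(regions):
    """True when each region begins exactly where the previous one ends, i.e.
    the regions tile the mapped image with no gap that could hide a separately
    allocated blob."""
    return all(prev[1] + prev[2] == cur[1] for prev, cur in zip(regions, regions[1:]))


def label_rwx_events(events=RWX_EVENTS, regions=None):
    """Map each RWX event to the image region it covers exactly.  An event that
    matches nothing is labelled UNEXPLAINED: that is the one to chase, because
    it is not accounted for by the packer touching its own image."""
    regions = regions or image_regions()
    out = []
    for base, length in events:
        label = next((name for name, start, size in regions
                      if start == base and size == length), "UNEXPLAINED")
        out.append((base, length, label))
    return out


def high_entropy_sections(sections=SECTIONS, threshold=ENTROPY_THRESHOLD):
    """Flag sections above the threshold and compute the share of raw section
    bytes that live in flagged sections -- the 'overall entropy' ratio the
    report shows as 1.0."""
    flagged = [s["name"] for s in sections
               if s["entropy"] is not None and s["entropy"] > threshold]
    raw_total = sum(s["raw"] for s in sections)
    raw_flagged = sum(s["raw"] for s in sections if s["name"] in flagged)
    ratio = raw_flagged / raw_total if raw_total else 0.0
    return flagged, ratio


if __name__ == "__main__":
    regions = image_regions()
    print("image tiled without gaps:", image_is_contiguous(regions))
    for base, length, label in label_rwx_events():
        print(f"RWX {base:#010x} +{length:<7d} -> {label}")
    names, ratio = high_entropy_sections()
    print("high-entropy sections:", names, "raw-data share:", ratio)
```

Run it against any other report by replacing the three constants; an event that comes back UNEXPLAINED, or a region set that is not contiguous, is where unpacking into freshly allocated memory (rather than in place) would show up.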
Network communication

Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
172.217.0.0/16 is Google address space. The address appears in neither the TCP nor the UDP flow table below, so the page gives no protocol, port or payload for this contact; treat it as unexplained rather than as command-and-control.
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)

What the events actually show: every write is under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\, once per network identity (the network GUID and the adapter MAC address), and the values written are WpadDecisionReason, WpadDecisionTime, WpadDecision, WpadNetworkName and WpadLastNetwork. That is the auto-proxy detection cache which Windows' WinHTTP/WinINet auto-proxy machinery maintains whenever a client opens a connection with proxy auto-detection enabled (the sample imports InternetOpenW). No AutoConfigURL, proxy server or PAC file is set anywhere on the page, so there is no evidence of traffic interception; the signature name overstates the events. Two things a practitioner would still take from the key names: 0a-00-27-00-00-00 is the MAC address VirtualBox assigns to its host-only adapter, and the 192.168.56.0/24 addresses in the flow tables are VirtualBox's default host-only network, so the guest is identifiable as a VirtualBox VM from these artefacts alone.

All 15 writes returned success. WpadDecisionTime is an 8-byte REG_BINARY FILETIME; the page renders its raw bytes as text (ôN(wH× and À‹¡)wH×), which is why those values look garbled. WpadDecision changed from 3 in the first pass to 0 in the second.

1620946620.109886, key_handle 0x0000041c, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}
  RegSetValueExA  WpadDecisionReason  4 (REG_DWORD)   1
  RegSetValueExA  WpadDecisionTime    3 (REG_BINARY)  ôN(wH× (FILETIME bytes)
  RegSetValueExA  WpadDecision        4 (REG_DWORD)   3
  RegSetValueExW  WpadNetworkName     1 (REG_SZ)      网络 2 (the guest's Chinese-locale network name, "Network 2")

1620946620.109886, key_handle 0x00000434, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  RegSetValueExA  WpadDecisionReason  4 (REG_DWORD)   1
  RegSetValueExA  WpadDecisionTime    3 (REG_BINARY)  ôN(wH× (FILETIME bytes)
  RegSetValueExA  WpadDecision        4 (REG_DWORD)   3

1620946620.140886, key_handle 0x00000418, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  RegSetValueExW  WpadLastNetwork     1 (REG_SZ)      {40112ABE-63B3-43C3-BE93-1440EE3AF106}

1620946622.312886, key_handle 0x00000490, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}
  RegSetValueExA  WpadDecisionReason  4 (REG_DWORD)   1
  RegSetValueExA  WpadDecisionTime    3 (REG_BINARY)  À‹¡)wH× (FILETIME bytes)
  RegSetValueExA  WpadDecision        4 (REG_DWORD)   0
  RegSetValueExW  WpadNetworkName     1 (REG_SZ)      网络 2

1620946622.312886, key_handle 0x00000494, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  RegSetValueExA  WpadDecisionReason  4 (REG_DWORD)   1
  RegSetValueExA  WpadDecisionTime    3 (REG_BINARY)  À‹¡)wH× (FILETIME bytes)
  RegSetValueExA  WpadDecision        4 (REG_DWORD)   0
Visual analysis

Binary image: none (no binary visualisation was generated for this sample)
Run-time screenshots: none (no screenshots were captured while the sample ran)

PE Compile Time

2019-07-03 04:53:54

Imports

The table below has the shape of a UPX import stub rather than of the original program: KERNEL32.DLL keeps the six functions the unpacker needs (LoadLibraryA and GetProcAddress to rebuild the real import table at run time; VirtualProtect, VirtualAlloc and VirtualFree for the re-protection seen above; ExitProcess), and every other DLL keeps exactly one function, which is how UPX makes the loader map the DLLs the original binary depends on. Read the single entries (CryptUnprotectData, EnumProcesses, NetWkstaGetInfo, InternetOpenW and the rest) as "the original program links this DLL", not as the functions it actually calls. urlmon.dll is listed with no function on the page.

Library KERNEL32.DLL:
0x57c1c0 LoadLibraryA
0x57c1c4 GetProcAddress
0x57c1c8 VirtualProtect
0x57c1cc VirtualAlloc
0x57c1d0 VirtualFree
0x57c1d4 ExitProcess
Library ADVAPI32.dll:
0x57c1dc FreeSid
Library COMCTL32.dll:
0x57c1e4 _TrackMouseEvent
Library COMDLG32.dll:
0x57c1ec GetFileTitleW
Library CRYPT32.dll:
0x57c1f4 CryptUnprotectData
Library GDI32.dll:
0x57c1fc Escape
Library gdiplus.dll:
0x57c204 GdipFree
Library NETAPI32.dll:
0x57c20c NetWkstaGetInfo
Library ole32.dll:
0x57c214 CoCreateGuid
Library OLEAUT32.dll:
0x57c21c SysStringByteLen
Library oledlg.dll:
0x57c224 OleUIBusyW
Library PSAPI.DLL:
0x57c22c EnumProcesses
Library SHELL32.dll:
0x57c234 DragFinish
Library SHLWAPI.dll:
0x57c23c PathIsUNCW
Library urlmon.dll:
Library USER32.dll:
0x57c24c GetDC
Library VERSION.dll:
0x57c254 VerQueryValueW
Library WININET.dll:
0x57c25c InternetOpenW
Library WINSPOOL.DRV:
0x57c264 ClosePrinter
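A triage check that encodes the observation above, as an added Python example that is not part of the sandbox report. The import table is transcribed from the page; the "one import per DLL plus LoadLibraryA/GetProcAddress in kernel32" heuristic and the list of DLLs worth a second look are mine, not the report's.

```python
# Added example (not part of the sandbox report): recognise a UPX-shaped import
# table.  UPX keeps LoadLibraryA/GetProcAddress (plus a few memory calls) from
# KERNEL32 and exactly one function per other DLL, resolving the rest at run
# time, so a table shaped like this describes the packer stub, not the
# program's real API surface.  Table transcribed from the page; heuristic mine.

# Imports as listed on the page (urlmon.dll appears with no function).
IMPORTS = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
    "ADVAPI32.dll": ["FreeSid"],
    "COMCTL32.dll": ["_TrackMouseEvent"],
    "COMDLG32.dll": ["GetFileTitleW"],
    "CRYPT32.dll": ["CryptUnprotectData"],
    "GDI32.dll": ["Escape"],
    "gdiplus.dll": ["GdipFree"],
    "NETAPI32.dll": ["NetWkstaGetInfo"],
    "ole32.dll": ["CoCreateGuid"],
    "OLEAUT32.dll": ["SysStringByteLen"],
    "oledlg.dll": ["OleUIBusyW"],
    "PSAPI.DLL": ["EnumProcesses"],
    "SHELL32.dll": ["DragFinish"],
    "SHLWAPI.dll": ["PathIsUNCW"],
    "urlmon.dll": [],
    "USER32.dll": ["GetDC"],
    "VERSION.dll": ["VerQueryValueW"],
    "WININET.dll": ["InternetOpenW"],
    "WINSPOOL.DRV": ["ClosePrinter"],
}

# The pair a run-time import resolver cannot do without.
STUB_REQUIRED = {"LoadLibraryA", "GetProcAddress"}

# DLLs whose mere presence is worth a note on a packed sample (my list).
WATCH = {
    "crypt32.dll": "DPAPI / certificate APIs (CryptUnprotectData)",
    "psapi.dll": "process enumeration",
    "netapi32.dll": "workstation and domain information",
    "wininet.dll": "HTTP client",
}


def looks_like_upx_stub(imports):
    """Return (verdict, reasons).  Verdict is True when kernel32 carries the
    dynamic-resolution pair and no other DLL imports more than one function."""
    reasons = []
    k32 = next((fns for dll, fns in imports.items() if dll.lower() == "kernel32.dll"), None)
    if k32 is None or not STUB_REQUIRED <= set(k32):
        reasons.append("kernel32 lacks LoadLibraryA+GetProcAddress")
    fat = [dll for dll, fns in imports.items()
           if dll.lower() != "kernel32.dll" and len(fns) > 1]
    if fat:
        reasons.append(f"DLLs with more than one import: {fat}")
    return (not reasons), reasons


def linked_dlls(imports):
    """What the stub table reliably tells you: which DLLs the original program
    links.  The single named function per DLL is only the one the packer kept."""
    return sorted(imports, key=str.lower)


def dll_hints(imports, watch=WATCH):
    """DLLs from the watch list that the original program links."""
    return {dll: watch[dll.lower()] for dll in imports if dll.lower() in watch}


if __name__ == "__main__":
    verdict, why = looks_like_upx_stub(IMPORTS)
    print("UPX-shaped import table:", verdict, why)
    print("linked DLLs:", linked_dlls(IMPORTS))
    for dll, note in dll_hints(IMPORTS).items():
        print(f"  {dll}: {note}")
```

When the verdict is True, the right next step is to dump the unpacked image after the stub has run and read its import table instead; the functions listed here tell you nothing about what the payload calls.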

Hosts

No hosts contacted.
(The page's hosts section is empty even though the TCP table below records connections to four biztree.com hosts; the flow tables are the ones to trust.)

TCP

Source          Src port  Destination    Hostname              Dst port
192.168.56.101  49183     52.84.248.93   cdn.biztree.com       80
192.168.56.101  49186     52.84.248.93   cdn.biztree.com       80
192.168.56.101  49184     54.192.147.79  download.biztree.com  80
192.168.56.101  49185     54.192.147.79  download.biztree.com  80
192.168.56.101  49188     54.192.147.79  download.biztree.com  80
192.168.56.101  49179     54.192.147.99  software.biztree.com  80
192.168.56.101  49178     72.32.212.125  www.biztree.com       80

All seven connections are plain HTTP (port 80) to four biztree.com hosts. The cdn/download/software addresses are the kind that rotate behind a CDN, so the hostnames and the User-Agent further down make better indicators than the IPs.

UDP

Source          Src port  Destination      Dst port  Protocol
192.168.56.101  50534     114.114.114.114  53        DNS
192.168.56.101  51378     114.114.114.114  53        DNS
192.168.56.101  51963     114.114.114.114  53        DNS
192.168.56.101  53237     114.114.114.114  53        DNS
192.168.56.101  53657     114.114.114.114  53        DNS
192.168.56.101  56539     114.114.114.114  53        DNS
192.168.56.101  57874     114.114.114.114  53        DNS
192.168.56.101  65004     114.114.114.114  53        DNS
192.168.56.101  137       192.168.56.255   137       NetBIOS name service (subnet broadcast)
192.168.56.101  138       192.168.56.255   138       NetBIOS datagram service (subnet broadcast)
192.168.56.101  49235     224.0.0.252      5355      LLMNR (multicast)
192.168.56.101  51808     224.0.0.252      5355      LLMNR (multicast)
192.168.56.101  56804     224.0.0.252      5355      LLMNR (multicast)
192.168.56.101  60123     224.0.0.252      5355      LLMNR (multicast)
192.168.56.101  62191     224.0.0.252      5355      LLMNR (multicast)
192.168.56.101  1900      239.255.255.250  1900      SSDP (multicast)
192.168.56.101  50535     239.255.255.250  3702      WS-Discovery (multicast)
192.168.56.101  51809     239.255.255.250  3702      WS-Discovery (multicast)
192.168.56.101  56540     239.255.255.250  3702      WS-Discovery (multicast)
192.168.56.101  56807     239.255.255.250  1900      SSDP (multicast)

Only the eight DNS queries (to 114.114.114.114, a Chinese public resolver) are plausibly attributable to the sample. The NetBIOS broadcasts and the LLMNR, SSDP and WS-Discovery multicast flows are Windows' own network discovery and show up in any guest that is given a network interface.
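The triage split described above, as an added Python example that is not part of the sandbox report. The flow tuples are transcribed from the TCP and UDP tables; the classification rules (well-known ports and multicast/broadcast destinations) and the choice of which classes count as background are mine, not the report's.

```python
# Added example (not part of the sandbox report): separate sample-attributable
# flows in the TCP/UDP tables from the guest's own discovery chatter, and check
# whether an address the report flags elsewhere actually occurs in the tables.
# Flow tuples are transcribed from the page; the classification rules are mine.
import ipaddress

# TCP rows: (src, sport, dst, hostname, dport)
TCP_FLOWS = [
    ("192.168.56.101", 49183, "52.84.248.93",  "cdn.biztree.com",      80),
    ("192.168.56.101", 49186, "52.84.248.93",  "cdn.biztree.com",      80),
    ("192.168.56.101", 49184, "54.192.147.79", "download.biztree.com", 80),
    ("192.168.56.101", 49185, "54.192.147.79", "download.biztree.com", 80),
    ("192.168.56.101", 49188, "54.192.147.79", "download.biztree.com", 80),
    ("192.168.56.101", 49179, "54.192.147.99", "software.biztree.com", 80),
    ("192.168.56.101", 49178, "72.32.212.125", "www.biztree.com",      80),
]

# UDP rows: (src, sport, dst, dport)
UDP_FLOWS = [
    ("192.168.56.101", 50534, "114.114.114.114", 53),
    ("192.168.56.101", 51378, "114.114.114.114", 53),
    ("192.168.56.101", 51963, "114.114.114.114", 53),
    ("192.168.56.101", 53237, "114.114.114.114", 53),
    ("192.168.56.101", 53657, "114.114.114.114", 53),
    ("192.168.56.101", 56539, "114.114.114.114", 53),
    ("192.168.56.101", 57874, "114.114.114.114", 53),
    ("192.168.56.101", 65004, "114.114.114.114", 53),
    ("192.168.56.101", 137,   "192.168.56.255",  137),
    ("192.168.56.101", 138,   "192.168.56.255",  138),
    ("192.168.56.101", 49235, "224.0.0.252",     5355),
    ("192.168.56.101", 51808, "224.0.0.252",     5355),
    ("192.168.56.101", 56804, "224.0.0.252",     5355),
    ("192.168.56.101", 60123, "224.0.0.252",     5355),
    ("192.168.56.101", 62191, "224.0.0.252",     5355),
    ("192.168.56.101", 1900,  "239.255.255.250", 1900),
    ("192.168.56.101", 50535, "239.255.255.250", 3702),
    ("192.168.56.101", 51809, "239.255.255.250", 3702),
    ("192.168.56.101", 56540, "239.255.255.250", 3702),
    ("192.168.56.101", 56807, "239.255.255.250", 1900),
]

# Host the report flags as contacted without a preceding DNS query.
NO_DNS_HOST = "172.217.24.14"

# Classes Windows generates on its own on any LAN; they say nothing about the
# sample unless their volume or timing is unusual.
BACKGROUND = {"llmnr", "ssdp", "ws-discovery", "netbios-broadcast"}


def classify_udp(dst, dport):
    """Label a UDP flow by well-known destination/port.  Anything unrecognised
    comes back as 'other' so it is never silently dropped from review."""
    addr = ipaddress.ip_address(dst)
    if dport == 53:
        return "dns"
    if dst == "224.0.0.252" and dport == 5355:
        return "llmnr"
    if dst == "239.255.255.250" and dport == 1900:
        return "ssdp"
    if dst == "239.255.255.250" and dport == 3702:
        return "ws-discovery"
    if dport in (137, 138) and dst.endswith(".255") and addr.is_private:
        return "netbios-broadcast"
    return "multicast-other" if addr.is_multicast else "other"


def udp_breakdown(flows=UDP_FLOWS):
    """Count flows per class."""
    counts = {}
    for _, _, dst, dport in flows:
        label = classify_udp(dst, dport)
        counts[label] = counts.get(label, 0) + 1
    return counts


def attributable_udp(flows=UDP_FLOWS):
    """UDP flows left once the background classes are removed."""
    return [f for f in flows if classify_udp(f[2], f[3]) not in BACKGROUND]


def tcp_by_host(flows=TCP_FLOWS):
    """Group TCP destinations by resolved hostname.  A flow with an empty
    hostname lands under '' and deserves a look: it was reached without DNS."""
    hosts = {}
    for _, _, dst, name, dport in flows:
        hosts.setdefault(name, set()).add((dst, dport))
    return hosts


def host_appears_in_tables(host, tcp=TCP_FLOWS, udp=UDP_FLOWS):
    """Does an address the report flagged actually occur in either flow table?"""
    return any(f[2] == host for f in tcp) or any(f[2] == host for f in udp)


if __name__ == "__main__":
    print("UDP by class:", udp_breakdown())
    print("attributable UDP flows:", len(attributable_udp()))
    for name, dests in sorted(tcp_by_host().items()):
        print(f"{name or '<unresolved>'}: {sorted(dests)}")
    print(f"{NO_DNS_HOST} present in flow tables: {host_appears_in_tables(NO_DNS_HOST)}")
```

For this report the breakdown is 8 DNS, 2 NetBIOS, 5 LLMNR, 2 SSDP and 3 WS-Discovery flows, every TCP destination has a hostname, and the flagged 172.217.24.14 occurs in neither table, which is the gap noted under the network-communication indicator.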

HTTP & HTTPS Requests

All five requests share the non-browser User-Agent GetWebFile/1.0 and Accept: */*; only the request to software.biztree.com adds Connection: Keep-Alive. That User-Agent is the most specific network artefact on the page for a proxy or IDS rule. No HTTPS was observed at all (the Suricata TLS section below is empty).

URI: http://download.biztree.com/beta/BIB7-034/BIBMain.upd
GET /beta/BIB7-034/BIBMain.upd HTTP/1.1
Accept: */*
User-Agent: GetWebFile/1.0
Host: download.biztree.com

URI: http://software.biztree.com/dist/downloadurls/BIB7_win32.txt
GET /dist/downloadurls/BIB7_win32.txt HTTP/1.1
Accept: */*
User-Agent: GetWebFile/1.0
Connection: Keep-Alive
Host: software.biztree.com

URI: http://download.biztree.com/dist/2015/Libraries/V700/BTDocEN.upd
GET /dist/2015/Libraries/V700/BTDocEN.upd HTTP/1.1
Accept: */*
User-Agent: GetWebFile/1.0
Host: download.biztree.com

URI: http://www.biztree.com/dist/downloadurls/BIB7_win32.txt
GET /dist/downloadurls/BIB7_win32.txt HTTP/1.1
Accept: */*
User-Agent: GetWebFile/1.0
Host: www.biztree.com

URI: http://cdn.biztree.com/dist/biztree.bl1
GET /dist/biztree.bl1 HTTP/1.1
Accept: */*
User-Agent: GetWebFile/1.0
Host: cdn.biztree.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.