SmartHawk

6.2

高危

44 个模型检测该样本为恶意！

重新分析

下载样本

c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc

84db618ff4b489fe09429ee18becb8e5.exe

分析耗时

90s

最近分析

文件大小

3.3MB

静态报毒动态报毒 AI SCORE=81 ARTEMIS ATTRIBUTE DANGEROUSSIG GENKD HIGH CONFIDENCE HIGHCONFIDENCE HWHXML LNSPA MALCERT MALWARE@#30Q9BFBBX35Y4 NETWIRE PARALLAX RUGMI SCORE UNSAFE XAPARO YMACCO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Baidu		20190318	1.0.0.2
Alibaba	TrojanDownloader:Win32/NetWire.e0bad911	20190527	0.3.0.5
Kingsoft		20201228	2017.9.26.565
McAfee	Artemis!84DB618FF4B4	20201228	6.0.6.653
Tencent		20201228	1.0.0.1
Avast	Win32:DangerousSig [Trj]	20201228	21.1.5827.0
CrowdStrike		20190702	1.0

This executable is signed

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.didata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:1085500713&cup2hreq=bd3fe7882ecb4c34a102162c46b553475de1ef0de07d2d6ae1aa9c3afd8cbbec

Performs some HTTP requests (2 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:1085500713&cup2hreq=bd3fe7882ecb4c34a102162c46b553475de1ef0de07d2d6ae1aa9c3afd8cbbec

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:1085500713&cup2hreq=bd3fe7882ecb4c34a102162c46b553475de1ef0de07d2d6ae1aa9c3afd8cbbec

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620973814.9735 NtAllocateVirtualMemory	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00390000	success	0	0
1620973824.5045 NtAllocateVirtualMemory	process_identifier: 2616 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00930000	success	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620973843.247188 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

C:\Windows\System32\ipconfig.exe

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1620973845.966188 RegSetValueExA	key_handle: 0x00000404 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620973845.966188 RegSetValueExA	key_handle: 0x00000404 value: ÐÕý~H× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620973845.966188 RegSetValueExA	key_handle: 0x00000404 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620973845.966188 RegSetValueExW	key_handle: 0x00000404 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620973845.982188 RegSetValueExA	key_handle: 0x00000414 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620973845.982188 RegSetValueExA	key_handle: 0x00000414 value: ÐÕý~H× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620973845.982188 RegSetValueExA	key_handle: 0x00000414 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620973846.091188 RegSetValueExW	key_handle: 0x000003fc value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

199.96.62.17:443

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.PWS.ZOL
ALYac	Backdoor.RAT.Parallax
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.Win32.NetWire.4!c
K7AntiVirus	Trojan ( 0056dcd01 )
BitDefender	Trojan.PWS.ZOL
K7GW	Trojan ( 0056dcd01 )
Cybereason	malicious.ff4b48
Arcabit	Trojan.PWS.ZOL
Symantec	ML.Attribute.HighConfidence
Paloalto	generic.ml
Kaspersky	Trojan.Win32.NetWire.jqy
Alibaba	TrojanDownloader:Win32/NetWire.e0bad911
NANO-Antivirus	Trojan.Win32.NetWire.hwhxml
Ad-Aware	Trojan.PWS.ZOL
Emsisoft	MalCert.A (A)
Comodo	Malware@#30q9bfbbx35y4
F-Secure	Trojan.TR/NetWire.lnspa
DrWeb	BackDoor.Rat.288
TrendMicro	Backdoor.Win32.PARALLAX.AA
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Jiangmin	Trojan.NetWire.vg
Webroot	W32.Trojan.GenKD
Avira	TR/NetWire.lnspa
Antiy-AVL	Trojan[Backdoor]/Win32.Xaparo
Gridinsoft	Trojan.Win32.Gen.oa
Microsoft	Trojan:Win32/Ymacco.AAC2
ZoneAlarm	Trojan.Win32.NetWire.jqy
GData	Trojan.PWS.ZOL
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.Injector.C4179959
McAfee	Artemis!84DB618FF4B4
MAX	malware (ai score=81)
Malwarebytes	Trojan.Downloader
Panda	Trj/CI.A
ESET-NOD32	Win32/TrojanDownloader.Rugmi.FAH
TrendMicro-HouseCall	Backdoor.Win32.PARALLAX.AA
Fortinet	W32/Rugmi.FAH!tr.dldr
AVG	Win32:DangerousSig [Trj]
Avast	Win32:DangerousSig [Trj]
Qihoo-360	Generic/Trojan.535

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-02 03:49:18

Exports

Ordinal	Address	Name
3	0x403c1c	@@Fouri@Finalize
2	0x403c0c	@@Fouri@Initialize
4	0x4659b0	TMethodImplementationIntercept
6	0x6e62fc	_Form1
1	0x4021b7	__GetExceptDLLinfo
5	0x6cf0ac	___CPPdebugHook

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
i.imgur.com	A 199.96.62.17	104.244.43.228
redirector.gvt1.com	A 203.208.41.65	203.208.41.65
update.googleapis.com	A 203.208.41.66	203.208.41.66
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49190	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49188	203.208.41.66 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	54991	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60911	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	53500	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	54260	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.