SmartHawk

3.8

中危

63 个模型检测该样本为恶意！

重新分析

下载样本

44ea4b14ee643709c87800d407e19e45d9f6a1f3bea15c00de3afcfba2614e8a

8c94b19e802628cba849af8c6ef0963c.exe

分析耗时

92s

最近分析

文件大小

348.0KB

静态报毒动态报毒 100% AGEN AI SCORE=100 AJFVK CLOUD CONFIDENCE DOWNLOADER27 EDNW ELDORADO ERVGVRR6FMK FOWW GENERICRXAG HICEHM HIGH HIGH CONFIDENCE MALICIOUS PE MALWARE@#20WKU0M0MO5ND MCNJ MINTLUKS MSILFC PASSWORDSTEALER PASSWORDSTEALERA QUASAR QUASARRAT R285137 S6053757 SCORE SUBTI SUSGEN TINCLEX TSCOPE TSPY UNSAFE VM0@AWDIBIH ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Backdoor:MSIL/QuasarRAT.c144c137	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	MSIL:Rat-B [Trj]	20200411	18.4.3895.0
Kingsoft		20200412	2013.8.14.323
McAfee	GenericRXAG-WH!8C94B19E8026	20200412	6.0.6.653
Tencent	Msil.Trojan.Agent.Ednw	20200412	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2885641890&cup2hreq=72f5e11d86746e81cdbb9f5ca76a03a9aa91f47c0af8983a2f07e8526871c8ba

Performs some HTTP requests (5 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682731&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f5ef4eb1bcaf14e0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682491&mv=m
request	GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f5ef4eb1bcaf14e0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682491&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:2885641890&cup2hreq=72f5e11d86746e81cdbb9f5ca76a03a9aa91f47c0af8983a2f07e8526871c8ba

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2885641890&cup2hreq=72f5e11d86746e81cdbb9f5ca76a03a9aa91f47c0af8983a2f07e8526871c8ba

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Generates some ICMP traffic

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 个事件)

MicroWorld-eScan	Generic.MSIL.PasswordStealerA.264A91CF
FireEye	Generic.mg.8c94b19e802628cb
CAT-QuickHeal	Trojan.MsilFC.S6053757
ALYac	Backdoor.MSIL.Quasar.gen
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.892219
AegisLab	Trojan.MSIL.Agent.mCnJ
Sangfor	Malware
K7AntiVirus	Trojan ( 00521dab1 )
Alibaba	Backdoor:MSIL/QuasarRAT.c144c137
K7GW	Trojan ( 00521dab1 )
Cybereason	malicious.e80262
Arcabit	Generic.MSIL.PasswordStealerA.264A91CF
TrendMicro	TSPY_TINCLEX.SM1
Cyren	W32/MSIL_Mintluks.A.gen!Eldorado
Symantec	Trojan Horse
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Generic-6295765-0
Kaspersky	Trojan.MSIL.Agent.foww
BitDefender	Generic.MSIL.PasswordStealerA.264A91CF
NANO-Antivirus	Trojan.Win32.Ric.hicehm
SUPERAntiSpyware	Trojan.Agent/Gen-PasswordStealer
Avast	MSIL:Rat-B [Trj]
Rising	Backdoor.Quasar!1.B1DD (CLOUD)
Ad-Aware	Generic.MSIL.PasswordStealerA.264A91CF
Emsisoft	Generic.MSIL.PasswordStealerA.264A91CF (B)
Comodo	Malware@#20wku0m0mo5nd
F-Secure	Heuristic.HEUR/AGEN.1123497
DrWeb	Trojan.DownLoader27.59888
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Generic.fh
Trapmine	malicious.high.ml.score
Sophos	Troj/Subti-A
Ikarus	Trojan.MSIL.Spy
F-Prot	W32/MSIL_Mintluks.A.gen!Eldorado
Jiangmin	Trojan.Generic.ajfvk
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1123497
eGambit	Trojan.Generic
MAX	malware (ai score=100)
Antiy-AVL	Trojan/MSIL.Agent
Microsoft	Backdoor:Win32/QuasarRAT.A
Endgame	malicious (high confidence)
ZoneAlarm	Trojan.MSIL.Agent.foww
GData	Generic.MSIL.PasswordStealerA.264A91CF
AhnLab-V3	Trojan/Win32.Subti.R285137
Acronis	suspicious
McAfee	GenericRXAG-WH!8C94B19E8026

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-02 11:49:03

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
redirector.gvt1.com	A 203.208.41.65	203.208.41.65
update.googleapis.com	A 203.208.40.98	203.208.40.98
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49183	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49184	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49181	203.208.40.98 update.googleapis.com	443
192.168.56.101	49182	203.208.41.65 redirector.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702
192.168.56.101	65005	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f5ef4eb1bcaf14e0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682491&mv=m	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f5ef4eb1bcaf14e0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682491&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=0-7024 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f5ef4eb1bcaf14e0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682491&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f5ef4eb1bcaf14e0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682491&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682731&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619682731&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.