8.0
高危
54 个模型检测该样本为恶意!
重新分析
更多

bf4102286da42edc8a6efd98c2739113beba3b7219ef7e55992bcfefa3bdae46

9978efd4a97d8868953b8f9f8ba1318d.exe

分析耗时

132s

最近分析

文件大小

76.0KB
静态报毒 动态报毒 AI SCORE=100 CONFIDENCE CRGOPI DIAL DIALER ELDORADO EMGFAK2GPFY GENCIRC GRAYWARE HIGH CONFIDENCE L2HR MAUVAISERI OMGZ PORN R + DIAL R101528 S5256558 SCAR SCORE SMALL SUSGEN TEDEOS UNSAFE VIGRAM WEBDIAL WEBDIALER ZEXAF ZXTPSDMDPUN 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20200915 6.0.6.653
Baidu 20190318 1.0.0.2
Alibaba Trojan:Win32/Dialer.635b99cf 20190527 0.3.0.5
Avast Win32:Dh-A [Heur] 20200917 18.4.3895.0
Tencent Malware.Win32.Gencirc.10b3bb16 20200917 1.0.0.1
Kingsoft 20200917 2013.8.14.323
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1620808763.968625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620808764.093625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620808767.343625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620808763.687625
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 个事件)
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:4035912678&cup2hreq=16065542e9dfbe23f85b0ff756e8526e7041ebc965f6c227a32876845566a39d
Performs some HTTP requests (5 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=976dc081a5dbb3ee&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=3
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=976dc081a5dbb3ee&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:4035912678&cup2hreq=16065542e9dfbe23f85b0ff756e8526e7041ebc965f6c227a32876845566a39d
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:4035912678&cup2hreq=16065542e9dfbe23f85b0ff756e8526e7041ebc965f6c227a32876845566a39d
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1620822409.408145
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004070000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)
Time & API Arguments Status Return Repeated
1620822347.643145
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19612024832
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\9978efd4a97d8868953b8f9f8ba1318d.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\9978efd4a97d8868953b8f9f8ba1318d.lnk
Creates a shortcut to an executable file (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\9978efd4a97d8868953b8f9f8ba1318d.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\9978efd4a97d8868953b8f9f8ba1318d.lnk
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.920901362751695 section {'size_of_data': '0x00012400', 'virtual_address': '0x00010000', 'entropy': 7.920901362751695, 'name': 'UPX1', 'virtual_size': '0x00013000'} description A section with a high entropy has been found
entropy 0.9733333333333334 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 个事件)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9978efd4a97d8868953b8f9f8ba1318d reg_value c:\windows\9978efd4a97d8868953b8f9f8ba1318d.exe -m
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.160.78:443
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Dialer.Webdialer.F
FireEye Generic.mg.9978efd4a97d8868
CAT-QuickHeal Trojan.MauvaiseRI.S5256558
Cylance Unsafe
VIPRE BehavesLike.Win32.Malware.wsc (mx-v)
AegisLab Riskware.Win32.Small.l2hr
Sangfor Malware
K7AntiVirus Dialer ( 00046bb31 )
BitDefender Dialer.Webdialer.F
K7GW Dialer ( 00046bb31 )
Cybereason malicious.4a97d8
Arcabit Dialer.Webdialer.F
TrendMicro DIAL_RAS.HT
BitDefenderTheta Gen:NN.ZexaF.34242.emGfaK2GpFy
Cyren W32/Dialer.S.gen!Eldorado
Symantec Dialer.Generic
ESET-NOD32 a variant of Win32/Dialer.WebDial
TrendMicro-HouseCall DIAL_RAS.HT
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.Scar.omgz
Alibaba Trojan:Win32/Dialer.635b99cf
NANO-Antivirus Trojan.Win32.Webdial.crgopi
Avast Win32:Dh-A [Heur]
Tencent Malware.Win32.Gencirc.10b3bb16
Ad-Aware Dialer.Webdialer.F
F-Secure Dialer.DIAL/000019
DrWeb Dialer.Webdial
Zillya Dialer.WebDialer.Win32.47
Invincea Mal/Generic-R + Dial/WebDial-A
Sophos Dial/WebDial-A
APEX Malicious
Jiangmin Porn-Dialer.WebDialer.t
Avira DIAL/000019
Antiy-AVL GrayWare[Porn-Dialer]/Win32.WebDialer
Microsoft Program:Win32/Vigram.A
AhnLab-V3 Unwanted/Win32.Dialer.R101528
ZoneAlarm Trojan.Win32.Scar.omgz
GData Dialer.Webdialer.F
TotalDefense Win32/Dialer.WebDialer!generic
Acronis suspicious
VBA32 Trojan.Scar
ALYac Dialer.Webdialer.F
MAX malware (ai score=100)
Rising Worm.Tedeos!8.5B48 (TFE:5:ZxtPSdMDPuN)
Yandex Dialer.Webdialer.Gen
Ikarus Dialer
MaxSecure Trojan.Malware.9564421.susgen
Fortinet W32/Webdialer.7ACD!tr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2002-01-03 07:13:39

Imports

Library KERNEL32.DLL:
0x4235c8 LoadLibraryA
0x4235cc GetProcAddress
0x4235d0 ExitProcess
Library ADVAPI32.dll:
0x4235d8 RegCloseKey
Library GDI32.dll:
0x4235e0 GetObjectA
Library ole32.dll:
0x4235e8 OleInitialize
Library SHELL32.dll:
0x4235f0 ShellExecuteA
Library USER32.dll:
0x4235f8 SetFocus

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49197 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49198 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49194 203.208.41.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=976dc081a5dbb3ee&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=3 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=976dc081a5dbb3ee&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7230
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=976dc081a5dbb3ee&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=976dc081a5dbb3ee&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620793703&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.