8.0
高危
40 个模型检测该样本为恶意!
重新分析
更多

e802d0071f375ea0e47087c4649ab5759e9482c6f497651b1709010599677c2b

a15757e4122d962264a4e6b419bd28f2.exe

分析耗时

107s

最近分析

文件大小

673.6KB
静态报毒 动态报毒 ADWAREFILETOUR AGEN AI SCORE=100 ARTEMIS ATTRIBUTE BUNDLER CLOUDSCOUT DOWNLOADER27 FILEREPMETAGEN FLBTND GENERIC PUA BG HIGH HIGH CONFIDENCE HIGHCONFIDENCE INNOSETUP LJTN MALWARE@#ZBSHK7CX9VMA SCORE URSU WACATAC 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Artemis!A15757E4122D 20200312 6.0.6.653
Alibaba AdWare:Win32/CloudScout.7cac96f2 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20200312 18.4.3895.0
Tencent Win32.Adware.Cloudscout.Ljtn 20200313 1.0.0.1
Kingsoft 20200313 2013.8.14.323
CrowdStrike 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619781446.5945
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST http://dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me/QualityCheck/ii9.php
Performs some HTTP requests (4 个事件)
request POST http://dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me/QualityCheck/ii9.php
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://crl.identrust.com/DSTROOTCAX3CRL.crl
Sends data using the HTTP POST Method (1 个事件)
request POST http://dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me/QualityCheck/ii9.php
Allocates read-write-execute memory (usually to unpack itself) (6 个事件)
Time & API Arguments Status Return Repeated
1619781446.5005
NtProtectVirtualMemory
process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619781446.5005
NtProtectVirtualMemory
process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619781446.5005
NtProtectVirtualMemory
process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00410000
success 0 0
1619801887.045625
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00610000
success 0 0
1619801924.811625
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x06930000
success 0 0
1619801522.221271
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000041e0000
success 0 0
Creates executable files on the filesystem (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-U6ELK.tmp\idp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-U6ELK.tmp\isskin.dll
Drops an executable to the user AppData folder (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-U6ELK.tmp\isskin.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-U6ELK.tmp\idp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-DP6HS.tmp\a15757e4122d962264a4e6b419bd28f2.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-U6ELK.tmp\Vista.cjstyles
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619801898.451625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Queries for potentially installed applications (2 个事件)
Time & API Arguments Status Return Repeated
1619801895.342625
RegOpenKeyExA
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SMPlayer Downloader_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SMPlayer Downloader_is1
options: 0
failed 2 0
1619801895.342625
RegOpenKeyExA
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SMPlayer Downloader_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SMPlayer Downloader_is1
options: 0
failed 2 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Attempts to create or modify system certificates (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619801902.326625
RegSetValueExA
key_handle: 0x000004b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619801902.326625
RegSetValueExA
key_handle: 0x000004b4
value: p@¢Æ=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619801902.326625
RegSetValueExA
key_handle: 0x000004b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619801902.326625
RegSetValueExW
key_handle: 0x000004b4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619801902.326625
RegSetValueExA
key_handle: 0x000004cc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619801902.326625
RegSetValueExA
key_handle: 0x000004cc
value: p@¢Æ=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619801902.326625
RegSetValueExA
key_handle: 0x000004cc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619801902.357625
RegSetValueExW
key_handle: 0x000004b0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 个事件)
MicroWorld-eScan Application.Bundler.BVK
FireEye Application.Bundler.BVK
Qihoo-360 Win32/Trojan.70e
McAfee Artemis!A15757E4122D
Zillya Adware.CloudScout.Win32.1940
Sangfor Malware
Alibaba AdWare:Win32/CloudScout.7cac96f2
Cybereason malicious.4122d9
Invincea heuristic
Symantec ML.Attribute.HighConfidence
APEX Malicious
ClamAV Win.Malware.Ursu-7435917-0
Kaspersky not-a-virus:AdWare.Win32.CloudScout.lsf
BitDefender Application.Bundler.BVK
NANO-Antivirus Trojan.InnoSetup.CloudScout.flbtnd
Paloalto generic.ml
AegisLab Adware.Win32.CloudScout.2!c
Tencent Win32.Adware.Cloudscout.Ljtn
Endgame malicious (high confidence)
Comodo Malware@#zbshk7cx9vma
F-Secure Heuristic.HEUR/AGEN.1035165
DrWeb Trojan.DownLoader27.17385
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.AdwareFileTour.jc
Fortinet W32/Adload.NTZ!tr
Trapmine malicious.high.ml.score
Sophos Generic PUA BG (PUA)
Webroot W32.Adware.Gen
Avira HEUR/AGEN.1035165
MAX malware (ai score=100)
Microsoft Trojan:Win32/Wacatac.C!ml
Arcabit Application.Bundler.BVK
ZoneAlarm not-a-virus:AdWare.Win32.CloudScout.lsf
GData Application.Bundler.BVK
AhnLab-V3 Malware/Gen.Generic.C2848863
Malwarebytes Adware.AdLoad
ESET-NOD32 Win32/TrojanDownloader.Adload.NTZ
Ikarus Trojan-Downloader.Win32.Adload
BitDefenderTheta AI:Packer.D204062917
AVG FileRepMetagen [Adw]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x40e0c4 VirtualFree
0x40e0c8 VirtualAlloc
0x40e0cc LocalFree
0x40e0d0 LocalAlloc
0x40e0d4 WideCharToMultiByte
0x40e0d8 TlsSetValue
0x40e0dc TlsGetValue
0x40e0e0 MultiByteToWideChar
0x40e0e4 GetModuleHandleA
0x40e0e8 GetLastError
0x40e0ec GetCommandLineA
0x40e0f0 WriteFile
0x40e0f4 SetFilePointer
0x40e0f8 SetEndOfFile
0x40e0fc RtlUnwind
0x40e100 ReadFile
0x40e104 RaiseException
0x40e108 GetStdHandle
0x40e10c GetFileSize
0x40e110 GetSystemTime
0x40e114 GetFileType
0x40e118 ExitProcess
0x40e11c CreateFileA
0x40e120 CloseHandle
Library user32.dll:
0x40e128 MessageBoxA
Library oleaut32.dll:
0x40e130 VariantChangeTypeEx
0x40e134 VariantCopyInd
0x40e138 VariantClear
0x40e13c SysStringLen
0x40e140 SysAllocStringLen
Library advapi32.dll:
0x40e148 RegQueryValueExA
0x40e14c RegOpenKeyExA
0x40e150 RegCloseKey
0x40e154 OpenProcessToken
Library kernel32.dll:
0x40e160 WriteFile
0x40e164 VirtualQuery
0x40e168 VirtualProtect
0x40e16c VirtualFree
0x40e170 VirtualAlloc
0x40e174 Sleep
0x40e178 SizeofResource
0x40e17c SetLastError
0x40e180 SetFilePointer
0x40e184 SetErrorMode
0x40e188 SetEndOfFile
0x40e18c RemoveDirectoryA
0x40e190 ReadFile
0x40e194 LockResource
0x40e198 LoadResource
0x40e19c LoadLibraryA
0x40e1a0 IsDBCSLeadByte
0x40e1a8 GetVersionExA
0x40e1ac GetVersion
0x40e1b4 GetSystemInfo
0x40e1b8 GetSystemDirectoryA
0x40e1c0 GetProcAddress
0x40e1c4 GetModuleHandleA
0x40e1c8 GetModuleFileNameA
0x40e1cc GetLocaleInfoA
0x40e1d0 GetLastError
0x40e1d4 GetFullPathNameA
0x40e1d8 GetFileSize
0x40e1dc GetFileAttributesA
0x40e1e0 GetExitCodeProcess
0x40e1e8 GetCurrentProcess
0x40e1ec GetCommandLineA
0x40e1f0 GetACP
0x40e1f4 InterlockedExchange
0x40e1f8 FormatMessageA
0x40e1fc FindResourceA
0x40e200 DeleteFileA
0x40e204 CreateProcessA
0x40e208 CreateFileA
0x40e20c CreateDirectoryA
0x40e210 CloseHandle
Library user32.dll:
0x40e218 TranslateMessage
0x40e21c SetWindowLongA
0x40e220 PeekMessageA
0x40e228 MessageBoxA
0x40e22c LoadStringA
0x40e230 ExitWindowsEx
0x40e234 DispatchMessageA
0x40e238 DestroyWindow
0x40e23c CreateWindowExA
0x40e240 CallWindowProcA
0x40e244 CharPrevA
Library comctl32.dll:
0x40e24c InitCommonControls
Library advapi32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49204 115.238.187.35 www.download.windowsupdate.com 80
192.168.56.101 49191 146.71.73.6 cfhcable.dl.sourceforge.net 443
192.168.56.101 49217 146.71.73.6 cfhcable.dl.sourceforge.net 443
192.168.56.101 49197 192.35.177.64 apps.identrust.com 80
192.168.56.101 49211 23.32.241.66 crl.identrust.com 80
192.168.56.101 49216 23.32.248.43 r3.o.lencr.org 80
192.168.56.101 49178 82.163.143.56 dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me 80
192.168.56.101 49183 82.163.143.56 dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me 80
192.168.56.101 49186 82.163.143.56 dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me 80
192.168.56.101 49187 82.163.143.56 dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me 80
192.168.56.101 49189 82.163.143.56 dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50849 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57089 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 61522 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 64118 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50433 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://crl.identrust.com/DSTROOTCAX3CRL.crl 
GET /DSTROOTCAX3CRL.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.identrust.com
http://apps.identrust.com/roots/dstrootcax3.p7c 
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
http://dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me/QualityCheck/ii9.php 
POST /QualityCheck/ii9.php HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 35
Host: dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSjXH4NoQ%2BkxcQwogO0WnbKwQ%3D%3D 
GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSjXH4NoQ%2BkxcQwogO0WnbKwQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: r3.o.lencr.org

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.