6.8
High risk

c6a810bf84ea3fd17a282d2a10bec7811c79ff751d5dbcf9eb84cff95f1fd5ba

ac24a354f638eaeb5d4a1c8a4af2ba3f.exe

Analysis duration

78s

Latest analysis

File size

216.4KB
Static scan: flagged   Dynamic scan: flagged   DOWNLOADER34
HawkEye (鹰眼) engine
Not detected: no HawkEye engine result is available yet
Static verdict
Anti-virus engines
Engine   Result   Scan time   Engine version
Alibaba 20190527 0.3.0.5
Tencent 20210422 1.0.0.1
CrowdStrike 20210203 1.0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)
suspicious_features POST method with no referer header suspicious_request POST http://www.google-analytics.com/collect
suspicious_features POST method with no referer header suspicious_request POST http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Performs some HTTP requests (3 events)
request POST http://www.google-analytics.com/collect
request POST http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
request GET http://iavs9x.u.avast.com/iavs9x/avast_premium_security_setup_online_x64.exe
Sends data using the HTTP POST method (2 events)
request POST http://www.google-analytics.com/collect
request POST http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (1 event)
Time & API Arguments Status Return Repeated
1619828617.979125
GetDiskFreeSpaceExW
root_path: C:\Windows\Temp\asw.726409c97758a72d
free_bytes_available: 19609624576
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (1 event)
file C:\Windows\Temp\asw.726409c97758a72d\avast_premium_security_setup_online_x64.exe
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)
DrWeb Trojan.DownLoader34.48949
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Queries information on disks, possibly for anti-virtualization (2 events)
Time & API Arguments Status Return Repeated
1619828617.823125
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x0000007c
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1619828617.823125
DeviceIoControl
input_buffer:
device_handle: 0x0000007c
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566434623363626138662d3764623238312037
success 1 0
Detects virtual machines through their custom firmware (1 event)
Time & API Arguments Status Return Repeated
1619828617.838125
NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
failed 3221225507 0
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.27.142:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were generated while this sample ran


PE Compile Time

2020-05-14 15:23:47

Imports

Library KERNEL32.dll:
0x422058 SizeofResource
0x42205c CreateFileW
0x422060 CloseHandle
0x422064 EnumResourceNamesW
0x42206c CreateDirectoryW
0x422070 LocalFree
0x422074 CreateFileMappingW
0x422078 MapViewOfFile
0x42207c UnmapViewOfFile
0x422080 lstrlenA
0x422088 GetVersionExA
0x42208c GetNativeSystemInfo
0x422090 lstrcatA
0x422094 CreateThread
0x422098 GetCurrentProcess
0x42209c CreateMutexW
0x4220a0 MoveFileExW
0x4220a8 HeapFree
0x4220ac GetDiskFreeSpaceExW
0x4220b0 CreateProcessW
0x4220b4 ResumeThread
0x4220b8 WaitForSingleObject
0x4220bc LoadResource
0x4220c0 CreateHardLinkW
0x4220c4 ReleaseMutex
0x4220cc WriteFile
0x4220d0 SetEndOfFile
0x4220d4 SetFilePointerEx
0x4220d8 GetFileSizeEx
0x4220dc GetLastError
0x4220e0 InterlockedExchange
0x4220e4 ExitProcess
0x4220ec HeapSetInformation
0x4220f0 SetDllDirectoryW
0x4220f4 WriteConsoleW
0x4220f8 GetConsoleMode
0x4220fc GetConsoleCP
0x422100 FlushFileBuffers
0x422104 LCMapStringW
0x422108 FindResourceW
0x42210c Sleep
0x422110 GetExitCodeProcess
0x422114 SetLastError
0x422118 GetProcAddress
0x42211c GetModuleHandleW
0x422120 lstrcpyW
0x422124 GetSystemDirectoryW
0x422128 GetProcessHeap
0x422130 RaiseException
0x422134 GetSystemInfo
0x422138 VirtualProtect
0x42213c VirtualQuery
0x422140 FreeLibrary
0x422144 LoadLibraryExA
0x422148 GetVersionExW
0x42214c DeviceIoControl
0x422154 GetVolumePathNameW
0x422158 HeapSize
0x42215c GetVersion
0x422164 MultiByteToWideChar
0x422168 HeapReAlloc
0x42216c DecodePointer
0x422170 HeapDestroy
0x422178 WideCharToMultiByte
0x422184 SetEvent
0x422188 ResetEvent
0x422190 CreateEventW
0x42219c TerminateProcess
0x4221a4 GetCurrentProcessId
0x4221a8 GetCurrentThreadId
0x4221ac InitializeSListHead
0x4221b0 IsDebuggerPresent
0x4221b4 GetStartupInfoW
0x4221b8 OutputDebugStringW
0x4221bc RtlUnwind
0x4221c0 EncodePointer
0x4221c4 TlsAlloc
0x4221c8 TlsGetValue
0x4221cc TlsSetValue
0x4221d0 TlsFree
0x4221d4 LoadLibraryExW
0x4221d8 GetCommandLineA
0x4221dc GetCommandLineW
0x4221e0 GetStdHandle
0x4221e4 GetModuleFileNameW
0x4221e8 GetModuleHandleExW
0x4221ec GetFileType
0x4221f0 GetStringTypeW
0x4221f4 FindClose
0x4221f8 FindFirstFileExW
0x4221fc FindNextFileW
0x422200 IsValidCodePage
0x422204 GetACP
0x422208 GetOEMCP
0x42220c GetCPInfo
0x422218 SetStdHandle
0x42221c HeapAlloc
Library USER32.dll:
0x422228 wsprintfA
0x42222c MessageBoxExW
0x422230 LoadStringW
0x422234 wsprintfW
0x422238 SetForegroundWindow
0x42223c FindWindowW
0x422240 DispatchMessageW
0x422244 GetMessageW
0x422248 RegisterClassExW
0x42224c PostMessageW
0x422254 GetSystemMetrics
0x422258 LoadImageW
0x42225c DefWindowProcW
0x422260 KillTimer
0x422264 InvalidateRect
0x422268 SetTimer
0x42226c EndPaint
0x422270 FillRect
0x422274 BeginPaint
0x422278 CreateWindowExW
Library GDI32.dll:
0x422048 GetObjectW
0x42204c CreateSolidBrush
0x422050 CreatePatternBrush
Library ADVAPI32.dll:
0x422000 CryptGetHashParam
0x422004 CryptCreateHash
0x422008 CryptDestroyHash
0x42200c CryptGenRandom
0x422018 OpenProcessToken
0x42201c GetTokenInformation
0x422020 IsValidSid
0x422024 GetSidSubAuthority
0x42202c CryptReleaseContext
0x422030 CryptHashData
Library COMCTL32.dll:
0x422038
Library CRYPT32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49175 184.28.98.89 iavs9x.u.avast.com 80
192.168.56.101 49173 203.208.40.33 www.google-analytics.com 80
192.168.56.101 49174 5.62.53.222 v7event.stats.avast.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 63497 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 60215 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://iavs9x.u.avast.com/iavs9x/avast_premium_security_setup_online_x64.exe
GET /iavs9x/avast_premium_security_setup_online_x64.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Avast Microstub/2.1
Host: iavs9x.u.avast.com

http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
POST /cgi-bin/iavsevents.cgi HTTP/1.1
Connection: Keep-Alive
Content-Type: iavs4/stats
User-Agent: Avast Microstub/2.1
Content-Length: 245
Host: v7event.stats.avast.com

http://www.google-analytics.com/collect
POST /collect HTTP/1.1
Connection: Keep-Alive
User-Agent: Avast Microstub/2.1
Content-Length: 119
Host: www.google-analytics.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.