3.8
Medium risk

07fd8995129843b46d5ba2f07b0ac7238b9665ae7fea63728108c27d6a9e8c56

bc3dca7611fe4cedcfd4cc962d16277d.exe

Analysis duration

85s

Latest analysis

File size

5.2MB
Static detection  Dynamic detection  BROWSEFOX CLOUD EBSDLC EDJS GENERIC PUA KF MOBOGENIE PHOBFJQKEHI
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
McAfee 20160430 6.0.6.653
Baidu 20160429 1.0.0.2
Avast 20160430 8.0.1489.320
Alibaba 20160429 1.0
Kingsoft 20160430 2013.8.14.323
Tencent 20160430 1.0.0.1
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time  API  Arguments  Status  Return  Repeated
1620902584.80275  IsDebuggerPresent  -  failed  0  0
1620902590.56875  IsDebuggerPresent  -  failed  0  0
This executable is signed
This executable has a PDB path (1 event)
pdb_path E:\PRJ_CODE_2_\rtm3-20\ClientLib\Tools\Bin\Game\Release\UpdateExeHead.pdb
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (16 events)
Time  API  Arguments  Status  Return  Repeated
All 16 calls share these arguments: process_identifier: 1380, process_handle: 0xffffffff, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0; heap_dep_bypass is 0 unless noted.
1620902584.95875  NtProtectVirtualMemory  base_address: 0x750d1000  success  0  0
1620902585.08375  NtProtectVirtualMemory  base_address: 0x746a1000  success  0  0
1620902589.08375  NtProtectVirtualMemory  base_address: 0x74f81000  success  0  0
1620902589.80275  NtProtectVirtualMemory  base_address: 0x74531000  success  0  0
1620902589.80275  NtProtectVirtualMemory  base_address: 0x76881000  success  0  0
1620902590.31875  NtProtectVirtualMemory  base_address: 0x74521000  success  0  0
1620902590.33375  NtProtectVirtualMemory  base_address: 0x744c1000  success  0  0
1620902590.50575  NtProtectVirtualMemory  base_address: 0x74317000  success  0  0
1620902590.56875  NtProtectVirtualMemory  base_address: 0x03bb0000, heap_dep_bypass: 1  success  0  0
1620902590.58375  NtProtectVirtualMemory  base_address: 0x744b1000  success  0  0
1620902590.58375  NtProtectVirtualMemory  base_address: 0x74481000  success  0  0
1620902590.61475  NtProtectVirtualMemory  base_address: 0x742b1000  success  0  0
1620902590.64675  NtProtectVirtualMemory  base_address: 0x74291000  success  0  0
1620902590.64675  NtProtectVirtualMemory  base_address: 0x74471000  success  0  0
1620902590.64675  NtProtectVirtualMemory  base_address: 0x74281000  success  0  0
1620902591.00575  NtProtectVirtualMemory  base_address: 0x75c41000  success  0  0
Foreign language identified in PE resource (17 events)
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0005f0a8 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_MENU language LANG_CHINESE offset 0x0005f560 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004a
name RT_DIALOG language LANG_CHINESE offset 0x0005f5c0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000160
name RT_STRING language LANG_CHINESE offset 0x0005f9f0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000054
name RT_ACCELERATOR language LANG_CHINESE offset 0x0005f5b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000010
name RT_GROUP_ICON language LANG_CHINESE offset 0x0005f510 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_GROUP_ICON language LANG_CHINESE offset 0x0005f510 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_VERSION language LANG_CHINESE offset 0x0005f720 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002d0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)
Malwarebytes PUP.Optional.MoboGenie
K7GW Adware ( 004ce12a1 )
K7AntiVirus Adware ( 004ce12a1 )
ESET-NOD32 a variant of Win32/Adware.Mobogenie.A
NANO-Antivirus Riskware.Win32.Mobogenie.ebsdlc
Rising Adware.Mobogenie!8.207-pHoBFJqkeHI (Cloud)
Sophos Generic PUA KF (PUA)
DrWeb Adware.Mobogenie.45
Zillya Adware.BrowseFox.Win32.239802
Avira ADWARE/Mobogenie.edjs
Arcabit PUP.Adware.Mobogenie
Yandex PUA.Mobogenie!
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (1 event)
dll C:\Windows\system32\VBoxMRXNP.dll
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2012-11-19 17:27:51

Imports

Library KERNEL32.dll:
0x424008 CreateDirectoryA
0x42400c GetTempPathA
0x424014 CreateProcessA
0x424018 MoveFileA
0x42401c WaitForSingleObject
0x424020 CloseHandle
0x424024 ResumeThread
0x424028 ResetEvent
0x42402c CreateEventA
0x424030 SetEvent
0x424034 OpenMutexA
0x424038 Sleep
0x42403c WriteFile
0x424040 CreateFileA
0x424044 VirtualAlloc
0x424048 VirtualFree
0x424058 GetLastError
0x42405c DeleteFileA
0x42406c CompareStringW
0x424070 CompareStringA
0x424074 SetEndOfFile
0x424078 GetLocaleInfoA
0x42407c GetStringTypeW
0x424080 GetStringTypeA
0x424084 IsBadCodePtr
0x424088 IsBadReadPtr
0x42408c GetModuleFileNameA
0x424090 GetCPInfo
0x424094 GetOEMCP
0x424098 GetACP
0x42409c LoadLibraryA
0x4240a0 LCMapStringW
0x4240a4 MultiByteToWideChar
0x4240a8 LCMapStringA
0x4240ac GetSystemInfo
0x4240b0 VirtualProtect
0x4240b4 VirtualQuery
0x4240b8 InterlockedExchange
0x4240bc CopyFileA
0x4240c0 GetFileSize
0x4240c4 SetFilePointer
0x4240c8 ReadFile
0x4240cc GetShortPathNameA
0x4240d0 MoveFileExA
0x4240d4 GetTempFileNameA
0x4240d8 FlushFileBuffers
0x4240dc lstrlenA
0x4240e8 GetFileType
0x4240ec GetCurrentProcess
0x4240f0 GetCurrentThreadId
0x4240f4 ExitProcess
0x4240f8 ExitThread
0x4240fc CreateThread
0x424100 RtlUnwind
0x424104 RaiseException
0x424108 GetModuleHandleA
0x42410c GetStartupInfoA
0x424110 GetCommandLineA
0x424114 GetVersionExA
0x424118 HeapFree
0x42411c HeapAlloc
0x424120 WideCharToMultiByte
0x42412c GetTickCount
0x424130 GetCurrentProcessId
0x424138 SetHandleCount
0x42413c GetStdHandle
0x424140 GetProcAddress
0x424144 TlsAlloc
0x424148 SetLastError
0x42414c TlsFree
0x424150 TlsSetValue
0x424154 TlsGetValue
0x424158 TerminateProcess
0x424164 HeapReAlloc
0x424168 HeapSize
0x42417c HeapDestroy
0x424180 HeapCreate
0x424184 IsBadWritePtr
0x424188 SetStdHandle
0x42418c PeekNamedPipe
Library USER32.dll:
0x4241c0 FindWindowA
0x4241c4 GetWindowRect
0x4241c8 GetSystemMetrics
0x4241cc DialogBoxParamA
0x4241d0 PostQuitMessage
0x4241d4 LoadIconA
0x4241d8 SetDlgItemTextA
0x4241dc DefWindowProcA
0x4241e0 MessageBoxA
0x4241e4 GetDlgItem
0x4241e8 EnableWindow
0x4241ec InvalidateRect
0x4241f0 GetSystemMenu
0x4241f4 EnableMenuItem
0x4241f8 SendMessageA
0x4241fc SendDlgItemMessageA
0x424200 MoveWindow
Library GDI32.dll:
0x424000 SetTextColor
Library SHELL32.dll:
0x424194 SHBrowseForFolderA
Library SHLWAPI.dll:
0x4241a0 PathFindExtensionA
0x4241a4 PathRemoveFileSpecA
0x4241a8 PathAppendA
0x4241b0 PathRemoveBlanksA
0x4241b4 PathFileExistsA
0x4241b8 PathFindFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 57875 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62319 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.