SmartHawk

5.6

高危

56 个模型检测该样本为恶意！

重新分析

下载样本

cd4ea9f0add28de11dee831302cddfa2b0e4b42e3d65c8929e735ece2f94590e

c110ea67aea49c2135f36cbbe3c1ca22.exe

分析耗时

95s

最近分析

文件大小

242.9KB

静态报毒动态报毒 100% AI SCORE=87 AIDETECTVM AVADDONCRYPT BSCOPE CONFIDENCE CQJPQ DRIXED EHLS ELDORADO EMOTET ENCPK FAKEMS GDI7HKDZL6C GENCIRC GENERICKD GENERIK GENETIC GOZI GRAYWARE HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE1 MALWARE@#2LWGNGN6V92BI NHQVJZN QVM20 R338920 S + MAL SCORE STATIC AI TROJANX UNSAFE URSNIF X6YBYSMFAHF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Drixed-FJL!C110EA67AEA4	20201228	6.0.6.653
Baidu		20190318	1.0.0.2
Alibaba	TrojanSpy:Win32/Ursnif.d645706a	20190527	0.3.0.5
Kingsoft		20201228	2017.9.26.565
Tencent	Malware.Win32.Gencirc.10cdd189	20201228	1.0.0.1
Avast	Win32:TrojanX-gen [Trj]	20201228	21.1.5827.0
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619878885.700625 GetComputerNameW	computer_name:	failed	0	0
1619878885.700625 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (2 个事件)

resource name	MUI
resource name	WEVT_TEMPLATE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2670911750&cup2hreq=d30fd9e1dfc032a2a1203a949ab6f19c46df11ada17ba5131e3f69b8553bbf85

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=175100e49e01d733&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:2670911750&cup2hreq=d30fd9e1dfc032a2a1203a949ab6f19c46df11ada17ba5131e3f69b8553bbf85

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2670911750&cup2hreq=d30fd9e1dfc032a2a1203a949ab6f19c46df11ada17ba5131e3f69b8553bbf85

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619878881.606625 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success
1619878884.966625 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success
1619878884.966625 NtProtectVirtualMemory	process_identifier: 1320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43263076
FireEye	Generic.mg.c110ea67aea49c21
CAT-QuickHeal	Trojan.Gozi
McAfee	Drixed-FJL!C110EA67AEA4
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 005680741 )
BitDefender	Trojan.GenericKD.43263076
K7GW	Spyware ( 005674951 )
Cybereason	malicious.7aea49
Cyren	W32/Trojan.DZZ.gen!Eldorado
Symantec	Packed.Generic.459
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
Alibaba	TrojanSpy:Win32/Ursnif.d645706a
Rising	Ransom.AvaddonCrypt!8.11D2A (TFE:2:x6YBYSmfahF)
Ad-Aware	Trojan.GenericKD.43263076
Emsisoft	Trojan.GenericKD.43263076 (B)
Comodo	Malware@#2lwgngn6v92bi
F-Secure	Trojan.TR/Spy.Ursnif.cqjpq
DrWeb	Trojan.Gozi.683
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Emotet.dm
Sophos	Mal/Generic-S + Mal/EncPk-APV
Ikarus	Trojan-Spy.Agent
GData	Trojan.GenericKD.43263076
Jiangmin	Trojan.Banker.Gozi.aoj
MaxSecure	Banker.Banker.WIN32.Gozi.pef_188492
Avira	TR/Spy.Ursnif.cqjpq
MAX	malware (ai score=87)
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Gridinsoft	Trojan.Win32.Kryptik.ba
Arcabit	Trojan.Generic.D2942464
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
Microsoft	Trojan:Win32/Gozi!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Ursnif.R338920
Acronis	suspicious
BitDefenderTheta	AI:Packer.601D603B1F
ALYac	Trojan.GenericKD.43263076
VBA32	BScope.Trojan.Encoder
Malwarebytes	Trojan.FakeMS
Panda	Trj/Genetic.gen
Zoner	Trojan.Win32.91267
ESET-NOD32	Win32/Spy.Ursnif.CZ
Tencent	Malware.Win32.Gencirc.10cdd189
Yandex	Trojan.Agent!GdI7hkdZL6c

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.160.110:443
dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-31 23:29:23

Imports

Library KERNEL32.dll:

• 0x437920 LoadLibraryA

• 0x437924 GetProcAddress

• 0x437928 VirtualAlloc

• 0x43792c GetLastError

• 0x437930 GetModuleHandleA

Library USER32.dll:

• 0x437938 LoadIconA

• 0x43793c IsGUIThread

• 0x437940 IsCharAlphaA

• 0x437944 IsCharLowerA

• 0x437948 IsCharAlphaNumericW

• 0x43794c IsCharAlphaNumericA

• 0x437950 IsCharLowerW

• 0x437954 IsCharAlphaW

• 0x437958 IsCharUpperA

• 0x43795c IsClipboardFormatAvailable

• 0x437960 IsCharUpperW

• 0x437964 IsWindowUnicode

• 0x437968 GetDesktopWindow

• 0x43796c GetMenu

Library GDI32.dll:

• 0x437974 GetEnhMetaFileW

Library ADVAPI32.dll:

• 0x43797c RegQueryValueExA

• 0x437980 GetUserNameA

Library MSVCRT.dll:

• 0x437988 __p__commode

• 0x43798c __p__fmode

• 0x437990 __set_app_type

• 0x437994 _controlfp

• 0x437998 _adjust_fdiv

• 0x43799c __setusermatherr

• 0x4379a0 _initterm

• 0x4379a4 __getmainargs

• 0x4379a8 __initenv

• 0x4379ac exit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com A 172.217.160.110	172.217.160.78
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
redirector.gvt1.com	A 203.208.41.33	203.208.41.97
update.googleapis.com	A 203.208.40.98	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49186	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49187	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49183	203.208.40.98 update.googleapis.com	443
192.168.56.101	49185	203.208.41.33 redirector.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	54991	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=175100e49e01d733&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=175100e49e01d733&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

URI

Data

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=175100e49e01d733&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=175100e49e01d733&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619849777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.