Score: 6.4 (High risk)

SHA-256: 49571529eb6a9094b6df0c5e2d6b3c3a9d06d25c02c32d2fc76a71825e67c34f

File name: c27795b82f15147318990eab0895377b.exe (the sample's MD5, which the FireEye detection name below also carries)

Analysis time: 35s

Last analysis:

File size: 2.3MB
Flags: static detection, dynamic detection. Detection-name tags: C@6E9656 CHINDO CHIR CONFIDENCE ELDORADO FGYPNO GBOT GENERIC PUA DF HFSADWARE HIGH CONFIDENCE MALICIOUS MALICIOUS PE MAUVAISERI R002C0OC820 R180775 S5244821 SCORE SOGOU SOGOUCRTD UNSAFE WQQYP
HawkEye engine
Not detected (no HawkEye engine result is available for this sample)
Static verdict

Antivirus engines

Engine | Result | Scan date | Engine version
McAfee | PUP-FTL | 20200707 | 6.0.6.653
Alibaba | Downloader:Win32/Sogou.8ad47e94 | 20190527 | 0.3.0.5
Avast | Win32:Malware-gen | 20200707 | 18.4.3895.0
Baidu | (no detection) | 20190318 | 1.0.0.2
Kingsoft | (no detection) | 20200707 | 2013.8.14.323
Tencent | (no detection) | 20200707 | 1.0.0.1
CrowdStrike | win/malicious_confidence_80% (D) | 20190702 | 1.0
Static indicators
(none listed)

Behaviour verdict

Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (2 events)

Both calls are made by PID 428 with process_handle 0xffffffff, the pseudo-handle for the calling process, so the process is changing the protection of one 4 KiB page in its own address space, not writing into another process. The two addresses (0x75091000 and 0x76881000) are far above the usual 0x00400000 image base of a 32-bit executable, in the range where system DLLs are typically mapped; that fits patching of loaded modules (inline hooking) at least as well as unpacking, which is why the signature text says "usually".

Time | API | Arguments | Status | Return | Repeated
1620997340.1355 | NtProtectVirtualMemory | process_identifier: 428; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; base_address: 0x75091000 | success | 0 | 0
1620997340.1355 | NtProtectVirtualMemory | process_identifier: 428; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; base_address: 0x76881000 | success | 0 | 0
Foreign language identified in PE resource (10 events)

All resources are tagged Simplified Chinese. The first row matters most: a resource named EXE at file offset 0x0003a310 is itself a PE32 executable, identified as a Nullsoft (NSIS) self-extracting installer, 0x001ef578 bytes (about 2.0 MB). That single resource makes up roughly 95% of the .rsrc section that the entropy check below flags.

Name | Language | Sublanguage | Offset | Size | File type
EXE | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x0003a310 | 0x001ef578 | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00243ce8 | 0x00000468 | GLS_BINARY_LSB_FIRST
RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x00244150 | 0x00000068 | data
RT_VERSION | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0x002441b8 | 0x000002f4 | data
Creates executable files on the filesystem (14 events)

Everything except minidownload.exe lands under C:\Program Files (x86)\SogouSoftware\, i.e. a full installation rather than a hidden drop. The download\download\ subtree (MiniThunderPlatform.exe, ThunderFW.exe, xldl.dll, dl_peer_id.dll, download_engine.dll plus the msvcr71/msvcp71/atl71 runtime) carries the file names of the Xunlei (Thunder) download SDK, which is consistent with the "Sogou downloader" labels in the antivirus results.
file C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
file C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
file C:\Program Files (x86)\SogouSoftware\download\download\msvcr71.dll
file C:\Program Files (x86)\SogouSoftware\crash\ExceptionReport.exe
file C:\Program Files (x86)\SogouSoftware\download\xldl.dll
file C:\Program Files (x86)\SogouSoftware\download\download\msvcp71.dll
file C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
file C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\minidownload.exe
file C:\Program Files (x86)\SogouSoftware\download\download\download_engine.dll
file C:\Program Files (x86)\SogouSoftware\download\download\atl71.dll
file C:\Program Files (x86)\SogouSoftware\download\download\zlib1.dll
file C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll
file C:\Program Files (x86)\SogouSoftware\download\download\dl_peer_id.dll
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\minidownload.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\minidownload.exe
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.935676122614296 section {'size_of_data': '0x0020a800', 'virtual_address': '0x0003a000', 'entropy': 7.935676122614296, 'name': '.rsrc', 'virtual_size': '0x0020a638'} description A section with a high entropy has been found
entropy 0.9002799913848805 description Overall entropy of this PE file is high

How to read the two numbers: the first is the Shannon entropy of the .rsrc section in bits per byte (maximum 8.0). The second is not an entropy at all; the Cuckoo packer_entropy signature that produced this text reports as "overall" the fraction of all section bytes that lie in sections above its 6.8 bits/byte cutoff, here the 0x20a800 bytes of .rsrc out of about 2.3 MB of section data, i.e. roughly 90%. The resource table above explains the value: .rsrc holds the compressed NSIS installer stored as the EXE resource, so this is an installer stub carrying a compressed payload, not a packed code section (no code section is flagged).
Network communication

Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14

Caveat: the Hosts, TCP and HTTP tables later in this report are empty, and the UDP table records only DNS queries (names not listed) and local discovery traffic, so the report does not show whether a connection to 172.217.24.14 completed or what was sent to it.
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection: Process 2136 resumed a thread in remote process 428.

Caveats: 428 is the same process whose pages were set to PAGE_EXECUTE_READWRITE above, but those changes were self-applied through the pseudo-handle 0xffffffff; no WriteProcessMemory or cross-process NtProtectVirtualMemory from 2136 appears anywhere in this report. A parent that starts a child with CREATE_SUSPENDED and then resumes it produces exactly this NtResumeThread pattern, so on its own the event is weak evidence of injection. Note also the timestamps: this call (1620985516) is about 3.3 hours earlier than the protection changes (1620997340), far more than the 35 s analysis time, so the two event groups are unlikely to come from one continuous run.

Time | API | Arguments | Status | Return | Repeated
1620985516.488598 | NtResumeThread | thread_handle: 0x00000260; suspend_count: 1; process_identifier: 428 | success | 0 | 0
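To see why the two dynamic signatures (the RWX protection changes in PID 428 above and this thread resume from PID 2136) do not yet add up to confirmed injection, the Python below correlates them. It is an added example, not the sandbox's code. The event records are constructed from the report's tables; the caller_pid field is an assumption, since the report names the caller only in its summary line. A process_handle of 0xffffffff is the current-process pseudo-handle, so the correlation separates a target changing its own page protections from another process doing so through a real handle, which is the case that would actually support hollowing or code injection.

```python
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
NT_CURRENT_PROCESS = 0xFFFFFFFF   # (HANDLE)-1: the calling process itself

# Constructed from the report's two event tables. 'caller_pid' is an assumed
# field; the report only names the caller in its summary line.
EVENTS = [
    {"ts": 1620985516.488598, "api": "NtResumeThread", "caller_pid": 2136,
     "args": {"thread_handle": 0x260, "suspend_count": 1,
              "process_identifier": 428}},
    {"ts": 1620997340.1355, "api": "NtProtectVirtualMemory", "caller_pid": 428,
     "args": {"process_identifier": 428, "process_handle": NT_CURRENT_PROCESS,
              "base_address": 0x75091000, "length": 4096,
              "protection": PAGE_EXECUTE_READWRITE}},
    {"ts": 1620997340.1355, "api": "NtProtectVirtualMemory", "caller_pid": 428,
     "args": {"process_identifier": 428, "process_handle": NT_CURRENT_PROCESS,
              "base_address": 0x76881000, "length": 4096,
              "protection": PAGE_EXECUTE_READWRITE}},
]


def is_rwx(protection: int) -> bool:
    """True for the two page protections that are both writable and executable."""
    return bool(protection & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))


def remote_resumes(events):
    """(source pid, target pid, ts) for NtResumeThread calls into another process."""
    for e in events:
        if e["api"] == "NtResumeThread" and e["args"]["process_identifier"] != e["caller_pid"]:
            yield e["caller_pid"], e["args"]["process_identifier"], e["ts"]


def rwx_protections(events):
    """RWX NtProtectVirtualMemory calls grouped by target pid. 'remote' is True
    only when the caller reached the target through a real handle rather than
    the current-process pseudo-handle."""
    by_target = defaultdict(list)
    for e in events:
        if e["api"] != "NtProtectVirtualMemory" or not is_rwx(e["args"]["protection"]):
            continue
        a = e["args"]
        remote = (a["process_handle"] != NT_CURRENT_PROCESS
                  and a["process_identifier"] != e["caller_pid"])
        by_target[a["process_identifier"]].append(
            {"ts": e["ts"], "by": e["caller_pid"], "remote": remote,
             "base": a["base_address"], "length": a["length"]})
    return by_target


def correlate(events):
    """One finding per remote resume: the RWX changes seen in that target and
    a label saying how much they add to the injection hypothesis."""
    rwx = rwx_protections(events)
    findings = []
    for src, dst, ts in remote_resumes(events):
        hits = rwx.get(dst, [])
        remote_hits = [h for h in hits if h["remote"]]
        if remote_hits:
            label = "remote RWX change in target: strong injection evidence"
        elif hits:
            label = ("only self-applied RWX in target: weak; also matches a "
                     "CREATE_SUSPENDED launcher plus in-process hooking")
        else:
            label = "remote resume only: no RWX change seen in target"
        findings.append({"source": src, "target": dst, "resume_ts": ts,
                         "rwx_events": hits, "remote_rwx": len(remote_hits),
                         "label": label})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['source']} -> {f['target']}: {len(f['rwx_events'])} RWX change(s), "
              f"{f['remote_rwx']} through a remote handle; {f['label']}")
```

On the report's events this yields one finding, 2136 -> 428 with two RWX changes and zero made through a remote handle, so it gets the weak label. Feeding the same function a record in which 2136 calls NtProtectVirtualMemory on 428 through a real handle flips the label to the strong one; that is the event a detection rule should key on, with NtResumeThread as the trigger rather than the evidence.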
Generates some ICMP traffic (note: the ICMP table later in this report records no ICMP traffic, so the signature fired on data the network capture does not show)
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Most engines agree on the same thing: a Sogou software downloader classed as PUA, adware or riskware (e.g. Kaspersky not-a-virus:Downloader.Win32.Sogou.g, Microsoft PUA:Win32/Sogou, ESET Win32/Sogou.H potentially unwanted). The handful of trojan and worm family names (DrWeb BackDoor.Gbot, NANO Trojan.Win32.Gbot, ClamAV Win.Worm.Chir, CAT-QuickHeal Trojan.MauvaiseRI) conflict with that consensus and should be weighed against it before this is escalated as a trojan infection.

Engine | Result
Bkav | W32.HfsAdware.170E
DrWeb | BackDoor.Gbot.2850
FireEye | Generic.mg.c27795b82f151473
CAT-QuickHeal | Trojan.MauvaiseRI.S5244821
McAfee | PUP-FTL
Cylance | Unsafe
Zillya | Downloader.SogouCRTD.Win32.237
Sangfor | Malware
K7AntiVirus | Unwanted-Program ( 004cca081 )
Alibaba | Downloader:Win32/Sogou.8ad47e94
K7GW | Unwanted-Program ( 004cca081 )
Invincea | heuristic
F-Prot | W32/Sogou.H.gen!Eldorado
Symantec | SMG.Heur!gen
APEX | Malicious
Avast | Win32:Malware-gen
ClamAV | Win.Worm.Chir-2282
Kaspersky | not-a-virus:Downloader.Win32.Sogou.g
NANO-Antivirus | Trojan.Win32.Gbot.fgypno
AegisLab | Adware.Win32.Sogou.2!c
Endgame | malicious (high confidence)
Emsisoft | Application.Chindo (A)
Comodo | Application.Win32.Sogou.C@6e9656
F-Secure | Adware.ADWARE/Sogou.wqqyp
VIPRE | Trojan.Win32.Generic!BT
TrendMicro | TROJ_GEN.R002C0OC820
Sophos | Generic PUA DF (PUA)
Ikarus | PUA.Sogou
Cyren | W32/Sogou.H.gen!Eldorado
Avira | ADWARE/Sogou.wqqyp
Antiy-AVL | RiskWare[Downloader]/Win32.Sogou
Microsoft | PUA:Win32/Sogou
ViRobot | Adware.Sogou.2383432.AFM
ZoneAlarm | not-a-virus:Downloader.Win32.Sogou.g
Cynet | Malicious (score: 100)
AhnLab-V3 | PUP/Win32.Downloader.R180775
VBA32 | Downloader.Sogou
Malwarebytes | Adware.Sogou
ESET-NOD32 | a variant of Win32/Sogou.H potentially unwanted
TrendMicro-HouseCall | TROJ_GEN.R002C0OC820
Yandex | PUA.Downloader!
SentinelOne | DFI - Malicious PE
eGambit | Unsafe.AI_Score_99%
Fortinet | Riskware/Sogou
AVG | Win32:Malware-gen
CrowdStrike | win/malicious_confidence_80% (D)
Visual analysis

Binary image: none generated for this sample.
Runtime screenshots: none captured while the sample ran.

PE Compile Time

2016-04-18 21:10:46

Imports

Imports that line up with the behaviour above: FindResourceW, LoadResource, LockResource and SizeofResource (reading the embedded EXE resource), the WININET set InternetOpenW, HttpOpenRequestW, HttpSendRequestW and InternetReadFile (HTTP download), ShellExecuteExW and ShellExecuteW (launching dropped files), OpenSCManagerW, OpenServiceW and QueryServiceStatus (querying a service's state), Netbios and DeviceIoControl (often used for NIC or disk fingerprinting), CreateMutexW (single-instance guard), and IsDebuggerPresent. Import names alone do not prove any of these uses; they are worth noting because they match the resource, download and file-drop findings.

Library KERNEL32.dll:
0x42d020 CloseHandle
0x42d024 DebugBreak
0x42d028 GetCommandLineW
0x42d02c GetTempPathW
0x42d030 CompareStringW
0x42d034 GetProcessHeap
0x42d038 SetEndOfFile
0x42d03c WriteConsoleW
0x42d040 SetStdHandle
0x42d044 SetFilePointer
0x42d048 lstrlenW
0x42d04c PeekNamedPipe
0x42d054 GetFullPathNameW
0x42d05c FlushFileBuffers
0x42d060 GetConsoleMode
0x42d064 GetConsoleCP
0x42d068 FindFirstFileExW
0x42d06c GetDriveTypeW
0x42d078 CreateThread
0x42d07c ExitThread
0x42d080 MultiByteToWideChar
0x42d084 CreateFileW
0x42d088 WriteFile
0x42d08c OutputDebugStringW
0x42d098 lstrlenA
0x42d09c LockResource
0x42d0a0 SizeofResource
0x42d0a4 GetModuleHandleW
0x42d0a8 LoadResource
0x42d0ac FindResourceW
0x42d0b4 FreeResource
0x42d0b8 CreateFileA
0x42d0bc CreateMutexW
0x42d0c0 lstrcmpW
0x42d0c4 GetSystemDirectoryW
0x42d0c8 DeviceIoControl
0x42d0cc ReadFile
0x42d0d0 CopyFileW
0x42d0d4 GetLastError
0x42d0d8 HeapFree
0x42d0dc HeapSetInformation
0x42d0e0 GetStartupInfoW
0x42d0e4 RaiseException
0x42d0e8 TerminateProcess
0x42d0ec GetCurrentProcess
0x42d0f8 IsDebuggerPresent
0x42d0fc HeapAlloc
0x42d104 EncodePointer
0x42d108 DecodePointer
0x42d10c HeapCreate
0x42d110 GetCPInfo
0x42d114 GetACP
0x42d118 GetOEMCP
0x42d11c IsValidCodePage
0x42d120 TlsAlloc
0x42d124 TlsGetValue
0x42d128 TlsSetValue
0x42d12c TlsFree
0x42d130 SetLastError
0x42d134 GetCurrentThreadId
0x42d138 GetProcAddress
0x42d13c LCMapStringW
0x42d140 GetStringTypeW
0x42d144 ExitProcess
0x42d148 GetStdHandle
0x42d14c GetModuleFileNameW
0x42d158 SetHandleCount
0x42d160 GetFileType
0x42d16c GetTickCount
0x42d170 GetCurrentProcessId
0x42d180 RtlUnwind
0x42d184 Sleep
0x42d188 HeapSize
0x42d18c WideCharToMultiByte
0x42d190 GetUserDefaultLCID
0x42d194 GetLocaleInfoW
0x42d198 GetLocaleInfoA
0x42d19c EnumSystemLocalesA
0x42d1a0 IsValidLocale
0x42d1a4 FreeLibrary
0x42d1a8 InterlockedExchange
0x42d1ac LoadLibraryW
0x42d1b0 HeapReAlloc
0x42d1b8 CreateDirectoryW
0x42d1c0 WaitForSingleObject
0x42d1c4 OutputDebugStringA
0x42d1cc FindFirstFileW
0x42d1d0 FindNextFileW
0x42d1d4 FindClose
0x42d1d8 GetVersionExW
0x42d1dc GetLocalTime
0x42d1e0 CreateEventW
0x42d1e4 CreateSemaphoreW
0x42d1e8 ResetEvent
0x42d1ec ReleaseSemaphore
0x42d1f0 SetEvent
0x42d1f8 DeleteFileW
0x42d1fc lstrcpynW
0x42d200 lstrcpyW
0x42d204 GetFileSize
Library USER32.dll:
0x42d258 wvsprintfW
0x42d25c wsprintfW
0x42d260 CharNextW
0x42d264 LoadStringW
Library SHELL32.dll:
0x42d228 ShellExecuteExW
0x42d22c ShellExecuteW
0x42d234 SHFileOperationW
Library ole32.dll:
0x42d2a8 CoInitialize
0x42d2ac CoGetClassObject
0x42d2b0 CoCreateGuid
0x42d2b4 CoUninitialize
Library SHLWAPI.dll:
0x42d23c StrCpyW
0x42d240 PathIsDirectoryW
0x42d244 PathFileExistsW
0x42d248 SHSetValueW
0x42d24c SHGetValueW
0x42d250 PathAppendW
Library PSAPI.DLL:
0x42d220 GetModuleBaseNameW
Library WININET.dll:
0x42d27c InternetConnectW
0x42d280 InternetCloseHandle
0x42d284 InternetOpenW
0x42d288 InternetSetOptionW
0x42d290 HttpQueryInfoW
0x42d294 InternetCrackUrlW
0x42d298 HttpSendRequestW
0x42d29c HttpOpenRequestW
0x42d2a0 InternetReadFile
Library VERSION.dll:
0x42d26c VerQueryValueW
0x42d274 GetFileVersionInfoW
Library NETAPI32.dll:
0x42d210 NetApiBufferFree
0x42d218 Netbios
Library ADVAPI32.dll:
0x42d000 RegOpenKeyExA
0x42d004 RegCloseKey
0x42d008 OpenSCManagerW
0x42d00c OpenServiceW
0x42d010 QueryServiceStatus
0x42d014 CloseServiceHandle
0x42d018 RegQueryValueExA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 49235 | 114.114.114.114 | 53
192.168.56.101 | 50534 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 65004 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 55368 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 60123 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 1900 | 239.255.255.250 | 1900
192.168.56.101 | 50535 | 239.255.255.250 | 3702
192.168.56.101 | 50537 | 239.255.255.250 | 3702
192.168.56.101 | 56540 | 239.255.255.250 | 3702
192.168.56.101 | 56807 | 239.255.255.250 | 1900
192.168.56.101 | 58707 | 239.255.255.250 | 3702

Everything except the four DNS queries to 114.114.114.114 is Windows background traffic from the sandbox VM: NetBIOS name and datagram broadcasts (137/138 to 192.168.56.255), LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) and WS-Discovery (239.255.255.250:3702). The names looked up in the DNS queries are not recorded in this report, so the DNS rows are the only network rows attributable to the sample.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none collected, even though the behaviour section records 14 executables written to disk.
Dropped buffers: none collected.