SmartHawk

6.4

高危

65 个模型检测该样本为恶意！

重新分析

下载样本

f1ee5bac0651f76fdca0b0043f8bad0bccc20b92678e4f535d42d15c119f1939

c2c7435f7d2d73b90be6b9616e54688f.exe

分析耗时

90s

最近分析

文件大小

355.6KB

静态报毒动态报毒 100% 6ZVKJKYFMDY A@4KNK5Y AI SCORE=88 AIDETECTVM BACKDOOR PROGRAM CHILLY CLASSIC CONFIDENCE DCMGREEN DELF DELPHI DMUKV DQQD GENASA HIGH CONFIDENCE KCLOUD LH0Z LUIHA MALICIOUS PE MALWARE1 MULDROP6 PJEB R + TROJ R231801 SCORE SMIA STATIC AI UNSAFE WABOT 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Backdoor:Win32/Wabot.f67e0505	20190527	0.3.0.5
Baidu	Win32.Backdoor.Wabot.a	20190318	1.0.0.2
Avast	Win32:Delf-VJY [Trj]	20201210	21.1.5827.0
Kingsoft	Win32.Hack.Wabot.a.(kcloud)	20201211	2017.9.26.565
McAfee	W32/Wabot	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:781845259&cup2hreq=909f34ae250e8baee0b5066b0c9ad9e80ef39cf3f0ea897895d2ef9a9ee349a5

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=63a95cb59b9b309f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:781845259&cup2hreq=909f34ae250e8baee0b5066b0c9ad9e80ef39cf3f0ea897895d2ef9a9ee349a5

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:781845259&cup2hreq=909f34ae250e8baee0b5066b0c9ad9e80ef39cf3f0ea897895d2ef9a9ee349a5

Creates executable files on the filesystem (30 个事件)

file	C:\Windows\System32\DC++ Share\Chess.exe
file	C:\Windows\System32\xdccPrograms\InputPersonalization.exe
file	C:\Windows\System32\DC++ Share\SpiderSolitaire.exe
file	C:\Windows\System32\DC++ Share\PDIALOG.exe
file	C:\Windows\System32\DC++ Share\chkrzm.exe
file	C:\Windows\System32\xdccPrograms\FlickLearningWizard.exe
file	C:\Windows\System32\DC++ Share\setup.exe
file	C:\Windows\System32\DC++ Share\VBoxControl.exe
file	C:\Windows\System32\DC++ Share\Journal.exe
file	C:\Windows\System32\DC++ Share\shvlzm.exe
file	C:\Windows\System32\xdccPrograms\InkWatson.exe
file	C:\Windows\System32\DC++ Share\MSASCui.exe
file	C:\Windows\System32\DC++ Share\Solitaire.exe
file	C:\Windows\System32\DC++ Share\master_prefere.exe
file	C:\Windows\System32\xdccPrograms\ConvertInkStore.exe
file	C:\Windows\System32\DC++ Share\MpCmdRun.exe
file	C:\Windows\System32\DC++ Share\Mahjong.exe
file	C:\Windows\System32\DC++ Share\iexplore.exe
file	C:\Windows\System32\DC++ Share\VBoxTray.exe
file	C:\Windows\System32\DC++ Share\ieinstal.exe
file	C:\Windows\System32\DC++ Share\chrome_proxy.exe
file	C:\Windows\System32\DC++ Share\FreeCell.exe
file	C:\Windows\System32\DC++ Share\wabmig.exe
file	C:\Windows\System32\DC++ Share\setup_wm.exe
file	C:\Windows\System32\DC++ Share\uninst.exe
file	C:\Windows\System32\xdccPrograms\mip.exe
file	C:\Windows\System32\DC++ Share\VBoxWHQLFake.exe
file	C:\Windows\System32\DC++ Share\ielowutil.exe
file	C:\Windows\System32\DC++ Share\VBoxDrvInst.exe
file	C:\Windows\System32\DC++ Share\wab.exe

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

reg_value

Explorer.exe sIRC4.exe

Detects VirtualBox through the presence of a file (4 个事件)

file	C:\Windows\System32\DC++ Share\VBoxControl.exe
file	C:\Windows\System32\DC++ Share\VBoxTray.exe
file	C:\Windows\System32\DC++ Share\VBoxDrvInst.exe
file	C:\Windows\System32\DC++ Share\VBoxWHQLFake.exe

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Agent.DQQD
FireEye	Generic.mg.c2c7435f7d2d73b9
CAT-QuickHeal	Trojan.Wabot.A8
ALYac	Trojan.Agent.DQQD
Cylance	Unsafe
Zillya	Backdoor.Wabot.Win32.1
SUPERAntiSpyware	Backdoor.Wabot
Sangfor	Malware
K7AntiVirus	Trojan ( 0055c5c91 )
Alibaba	Backdoor:Win32/Wabot.f67e0505
K7GW	Trojan ( 0055c5c91 )
Cybereason	malicious.f7d2d7
Arcabit	Trojan.Agent.DQQD
Baidu	Win32.Backdoor.Wabot.a
Cyren	W32/Backdoor.PJEB-4161
Symantec	W32.Wabot
TotalDefense	Win32/DCMgreen.A
APEX	Malicious
Avast	Win32:Delf-VJY [Trj]
Cynet	Malicious (score: 100)
Kaspersky	Backdoor.Win32.Wabot.a
BitDefender	Trojan.Agent.DQQD
NANO-Antivirus	Trojan.Win32.Wabot.dmukv
Paloalto	generic.ml
ViRobot	Backdoor.Win32.Wabot.157619
Ad-Aware	Trojan.Agent.DQQD
Sophos	Mal/Generic-R + Troj/Luiha-M
Comodo	Backdoor.Win32.Wabot.A@4knk5y
F-Secure	Trojan.TR/Dldr.Delphi.Gen
DrWeb	Trojan.MulDrop6.64369
VIPRE	BehavesLike.Win32.Malware.ssc (mx-v)
TrendMicro	BKDR_WABOT.SMIA
McAfee-GW-Edition	BehavesLike.Win32.Wabot.fc
Emsisoft	Trojan.Agent.DQQD (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor/Wabot.z
Avira	TR/Dldr.Delphi.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Wabot.a
Kingsoft	Win32.Hack.Wabot.a.(kcloud)
Gridinsoft	Backdoor.Win32.Wabot.bot!s1
Microsoft	Backdoor:Win32/Wabot.A
AegisLab	Trojan.Win32.Wabot.lh0Z
ZoneAlarm	Backdoor.Win32.Wabot.a
GData	Win32.Backdoor.Wabot.A
TACHYON	Backdoor/W32.DP-WaBot.Zen
AhnLab-V3	Backdoor/Win32.Wabot.R231801
Acronis	suspicious
McAfee	W32/Wabot

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:40:53

Imports

Library kernel32.dll:

• 0x4110c8 DeleteCriticalSection

• 0x4110cc LeaveCriticalSection

• 0x4110d0 EnterCriticalSection

• 0x4110d4 InitializeCriticalSection

• 0x4110d8 VirtualFree

• 0x4110dc VirtualAlloc

• 0x4110e0 LocalFree

• 0x4110e4 LocalAlloc

• 0x4110e8 GetCurrentThreadId

• 0x4110ec GetStartupInfoA

• 0x4110f0 GetModuleFileNameA

• 0x4110f4 GetLastError

• 0x4110f8 GetCommandLineA

• 0x4110fc FreeLibrary

• 0x411100 ExitProcess

• 0x411104 CreateThread

• 0x411108 WriteFile

• 0x41110c UnhandledExceptionFilter

• 0x411110 SetFilePointer

• 0x411114 SetEndOfFile

• 0x411118 RtlUnwind

• 0x41111c ReadFile

• 0x411120 RaiseException

• 0x411124 GetStdHandle

• 0x411128 GetFileSize

• 0x41112c GetSystemTime

• 0x411130 GetFileType

• 0x411134 CreateFileA

• 0x411138 CloseHandle

Library user32.dll:

• 0x411140 GetKeyboardType

• 0x411144 MessageBoxA

• 0x411148 CharNextA

Library advapi32.dll:

• 0x411150 RegQueryValueExA

• 0x411154 RegOpenKeyExA

• 0x411158 RegCloseKey

Library oleaut32.dll:

• 0x411160 SysFreeString

Library kernel32.dll:

• 0x411168 TlsSetValue

• 0x41116c TlsGetValue

• 0x411170 LocalAlloc

• 0x411174 GetModuleHandleA

Library advapi32.dll:

• 0x41117c RegQueryValueExA

• 0x411180 RegOpenKeyExA

• 0x411184 RegCloseKey

Library kernel32.dll:

• 0x41118c WritePrivateProfileStringA

• 0x411190 WinExec

• 0x411194 UpdateResourceA

• 0x411198 Sleep

• 0x41119c SetFilePointer

• 0x4111a0 ReadFile

• 0x4111a4 GetSystemDirectoryA

• 0x4111a8 GetLastError

• 0x4111ac GetFileAttributesA

• 0x4111b0 FindNextFileA

• 0x4111b4 FindFirstFileA

• 0x4111b8 FindClose

• 0x4111bc FileTimeToLocalFileTime

• 0x4111c0 FileTimeToDosDateTime

• 0x4111c4 ExitProcess

• 0x4111c8 EndUpdateResourceA

• 0x4111cc DeleteFileA

• 0x4111d0 CreateThread

• 0x4111d4 CreateMutexA

• 0x4111d8 CreateFileA

• 0x4111dc CreateDirectoryA

• 0x4111e0 CopyFileA

• 0x4111e4 CloseHandle

• 0x4111e8 BeginUpdateResourceA

Library user32.dll:

• 0x4111f0 SetTimer

• 0x4111f4 GetMessageA

• 0x4111f8 DispatchMessageA

• 0x4111fc CharUpperBuffA

Library wsock32.dll:

• 0x411204 WSACleanup

• 0x411208 WSAStartup

• 0x41120c gethostbyname

• 0x411210 socket

• 0x411214 send

• 0x411218 select

• 0x41121c recv

• 0x411220 ntohs

• 0x411224 listen

• 0x411228 inet_ntoa

• 0x41122c inet_addr

• 0x411230 htons

• 0x411234 htonl

• 0x411238 getsockname

• 0x41123c connect

• 0x411240 closesocket

• 0x411244 bind

• 0x411248 accept

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
redirector.gvt1.com	A 203.208.41.33	203.208.41.97
update.googleapis.com	A 203.208.41.66	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49184	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49185	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49183	203.208.41.33 redirector.gvt1.com	80
192.168.56.101	49182	203.208.41.66 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=63a95cb59b9b309f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=63a95cb59b9b309f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=63a95cb59b9b309f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=63a95cb59b9b309f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619837298&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.