7.6
高危
2 个模型检测该样本为恶意!
重新分析
更多

9886429a6d444a36e95c9881aaa569d2aa7169d3b2c23fa2e17590d2a67d93ae

cbb826c53d54f1de1652c708709defe7.exe

分析耗时

107s

最近分析

文件大小

6.1MB
静态报毒 动态报毒 CLASSIC CVE-2018-2025 NETCAT
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba 20190527 0.3.0.5
Avast 20210506 21.1.5827.0
Tencent 20210507 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20210507 2017.9.26.565
McAfee 20210504 6.0.6.653
CrowdStrike 20210203 1.0
静态指标
Queries for the computername (6 个事件)
Time & API Arguments Status Return Repeated
1620988235.990001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620988236.568001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620988236.662001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620988236.662001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620988237.709001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620988237.740001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620988220.771001
IsDebuggerPresent
failed 0 0
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620988220.677001
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3270887551&cup2hreq=453f68f5216048b52763c717d04674ef21087a737456e60394be01bb796bb498
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620959302&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=3bf4913d92f5be16&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620959302&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:3270887551&cup2hreq=453f68f5216048b52763c717d04674ef21087a737456e60394be01bb796bb498
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:3270887551&cup2hreq=453f68f5216048b52763c717d04674ef21087a737456e60394be01bb796bb498
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1620988293.919311
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000045d0000
success 0 0
Creates executable files on the filesystem (35 个事件)
file c:\totalcmd\UNRAR9X.DLL
file c:\totalcmd\TC7Z64.DLL
file c:\totalcmd\SHARE_NT.EXE
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander.lnk
file c:\totalcmd\TCLZMA64.DLL
file c:\totalcmd\TCMDX64.EXE
file c:\totalcmd\TC7ZIPIF.DLL
file c:\totalcmd\UNACEV2.DLL
file c:\totalcmd\FRERES32.DLL
file c:\totalcmd\TCMDLZMA.DLL
file c:\totalcmd\NOCLOSE64.EXE
file c:\totalcmd\WCMZIP32.DLL
file c:\totalcmd\TcUsbRun.exe
file C:\Users\Administrator.Oskar-PC\Desktop\Total Commander.lnk
file c:\totalcmd\WCMICONS.DLL
file c:\totalcmd\TCUNZLIB.DLL
file c:\totalcmd\WC32TO16.EXE
file c:\totalcmd\TOTALCMD.EXE
file C:\Users\Administrator.Oskar-PC\Desktop\Total Commander 64 bit.lnk
file c:\totalcmd\TCMDX32.EXE
file c:\totalcmd\TC7Z.DLL
file c:\totalcmd\TCMADM64.EXE
file c:\totalcmd\TCUNZL64.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk
file c:\totalcmd\UNRAR.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander 64 bit.lnk
file c:\totalcmd\NOCLOSE.EXE
file c:\totalcmd\CABRK.DLL
file c:\totalcmd\UNRAR64.DLL
file c:\totalcmd\WCMZIP64.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander Help.lnk
file c:\totalcmd\TCUNIN64.EXE
file c:\totalcmd\TOTALCMD64.EXE
file c:\totalcmd\TCMADMIN.EXE
file c:\totalcmd\TCUNINST.EXE
Creates a shortcut to an executable file (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander 64 bit.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Total Commander.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander Help.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Total Commander 64 bit.lnk
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 个事件)
ClamAV Win.Malware.Netcat-6917731-0
Rising Exploit.CVE-2018-20250!1.B604 (CLASSIC)
Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 个事件)
Time & API Arguments Status Return Repeated
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620988232.724001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 94.100.180.110
Harvests credentials from local FTP client softwares (4 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\SOFTWARE\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\SOFTWARE\Ghisler\Total Commander
registry HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler\Total Commander
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1620988293.013311
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x00000000ff35ae10
module_address: 0x00000000ff2b0000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 3408219 0
Detects the presence of Wine emulator (1 个事件)
Time & API Arguments Status Return Repeated
1620988220.724001
LdrGetProcedureAddress
ordinal: 0
module: ntdll
module_address: 0x77d30000
function_address: 0x004189a4
function_name: wine_get_version
failed 3221225785 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2015-09-07 17:58:18

Imports

Library KERNEL32.dll:
0x416070 CopyFileA
0x416074 WinExec
0x416078 GetUserDefaultLCID
0x41607c GlobalFree
0x416080 GlobalAlloc
0x416084 GetModuleFileNameA
0x416088 GetVersionExA
0x41608c GetCommandLineA
0x416090 GetDriveTypeA
0x416094 GetSystemDirectoryA
0x416098 GetFileSize
0x41609c IsValidCodePage
0x4160a0 WideCharToMultiByte
0x4160a4 GetOEMCP
0x4160a8 GetACP
0x4160ac CompareStringW
0x4160b0 CompareStringA
0x4160b4 GetCPInfo
0x4160b8 GetStringTypeW
0x4160bc GetStringTypeA
0x4160c4 GetStdHandle
0x4160c8 SetHandleCount
0x4160e0 LCMapStringW
0x4160e4 LCMapStringA
0x4160e8 HeapReAlloc
0x4160ec VirtualAlloc
0x4160f0 VirtualFree
0x4160f4 HeapCreate
0x4160f8 HeapDestroy
0x4160fc GetVersion
0x416100 GetStartupInfoA
0x416104 TerminateProcess
0x416108 ExitProcess
0x41610c HeapAlloc
0x416110 HeapFree
0x416114 RtlUnwind
0x416124 CreateFileA
0x416128 SetFilePointer
0x41612c ReadFile
0x416130 WriteFile
0x416134 SetFileTime
0x416138 DeleteFileA
0x416140 CreateDirectoryA
0x416144 GetTickCount
0x41614c Sleep
0x416150 GetCurrentProcess
0x416154 OpenProcess
0x416158 GetProcAddress
0x41615c LoadLibraryA
0x416160 GetModuleHandleA
0x416164 CloseHandle
0x416168 GetLastError
0x41616c FindFirstFileA
0x416170 FindNextFileA
0x416174 FindClose
0x416178 MultiByteToWideChar
0x41617c GetFileAttributesA
0x416180 GetFileType
0x416184 SetFileAttributesA
Library USER32.dll:
0x41618c BeginPaint
0x416190 CharLowerA
0x416198 FindWindowA
0x41619c GetMessageA
0x4161a0 UpdateWindow
0x4161a4 CreateWindowExA
0x4161a8 RegisterClassA
0x4161ac LoadIconA
0x4161b0 OemToCharA
0x4161b4 IsWindowUnicode
0x4161b8 EndPaint
0x4161bc PostQuitMessage
0x4161c0 DefWindowProcA
0x4161c4 GetSystemMetrics
0x4161c8 BringWindowToTop
0x4161cc SetForegroundWindow
0x4161d0 LoadCursorA
0x4161d4 SetCursor
0x4161d8 CharPrevA
0x4161dc MessageBoxA
0x4161e0 CharUpperA
0x4161e4 PostMessageA
0x4161e8 MessageBoxW
0x4161ec EnumWindows
0x4161f0 GetClassNameA
0x4161f4 GetClassLongA
0x4161fc EnableWindow
0x416200 CheckRadioButton
0x416204 GetKeyState
0x416208 IsDlgButtonChecked
0x41620c CheckDlgButton
0x416210 SetFocus
0x416214 DialogBoxParamW
0x416218 DialogBoxParamA
0x41621c MessageBeep
0x416220 SendDlgItemMessageW
0x416224 EndDialog
0x416228 SendMessageW
0x41622c SendMessageA
0x416230 GetDlgItemTextA
0x416234 DestroyWindow
0x416238 CreateDialogParamW
0x41623c CreateDialogParamA
0x416240 GetDlgItem
0x416244 ShowWindow
0x416248 IsIconic
0x41624c GetSystemMenu
0x416250 DeleteMenu
0x416254 GetDC
0x416258 GetClientRect
0x41625c FillRect
0x416260 wsprintfA
0x416264 GetSysColor
0x416268 DrawTextA
0x41626c ReleaseDC
0x416270 SendDlgItemMessageA
0x416274 SetWindowTextA
0x416278 SetDlgItemTextW
0x41627c SetDlgItemTextA
0x416280 GetWindowRect
0x416284 GetParent
0x416288 MoveWindow
0x41628c PeekMessageA
0x416290 IsDialogMessageA
0x416294 TranslateMessage
0x416298 DispatchMessageA
0x41629c GetWindowTextA
Library GDI32.dll:
0x416044 CreateFontA
0x416048 SelectObject
0x41604c GetStockObject
0x416050 DeleteObject
0x416054 CreateSolidBrush
0x416058 SetBkColor
0x41605c SetBkMode
0x416060 IntersectClipRect
0x416064 SetTextColor
Library ADVAPI32.dll:
0x416008 GetTokenInformation
0x416010 LookupAccountSidA
0x416014 FreeSid
0x416018 RegCreateKeyExA
0x41601c RegCreateKeyA
0x416020 RegSetValueExA
0x416024 RegCloseKey
0x416028 RegQueryValueExA
0x41602c RegOpenKeyExA
0x416030 GetUserNameA
0x416038 OpenProcessToken
0x41603c LookupAccountNameA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49288 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49293 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49225 203.208.40.66 update.googleapis.com 443
192.168.56.101 49281 203.208.41.33 redirector.gvt1.com 80
94.100.180.110 443 192.168.56.101 49174

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=3bf4913d92f5be16&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620959302&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=3bf4913d92f5be16&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620959302&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620959302&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620959302&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.