Score: 7.4
Risk level: High

SHA256: a356d92ade4d8d537ea6dfabe765d4cd2ff851faae1d4551b91e50b47aac216f

File name: cd8ef9620a6b9ca18a6647d977398606.exe

Analysis duration: 128s

Last analyzed:

File size: 422.0KB
Static scan: malicious. Dynamic scan: malicious.
Detection tags: AI SCORE=80 AIDETECTVM AUW@AU517KP BSCOPE CLIPBANKER CLOUD CONFIDENCE GDSDA GENERICRXLB HHKYQP HWTT MALICIOUS MALREP MALWARE2 MALWARE@#31UZZBBFZKJEJ MULDROP11 OCCAMY RAZY SCROP SUSPICIOUS PE TBIS THEOHBO TROJANBANKER TROJANX UNSAFE ZEXAF

HawkEye engine (鹰眼引擎): not detected (no HawkEye engine results available for this sample)
Static verdict

Antivirus engines

Engine | Result | Scan date | Engine version
McAfee | GenericRXLB-UP!CD8EF9620A6B | 20200811 | 6.0.6.653
Alibaba | TrojanBanker:Win32/ClipBanker.376fab46 | 20190527 | 0.3.0.5
Baidu | | 20190318 | 1.0.0.2
Avast | Win32:TrojanX-gen [Trj] | 20200811 | 18.4.3895.0
Tencent | Win32.Trojan-banker.Clipbanker.Tbis | 20200811 | 1.0.0.1
Kingsoft | | 20200811 | 2013.8.14.323
CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0
Static indicators

Queries the computer name (3 events)
Time | API | Arguments | Status | Return | Repeated
1619906616.328625 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619906616.328625 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619906616.422625 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0

Checks whether the process is being debugged by a debugger (1 event)
Time | API | Arguments | Status | Return | Repeated
1619933528.659875 | IsDebuggerPresent | | failed | 0 | 0

Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1619906614.843625 | GlobalMemoryStatusEx | | success | 1 | 0

The file contains an unknown PE resource name, possibly indicative of a packer (1 event)
resource name: CURSOR
Behavioral verdict

Dynamic indicators

HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:2614917776&cup2hreq=89f0e03c07493d18d7f9085f3d47980d6a94e736049e8ed941874370e264e60e

Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619904718&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b772a6658326292b&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619904050&mv=u
request POST https://update.googleapis.com/service/update2?cup2key=10:2614917776&cup2hreq=89f0e03c07493d18d7f9085f3d47980d6a94e736049e8ed941874370e264e60e
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2614917776&cup2hreq=89f0e03c07493d18d7f9085f3d47980d6a94e736049e8ed941874370e264e60e
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time | API | Arguments | Status | Return | Repeated
1619906245.503644 | NtAllocateVirtualMemory | (see below) | success | 0 | 0
    process_identifier: 1424
    region_size: 65536
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    protection: 64 (PAGE_EXECUTE_READWRITE)
    process_handle: 0xffffffffffffffff
    allocation_type: 4096 (MEM_COMMIT)
    base_address: 0x0000000004030000
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
Network communication

Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
File has been identified by 52 antivirus engines on VirusTotal as malicious (50 of 52 events shown)
Bkav W32.AIDetectVM.malware2
MicroWorld-eScan Gen:Variant.Razy.630228
FireEye Generic.mg.cd8ef9620a6b9ca1
CAT-QuickHeal Trojan.ClipBanker
McAfee GenericRXLB-UP!CD8EF9620A6B
Cylance Unsafe
Zillya Trojan.ClipBanker.Win32.3787
Sangfor Malware
K7AntiVirus Trojan ( 0054c4a01 )
Alibaba TrojanBanker:Win32/ClipBanker.376fab46
K7GW Trojan ( 0054c4a01 )
TrendMicro Trojan.Win32.MALREP.THEOHBO
Symantec Trojan Horse
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky Trojan-Banker.Win32.ClipBanker.krw
BitDefender Gen:Variant.Razy.630228
NANO-Antivirus Trojan.Win32.ClipBanker.hhkyqp
ViRobot Trojan.Win32.Z.Clipbanker.432128
Tencent Win32.Trojan-banker.Clipbanker.Tbis
Ad-Aware Gen:Variant.Razy.630228
Comodo Malware@#31uzzbbfzkjej
DrWeb Trojan.MulDrop11.52446
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Fortinet W32/ClipBanker.IR!tr
Sophos Mal/Generic-S
Paloalto generic.ml
Cyren W32/Trojan.HWTT-6293
Jiangmin Trojan.Banker.ClipBanker.aee
MAX malware (ai score=80)
Antiy-AVL Trojan[Banker]/Win32.ClipBanker
Arcabit Trojan.Razy.D99DD4
AegisLab Trojan.Win32.ClipBanker.7!c
ZoneAlarm Trojan-Banker.Win32.ClipBanker.krw
Microsoft Trojan:Win32/Occamy.CA3
AhnLab-V3 Malware/Win32.Generic.C4062956
BitDefenderTheta Gen:NN.ZexaF.34152.AuW@au517Kp
ALYac Gen:Variant.Razy.630228
VBA32 BScope.TrojanDropper.Scrop
Malwarebytes Trojan.ClipBanker
ESET-NOD32 a variant of Win32/ClipBanker.IR
TrendMicro-HouseCall Trojan.Win32.MALREP.THEOHBO
Rising Trojan.ClipBanker!8.5FB (CLOUD)
Yandex Trojan.ClipBanker!
SentinelOne DFI - Suspicious PE
GData Gen:Variant.Razy.630228
Webroot W32.Trojan.Gen
AVG Win32:TrojanX-gen [Trj]
Panda Trj/GdSda.A
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.27.142:443
Visual analysis

Binary image

No binary image: this sample did not generate a binary visualization image.

Runtime screenshots

No runtime screenshots: no screenshots were captured while this sample ran.


PE Compile Time

2020-03-15 02:59:56

Imports

Library KERNEL32.dll:
0x417000 CreateMutexW
0x417004 GetLastError
0x417008 CloseHandle
0x41700c ReadProcessMemory
0x417010 Sleep
0x417014 ExitProcess
0x417018 EnumResourceNamesW
0x41701c FindResourceW
0x417020 LoadResource
0x417024 LockResource
0x417028 SizeofResource
0x41702c GetModuleFileNameW
0x417030 CreateDirectoryW
0x417034 CopyFileW
0x417038 CreateProcessW
0x41703c GetFileAttributesW
0x417050 GlobalFree
0x417054 GetTickCount
0x417058 GlobalLock
0x41705c GlobalSize
0x417060 GlobalUnlock
0x417064 GlobalAlloc
0x417068 CreateEventA
0x41706c CreateThread
0x417074 GetExitCodeThread
0x417078 TerminateThread
0x41707c SetLastError
0x417080 SetEvent
0x417084 WriteConsoleW
0x417088 CreateFileW
0x41708c SetFilePointerEx
0x417090 GetConsoleMode
0x417094 GetConsoleCP
0x417098 FlushFileBuffers
0x41709c HeapReAlloc
0x4170a0 HeapSize
0x4170a4 GetProcessHeap
0x4170a8 LCMapStringW
0x4170ac GetStringTypeW
0x4170b0 GetFileType
0x4170b4 SetStdHandle
0x4170c0 WideCharToMultiByte
0x4170c4 MultiByteToWideChar
0x4170c8 GetCommandLineW
0x4170cc GetCommandLineA
0x4170d0 GetCPInfo
0x4170d4 GetOEMCP
0x4170d8 GetACP
0x4170dc IsValidCodePage
0x4170e0 FindNextFileW
0x4170e4 FindFirstFileExW
0x4170e8 FindClose
0x4170f0 GetCurrentProcessId
0x4170f4 GetCurrentThreadId
0x4170fc InitializeSListHead
0x417100 IsDebuggerPresent
0x41710c GetStartupInfoW
0x417114 GetModuleHandleW
0x417118 GetCurrentProcess
0x41711c TerminateProcess
0x417120 LocalFree
0x417124 RtlUnwind
0x417128 RaiseException
0x41712c EncodePointer
0x417134 TlsAlloc
0x417138 TlsGetValue
0x41713c TlsSetValue
0x417140 TlsFree
0x417144 FreeLibrary
0x417148 GetProcAddress
0x41714c LoadLibraryExW
0x417150 GetStdHandle
0x417154 WriteFile
0x417158 GetModuleHandleExW
0x41715c HeapFree
0x417160 HeapAlloc
0x417164 DecodePointer
Library SHELL32.dll:
Library USER32.dll:
0x417184 DestroyWindow
0x417188 DispatchMessageW
0x41718c TranslateMessage
0x417190 GetMessageW
0x417198 CreateWindowExW
0x4171a0 GetWindowLongW
0x4171a4 SetWindowLongW
0x4171a8 RegisterClassW
0x4171ac GetClassInfoW
0x4171b0 CloseWindow
0x4171b4 DefWindowProcW
0x4171bc IsWindow
0x4171c0 SetClipboardData
0x4171c4 EmptyClipboard
0x4171c8 GetClipboardData
0x4171cc CloseClipboard
0x4171d0 OpenClipboard
Library ole32.dll:
0x4171dc CoInitializeEx
0x4171e0 CoCreateInstance
0x4171e4 CoUninitialize
Library OLEAUT32.dll:
0x41716c VariantInit
0x417170 SysFreeString
0x417174 SysAllocString

Hosts

No hosts contacted.

TCP

Source | Source port | Destination | Destination port
192.168.56.101 | 49188 | 113.108.239.194 (r1---sn-j5o7dn7e.gvt1.com) | 80
192.168.56.101 | 49189 | 113.108.239.196 (r3---sn-j5o7dn7e.gvt1.com) | 80
192.168.56.101 | 49187 | 203.208.41.65 (redirector.gvt1.com) | 80
192.168.56.101 | 49186 | 203.208.41.98 (update.googleapis.com) | 443

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 49235 | 114.114.114.114 | 53
192.168.56.101 | 49713 | 114.114.114.114 | 53
192.168.56.101 | 53657 | 114.114.114.114 | 53
192.168.56.101 | 54178 | 114.114.114.114 | 53
192.168.56.101 | 54260 | 114.114.114.114 | 53
192.168.56.101 | 54991 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 58070 | 114.114.114.114 | 53
192.168.56.101 | 63429 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123
192.168.56.101 | 50002 | 224.0.0.252 | 5355
192.168.56.101 | 50534 | 224.0.0.252 | 5355
192.168.56.101 | 50568 | 224.0.0.252 | 5355
192.168.56.101 | 51808 | 224.0.0.252 | 5355
192.168.56.101 | 51963 | 224.0.0.252 | 5355
192.168.56.101 | 53210 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b772a6658326292b&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619904050&mv=u
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b772a6658326292b&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619904050&mv=u HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619904718&mv=u&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619904718&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.