SmartHawk

3.8

中危

60 个模型检测该样本为恶意！

重新分析

下载样本

7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf

cf04c482d91c7174616fb8e83288065a.exe

分析耗时

79s

最近分析

文件大小

227.2KB

静态报毒动态报毒 AI SCORE=85 AIDETECTVM BESR BSCOPE CONFIDENCE EHLS ELDORADO ELKD GENCIRC GENERICRXKU GENETIC GENKRYPTIK GOZI GRAYWARE HIGH CONFIDENCE HKVGXM JMKBTSBBG6E KCLOUD KRYPTIK MALICIOUS PE MALWARE1 MALWARE@#3U9VGU1QOLDA3 MINT OQ2@A4VFMWFE R + TROJ R066C0DIA20 R338798 REGOTET SCORE STATIC AI TROJANBANKER UNSAFE URSNIF URSNIFDROPPER V5BRNGRSX9O XAPKH ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:Win32/Ursnif.3b50ad32	20190527	0.3.0.5
Avast	Win32:Trojan-gen	20201210	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10cdd0f7	20201211	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Banker.(kcloud)	20201211	2017.9.26.565
McAfee	GenericRXKU-DV!CF04C482D91C	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619913239.664125 GetComputerNameW	computer_name:	failed	0	0
1619913239.664125 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:1691529049&cup2hreq=fcae96a4a6a2f5440a86d5b70a84df8c419229ec2b8cf1ae99d02d3db5ab06fa

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619884101&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6bfed6bfe715bfd0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619884338&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:1691529049&cup2hreq=fcae96a4a6a2f5440a86d5b70a84df8c419229ec2b8cf1ae99d02d3db5ab06fa

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:1691529049&cup2hreq=fcae96a4a6a2f5440a86d5b70a84df8c419229ec2b8cf1ae99d02d3db5ab06fa

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619913232.664125 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00330000	success
1619913239.320125 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00360000	success
1619913239.320125 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Gozi.683
MicroWorld-eScan	Gen:Heur.Mint.Regotet.1
FireEye	Generic.mg.cf04c482d91c7174
ALYac	Gen:Heur.Mint.Regotet.1
Cylance	Unsafe
Zillya	Trojan.Ursnif.Win32.11386
Sangfor	Malware
K7AntiVirus	Spyware ( 0055ddc51 )
Alibaba	TrojanSpy:Win32/Ursnif.3b50ad32
K7GW	Spyware ( 0055ddc51 )
Cybereason	malicious.2d91c7
Arcabit	Trojan.Mint.Regotet.1
BitDefenderTheta	Gen:NN.ZexaF.34670.oq2@a4VfMwfe
Cyren	W32/S-a2efaf18!Eldorado
Symantec	Packed.Generic.459
ESET-NOD32	Win32/Spy.Ursnif.CZ
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
BitDefender	Gen:Heur.Mint.Regotet.1
NANO-Antivirus	Trojan.Win32.Gozi.hkvgxm
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.10cdd0f7
Ad-Aware	Gen:Heur.Mint.Regotet.1
Emsisoft	Gen:Heur.Mint.Regotet.1 (B)
Comodo	Malware@#3u9vgu1qolda3
F-Secure	Trojan.TR/AD.UrsnifDropper.xapkh
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R066C0DIA20
McAfee-GW-Edition	GenericRXKU-DV!CF04C482D91C
Sophos	Mal/Generic-R + Troj/Agent-BESR
Ikarus	Trojan-Spy.Agent
Jiangmin	Trojan.Banker.Gozi.aod
Webroot	W32.Trojan.Gen
Avira	TR/AD.UrsnifDropper.xapkh
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Kingsoft	Win32.Troj.Banker.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.ba
Microsoft	Trojan:Win32/Gozi.GM!MTB
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
GData	Gen:Heur.Mint.Regotet.1
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Gozi.R338798
Acronis	suspicious
McAfee	GenericRXKU-DV!CF04C482D91C
MAX	malware (ai score=85)
VBA32	BScope.TrojanBanker.Gozi
Malwarebytes	Trojan.Ursnif

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-29 00:02:09

Imports

Library KERNEL32.dll:

• 0x4378cc GetModuleHandleA

• 0x4378d0 LoadLibraryA

• 0x4378d4 GetProcAddress

• 0x4378d8 VirtualAlloc

Library USER32.dll:

• 0x4378e0 LoadIconA

• 0x4378e4 IsGUIThread

• 0x4378e8 IsCharAlphaA

• 0x4378ec IsCharLowerA

• 0x4378f0 IsCharAlphaNumericW

• 0x4378f4 IsCharAlphaNumericA

• 0x4378f8 IsCharLowerW

• 0x4378fc IsCharAlphaW

• 0x437900 IsCharUpperA

• 0x437904 IsClipboardFormatAvailable

• 0x437908 IsCharUpperW

• 0x43790c IsWindowUnicode

• 0x437910 GetDesktopWindow

• 0x437914 GetMenu

Library ADVAPI32.dll:

• 0x43791c RegQueryValueExA

• 0x437920 GetUserNameA

Library MSVCRT.dll:

• 0x437928 __p__commode

• 0x43792c __p__fmode

• 0x437930 __set_app_type

• 0x437934 _controlfp

• 0x437938 _adjust_fdiv

• 0x43793c __setusermatherr

• 0x437940 _initterm

• 0x437944 __getmainargs

• 0x437948 __initenv

• 0x43794c exit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
r4---sn-j5o76n7l.gvt1.com	A 58.63.233.69 CNAME r4.sn-j5o76n7l.gvt1.com	58.63.233.69
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o76n7e.gvt1.com	CNAME r1.sn-j5o76n7e.gvt1.com A 113.108.239.130	113.108.239.130
redirector.gvt1.com	A 203.208.41.65	203.208.41.65
update.googleapis.com	A 203.208.40.34	203.208.40.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49177	113.108.239.130 r1---sn-j5o76n7e.gvt1.com	80
192.168.56.101	49175	203.208.40.34 update.googleapis.com	443
192.168.56.101	49176	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49178	58.63.233.69 r4---sn-j5o76n7l.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619884101&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619884101&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6bfed6bfe715bfd0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619884338&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6bfed6bfe715bfd0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619884338&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r4---sn-j5o76n7l.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619884101&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619884101&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6bfed6bfe715bfd0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619884338&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6bfed6bfe715bfd0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619884338&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.