6.8
高危
16 个模型检测该样本为恶意!
重新分析
更多

77b795889974932d7e4cf0fa4b5a4392f5ff96dd15a86c3c3d6b8ba0b2693339

d2599a5cbc936cc486479f8c646e5dfb.exe

分析耗时

136s

最近分析

文件大小

122.6KB
静态报毒 动态报毒 ARTEMIS ELDORADO FILEREPMALWARE GENERIC PUA BO HELPER MALICIOUS R346636 TFFQA 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Artemis!D2599A5CBC93 20200824 6.0.6.653
Alibaba Downloader:Win32/tffqa.b2cad6a5 20190527 0.3.0.5
Avast 20200824 18.4.3895.0
Tencent 20200825 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200825 2013.8.14.323
CrowdStrike 20190702 1.0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features HTTP version 1.0 used suspicious_request GET http://dl.iwin.com/games/GamesManagerInstaller.exe
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:919707991&cup2hreq=5319f1cf233d4c8656f9d65e39fd9e91daeb1026047e8b910c7942a5eddfbd58
Performs some HTTP requests (6 个事件)
request GET http://dl.iwin.com/games/GamesManagerInstaller.exe
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619907720&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=1f535ae1b120921&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619908093&mv=m
request GET http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=1f535ae1b120921&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619908093&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:919707991&cup2hreq=5319f1cf233d4c8656f9d65e39fd9e91daeb1026047e8b910c7942a5eddfbd58
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:919707991&cup2hreq=5319f1cf233d4c8656f9d65e39fd9e91daeb1026047e8b910c7942a5eddfbd58
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1619910854.472081
NtProtectVirtualMemory
process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10004000
success 0 0
1619937156.68
NtAllocateVirtualMemory
process_identifier: 1812
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04170000
success 0 0
Creates executable files on the filesystem (8 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsn98DC.tmp\StdUtils.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsn98DC.tmp\nsProcess.dll
file C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsc5A51.tmp\NSISdl.dll
file C:\Program Files (x86)\GMInstaller\ugm_installer.exe
file C:\Program Files (x86)\GMInstaller\iWinLauncher.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsc5A51.tmp\GamesManagerInstaller.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsc5A51.tmp\System.dll
Drops an executable to the user AppData folder (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsn98DC.tmp\StdUtils.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsc5A51.tmp\NSISdl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsc5A51.tmp\GamesManagerInstaller.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsc5A51.tmp\System.dll
An executable file was downloaded by the process d2599a5cbc936cc486479f8c646e5dfb.exe (1 个事件)
Time & API Arguments Status Return Repeated
1619910856.488081
recv
buffer: HTTP/1.1 200 OK Content-Type: application/x-msdos-program Content-Length: 60117488 Connection: close Last-Modified: Fri, 17 Nov 2017 13:38:08 GMT Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 01 May 2021 13:16:01 GMT ETag: "226fc92ebb57d478737801b277830eb1-9" X-Cache: Hit from cloudfront Via: 1.1 71b823a6540719c6a0d625109e7c58b9.cloudfront.net (CloudFront) X-Amz-Cf-Pop: NRT51-C2 X-Amz-Cf-Id: 3VyqefscivvmOMuCMKP66t2OafZ4M08vHrjxbPaJ8X5DtEcaa0OTEg== Age: 33378 MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $A{Ñk¿8¿8¿8 b<8¿8 b,8¿8¾8©¿8‡8 ¿8‡%8¿8‡"8¿8Rich¿8PELäâGOà  t|B¯8@ 9v•@…@¬´€Ô @(•°)`” Ð.textŒrt `.rdatan+,x@@.dataœ+À¤@À.ndatað€À.rsrcÔ €¦@@.reloc֐º@BU‹ìƒì\ƒ} t+ƒ} F‹Eu ƒH‹ ´êG‰HPÿuÿu ÿuÿŒ’@éKSV‹5¼êGWE¤Pÿuÿ’@ƒeô‰E EäPÿuÿ”’@‹}ðƒeð‹D@鉶FR¶VV¯Uè‹Ï+Mè¯Á™÷ÿ‰M¶ÀÁà‰E¶FQ¯Á¶NU¯MèÁ™÷ÿ‹M¶VT¯Uè¶À ȶFP¯E™÷ÿÁá¶À ȍEôP‰MøÿH@ƒEðP‰EEäPÿu ÿ˜’@ÿuÿӃEè9}èŒnÿÿÿƒ~Xÿteÿv4ÿL@‰E…ÀtU‹} jWÇEäÇEèÿP@ÿvXWÿT@ÿu‹5X@WÿÖh ‰E EäPjÿh jGWÿœ’@ÿu WÿÖÿuÿӍE¤Pÿuÿ ’@_^3À[ÉÂ
received: 1894
socket: 548
success 1894 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 124.225.105.97
host 172.217.24.14
File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 个事件)
FireEye Generic.mg.d2599a5cbc936cc4
McAfee Artemis!D2599A5CBC93
K7AntiVirus Adware ( 0054f14d1 )
Alibaba Downloader:Win32/tffqa.b2cad6a5
K7GW Adware ( 0054f14d1 )
Invincea heuristic
Cyren W32/Downware.X.gen!Eldorado
Kaspersky not-a-virus:HEUR:Downloader.Win32.Generic
F-Secure Trojan.TR/Dldr.Agent.tffqa
Sophos Generic PUA BO (PUA)
Avira TR/Dldr.Agent.tffqa
ZoneAlarm not-a-virus:HEUR:Downloader.Win32.Generic
AhnLab-V3 PUP/Win32.Helper.R346636
VBA32 suspected of Trojan.Downloader.gen.h
APEX Malicious
AVG FileRepMalware
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2009-12-06 06:50:41

Imports

Library KERNEL32.dll:
0x407060 CompareFileTime
0x407064 SearchPathA
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407078 GetFileAttributesA
0x40707c GetLastError
0x407080 CreateDirectoryA
0x407084 SetFileAttributesA
0x407088 Sleep
0x40708c GetTickCount
0x407090 GetFileSize
0x407094 GetModuleFileNameA
0x407098 GetCurrentProcess
0x40709c CopyFileA
0x4070a0 ExitProcess
0x4070a8 SetFileTime
0x4070ac GetCommandLineA
0x4070b0 SetErrorMode
0x4070b4 LoadLibraryA
0x4070b8 lstrcpynA
0x4070bc GetDiskFreeSpaceA
0x4070c0 GlobalUnlock
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc CreateProcessA
0x4070d0 RemoveDirectoryA
0x4070d4 CreateFileA
0x4070d8 GetTempFileNameA
0x4070dc lstrlenA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 GetVersion
0x4070ec CloseHandle
0x4070f0 lstrcmpiA
0x4070f4 lstrcmpA
0x4070fc GlobalFree
0x407100 GlobalAlloc
0x407104 WaitForSingleObject
0x407108 GetExitCodeProcess
0x40710c GetModuleHandleA
0x407110 LoadLibraryExA
0x407114 GetProcAddress
0x407118 FreeLibrary
0x40711c MultiByteToWideChar
0x407128 WriteFile
0x40712c ReadFile
0x407130 MulDiv
0x407134 SetFilePointer
0x407138 FindClose
0x40713c FindNextFileA
0x407140 FindFirstFileA
0x407144 DeleteFileA
0x407148 GetTempPathA
Library USER32.dll:
0x40716c EndDialog
0x407170 ScreenToClient
0x407174 GetWindowRect
0x407178 EnableMenuItem
0x40717c GetSystemMenu
0x407180 SetClassLongA
0x407184 IsWindowEnabled
0x407188 SetWindowPos
0x40718c GetSysColor
0x407190 GetWindowLongA
0x407194 SetCursor
0x407198 LoadCursorA
0x40719c CheckDlgButton
0x4071a0 GetMessagePos
0x4071a4 LoadBitmapA
0x4071a8 CallWindowProcA
0x4071ac IsWindowVisible
0x4071b0 CloseClipboard
0x4071b4 SetClipboardData
0x4071b8 EmptyClipboard
0x4071bc RegisterClassA
0x4071c0 TrackPopupMenu
0x4071c4 AppendMenuA
0x4071c8 CreatePopupMenu
0x4071cc GetSystemMetrics
0x4071d0 SetDlgItemTextA
0x4071d4 GetDlgItemTextA
0x4071d8 MessageBoxIndirectA
0x4071dc CharPrevA
0x4071e0 DispatchMessageA
0x4071e4 PeekMessageA
0x4071e8 DestroyWindow
0x4071ec CreateDialogParamA
0x4071f0 SetTimer
0x4071f4 SetWindowTextA
0x4071f8 PostQuitMessage
0x4071fc SetForegroundWindow
0x407200 wsprintfA
0x407204 SendMessageTimeoutA
0x407208 FindWindowExA
0x407210 CreateWindowExA
0x407214 GetClassInfoA
0x407218 DialogBoxParamA
0x40721c CharNextA
0x407220 OpenClipboard
0x407224 ExitWindowsEx
0x407228 IsWindow
0x40722c GetDlgItem
0x407230 SetWindowLongA
0x407234 LoadImageA
0x407238 GetDC
0x40723c EnableWindow
0x407240 InvalidateRect
0x407244 SendMessageA
0x407248 DefWindowProcA
0x40724c BeginPaint
0x407250 GetClientRect
0x407254 FillRect
0x407258 DrawTextA
0x40725c EndPaint
0x407260 ShowWindow
Library GDI32.dll:
0x40703c SetBkColor
0x407040 GetDeviceCaps
0x407044 DeleteObject
0x407048 CreateBrushIndirect
0x40704c CreateFontIndirectA
0x407050 SetBkMode
0x407054 SetTextColor
0x407058 SelectObject
Library SHELL32.dll:
0x407154 SHBrowseForFolderA
0x407158 SHGetFileInfoA
0x40715c ShellExecuteA
0x407160 SHFileOperationA
Library ADVAPI32.dll:
0x407000 RegQueryValueExA
0x407004 RegSetValueExA
0x407008 RegEnumKeyA
0x40700c RegEnumValueA
0x407010 RegOpenKeyExA
0x407014 RegDeleteKeyA
0x407018 RegDeleteValueA
0x40701c RegCloseKey
0x407020 RegCreateKeyExA
Library COMCTL32.dll:
0x407028 ImageList_AddMasked
0x40702c ImageList_Destroy
0x407030
0x407034 ImageList_Create
Library ole32.dll:
0x407278 CoTaskMemFree
0x40727c OleInitialize
0x407280 OleUninitialize
0x407284 CoCreateInstance
Library VERSION.dll:
0x40726c GetFileVersionInfoA
0x407270 VerQueryValueA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49223 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49222 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49221 203.208.41.66 update.googleapis.com 443
192.168.56.101 49224 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80
192.168.56.101 49177 99.86.217.83 dl.iwin.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=1f535ae1b120921&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619908093&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=1f535ae1b120921&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619908093&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6720
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com
http://dl.iwin.com/games/GamesManagerInstaller.exe 
GET /games/GamesManagerInstaller.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619907720&mv=u&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619907720&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=1f535ae1b120921&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619908093&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=1f535ae1b120921&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619908093&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.