Score: 5.2
Risk level: Medium (中危)

SHA256: 15d47435173ed8788662b97ca3ceaa5301dd1f42d9e460f4aeed11e0e4032ffc

File name: d293f0480cc96d2a39d67ca63325e715.exe

Analysis duration: 23s

Last analysis:

File size: 590.7KB

Detection tags: static detection (静态报毒), dynamic detection (动态报毒), AGEN, AI, SCORE=100, BSCOPE, CHINAD, CONFIDENCE, DANGEROUSSIG, EGRKTM, ELEX, FIREUP, GENASA, GENCIRC, GENERICRXEP, GHOKSWA, HPDEFENDER, I4HIMXHCN3O, JIANGLIU, JOHNNIE, LGAOOFVQEVH, MALWARE@#1JSEZ833QPHFB, MUTABAHA, OBFUSCATED, OBFUSCATEDCRTD, R066C0DI920, R187117, SCORE, UNSAFE, WINZIPPER
Hawk Eye engine (鹰眼引擎)
Not detected: no Hawk Eye engine results available for this sample.

Static verdict

Antivirus engines

Engine | Result | Scan date | Engine version
Alibaba | Trojan:Win32/FireUp.157ec5b2 | 20190527 | 0.3.0.5
Baidu | | 20190318 | 1.0.0.2
Avast | Win32:DangerousSig [Trj] | 20201031 | 20.10.5736.0
Kingsoft | | 20201031 | 2013.8.14.323
McAfee | GenericRXEP-LL!D293F0480CC9 | 20201031 | 6.0.6.653
Tencent | Malware.Win32.Gencirc.114b953e | 20201031 | 1.0.0.1
CrowdStrike | win/malicious_confidence_60% (D) | 20190702 | 1.0
Behavioral verdict

Dynamic indicators

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: GET method with no useragent header
suspicious_request: GET http://xa.firefox1.com/v4/ffffff/VBOXXHARDDISK_VB4d3bbc8a-fd72b187?action0=download.rebooter.4&update0=version,47.0.34.201

Performs some HTTP requests (1 event)
request: GET http://xa.firefox1.com/v4/ffffff/VBOXXHARDDISK_VB4d3bbc8a-fd72b187?action0=download.rebooter.4&update0=version,47.0.34.201

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time | API | Arguments | Status | Return | Repeated
1620897723.025662 | GetAdaptersAddresses | flags: 0, family: 0 | failed | 111 | 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)
Time | API | Arguments | Status | Return | Repeated
1620897721.791662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeSecurityPrivilege | success | 1 | 0
1620897721.791662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeTakeOwnershipPrivilege | success | 1 | 0
1620897721.791662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeLoadDriverPrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeBackupPrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRestorePrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRemoteShutdownPrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeManageVolumePrivilege | success | 1 | 0
1620897721.807662 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeCreateGlobalPrivilege | success | 1 | 0
Network communication

Communicates with host for which no DNS query was performed (1 event)
host: 172.217.24.14

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Time | API | key_handle | value | regkey_r | reg_type | regkey | Status | Return | Repeated
1620897725.604662 | RegSetValueExA | 0x00000354 | 1 | WpadDecisionReason | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason | success | 0 | 0
1620897725.604662 | RegSetValueExA | 0x00000354 | À_:ÖH× | WpadDecisionTime | 3 (REG_BINARY) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime | success | 0 | 0
1620897725.604662 | RegSetValueExA | 0x00000354 | 3 | WpadDecision | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision | success | 0 | 0
1620897725.604662 | RegSetValueExW | 0x00000354 | 网络 2 | WpadNetworkName | 1 (REG_SZ) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName | success | 0 | 0
1620897725.604662 | RegSetValueExA | 0x0000036c | 1 | WpadDecisionReason | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason | success | 0 | 0
1620897725.604662 | RegSetValueExA | 0x0000036c | À_:ÖH× | WpadDecisionTime | 3 (REG_BINARY) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime | success | 0 | 0
1620897725.604662 | RegSetValueExA | 0x0000036c | 3 | WpadDecision | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision | success | 0 | 0
1620897725.635662 | RegSetValueExW | 0x00000350 | {40112ABE-63B3-43C3-BE93-1440EE3AF106} | WpadLastNetwork | 1 (REG_SZ) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork | success | 0 | 0
1620897726.572662 | RegSetValueExA | 0x000003d0 | 1 | WpadDecisionReason | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason | success | 0 | 0
1620897726.572662 | RegSetValueExA | 0x000003d0 | @…ÐÖH× | WpadDecisionTime | 3 (REG_BINARY) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime | success | 0 | 0
1620897726.572662 | RegSetValueExA | 0x000003d0 | 0 | WpadDecision | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision | success | 0 | 0
1620897726.572662 | RegSetValueExW | 0x000003d0 | 网络 2 | WpadNetworkName | 1 (REG_SZ) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName | success | 0 | 0
1620897726.572662 | RegSetValueExA | 0x000003d4 | 1 | WpadDecisionReason | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason | success | 0 | 0
1620897726.572662 | RegSetValueExA | 0x000003d4 | @…ÐÖH× | WpadDecisionTime | 3 (REG_BINARY) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime | success | 0 | 0
1620897726.572662 | RegSetValueExA | 0x000003d4 | 0 | WpadDecision | 4 (REG_DWORD) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision | success | 0 | 0
Expresses interest in specific running processes (2 events)
process: potential process injection target lsass.exe
process: potential process injection target explorer.exe

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events shown)
MicroWorld-eScan Gen:Variant.Johnnie.245275
FireEye Generic.mg.d293f0480cc96d2a
CAT-QuickHeal PUA.Jiangliu.Gen
ALYac Gen:Variant.Johnnie.245275
Cylance Unsafe
Zillya Trojan.ObfuscatedCRTD.Win32.8324
SUPERAntiSpyware Adware.ChinAd/Variant
K7AntiVirus Unwanted-Program ( 004fc5611 )
Alibaba Trojan:Win32/FireUp.157ec5b2
K7GW Unwanted-Program ( 004fc5611 )
Cybereason malicious.80cc96
Arcabit Trojan.Johnnie.D3BE1B
Invincea Ghokswa (PUA)
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:DangerousSig [Trj]
Kaspersky Trojan.Win32.FireUp.a
BitDefender Gen:Variant.Johnnie.245275
NANO-Antivirus Riskware.Win32.Mutabaha.egrktm
Rising Trojan.Ghokswa!8.1CEE (TFE:5:lgaoofvQEvH)
Ad-Aware Gen:Variant.Johnnie.245275
Emsisoft Gen:Variant.Johnnie.245275 (B)
Comodo Malware@#1jsez833qphfb
DrWeb Adware.Mutabaha.1894
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R066C0DI920
McAfee-GW-Edition GenericRXEP-LL!D293F0480CC9
Sophos Ghokswa (PUA)
Jiangmin AdWare.Hpdefender.ch
Webroot W32.Adware.Gen
Avira HEUR/AGEN.1124067
MAX malware (ai score=100)
Gridinsoft Adware.ELEX.vl!c
Microsoft Trojan:Win32/Ghokswa
ZoneAlarm Trojan.Win32.FireUp.a
GData Gen:Variant.Johnnie.245275
AhnLab-V3 PUP/Win32.Agent.R187117
McAfee GenericRXEP-LL!D293F0480CC9
VBA32 BScope.Adware.Ghokswa
Malwarebytes Adware.ChinAd
ESET-NOD32 a variant of Win32/Obfuscated.NIS
TrendMicro-HouseCall TROJ_GEN.R066C0DI920
Tencent Malware.Win32.Gencirc.114b953e
Yandex Trojan.GenAsa!i4hIMXhcN3o
Ikarus Trojan.Win32.Obfuscated
eGambit Unsafe.AI_Score_63%
Fortinet W32/Generic.AC.214538
AVG Win32:DangerousSig [Trj]
Panda PUP/Winzipper
CrowdStrike win/malicious_confidence_60% (D)
Visual analysis

Binary image
No binary image: no binary visualization image was generated for this sample.

Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.

PE Compile Time

2016-08-29 11:43:54

Imports

Library KERNEL32.dll:
0x477008 CreateFileW
0x47700c CloseHandle
0x477010 GetLastError
0x477014 FindFirstFileW
0x477024 CreateDirectoryW
0x477028 SizeofResource
0x47702c HeapFree
0x477030 GetCurrentProcess
0x47703c WaitForSingleObject
0x477040 HeapSize
0x477044 Sleep
0x477048 TerminateThread
0x47704c LockResource
0x477050 DeleteFileW
0x477054 HeapReAlloc
0x477058 RaiseException
0x47705c CreateThread
0x477060 FindResourceExW
0x477064 LoadResource
0x477068 FindResourceW
0x47706c HeapAlloc
0x477070 DecodePointer
0x477074 HeapDestroy
0x477078 GetProcAddress
0x47707c GetFileSize
0x477084 GetProcessHeap
0x477088 GetModuleHandleW
0x47708c WideCharToMultiByte
0x477090 GetTempFileNameW
0x477094 IsWow64Process
0x477098 CreateFileA
0x47709c CopyFileW
0x4770a0 GetFileTime
0x4770a4 SetLastError
0x4770a8 FindNextFileW
0x4770ac TerminateProcess
0x4770b0 RemoveDirectoryW
0x4770b4 GetProcessId
0x4770bc FindClose
0x4770c0 GetFileAttributesW
0x4770c4 GetCurrentThreadId
0x4770c8 OpenProcess
0x4770cc SetFileAttributesW
0x4770dc Process32NextW
0x4770e0 Process32FirstW
0x4770e4 LoadLibraryW
0x4770ec MoveFileExW
0x4770f0 CreateProcessW
0x4770f4 FreeLibrary
0x4770f8 GetExitCodeProcess
0x477100 lstrcmpW
0x477108 DeviceIoControl
0x47710c GlobalAlloc
0x477110 GlobalFree
0x477118 WriteFile
0x477120 SetFilePointer
0x477124 SetEndOfFile
0x477128 CreateMutexW
0x47712c ReleaseMutex
0x477130 OpenMutexW
0x477134 SetFileTime
0x477144 GetCommandLineW
0x477148 GetModuleFileNameW
0x47714c OutputDebugStringW
0x477150 QueueUserWorkItem
0x477154 GetShortPathNameW
0x477158 lstrcatW
0x47715c WriteProcessMemory
0x477160 VirtualProtect
0x477164 lstrlenW
0x477168 LocalFree
0x47716c VerSetConditionMask
0x477174 VerifyVersionInfoW
0x477178 lstrcmpiW
0x47717c GetModuleFileNameA
0x477180 MultiByteToWideChar
0x477184 GetTempPathW
0x477188 WriteConsoleW
0x47718c SetStdHandle
0x477190 FindFirstFileExW
0x477194 GetCommandLineA
0x4771a0 GetOEMCP
0x4771a4 IsValidCodePage
0x4771a8 ReadConsoleW
0x4771ac SetFilePointerEx
0x4771b0 GetConsoleMode
0x4771b4 GetConsoleCP
0x4771b8 FlushFileBuffers
0x4771bc EnumSystemLocalesW
0x4771c0 GetUserDefaultLCID
0x4771c4 IsValidLocale
0x4771c8 GetFileType
0x4771cc GetACP
0x4771d0 GetStdHandle
0x4771d4 GetModuleHandleExW
0x4771d8 ExitProcess
0x4771e0 ReadFile
0x4771e4 GetSystemInfo
0x4771e8 VirtualQuery
0x4771ec LoadLibraryExA
0x4771f0 GetStringTypeW
0x4771f4 EncodePointer
0x4771f8 CreateEventW
0x4771fc TlsAlloc
0x477200 TlsGetValue
0x477204 TlsSetValue
0x477208 TlsFree
0x477210 LCMapStringW
0x477214 GetLocaleInfoW
0x477218 GetCPInfo
0x47721c SetEvent
0x477220 ResetEvent
0x477234 IsDebuggerPresent
0x477238 GetStartupInfoW
0x477240 GetCurrentProcessId
0x477244 InitializeSListHead
0x477248 RtlUnwind
0x47724c LoadLibraryExW
Library USER32.dll:
0x477268 SetThreadDesktop
0x47726c OpenDesktopW
0x477270 CreateDesktopW
0x477274 wsprintfW
0x477278 CharLowerW
0x47727c GetThreadDesktop
Library ole32.dll:
0x47729c CoUninitialize
0x4772a0 CoTaskMemFree
0x4772a4 CoCreateInstance
0x4772a8 PropVariantClear
0x4772ac CoInitialize
Library OLEAUT32.dll:
0x477254 SysFreeString
Library USERENV.dll:
Library VERSION.dll:
0x477290 GetFileVersionInfoW
0x477294 VerQueryValueW
Library Secur32.dll:
Library CRYPT32.dll:

Exports

Ordinal Address Name
1 0x43a200 ?iourtr_457389435_4395723_349875943_439754395_498@@YAXXZ
2 0x43a1f0 ?itutw_897437843_458739754895_4573974835_39438975@@YAXXZ
3 0x43a220 ?iutrjfgd_43859743985_569479324_439751932_3587439@@YAXXZ
4 0x43a210 ?opueroitr_4978594375_54385983498_34598493275_349@@YAXXZ
5 0x43a230 ?uioerut_53947857_4538974832_43759349875_45788945@@YAXXZ
6 0x43a1f0 ?yrta_3864738_4578934_874584_4598723_385789454221@@YAXXZ

Hosts

No hosts contacted.

TCP

Source | Source port | Destination | Destination port
192.168.56.101 | 49174 | 107.6.74.76 (xa.firefox1.com) | 80

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 51378 | 114.114.114.114 | 53
192.168.56.101 | 51808 | 114.114.114.114 | 53
192.168.56.101 | 53657 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 57756 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 51963 | 224.0.0.252 | 5355
192.168.56.101 | 53237 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 58367 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 63429 | 224.0.0.252 | 5355
192.168.56.101 | 65004 | 224.0.0.252 | 5355
192.168.56.101 | 1900 | 239.255.255.250 | 1900
192.168.56.101 | 53238 | 239.255.255.250 | 3702
192.168.56.101 | 53240 | 239.255.255.250 | 3702
192.168.56.101 | 55369 | 239.255.255.250 | 3702
192.168.56.101 | 58707 | 239.255.255.250 | 3702
192.168.56.101 | 63432 | 239.255.255.250 | 1900

HTTP & HTTPS Requests

URI: http://xa.firefox1.com/v4/ffffff/VBOXXHARDDISK_VB4d3bbc8a-fd72b187?action0=download.rebooter.4&update0=version,47.0.34.201
Request data:
GET /v4/ffffff/VBOXXHARDDISK_VB4d3bbc8a-fd72b187?action0=download.rebooter.4&update0=version,47.0.34.201 HTTP/1.1
Host: xa.firefox1.com
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.