Maldun (魔盾) Security Analysis Report

Analysis type   Start time            End time              Duration   Engine version
FILE            2019-01-21 23:14:06   2019-01-21 23:16:31   145 s      1.4-Maldun

VM name                   Label                     Hypervisor   Boot time             Shutdown time
win7-sp1-x64-hpdapp01-1   win7-sp1-x64-hpdapp01-1   KVM          2019-01-21 23:14:09   None

Maldun score

10.0

Carbanak

File details

File name   gtr.exe
File size   207872 bytes
File type   PE32 executable (GUI) Intel 80386, for MS Windows
CRC32       7B933E34
MD5         bd0eca8c69f2a5bfb7723f635216646e
SHA1        e0e802618e1ea7d0039c91656df015e9233b5fe2
SHA256      ba607da38f64541c9e77d763979f754f901468edbff4a49c401fe76d2e2ea3e2
SHA512      0cf744eeb21ac548c95eedfe56318f3a6479585ad4af25ca0456325d6d854b76330e821449f34a0670d0078459b2ff7bd4f96e6f140da0919db0d9937d71c420
Ssdeep      3072:2jh9N4a1j712h9Td2+1lxvTeZna8xUhUbT158:2jdFKdoSxvixTxUA
PEiD        no match
Yara
  • IsPE32 (Detected 32bit PE signature)
  • IsWindowsGUI ()
  • ImportTableIsBad (ImportTable Check)
  • HasModified_DOS_Message (Detected DOS Message)
  • IsGoLink (www.GoDevTool.com)
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks ()
  • ThreadControl__Context ()
  • anti_dbg (Checks if being debugged)
  • inject_thread (Code injection with CreateRemoteThread in a remote process)
  • create_process (Create a new process)
  • create_service (Create a windows service)
  • network_http (Communications over HTTP)
  • network_dns (Communications use DNS)
  • escalate_priv (Detected privilege escalation function)
  • win_registry (Affect system registries)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_6 (Detects malicious behaviors from a small size app)
  • Maldun_Anomoly_Combined_Activities_7 (Detects malicious behaviors from a small size app)
  • without_attachments (Detected no presence of any attachment)
  • maldoc_find_kernel32_base_method_1 ()
  • maldoc_getEIP_method_1 ()
  • without_images (Detected no presence of any image)
  • with_urls (Detected the presence of an or several urls)
  • Prime_Constants_long (List of primes [long])
  • RijnDael_AES (Look for RijnDael AES)
  • BASE64_table (Look for Base64 table)
  • VC8_Random (Look for Random function)
  • powershell ()
VirusTotal   VirusTotal link
VirusTotal scan time: 2019-01-07 12:58:38
Scan result: 35/69 engines

Signatures

Creates RWX memory
Maldun Yara rule detections - High risk
Warning: ImportTable Check
Informational: Detected DOS Message
Informational: www.GoDevTool.com
Warning: Code injection with CreateRemoteThread in a remote process
Informational: Create a new process
Warning: Create a windows service
Informational: Communications over HTTP
Informational: Communications use DNS
Warning: Detected privilege escalation function
Warning: Affect system registries
Warning: Affect system token
Warning: Affect private profile
Critical: Detects malicious behaviors from a small size app
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Critical: maldoc_find_kernel32_base_method_1
Critical: maldoc_getEIP_method_1
Informational: Detected no presence of any image
Informational: Detected the presence of an or several urls
Warning: List of primes [long]
Warning: Look for RijnDael AES
Warning: Look for Base64 table
Informational: Look for Random function
Informational: powershell
File detected as malicious by at least one antivirus engine on VirusTotal
MicroWorld-eScan: DeepScan:Generic.CBL.Carbanak.3.78A60651
CAT-QuickHeal: Trojan.ConbeaPMF.S115671
Cylance: Unsafe
NANO-Antivirus: Virus.Win32.Gen-Crypt.ccnc
F-Prot: W32/S-d757aa55!Eldorado
Symantec: Meterpreter
Avast: Win32:Malware-gen
ClamAV: Win.Tool.CobaltStrike-6336852-0
GData: DeepScan:Generic.CBL.Carbanak.3.78A60651
Kaspersky: HEUR:Trojan.Win32.Cometer.gen
BitDefender: DeepScan:Generic.CBL.Carbanak.3.78A60651
Rising: Downloader.Zlob!8.B37/N3#96% (RDM+:cmRtazq6whXq8r53O7/FlmDnAoi+)
Ad-Aware: DeepScan:Generic.CBL.Carbanak.3.78A60651
Sophos: Mal/Swrort-L
F-Secure: DeepScan:Generic.CBL.Carbanak.3.78A60651
DrWeb: BackDoor.Meterpreter.19
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.VirRansom.dh
Trapmine: malicious.high.ml.score
Emsisoft: DeepScan:Generic.CBL.Carbanak.3.78A60651 (B)
Cyren: W32/S-d757aa55!Eldorado
Avira: TR/Crypt.XPACK.Gen2
MAX: malware (ai score=86)
Endgame: malicious (high confidence)
Arcabit: DeepScan:Generic.CBL.Carbanak.3.78A60651
ZoneAlarm: HEUR:Trojan.Win32.Cometer.gen
Microsoft: VirTool:Win32/Atosev.A
VBA32: BScope.Trojan.Cometer
ALYac: DeepScan:Generic.CBL.Carbanak.3.78A60651
SentinelOne: static engine - malicious
eGambit: Trojan.Generic
AVG: Win32:Malware-gen
Cybereason: malicious.c69f2a
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM19.1.6343.Malware.Gen

Screenshots

Network analysis

Hosts contacted

Direct access   IP address    Country
                31.13.69.86   Ireland

DNS resolution

Domain                     Response
msedgesecure.appspot.com   A 31.13.69.86

UDP connections

IP address      Port
192.168.122.1   53

Note: 192.168.122.1 is the default gateway of libvirt's NAT network on a KVM host, so the UDP/53 entry is the guest's DNS query to the sandbox resolver, not contact with the sample's infrastructure. The only external host the sample attempted to reach is the address msedgesecure.appspot.com resolved to during this run.

Static analysis

PE information

Image base                    0x00400000
Entry point                   0x00401000
Declared checksum             0x00034bca
Actual checksum               0x00034bca
Minimum OS version required   4.0
Compile time                  2019-01-04 18:36:00

PE sections

Name   Virtual address   Virtual size   Raw data size   Characteristics                                                                   Entropy
foo    0x00001000        0x00032810     0x00032a00      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE   6.71

Note: the whole image is one section, named foo, flagged code, readable, writable and executable, and the entry point (0x401000) is the section's first byte. A normal compiler/linker build separates code from data and does not mark code writable; this layout, together with the IsGoLink and ImportTableIsBad Yara hits above, points to a hand-linked or tool-generated build. The declared and recomputed checksums agree, which is consistent with the file not having been modified after the checksum was written.
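As an added example that is not part of the Maldun report or of the sample itself, the following Python script reproduces the checks behind this table for any PE32 file using only the standard library: it parses the section table, computes each section's Shannon entropy, recomputes the PE CheckSum, and flags sections that are both writable and executable as well as an entry point that lands in a writable section. build_sample() constructs a stand-in PE that mirrors the report's header facts (image base, entry point, OS version, compile time, a single RWX code section named foo) over a small filler body; it is not gtr.exe, and its sizes and bytes are invented.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SCN_FLAGS = {                       # IMAGE_SCN_* characteristic bits (winnt.h)
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
EXEC, WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; packed or encrypted payloads sit close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum: 32-bit word sum with end-around carry (CheckSum field skipped,
    ragged tail zero-padded), folded to 16 bits, plus file length; as pefile does it."""
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:       # the field is 4-byte aligned in any valid PE
            continue
        total += struct.unpack("<I", data[off:off + 4].ljust(4, b"\0"))[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def analyze(pe: bytes) -> dict:
    """Header facts of a PE32 image plus two layout checks (W+X sections, entry in writable section)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    file_hdr = e_lfanew + 4
    _, nsec, stamp, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, file_hdr)
    opt = file_hdr + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("PE32 only (PE32+ lays out the optional header differently)")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    checksum_off = opt + 64
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + size_opt + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"), "rva": rva, "vsize": vsize, "rawsize": rawsize,
            "chars": chars, "flags": [n for bit, n in SCN_FLAGS.items() if chars & bit],
            "entropy": round(shannon_entropy(pe[rawptr:rawptr + rawsize]), 2),
        })
    entry_sec = next((s for s in sections
                      if s["rva"] <= entry_rva < s["rva"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_point": image_base + entry_rva,
        "checksum_declared": struct.unpack_from("<I", pe, checksum_off)[0],
        "checksum_actual": pe_checksum(pe, checksum_off),
        "sections": sections,
        "wx_sections": [s["name"] for s in sections if s["chars"] & WRITE and s["chars"] & EXEC],
        "entry_section": entry_sec["name"] if entry_sec else None,
        "entry_in_writable_section": bool(entry_sec and entry_sec["chars"] & WRITE),
        "single_section": nsec == 1,
    }

def build_sample() -> bytes:
    """Constructed stand-in, NOT gtr.exe: the report's header facts (image base 0x400000,
    entry 0x401000, OS 4.0, one RWX code section 'foo' at RVA 0x1000) over a small filler body."""
    hdr = bytearray(0x200)                                   # SizeOfHeaders == FileAlignment
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 1546626960, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, Section/FileAlignment
    struct.pack_into("<HH", hdr, opt + 40, 4, 0)             # MajorOperatingSystemVersion 4.0
    raw = 0x400
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b"foo", raw, 0x1000, raw, 0x200,
                     0, 0, 0, 0, 0x00000020 | 0x20000000 | 0x40000000 | 0x80000000)
    body = bytes(i * 37 % 251 for i in range(raw))          # filler bytes, not real code
    pe = bytearray(hdr + body)
    struct.pack_into("<I", pe, opt + 64, pe_checksum(bytes(pe), opt + 64))  # store a valid CheckSum
    return bytes(pe)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in analyze(data).items():
        print(f"{key}: {value}")
```

Run it with a file path (for example the sample's file name, gtr.exe, an assumption about where you keep it) to get the same fields the table above shows, or with no argument to analyze the constructed stand-in. wx_sections and entry_in_writable_section are the two findings worth keying on in bulk triage; a checksum mismatch on a file that declares a non-zero CheckSum usually means the image was edited after linking.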

Dropped files

None

Behavior analysis

Mutexes             none
Executed commands   none
Created services    none
Started services    none

Processes

gtr.exe PID: 2424, parent PID: 2296

Files accessed           none
Files read               none
Files modified           none
Files deleted            none
Registry keys            none
Registry keys read       none
Registry keys modified   none
Registry keys deleted    none

Note: the run recorded no file, registry, service or process-creation activity; the only observed behaviour is the DNS lookup in the network section. The list below records APIs the sample resolved, not calls it made, so capabilities such as remote-thread injection, token duplication, named-pipe impersonation and service creation are indicated by the imports but were not exercised in this run.

Resolved APIs
  • kernel32.dll.MoveFileA
  • kernel32.dll.FindNextFileA
  • kernel32.dll.DeleteProcThreadAttributeList
  • kernel32.dll.HeapAlloc
  • kernel32.dll.UpdateProcThreadAttribute
  • kernel32.dll.HeapFree
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.CreateRemoteThread
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.VirtualProtectEx
  • kernel32.dll.VirtualAllocEx
  • kernel32.dll.ProcessIdToSessionId
  • kernel32.dll.VirtualProtect
  • kernel32.dll.DuplicateHandle
  • kernel32.dll.InitializeProcThreadAttributeList
  • kernel32.dll.WriteProcessMemory
  • kernel32.dll.GetThreadContext
  • kernel32.dll.SetThreadContext
  • kernel32.dll.FreeLibrary
  • kernel32.dll.VirtualFree
  • kernel32.dll.Thread32First
  • kernel32.dll.Thread32Next
  • kernel32.dll.SetLastError
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.OpenThread
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.SuspendThread
  • kernel32.dll.ResumeThread
  • kernel32.dll.PeekNamedPipe
  • kernel32.dll.WaitNamedPipeA
  • kernel32.dll.SetNamedPipeHandleState
  • kernel32.dll.LocalAlloc
  • kernel32.dll.LocalFree
  • kernel32.dll.GetComputerNameA
  • kernel32.dll.FindClose
  • kernel32.dll.TerminateProcess
  • kernel32.dll.Process32Next
  • kernel32.dll.CopyFileA
  • kernel32.dll.FindFirstFileA
  • kernel32.dll.FileTimeToSystemTime
  • kernel32.dll.GetFileAttributesA
  • kernel32.dll.ExpandEnvironmentStringsA
  • kernel32.dll.GetLogicalDrives
  • kernel32.dll.SystemTimeToTzSpecificLocalTime
  • kernel32.dll.GetFullPathNameA
  • kernel32.dll.CreateThread
  • kernel32.dll.GetVersionExA
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.CreateNamedPipeA
  • kernel32.dll.GetProcAddress
  • kernel32.dll.ReadFile
  • kernel32.dll.GetCurrentThread
  • kernel32.dll.ConnectNamedPipe
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.CloseHandle
  • kernel32.dll.GetFileTime
  • kernel32.dll.GetCurrentDirectoryA
  • kernel32.dll.CreatePipe
  • kernel32.dll.GetCurrentDirectoryW
  • kernel32.dll.GetLastError
  • kernel32.dll.GetStartupInfoA
  • kernel32.dll.SetCurrentDirectoryA
  • kernel32.dll.FlushFileBuffers
  • kernel32.dll.DisconnectNamedPipe
  • kernel32.dll.GetEnvironmentVariableA
  • kernel32.dll.CreateProcessA
  • kernel32.dll.OpenProcess
  • kernel32.dll.WriteFile
  • kernel32.dll.SetFileTime
  • kernel32.dll.WaitForSingleObject
  • kernel32.dll.SetEnvironmentVariableA
  • kernel32.dll.CompareStringW
  • kernel32.dll.CompareStringA
  • kernel32.dll.SetEndOfFile
  • kernel32.dll.SetEnvironmentVariableW
  • kernel32.dll.VirtualQuery
  • kernel32.dll.GetModuleFileNameW
  • kernel32.dll.SetStdHandle
  • kernel32.dll.WriteConsoleW
  • kernel32.dll.GetConsoleOutputCP
  • kernel32.dll.WriteConsoleA
  • kernel32.dll.GetStringTypeW
  • kernel32.dll.GetStringTypeA
  • kernel32.dll.LCMapStringW
  • kernel32.dll.LCMapStringA
  • kernel32.dll.GetLocaleInfoA
  • kernel32.dll.HeapSize
  • kernel32.dll.DebugBreak
  • kernel32.dll.RaiseException
  • kernel32.dll.QueryPerformanceCounter
  • kernel32.dll.GetEnvironmentStringsW
  • kernel32.dll.FreeEnvironmentStringsW
  • kernel32.dll.GetEnvironmentStrings
  • kernel32.dll.FreeEnvironmentStringsA
  • kernel32.dll.CreateFileA
  • kernel32.dll.GetCurrentProcessId
  • kernel32.dll.GetLocalTime
  • kernel32.dll.Sleep
  • kernel32.dll.Process32First
  • kernel32.dll.GetTickCount
  • kernel32.dll.SetFilePointer
  • kernel32.dll.GetFileType
  • kernel32.dll.SetHandleCount
  • kernel32.dll.GetConsoleMode
  • kernel32.dll.GetModuleHandleW
  • kernel32.dll.ExitProcess
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.DeleteFileA
  • kernel32.dll.CreateDirectoryA
  • kernel32.dll.RemoveDirectoryA
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.GetCommandLineA
  • kernel32.dll.GetSystemTimeAsFileTime
  • kernel32.dll.UnhandledExceptionFilter
  • kernel32.dll.SetUnhandledExceptionFilter
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.HeapCreate
  • kernel32.dll.HeapDestroy
  • kernel32.dll.DeleteCriticalSection
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.GetStdHandle
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.TlsGetValue
  • kernel32.dll.TlsAlloc
  • kernel32.dll.TlsSetValue
  • kernel32.dll.TlsFree
  • kernel32.dll.InterlockedIncrement
  • kernel32.dll.InterlockedDecrement
  • kernel32.dll.InitializeCriticalSectionAndSpinCount
  • kernel32.dll.GetCPInfo
  • kernel32.dll.GetACP
  • kernel32.dll.GetOEMCP
  • kernel32.dll.IsValidCodePage
  • kernel32.dll.RtlUnwind
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.GetConsoleCP
  • advapi32.dll.GetUserNameA
  • advapi32.dll.CloseServiceHandle
  • advapi32.dll.OpenProcessToken
  • advapi32.dll.CreateProcessWithLogonW
  • advapi32.dll.DeleteService
  • advapi32.dll.CryptReleaseContext
  • advapi32.dll.CryptAcquireContextA
  • advapi32.dll.CryptGenRandom
  • advapi32.dll.LogonUserA
  • advapi32.dll.CheckTokenMembership
  • advapi32.dll.FreeSid
  • advapi32.dll.RevertToSelf
  • advapi32.dll.AllocateAndInitializeSid
  • advapi32.dll.DuplicateTokenEx
  • advapi32.dll.LookupAccountSidA
  • advapi32.dll.GetTokenInformation
  • advapi32.dll.SetSecurityDescriptorDacl
  • advapi32.dll.InitializeSecurityDescriptor
  • advapi32.dll.CreateProcessAsUserA
  • advapi32.dll.AdjustTokenPrivileges
  • advapi32.dll.ControlService
  • advapi32.dll.QueryServiceStatusEx
  • advapi32.dll.ImpersonateNamedPipeClient
  • advapi32.dll.ImpersonateLoggedOnUser
  • advapi32.dll.LookupPrivilegeValueA
  • advapi32.dll.OpenThreadToken
  • advapi32.dll.OpenServiceA
  • advapi32.dll.OpenSCManagerA
  • advapi32.dll.QueryServiceStatus
  • advapi32.dll.CreateProcessWithTokenW
  • advapi32.dll.StartServiceA
  • advapi32.dll.CreateServiceA
  • wininet.dll.HttpQueryInfoA
  • wininet.dll.InternetConnectA
  • wininet.dll.InternetQueryDataAvailable
  • wininet.dll.InternetReadFile
  • wininet.dll.InternetSetOptionA
  • wininet.dll.HttpOpenRequestA
  • wininet.dll.HttpSendRequestA
  • wininet.dll.InternetCloseHandle
  • wininet.dll.InternetQueryOptionA
  • wininet.dll.InternetOpenA
  • dnsapi.dll.DnsFree
  • dnsapi.dll.DnsQuery_A
  • iphlpapi.dll.GetIfEntry
  • iphlpapi.dll.GetIpAddrTable
  • secur32.dll.LsaCallAuthenticationPackage
  • secur32.dll.LsaConnectUntrusted
  • secur32.dll.LsaLookupAuthenticationPackage
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsFree
  • cryptsp.dll.CryptAcquireContextA
  • cryptsp.dll.CryptGenRandom
  • cryptsp.dll.CryptReleaseContext
  • kernel32.dll.IsWow64Process
  • rasapi32.dll.RasConnectionNotificationW
  • sechost.dll.NotifyServiceStatusChangeA
  • cryptbase.dll.SystemFunction036