SmartHawk

1.7

低危

62 个模型检测该样本为恶意！

重新分析

下载样本

074120ae158aceb1a60f1ad55e0f3421114de901758047095e7a04f17ce0a263

074120ae158aceb1a60f1ad55e0f3421114de901758047095e7a04f17ce0a263.exe

分析耗时

133s

最近分析

387天前

文件大小

7.9KB

静态报毒动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER UPATRE

DACN 0.14

FACILE 1.00

IMCLNet 0.53

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.14	Unknown	0.05s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.53	Unknown	0.17s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:Downloader-WID [Trj]	20200403	18.4.3895.0
Baidu	Win32.Trojan-Downloader.Waski.k	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20200404	2013.8.14.323
McAfee	GenericATG-FKM!0A2D703ADDB2	20200404	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b0cbcc	20200404	1.0.0.1

在文件系统上创建可执行文件 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\vitra.exe

投放一个二进制文件并执行它 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\vitra.exe

将可执行文件投放到用户的 AppData 文件夹 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\vitra.exe

一个进程创建了一个隐藏窗口 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545309.4525 ShellExecuteExW	filepath: C:\Users\Administrator\AppData\Local\Temp\vitra.exe filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\vitra.exe parameters: show_type: 0	success	1	0

与未执行 DNS 查询的主机进行通信 (2 个事件)

host	114.114.114.114
host	8.8.8.8

文件已被 VirusTotal 上 62 个反病毒引擎识别为恶意 (50 out of 62 个事件)

ALYac	Trojan.Ppatre.Gen.1
APEX	Malicious
AVG	Win32:Downloader-WID [Trj]
Acronis	suspicious
Ad-Aware	Trojan.Ppatre.Gen.1
AhnLab-V3	Trojan/Win32.Dloader.R87521
Antiy-AVL	Trojan[Downloader]/Win32.Upatre
Arcabit	Trojan.Ppatre.Gen.1
Avast	Win32:Downloader-WID [Trj]
Avira	TR/Crypt.ZPACK.Gen8
Baidu	Win32.Trojan-Downloader.Waski.k
BitDefender	Trojan.Ppatre.Gen.1
BitDefenderTheta	Gen:NN.ZexaF.34104.aqX@aSzRtMd
Bkav	W32.AIDetectVM.malware
CAT-QuickHeal	Trojan.Mauvaise.SL1
ClamAV	Win.Downloader.Upatre-7598844-0
Comodo	TrojWare.Win32.TrojanDownloader.Small.CDC@8mzsfr
CrowdStrike	win/malicious_confidence_100% (D)
Cybereason	malicious.addb2a
Cylance	Unsafe
Cyren	W32/Upatre.KG.gen!Eldorado
DrWeb	Trojan.DownLoad3.28161
ESET-NOD32	a variant of Win32/TrojanDownloader.Waski.A
Emsisoft	Trojan.Ppatre.Gen.1 (B)
Endgame	malicious (high confidence)
F-Prot	W32/Upatre.KG.gen!Eldorado
F-Secure	Trojan.TR/Crypt.ZPACK.Gen8
FireEye	Generic.mg.0a2d703addb2a7ee
Fortinet	W32/Waski.A!tr
GData	Trojan.Ppatre.Gen.1
Ikarus	Trojan-Downloader.Win32.Upatre
Invincea	heuristic
Jiangmin	Trojan/Generic.azrzv
K7AntiVirus	Trojan-Downloader ( 0055f33b1 )
K7GW	Trojan-Downloader ( 0048f6391 )
Kaspersky	HEUR:Trojan.Win32.Generic
MAX	malware (ai score=87)
Malwarebytes	Trojan.Upatre
MaxSecure	Trojan.Upatre.Gen
McAfee	GenericATG-FKM!0A2D703ADDB2
McAfee-GW-Edition	BehavesLike.Win32.Generic.zz
MicroWorld-eScan	Trojan.Ppatre.Gen.1
Microsoft	TrojanDownloader:Win32/Upatre.A
NANO-Antivirus	Trojan.Win32.DownLoad3.cnbuup
Panda	Trj/Genetic.gen
Qihoo-360	Trojan.Downloader.Win32.Agent.ED
Rising	Dropper.Generic!8.35E (TFE:dGZlOgPqI1TWNgPuNQ)
Sangfor	Malware
SentinelOne	DFI - Malicious PE
Sophos	Mal/EncPk-ACO

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2013-10-10 02:19:12

PE Imphash

e836076a09dba03e4d6faa46dda0fefc

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x00000388	0x00000400	5.249146705729428
.rdata	0x00002000	0x00000410	0x00000600	3.5993689325374705
.data	0x00003000	0x00000004	0x00000000	0.0
.reloc	0x00004000	0x000000a6	0x00000200	1.393720064288099

Imports

Library WININET.dll:

• 0x402050 HttpSendRequestW

• 0x402054 InternetSetOptionW

• 0x402058 InternetQueryOptionW

• 0x40205c HttpOpenRequestW

• 0x402060 HttpQueryInfoW

• 0x402064 InternetReadFile

• 0x402068 InternetConnectW

• 0x40206c InternetOpenW

Library KERNEL32.dll:

• 0x402000 GetTempPathW

• 0x402004 GetFileSize

• 0x402008 GetCurrentDirectoryW

• 0x40200c DeleteFileW

• 0x402010 CloseHandle

• 0x402014 WriteFile

• 0x402018 lstrcmpW

• 0x40201c ReadFile

• 0x402020 GetModuleHandleW

• 0x402024 ExitProcess

• 0x402028 HeapCreate

• 0x40202c HeapAlloc

• 0x402030 GetModuleFileNameW

• 0x402034 CreateFileW

• 0x402038 lstrlenW

Library USER32.dll:

• 0x402048 wsprintfW

Library SHELL32.dll:

• 0x402040 ShellExecuteW

L!This program cannot be run in DOS mode.
898k8k8Rich8
`.rdata
@.data
.reloc
uEWuEV
_3^@[VP
BVMQuPu
VuVuh @
tVVVVh @
EV;t=\ @
0EPVVh
_EPEPju}
WEPju
tVEPEPh
uEPuuu
WPh\!@
w&YwPI
QuAwPu~PuBJQuu\Qu
Pu,IQuQu
InternetOpenW
InternetConnectW
HttpOpenRequestW
InternetQueryOptionW
InternetSetOptionW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
WININET.dll
GetModuleHandleW
ExitProcess
HeapCreate
HeapAlloc
GetModuleFileNameW
GetTempPathW
CreateFileW
GetFileSize
lstrlenW
ReadFile
lstrcmpW
WriteFile
CloseHandle
DeleteFileW
GetCurrentDirectoryW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
10>0L0R0t00000000
1N1u1~1111111
2!232F2M2T2j22222
3*313E3L3^3k3r3
vitra.exe
Updates downloader
grupodolcearte.com
text/*
application/*
/wp-config/sao9.exe
vetred.exe
C:\Users\admin\Downloads\invoice.exe
C:\H0PG6w_F.exe
C:\295bf490d6233ede096650ecadc4257f1165ebddd1dc168ee875149f1852bde8
C:\8zmbxGDU.exe
C:\Users\admin\Downloads\invoice.exe
C:\yD7YFX7u.exe
C:\ttV9bHtP.exe
C:\K5lTkh4o.exe
C:\8H9rLXV8.exe
C:\74q7T69A.exe
C:\WWvcx3l2.exe
C:\839b9ccfeed1739babefb20c2c9c33776780d460900e081138a83b5b6a010188
C:\a727ad29ee671b4eb6fda287da1f8537e0b41a80fd17bbe38e16f098ed4631ba
C:\53f0003fb689990aef9891edbcd794c329a0bca2162138bf825fcf0c589ad6ff
C:\Users\admin\Downloads\vitra.exe
C:\da0f6fc7d6f8c4591b9457b4c717c946762ffceed3e075575336751224f62849
C:\0f6eafd169b767dba6a6b66827c8546d8ea67bb75c36057d2a336eab9da34ed2
C:\3wYirXAj.exe
C:\Documents and Settings\Administrator\Desktop\P7pRYsT1.exe
C:\Users\admin\Downloads\9fa5279abbb0dfbaf75bf26121cb60ee7d14b458bd892b8873751a3cef1cf5aa.exe
C:\24c066d8d19d440dd640ea3500bf0f4dc44c45e1dd1636e950c2474931fc19fc
C:\Users\admin\Downloads\vitra.exe
C:\Users\Petra\AppData\Local\Temp\vitra.pe32
C:\Users\admin\Downloads\1fd90aefd9de4480_vitra.exe
C:\e88185a7478cb381caeb4b1c63f8ece86c899a5e2083cedbd24bb571c5af44e9
C:\Documents and Settings\Administrator\Desktop\B13Mvcif.exe
C:\21d33a3a0f413879cb4ae746dd1d36433a5ff1ca73255e701d751e35bbb6176c
C:\8274546c2f0bfbc441ae56cfd8f72418cc67052ab1988772efc482f2588ebfeb
C:\1319b26e3cb489a479ae625a3f63780301b0e24ad0ecb7c73e45b16af40c0839
C:\Users\admin\Downloads\vitra.exe
C:\0ddc86667d3175a2b307714e3a9f7571fbfb576f88564cecf3010e4ad6fe844d
C:\bj0Ixrps.exe
C:\BewVHqum.exe
C:\2759b3be1d2e1d8acc366bd193a6405f395f64352a17f04b16d9cc38cb26d0ff
C:\Users\admin\Downloads\vitra.exe
C:\604a6ebc836e60c088ad11580df91f01859e2d8abdd1c75ae811f9e90fd565e4
C:\Users\admin\Downloads\vitra.exe
C:\Users\Petra\AppData\Local\Temp\vitra.pe32
C:\Users\admin\Downloads\448a6caae9c6f544_vitra.exe
C:\Users\Petra\AppData\Local\Temp\vitra.pe32
C:\589e6f36fa803e210926e8391e76e950ca16b22f11032c388c35d879878825b1
C:\847a1fa41eacbd87f88d1d35b7a2198a62a6165d30103e5f13399fe7dafeaa9a

Process Tree

074120ae158aceb1a60f1ad55e0f3421114de901758047095e7a04f17ce0a263.exe (3012) "C:\Users\Administrator\AppData\Local\Temp\074120ae158aceb1a60f1ad55e0f3421114de901758047095e7a04f17ce0a263.exe"
- vitra.exe (2660) "C:\Users\ADMINI~1\AppData\Local\Temp\vitra.exe"

074120ae158aceb1a60f1ad55e0f3421114de901758047095e7a04f17ce0a263.exe, PID: 3012, Parent PID: 2236

default registry file network process services synchronisation iexplore office pdf

vitra.exe, PID: 2660, Parent PID: 3012

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
8.8.8.8

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255 A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
grupodolcearte.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	61714	8.8.8.8	53
192.168.56.101	56933	8.8.8.8	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53
192.168.56.101	58485	8.8.8.8	53
192.168.56.101	57665	114.114.114.114	53
192.168.56.101	51758	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	b720f2e5595c9254_vitra.exe
Filepath	C:\Users\Administrator\AppData\Local\Temp\vitra.exe
Size	8.1KB
Processes	3012 (074120ae158aceb1a60f1ad55e0f3421114de901758047095e7a04f17ce0a263.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3a612fd23bd7f934514b0a57f263da4a`
SHA1	`b94736c3434111a721c8c870d9bbed8a1828fa0f`
SHA256	`b720f2e5595c9254e080e0ea2dde527a4eeff3bbcd6ccac5be21d92f6db89b30`
CRC32	`2CA06B57`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.