1.2
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20190905 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20190905 | 2013.8.14.323 |
| McAfee | Artemis!10B2F82CC353 | 20190905 | 6.0.6.653 |
| Tencent | Win32.Worm.Eggnog.Dxda | 20190905 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | WZqkObwJ |
| section | EYZtqSKO |
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'EYZtqSKO', 'virtual_address': '0x0000d000', 'virtual_size': '0x00007000', 'size_of_data': '0x00006400', 'entropy': 7.889058259176077} | entropy | 7.889058259176077 | description | 发现高熵的节 | |||||||||
| entropy | 0.9803921568627451 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 50 个反病毒引擎识别为恶意
(50 个事件)
| ALYac | Gen:Win32.P2P-Worm.cmIfaOEDADm |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Win32.P2P-Worm.cmIfaOEDADm |
| AhnLab-V3 | Packed/Win32.RL_MultiPacked.R286214 |
| Antiy-AVL | Trojan[Dropper]/Win32.Agent.a |
| Arcabit | Gen:Win32.P2P-Worm.cmIfaOEDADm |
| Avast | Win32:Malware-gen |
| Avira | DR/Delphi.Gen |
| BitDefender | Gen:Win32.P2P-Worm.cmIfaOEDADm |
| CAT-QuickHeal | Worm.Generic |
| Comodo | Heur.Packed.MultiPacked@1z141z3 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.8d4823 |
| Cylance | Unsafe |
| Cyren | W32/Eggnog.B.gen!Eldorado |
| DrWeb | Win32.HLLW.Kazaa.512 |
| ESET-NOD32 | a variant of Win32/Eggnog.E |
| Emsisoft | Gen:Win32.P2P-Worm.cmIfaOEDADm (B) |
| Endgame | malicious (high confidence) |
| F-Secure | Dropper.DR/Delphi.Gen |
| FireEye | Generic.mg.10b2f82cc353679b |
| Fortinet | W32/Parite.C |
| GData | Gen:Win32.P2P-Worm.cmIfaOEDADm |
| Ikarus | Trojan-PWS.SuspectCRC |
| Invincea | heuristic |
| Jiangmin | Worm.Generic.xne |
| K7AntiVirus | Trojan ( 0051918e1 ) |
| K7GW | Trojan ( 0051918e1 ) |
| Kaspersky | HEUR:Worm.Win32.Generic |
| MAX | malware (ai score=80) |
| Malwarebytes | Adware.Yontoo |
| McAfee | Artemis!10B2F82CC353 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.pc |
| MicroWorld-eScan | Gen:Win32.P2P-Worm.cmIfaOEDADm |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Trojan.Win32.Kazaa.fvcxrd |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM11.1.ACC7.Malware.Gen |
| Rising | Worm.Eggnog!8.2E8 (TFE:1:INUvuHGBaYL) |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/Systro-AB |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Win32.Worm.Eggnog.Dxda |
| Trapmine | malicious.high.ml.score |
| VBA32 | Worm.Eggnog |
| VIPRE | BehavesLike.Win32.Malware.tsc (mx-v) |
| Zillya | Worm.Eggnog.Win32.44 |
| ZoneAlarm | HEUR:Worm.Win32.Generic |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
3d3c4a506872e2ba5a8936703fa93f48
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| WZqkObwJ | 0x00001000 | 0x0000c000 | 0x00000000 | 0.0 |
| EYZtqSKO | 0x0000d000 | 0x00007000 | 0x00006400 | 7.889058259176077 |
| .rsrc | 0x00014000 | 0x00001000 | 0x00000200 | 3.437214473540832 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_RCDATA | 0x000100c0 | 0x00000080 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x000100c0 | 0x00000080 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library advapi32.dll:
• 0x414114 RegCloseKey
Library KERNEL32.DLL:
• 0x41411c LoadLibraryA
• 0x414120 ExitProcess
• 0x414124 GetProcAddress
• 0x414128 VirtualProtect
Library oleaut32.dll:
• 0x414130 SysFreeString
Library user32.dll:
• 0x414138 CharNextA
L!This program must be run under Win32
WZqkObwJ
EYZtqSKO
:%M r1
Y NSUu )
%W FE"
2 m+y P
1n< S:[+z%-
^{uHF/
m$rS5b[j1
-w_'w)Q
Y5)dS1.EQ#
k@Io/8uBo
rQshGw%U@
N?TiW}N
b,ok;@d
*^[1Ew
}dxhr2
Pd-4o)
ES{:aYj/G
(i/Zui
FBxES(
/?g9:2|c
.R*kII@
AS*w$]I7Y;')
y] : opECd
uw.YYks
WQ8c $%[CuE-l;
[;4aS
)%p1yu
"PS5z])
rMUJc
Q2\mf=
7keA(ga
kqKq'HY;k
&bm*4Z:yr<_/
Yk[[;60
$zU{bj
T|G7g;
V1Rx(C;r.~(LeH'{mwK
vf5UWJ0
^c+|r'
b5;%D'
D':eqjX0v-
H$TgK`RG,
'\c8/XYR
:s^?4_`CI;
In_~\v%28woo
s$mR\kBfC)R Hr
|.&&)!
.kCK {Y
R O0\2V
AzQK.W
PkgK|N.wd$x7X
X;Q&wtGU
;D!Cd/ s#A;X
e?x$1QL9b G7
V*V1Z5Y
#Vku(]s
)#GR$w2
xU\ _z
_.6`GN[<
E7ej= b8
7Fm3Zi[9 o
wTiC[bE {#]%
BVz*$F%
'kzSS]x
:Th[[k
TYi7q8Cc
-3B+X|$eO
EjFu^3Q"YwO
tgD(D`oYl8@;
\h#tS`
W3d%x<~ojs)
hJxW/("z;<
gVKY{B
%}<A+cS
J*"n}RT_CC'6
p%Gab-
+0Iqoc[&$
\\v68_h5
or~GO%*
` y x.
_K9:wc5
v~U(#nz{k*[
*zPK5%"K
:_26QS
_B71BS@pd-u?Q
u~[hTR
Y7KC,g$
Yd%6@Sg
';:/T -g`fp
o~!eye@
gT"km=
\=Yjs;Jm
/ipCWtA}y
S{BQ 9}nM8;T?
7;RL6Z(|&9'{+sw
/^Z)P_r/@1 "s'
HT-uiN0qY4A^~7R?qequ||8c
{7K[oh3A
SBoKw5'>
LDoW;<oV7
,9y`~r
2}eEQ8H]
%g]l
om$-tkt#&xxG&
ob?-IN
y\:d*CLVVk
M%#BRl-
~uKxLw
:S&n-uRg
g|)P{Qg.t+
KF18~Gc7
@\:y0z
b'_5cr;&
_@'uTq
$}*aZ9GaY_W
jeNEoW*U
)L,[E-
RWCmRo
rXC},?O>J"w`[W&TZ*Z3<[7
QhAQBu;q?
k+;Zu[/H"
7Qde%]hJ
2v*w;rP_L
Yk+pDk
TA-B@3A
R)YuY&
EsyCVQk
N1ss%Dg
wEU/ B+
-p1cCk]r
kgqwBx&r
;i^!#gZ1Fd
L 3 YJ
tG1LQ;*G,
_+7`)pkn
+uK`Ah
7.F\W[>RI
b;Yef[/m5hP8
?kRQQE
`0;TA0
>[-ro:Z
qSw;aD
[wFY0y1
&>~39a?4
mo@mjK
oeD^kq
k'*B--#!
_{D"jssV9@M!
QY10DW
l{+*|A-bIsiGu
<_a,FK
}#v~)g
KtSE?q
b,YgKO?|.u)$$U[
~d{4%z
Y4uR'n/
V^?($ X
Jr(N*oC
q*M>\b
sdtpy:
(SZ;(y
[V[7E/
$*+P1M/?!A?
l77P=6m
ep7OC'?
]2Noe]|
7;kOm9
/%ovSj
w87/}~3Wy|+
9b)w[z/
`5k<+^
1Y{E[e?y
;wifK4h[
OdMP^F
T8 Gc$
xe'qVRivKxJu
i.}{#?b/G8
^A{hI.mW-
FTgT#(-^C
i+aWF|8'Rd;
,ym{a91W
w#";QjS
/?QC\|F
';+_sy
fQvQRR.-w
SYuh)n8
%.j*1S2#
qi+NRuGS
_c4$_xS8I
U iP}N5
n-G%5EA
}K} bYq$!{&OUrQk
3A_tc^f5!WM
X?c;0mY|
znX*ZQ:3/}
coz9r)C
UM?3;G-
eK%'}D#O
W[pXSL
xP;6w}
] 5F;#}^
|>PdM\k
`#[V6p E<
;-x~VY
u\Qgu'
JAGeG>s
C{_o/@_3T&vA1?
+ U%kn
u(p1&(LR(
\3_c+8uJ
;[7@E2+|g
Snw wB.
nJ&7heA
|X8KYL
;n#. H
Q-IMYp
]x}+"?w/+db<
0A+~;4
Yu~a@[
u2%MTaoV/1
$;x$IY*t
d?s'r7
jI&`-,|
s)FptR
'vI/{ig w
qxXP<<K
km8P[-
malQM]M>l[
*I}@RtF%9Y
]3Kgtk w
>kAKmj
Q'Y/uY
Kt^vz5V
O}2G7w(yo
9Rh/ka6_
[`ga~k[`c<5F
wK V[&, mHt
o?7B+&
7zSE.U!vn "-6
RoBFTs
mWqKnv
Ma>unN+
[Jh^8@}Q.
dY})6x
767.&h
@U8^.<
*J)\aP
P*:YJcU
V!i@owbfd
-;4g7[)**
Q-<:~J}
!r@J7<4)
3jtGn-3!
xcH+)0'
wq#o<EWlO
y0|WhDqc(iMKj#U/Y
MFO~9wlc
RB7t*8
CdyVl#
oP"U/Y8n
KZ];sEi#
n\L]t#Z[1VZ'6/
.>R]Yz
C lJEI\6
Vo_*^s:p
^u0wOl`)y
ecOawowFb
5z)44ucaQ7
7W#0#r
nXA_4g_x
&0-0)w
pcO>d[|
#Tbtt'1Ew
}LpH3`
&E=}fj
V3cKl_
(1-<u%
dW46Yffm|Vw
xFx-6"&gnVU>Jse[3
m9fD]u
o-!h[mTL/-
/$*Pi;
/O)JxeK/;
cd)PLa
(u;q2R
n/yvmcKh
Vpg)5f
VexTl'g.L Gn->Q4/
Xi+B768
^aemIsG
=a+36KZBuONEJ
SkTkd_;0!7z
<_%~M'
^JDoU`05/4
62`/<wDS_t+a
748_iYKx
wTF92(8
o,|{Bs
cFjvi]
Cs7jS/4^s0
T~^s!&x
-)7}Z.Z
)2-J;`e7
wN0x ,[
Ji /I\m
(f/|5)!kr
i[+Yde
e,2px!
S6'TS0B+^"
+7b0799aGrTi7
e0Di G26a
.dLM~R
]CE{-eMQ
uJ-rs|>7u
ZA<HT!A_h;
"1o+~Y
djK`HU
, nOHt
A 4V-k}:
'2Uow;k] a
:`5iE7[
nKb!q7
IIwK>hgP?@
Z~D1w|B+;+5QuO'a
DcE#G)"Y
y\{w}k;bFt
;"@_E/l\RZ
\1C~;&]
nT{@eYV)n~
A UCM#PkR
xI"@ Kw$
t%#y~W
yZIe4cKQ
&^AI[{fF
--:;Qsa
|1`%1E2k.@
wy1iSK
bOc /+I1)p/;soDg;K
tefv/A.`Z
L>pdOx
'{~1iK
/_0|%(n ;oA)
o7vwDK
=D#w7Apc
hQIg5%
;z]/9
QcjPZa
]?7N\q
aWkh$+
Yute 9xCIR
rM(Ob-
vY F,p)o
P+2;}Fj}
]|,(B)
A@Z(Q7SN
}O`9AV
7^IA}uk
7\hfgY
\O)=v\7t
7et4&l
PiI%cDG|TT/*#
HFhMDI
GvT;8-!8_
ToJNS[^Jj(yQb
3(`0u6gKpbkop
t)~_<**K}
+E(rt34
V=gIB|w
j66@T8+
2*/>og3
Va)gQmg
N}CWHeg
CYM_*!)u
(;oMFLu
OOx|W@i)DsRV
Y{qAF`Q)
/P8YZi)
j%nw|@
"W;h:-9;'q;w9r
,CvxO+=
kError
gRuntime e
at 0 012345678m
9ABCDEF
8P$Q`Ur\D]k,`L4d\
U%QdTUU2*
:Vdt4M
(i8JXfrii
Google
System
Init*KWindow
8Regi4
SClaU}.GF
K0hoD@vU
;KWaitForSinAObject
GetVersionExA
StdHandle
ProcAddrm
/DiskFn} eSpac
msicalS|s
iz0Virt
n[TBkCouk
CurI,6
ThdIdF
[naB3AapMA4ONal
m6/#Lastw,B
2gom+4T.
Unhdak
-%t"Poin
`d\Of7Rtl:winRF
t[wTlsVue
G0BBj@3
d#5l2tX
.(brdO
3BoKCrNUFtA1Ihow[a
DATA'
hO.ide`
eTKwr'B
z'tvzzqy
XPTPSWXaD$j
advapi32.dll
KERNEL32.DLL
oleaut32.dll
user32.dll
RegCloseKey
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
SysFreeString
CharNextA
w@nF:YWn+
04]X2P[A
9O^,IU
z-cxC2
ro*KL8
f^>e6*1|
R?rr }O
[ 9FPm
?&5UBp
,QExF0V!
Hy=RGLpGm&%
XNbxnl[2
Dt0e7Zg
oV@H-O
dg*,G>AE`
?Z'HxK
8/nC]d/
pb1:Hkz}
{N\@T-6ZwPD}Q
O e<8_B%
Xq{-q9-*\2pv
;oBc?i
<u>BB_G
K=*V3~fS
WmGcPK5
1Z$82B#Sb8NAw
p~\\ZH
"FMHy+?Dwy;<
,E0(;8
5$Dp,JA:a
|ej}&]:#
4we;!80dN8/49
S>a&a%1
p40YAdB
w@nF:YWn+
04]X2P[A
9O^,IU
z-cxC2
ro*KL8
f^>e6*1|
R?rr }O
[ 9FPm
?&5UBp
,QExF0V!
Hy=RGLpGm&%
XNbxnl[2
Dt0e7Zg
oV@H-O
dg*,G>AE`
?Z'HxK
8/nC]d/
pb1:Hkz}
{N\@T-6ZwPD}Q
W6*.\'N3d7MZTRqNU
1|/$#Z8H
%'WQS%J
{OwX}t
GbUdBc
R&KRC:Y@
I/vbhy
Wk~ `|iO
5TDxB+8
7x0&rk
t$.R1|W_s{
m/yQ7M]2>]8
r*'KYd
vfw'5<0Lq
44lr=p{9bJ<~^k7;
{st-3Hfq){
d"a#dA
YlSDrh*\@x
h!&hr&B
4=Z!Vu5m5rnTsM(p
HP*4,b?u
#ZduWi1~1W5F
>Z\bWj_N
v?\Ge^
mMG+f>6=Kn'"FH0
S% f|i55
=@~01#f){yA
'#XWs@.Y1
_6rYQJ"
^Pz0pPT x
|<{x8\hwW
`YU RY
VHVvX#"_
42Z5oh
n~0vy*,
aZi"Yhq9
-s}']
NyDYRqX8MQ"F
H uY)L?d
BjxybRJ\
t""vN S3~Tw
*08Jgu
sT]D~(od
NGnU[-Dao&Xc-
o?qNS\a*
_2L]E(
8BR4Bg2VNEh|
3\yOgN
3V66}f
X=9#rP
k} '~qp!r/nZ+:s?
ajghzA
*|Q'Uf[l
<1EO#7
eLO_v;0
g(sWPn
N;8XOvUC
L/^ *l`q
qu(^?b
<:'liOTbM
cuIaU3
HBS<~>
wiVahHY
&i"ds9+
w/bNvkjNIH\_$}d^eK
VIQ`Y^ dX\HN=
1>"9JiJF
Q/,U,('
p92JA0
UPqgoV
G3/;co$
Orz{@p
$vd95{1O
"JGvGKoBf
PtBak3t
5RU[<
7~}6H
m;g|0G
wXuIJcC
!SRhZ
<6fLC*
@?.O9
;>DK'ix
*!#q.y[;
kh5cBZ^J
aCv 5Ln^* 3|v}U@Aj6j
@0o 3@
%GWn/<@XFD
Xm#iahP`/
cG;^u=AC^|?
A-+_mTnL
GOR2VJ=BM
m-t5JB
c_Q$>9Va 8
KOMnow
JQL|R"$>Y.1
~L}h@9:
mt9uZVb
pG;J BIFl/9
t84L=[/+
Uyp,%DqI E
r"!=|?
q7fa$j.V+{hOKj
tM }4[%A!
n5$VxpT-ER7b
\fQPK_PRU2
S!@7Z})8f
f8yb#]<
+%- #HE.>qgz
\~2J,NqR
1lS`Yk)!w(+ -Rc
Qb $66Ih
UJ<V>&L8PL9U)*-
jIS9^NI&
*fNTAk%}|o?
K#/3+TgF.6
Fva_(:
'$@ YG9
L..:UA&
[hnr]e
Y}Vw2
.v2R|J}X2
q<E5&;]>S2hDb%WEmh{ef`f
J2pb#D
]@g3D9
-:k!Nx
S>Us%z
;QFeiD
#CEXQ{0
QH0U]y
T(T=n$8P'
^Dae!r
fe+fx%Og
Sw92ia
%Hli6l,
,?h{z~ mS]
< `IW'\fD0t
>yoCy[
iSvoV^
`v<Oe`
Fep$:yn^t-:x
;0s3D[eJC}x
W{B`F-q$
3lUMcBy
L}X zid\*`
`YOnbL`
_zs$9G
#B#Yb,{
d$'tryrt
>@[R-zg
%~SkM}
}}19$09F
22#wC 95XXp6
hE@,yjCvv2b_
-QG6_%TM
Z@Flu)@
U+F*:*j
?Uq>Q7E
K9g;((
0{SJKm%|eP
@F4.4jemkM
/~Yt~-cZCs/o.B\_I
pHJufE
g,dk$7m
/c4{SHh>
{+;I,u:B
w2G(fT
^YYaXK,yca{h
o#+neJM;
-3X,Suji#2
4n+PO g
"U_x&?Vy-
#9"j0U
ucZ`,$
$*1P@z
,PrICJ
h,3o8(sKEh
(]4 ;zIh
#8]8rI#R
7w}u=44
P>P~LX>1
DOuq0"
P}zIRrX
uObqip&RJ
[q3DI[tDr|2tLwE
H5%:=3n
8Uj?4j
.K=A(o _r}t<Ba
oL~QC=
shVwGfB
M?ISR;==}
Wtz+"e[
E5.}l\<;tZU
n>U/h)
aq "AEj
Hz<GC2
o}#2{+./pdq\|B&!
0eOV'?8|
.8B)p22
N}\1>yf
X?GU)R
bq&`Lr0P3t
?0F7= U
bM}MHDU
dj}~s;!gS
3BOcir
SG_b(Bv
SPvE)&
=r-v.HG=2Z;Z:
"hvzo-n
OnOM]X
$ZaE4!
1w\|)T_4x$$
kElU2C
gqCtZ^
G,{oYx
#09oj"
L3k[J+
?QLXZJ
IUnb6__
^kpfO>
eyh>fI
&(8/NmKh
K$&Qwu9./
ir!"$Q0
fZ@07^
wr(DW d
5;DJ/bIJ
!~7Ftl139DyKGlM@D+$>ueWY<3
E9h2b%
j c_Z%m.&&{
.2$@."'%
hn%7lp.
q9fG NkaF#
b%FZcn;
O/DNE"`V
W_L3tS/n
n1NzMBl&e
7!SSLTBao
jgp=X!7Fh*~'
=i*|=+r
U<.V$k 6=
3gvo:u`iM\=Bm
?=LnM$olK
^19HZR/'
kn`k<'
l14_vO
JG,`,7z
BZ(h{i0.hq#
D,<)"+
OkMl78r
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
Process Tree
- 860773060b5e0de51ccac9f12e38a6d0543496d8f29b1ea231cfe32c23e873c4.exe (1612) "C:\Users\Administrator\AppData\Local\Temp\860773060b5e0de51ccac9f12e38a6d0543496d8f29b1ea231cfe32c23e873c4.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
|
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.