1.3
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.74
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Baidu | Win32.Worm-Email.Mydoom.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200606 | 2013.8.14.323 |
| McAfee | W32/Mydoom.c.n@MM | 20200606 | 6.0.6.653 |
| Tencent | Worm.Win32.Mydoom.l | 20200606 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00005000', 'size_of_data': '0x00004600', 'entropy': 7.897902341253568} | entropy | 7.897902341253568 | description | 发现高熵的节 | |||||||||
| entropy | 0.8974358974358975 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 63 个反病毒引擎识别为恶意
(50 out of 63 个事件)
| ALYac | Worm.Mydoom |
| APEX | Malicious |
| AVG | Win32:Mydoom-EG [Trj] |
| Acronis | suspicious |
| Ad-Aware | Worm.Generic.23834 |
| AhnLab-V3 | Win32/Mydoom.worm.22020.H |
| Antiy-AVL | Worm[Email]/Win32.Mydoom |
| Arcabit | Worm.Generic.D5D1A |
| Avira | TR/Agent.Blkhl.dam |
| Baidu | Win32.Worm-Email.Mydoom.a |
| BitDefender | Worm.Generic.23834 |
| BitDefenderTheta | AI:Packer.406806241F |
| Bkav | W32.MyDoomLB.Worm |
| CAT-QuickHeal | Worm.Mydoom |
| CMC | Email-Worm.Win32.Mydoom!O |
| ClamAV | Win.Worm.Mydoom-5 |
| Comodo | Worm.Win32.Mydoom.Q@308v |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.f7e683 |
| Cyren | W32/Mydoom.CJDZ-5239 |
| DrWeb | Win32.HLLM.MyDoom.33808 |
| ESET-NOD32 | Win32/Mydoom.Q |
| Emsisoft | Worm.Generic.23834 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Mydoom.M |
| F-Secure | Email-Worm:W32/Mydoom.gen!A |
| FireEye | Generic.mg.167a7e9f7e683845 |
| Fortinet | W32/MyDoom.M@mm |
| GData | Worm.Generic.23834 |
| Invincea | heuristic |
| Jiangmin | I-Worm/Zhelatin.sq |
| K7AntiVirus | EmailWorm ( 0000439f1 ) |
| K7GW | EmailWorm ( 0000439f1 ) |
| Kaspersky | Email-Worm.Win32.Mydoom.l |
| MAX | malware (ai score=86) |
| Malwarebytes | Worm.Agent |
| McAfee | W32/Mydoom.c.n@MM |
| McAfee-GW-Edition | BehavesLike.Win32.Mydoom.kc |
| MicroWorld-eScan | Worm.Generic.23834 |
| Microsoft | Worm:Win32/Mydoom.L@mm |
| NANO-Antivirus | Trojan.Win32.Mydoom.cuyllc |
| Panda | W32/Mydoom.DN.worm |
| Qihoo-360 | Worm.Win32.Mydoom.A |
| Rising | Worm.Mail.Win32.Mydoom.l (RDMK:cmRtazraxjHf5ENWSePy207SGPLj) |
| SUPERAntiSpyware | Worm.MyDoom |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/MyDoom-N |
| Symantec | W32.Mydoom.gen@mm |
| Tencent | Worm.Win32.Mydoom.l |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
5d02f6de12eb07fb22fe87e05e50d6a0
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00000000 | 0.0 |
| UPX1 | 0x00007000 | 0x00005000 | 0x00004600 | 7.897902341253568 |
| .rsrc | 0x0000c000 | 0x00001000 | 0x00000800 | 2.6495694551935207 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0000c4f0 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library ADVAPI32.dll:
• 0x80c59c RegCloseKey
Library MSVCRT.dll:
• 0x80c5a4 time
Library USER32.dll:
• 0x80c5ac wsprintfA
Library WS2_32.dll:
• 0x80c5b4 gethostname
L!This program cannot be run in DOS mode.
iiiiM,
hPD4e4(
M4M4M4|tld\4MTLD803M(
`XPD;@
IEFrame
ATH_Note
rctrl_renwn
c:\sDec
nSep3ug
/%s, %u
.2u:um
nkmrnetG
{Staiex
Kazaa Lk
ry P6I
W0RAR.v.3Z.od.key#
p 5.0 () C
lcomhdeRe$tvor.
dnsapi%{.dllphlp
w@kPa_9le
{cabu'mass
vGubm{l
crosoftd
the.bgold-Uk;s}ca
"Z+cre
iWKQg^
foG+lc-
zcWxrrsf.)OW
+rr ,ar+
og3gnu
.m{6Ov
;WRdN`do8a0;oa
lekk5bnda
ymav_-!'5b_
8o@d0(
@e*.*KAdtpRN
USERPROFILE
:\yaha0
`v.;D
7 e ig;`
lud A
nvQl\+n
:gb puw2D
k3Srb\2aqFqh
5'%i~Ba.=x|
\c$Yf/j
n*ikyQA9
"p3f,FoeSA
\k,Nv EXZrr
naht%w.^
aF:H$Wh'i|s W-1MTc
Ei+!d/.s
Z@vU<$t>?Pl,e%p>0|Bcts@$F
amsQaeA
(`r[a<b
1w-f6}
!b []=-
G_n!CZ]y
lbAs9Y2
Z Lkn,$T.
F:$f]
,YS5dG
;hjX>\lmpt
[STkMdbMHK66-3
L82:tt
+Djg9!?]:Fm1f
Ve-DAE
"MONWz
$<("P"C"8
N&!Vo<SDj=
tQ"K O4"a
x14c;<#n
ABCDEFGHIJK
6LMNOPQRSTUVWXYZ cfgt
jklmFpq
!_vwxyz23456789+/qsX-P
zExp 6.00.26
3IMEO,4P
uTBy@Mfid;
V9Jw,t6-Ty@m-PDt/xP
9Zr="R"s
q-V51O
48X.5sNPs+a^vI?Gp}appmI/%Gk
[mnOf&4nfn-EdAbMv64"DDi{QHL
\HC=u'%Zu>i7bk\2,
'-$uhjp
>a{QUIT
>'PTZ5
-xYIHEL
LO87`+
nTPS&)\\*
|2~^]H+
:.] KlhJ
of.twa
rer\\MicM/s7n5'O'n dYO+ CkfCu_+5
/eu]G? ;P_6OIX]
8*P7Sh
C_^w7[
_'F$3^D
|lfk=Pj
pxeDSE
c|pLh$;x
%pX+>u
wu&q<GG5Wqoh
Pi6twaire\Miicrosofiit\Winidows\iCurren
itVrsiion\RuH
p$Trl6y
I2\CSW|$
ldcC-o^S
jZY-i`;WR
6-F.;_
$j<_RP3
jh`OJ?b4q
fdg4u|`
YCppcM;u
u?IH+Sn
#<Kf#F
B0 ;xv+PV;tQ
3 @F;|/
wiiniGniet.dll[-
5PEKef9ut_
3$tv3Wj(-
B;POi8/x
6~W"B;}
8@le(7loC
WbPV$v5
\;C}0
>F@JuD.F'
V)$Y;t0Y|
b1?mp ,
K?GOGSU~m3f
ne,<};u<)Zt
Q0^]8PU
{;_t$@SDIC1\
U~R/('Rf4;
}e%Y-b$I0
nGUqtv
!cs_0?b
A$]~% {
pzw{ok
jd7FF6|=~
tVe;?Vd;t$hFBn
*gu;r_ipWl
JS:S>}tG
QSZxOO+N!
W*Xp0,
\<<@t?(T
+CY<Jo=B@9zO
Kyd+7h%
-0vYC1-NO/&<
'xqf,wOy/UH]
tb0UE,
0"8d5^7-S;1YU2vHf
x 0|8<
2+SJNr
F}.RU8
cbf0d_
x5FG['@
hv$~,\ l\t3D
Qm {+8
.5a>3K
Hy FQ~
J6f2/Xp
?GLa`;
bx3*oo
+KICY`D
h^ddk3T
o';Wto*9
vt\kQS
'UY3SQ g
g%vAa+qYDW\&^
]G7F(O
=khY(QR
h~8ZnQ;t
GWSYf;
j2.`h
r2Ojx26hR<P
f+eqkNdw "Z
?I7\d;
@ZA{+[
H_tu(n
}8h+|-;O
;}e;}a;WZ
;~C;~?+b
M-JSQaH
P=/sSu
V|Ehmd
[GdlcO`1vUMp6l:p
jQ4Mhp
> Fzr?0
1EpDMlu[4EP`
djk7&s
04Sof,
,\Micro
,sof\W,
,AB\WAP
,ab bF
,ile NaP,m
#*u=9kY1d
8F,ZF>h=
<U<puY6ql_
buG:uCR<hu
sup>Y<s
btN<db7x
75<w_u
Kfuc['{8
\P#NYsYZ
Pu%8.@+u
#<8P>|f
&P2 jKk
\.ocal 6rSeti\.Qngs-V=TemFp5fr
yJ5fI:F/Wu]
]4Mbk$b
=#Lf$a
LLa7PP1d[
CYRtg-
+0S6-h
.5PfO5
guj,(,
g*<u?m
0<Q'Fzd|s0K
zV5Xme
P9d{Vj.
$Pt7lK
Y`f[ 5g;Pl
^:#CYx
bD^:3rS
@PA`Wz
/h(ht!h`
JbG!=!!++
~$k/&;t
}d4H1A|(}.
3*HWS.
Y]G2~
_`EPF0
|$3FP;
[mx#(|
pe\#kkV^S&Y
hXPkWPQ
,>kA&5
54oE'J
Z(MrSPPY
lJS^8
#[=9"E@
K8!PxC
Q"FhWQ"Yz72G
^$cG|$l
xo?~E< r8<=t4<+t0<,<
t(<v aULv7GR<Y
Od3GX%dy
,l_HHt
"}5vBR
+D5uUtm1Oh\9
VRG-'(
vm-!+_|
D#NQPWNy
KDDBS}g^Y
1@&o4,;[;
@5~)XZP;
7l[fW!c
bFO><:t9.5
$8&4E?ao8:ua
0}9-G^u
abM*^&
/dV!IV'LYs
-SRg@C
'Y1Hh<
=+(~.*%8g
,X3+(J-
;t. .u
|#eXrk }
p&hh.`
9\X]$l
U3B@$`W
JIJHp`m
W{WP'O
RKhc4
ebKtW66
k|v*(\/#Rh
FAS5Cp"Y$
^xW0vvP
Je&"TnQra
+;rMSK%nv
J-TmtQ
$pPrYH;\y
.noj8f
wnYE;r
sm@f=AB
hh6Gfpn|#
|&^bBA+ZS
}^WB_X@
_(5^*'_
tSEFtP7
, aNM~XX
nl9YJ.u+YtV[i
X.Abvl7(d
_xFZ h
WN_KMe
CS;~S[`+{
Qr(`T,oYt>)
lOPuDHL%db
>q70}:
;?| 4l
w__;}a
YP"z'GC
lR tSMpW?xp5
hncaH0
wu)P/xAl
y@*-&@'_Z
!5&#cD
pBmu=i
fgT@EH5
[P71/}
&xE[f;
U`eb{[m&
&T#zW*
P]p=V^^Y[@~
n("F$A
l)>7`03V4i
G]%Djd
bNT!E"
~#6"azp
.l( G;(|
~k;~!,
rjv(k Nhu
9t&ET`
lsc:qRH
PGtop&0=
At-^(Eehz{
GF?x\G
HYWWh>x=I
U,TempFNAU
ve;GMGlobalAl
Cas[M$g+
ZgViewOfUnm
vHtked
von)Vaab{
sCopyx
]ESl$lqAP/h
De;y-amc
%[audeChl4M]UByt"A[s
RnIPoi
;i6`H.
3l0Ao 'Gg
g`VueE
_um{@0s
d#m{[1
,`BuffA
Low3lGwvr#w
#EAYMbp
GPGWHU
wwwwwww
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
wsprintfA
Md_|d_d_
d_Ld] d_f{
<odcdd
'^BEE7Dh4Bn|
D^d?D&Q-@p"M
'%tM?mB6
PQA6=M
sf'MhM^A
?" -3EsqMb
MEk_?k[c
CLCWB}MD@
DEPEBy
dyHMoC_
dC!?TxC
lo P1\
fTDX4DQM
Pp2fA`L
mLZ&A;C
I1Z&f;
AG1 Py
skTJDE
18 f~B
PYlDl8
:B[x ORI
thC@zZ+?sAg
DyxDR }
EE?$C-?sv?3
E9@mC%
@${P!7TR&G8=
C5OS\D
1dd;CSDBDvjd`
^dbQdb
eydb8dd
dPddbdbLddddSE
ddddd_Bd_
%C#qDSh
r0dcSdd
AN!N,AP
:5N4ED
)QB5ASZMPB
B |ME(
TQ><fQ
MhD `
vARrD-
D ~*vl
HQB AB
C'xCsMgB
b$C*8b
BE-? x
TBD6CN
MMAoj?tA
N(\{D@}.
]QeD1HV4"
{Q^!Da
-gQ%bDH+?
sCp@`}
eabQ@Z
?MM9""|
ND'JTD1
H;>WCr
SVCyUMs
~*2BYF
~J#P=-H
(eH/1$
\%6*{&*f
8Nv^'g.
/ED}tN)'mro
PS +A{`Qs
iR]MuB
L#Mo.D
CHAoV@QE
[D\2Mi
f=bD'-Cy^
4?IEhm
9t#p'@p
P >.n P
$A^Z^XD65tA
QQ~B?SBRb_e6Zs
N@Ax/V?
A*SD#+GC
[nA0oM
#A&"DU`
BlDlBI'
+N>$B>
%U}D(B#
;|ET:E
f#OE%+G
AE}9aFA
;QwA\)@
Z%Bgcg
Qf anZv,?
C!1AC`
DP}:?E(/
yEAQp1DJ!$Csv
D_RF@s}6aBk
EH&A\v
E%MkM]:@H
OELSA`B
jD"j7DM
>#)/D}
2J`F?s
Pm^h|D
PD#$:8?o\
6w@1SD2`D92
*r2(V2:
\g[Cr-jC
D4 EhZ
sAd-E4
e*DvC0
F\^APG
$4e8+9
Rt;A!XE
?7!ED(}Dq~Q-
~8J.;ZR5H
V@E6L&B
:A@{*A@]
+zl~D6
kD'\+D"(&^a
&w.BUC@h@
ExkC\>D
cQD% Q
FD5tWB
-~AT34]%@EA~u@5}OCQ
M?s-dcD~t
daadd@
)dcda/
dcdcdbN
D@.[ECR
f.Jd`7db
q&db~E
edddbddjdds
Fdd]d]
Y/dd9ddu&~db
db[da%dd
d_bda(
ddldddd
>FOdd'dd?
XEP4dd
da-db1dd"db d_db
Pj5q!1
$N"uBJ
D:M}55
PGpQR?s@s/
s]BvmQd
p)dc~!
eaDd"K
<$T<6x
Pwe,`(@q
STDX}D
WdFd_B@
=ZBJ;mCQ
sI_ddPd`.
"B%3Z<
C`d_dddb
|(AuQD
<O/fE"#BH0dbP
JpD^Cud`5db]dbD
R?D87>0
\^!d\k
iB%}flR
q)j'B0
A:M{?\C
% >>DgZg
D3Ce$}t
Az"+3M
SWF,/fEvB
ddCdbKddkd_jdd5
d_Ad[y
M5}Db[
MInD?d
Sf=+E(;
(s2dcdb
r)5@f!
,4Qsd\ddd\[
mKE"s=
`BB+:`n
mgdc}Ddb!
dc[ddM91E@
yddfdd6dd0
Sdbd_/ddyd[d[mddddRdd dddb*d_3d_#dd1dddbkd_d_dbdcxdZ
d_d[d\dd}dZd\
Ajx@<TreK
WTdbvAZ
s7?LK&=
?@AD5Y
(1#XE$
<db_qd_
U6ddJA
HE&AE7I`
4En#hE=
fDnD^A
d[qdbPpC,
Kp@`>CkO
d\d\d_
;{Qdb5l[ dbdb
/eE]?jAeE
OdbddddX
d1;Af;z
#[De-E
od\rMdcdZtd[xE<
w1eH[B0
GDRAfgpMo2O
sE"D$;eB
dZd[v?
PqC3alA
b$D2dZ
DnDrg`
;|ddTddd\\dbMdddZdcdc
d_8dddd^
Pdddd\ddd2
d\nDB!
dapda{
Y-8d]#?
,<nB T
b_0F=tN
~{dbdb#pdcd
dchvEK
~9GqdcT?
, dBT^am@Z
lWdbJS
u;"g.j4
B#1D\e
cTuC+?
T=BL|db
"ZDJSdZ
9:d`-'I
^da.d[zd_(
Xdag?1
daiE":
0d_d_
d[@frd_dd
dbdaxddd]]
ddd_d_Gdd_d_}
D5dadaddn
fd_dd)d[
Xwd[d_dad_
d]yd_kdbBdcdd<Qf
-5DlL@
F^B7CU^
dy%CfU
eMBHO?)
3 ?KBJ
p)'Ejh@O
6`D'dddP
dahY~)^
f*ZA[NDM
UC&SgCO
'd`fC~e
D:gd_w
daeAbu
^d]d_d[}
y<CB\to[
e)K.%B
nlAidd
"!QtBZC4
ddNd]adaTd]^
dad_d_dd*d_-
=DCC>04
BjXv1$F
&daddA
dQcd[dP
dd#d_d_
D~Bdddc<!>@6H/db
d_Md_sd_ed]
~A(z"uD
BdddWFdaWdd
5+4u^
45d]dakl
N&d]d]
dazddddd_dd
d_Rd_2da
daX}dd3d
4&Db1AuPd[
s;d[d\Z
qBxdd'd]
[d\[dboTVZ]
db&dZd_dadbdPY$I
iBf@d_~dPUda
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.