Score: 0.9
Verdict: Low risk (the sandbox's dynamic score; note that 50 of 62 VirusTotal engines listed below flag the file, and the dynamic run produced no sample-attributable activity)

SHA-256: 0f12ac8ea123528fce4ab811df59b1f4fde18879fdb23307e52ba08547b9e6c1

File name: 0f12ac8ea123528fce4ab811df59b1f4fde18879fdb23307e52ba08547b9e6c1.exe

Analysis duration: 193s

Last analysed: 371 days ago

File size: 37.0KB
Tag filters: static detection, dynamic detection, CVE, FAMILY, METATYPE, PLATFORM, TYPE
Tags: UNKNOWN WIN32 TROJAN BACKDOOR ABINDI

鹰眼引擎 (Eagle Eye engine) model scores
DACN 0.12
FACILE 1.00
IMCLNet 0.50
MFGraph 0.00
Static verdict

Antivirus engines

Engine | Result | Scan date | Engine version
Alibaba | Backdoor:MSIL/Bladabindi.8c5255e9 | 20190527 | 0.3.0.5
Avast | MSIL:Bladabindi-JK [Trj] | 20210212 | 21.1.5827.0
Baidu | MSIL.Backdoor.Bladabindi.a | 20190318 | 1.0.0.2
CrowdStrike | win/malicious_confidence_100% (W) | 20210203 | 1.0
Kingsoft | None | 20210212 | 2017.9.26.565
McAfee | Trojan-FIGN | 20210212 | 6.0.6.653
Tencent | Msil.Worm.Bladabindi.Dygm | 20210212 | 1.0.0.1
Static indicators (none listed)

Behavioural verdict

Dynamic indicators

Network communication

Communicates with hosts for which no DNS query was performed (2 events)
host 114.114.114.114
host 8.8.8.8
Both addresses are public DNS resolvers (114DNS and Google Public DNS) and appear in the UDP table further down only as the destinations of port-53 queries, so this indicator is the sandbox flagging its own resolver traffic rather than a command-and-control contact.
Flagged as malicious by antivirus engines on VirusTotal (50 of 62 engines)
ALYac Generic.MSIL.Bladabindi.00654DBE
APEX Malicious
AVG MSIL:Bladabindi-JK [Trj]
Acronis suspicious
Ad-Aware Generic.MSIL.Bladabindi.00654DBE
AhnLab-V3 Trojan/Win32.Korat.R207428
Alibaba Backdoor:MSIL/Bladabindi.8c5255e9
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi.as
Arcabit Generic.MSIL.Bladabindi.D28EDBE
Avast MSIL:Bladabindi-JK [Trj]
Avira TR/AD.Bladabindi.wqrej
Baidu MSIL.Backdoor.Bladabindi.a
BitDefender Generic.MSIL.Bladabindi.00654DBE
BitDefenderTheta Gen:NN.ZemsilF.34804.cmW@aSp0fdc
CAT-QuickHeal Backdoor.Bladabindi.B3
ClamAV Win.Trojan.B-468
Comodo TrojWare.MSIL.Spy.Agent.CP@4pqytu
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.8cbbee
Cylance Unsafe
Cynet Malicious (score: 100)
Cyren W32/MSIL_Troj.AP.gen!Eldorado
DrWeb Trojan.MulDrop6.42253
ESET-NOD32 a variant of MSIL/Bladabindi.AR
Elastic malicious (high confidence)
Emsisoft Generic.MSIL.Bladabindi.00654DBE (B)
F-Secure Trojan.TR/AD.Bladabindi.wqrej
FireEye Generic.mg.19505718cbbeef85
Fortinet MSIL/Bladabindi.AS!tr
GData MSIL.Trojan-Spy.Bladabindi.BQ
Ikarus Worm.MSIL.Bladabindi
Jiangmin TrojanDropper.Autoit.dce
K7AntiVirus Trojan ( 700000121 )
K7GW Trojan ( 700000121 )
Kaspersky HEUR:Trojan.Win32.Generic
Lionic Trojan.Win32.Generic.4!c
MAX malware (ai score=100)
Malwarebytes Bladabindi.Backdoor.Njrat.DDS
MaxSecure Trojan.Malware.300983.susgen
McAfee Trojan-FIGN
McAfee-GW-Edition BehavesLike.Win32.Backdoor.nm
MicroWorld-eScan Generic.MSIL.Bladabindi.00654DBE
Microsoft Backdoor:MSIL/Bladabindi.B
NANO-Antivirus Trojan.Win32.Autoruner2.ebrjyu
Paloalto generic.ml
Panda Trj/CI.A
Qihoo-360 Generic/HEUR/QVM03.0.4076.Malware.Gen
Rising Backdoor.MSIL.Bladabindi!1.9E49 (CLOUD)
Sangfor Trojan.Win32.Save.a
SentinelOne Static AI - Malicious PE
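Vendor labels disagree on class (trojan, backdoor, worm, spy) but 21 of the 50 detections above name the same family, Bladabindi, which is Microsoft's name for njRAT (Malwarebytes spells that out as Bladabindi.Backdoor.Njrat). Reducing a label set to a family consensus is the step an analyst actually wants from a VirusTotal list. The script below is an added example written for this page, not sandbox or VirusTotal code; the tokeniser and the generic-word list are the editor's own heuristics, and the sample input is an excerpt of the report's results.

```python
"""Family consensus from per-engine antivirus labels.

Added example for this report; the tokeniser and the generic-word list are the
editor's own heuristics (in the spirit of label-normalising tools), not part of
the sandbox or of VirusTotal.
"""
import re
from collections import Counter

# Words that name a malware class, platform, heuristic or packer rather than a family.
# Assumption: a starting list, not an exhaustive vendor vocabulary.
GENERIC_TOKENS = {
    "generic", "malicious", "malware", "suspicious", "unsafe", "heur", "heuristic",
    "trojan", "troj", "trojware", "backdoor", "worm", "spy", "dropper",
    "trojandropper", "trojanspy", "agent", "variant", "confidence", "score",
    "win32", "win", "msil", "static", "cloud", "high", "eldorado", "susgen",
}


def family_tokens(label: str) -> list:
    """Split a vendor label on punctuation and keep only plausible family names.

    Tokens shorter than four characters, tokens containing digits (variant ids,
    hashes, version numbers) and generic class words are dropped.
    """
    keep = []
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        t = tok.lower()
        if len(t) < 4 or any(ch.isdigit() for ch in t) or t in GENERIC_TOKENS:
            continue
        keep.append(t)
    return keep


def family_votes(verdicts) -> Counter:
    """Count, per candidate family, how many engines mention it (one vote per engine)."""
    votes = Counter()
    for _engine, label in verdicts:
        for fam in set(family_tokens(label)):
            votes[fam] += 1
    return votes


def top_family(verdicts):
    """Return (family, votes, engines_considered); family is None when nothing qualifies."""
    votes = family_votes(verdicts)
    if not votes:
        return (None, 0, len(verdicts))
    fam, n = votes.most_common(1)[0]
    return (fam, n, len(verdicts))


# Excerpt of this report's VirusTotal results, used here as sample input.
SAMPLE_VERDICTS = [
    ("ALYac", "Generic.MSIL.Bladabindi.00654DBE"),
    ("AVG", "MSIL:Bladabindi-JK [Trj]"),
    ("AhnLab-V3", "Trojan/Win32.Korat.R207428"),
    ("Antiy-AVL", "Trojan[Backdoor]/MSIL.Bladabindi.as"),
    ("ESET-NOD32", "a variant of MSIL/Bladabindi.AR"),
    ("Kaspersky", "HEUR:Trojan.Win32.Generic"),
    ("Malwarebytes", "Bladabindi.Backdoor.Njrat.DDS"),
    ("Microsoft", "Backdoor:MSIL/Bladabindi.B"),
    ("DrWeb", "Trojan.MulDrop6.42253"),
    ("Jiangmin", "TrojanDropper.Autoit.dce"),
    ("CrowdStrike", "win/malicious_confidence_100% (W)"),
    ("FireEye", "Generic.mg.19505718cbbeef85"),
]

if __name__ == "__main__":
    print(family_votes(SAMPLE_VERDICTS).most_common())
    print(top_family(SAMPLE_VERDICTS))
```

The digit filter is deliberately blunt: it removes variant suffixes and hashes but also loses names such as Dr.Web's MulDrop6, so a production version would whitelist known families with digits. Purely heuristic verdicts (Cylance, SentinelOne, CrowdStrike) contribute nothing to the family count, which is the correct outcome: they say "bad", not "what".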
Run-time screenshots

No screenshots available: none were captured while the sample ran.


PE Compile Time

2020-05-14 02:51:41

PE Imphash

f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00002000 0x00008ba4 0x00008c00 5.6015928475143415
.rsrc 0x0000c000 0x00000240 0x00000400 4.968771659524424
.reloc 0x0000e000 0x0000000c 0x00000200 0.07763316234324169

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x0000c058 0x000001e7 LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library mscoree.dll:
0x402000 _CorExeMain

The only native import is the CLR entry stub, which is what every managed executable imports. The Imphash above (f34d5f2d4577ed6d9ceec516c1f5a744) is therefore the value shared by practically all .NET PE files and does not relate this sample to anything; for similarity work use the .NET metadata names in the string table below rather than the import table.

Strings

!This program cannot be run in DOS mode.
.rsrc
.reloc
v2.0.50727 (CLR version string: the assembly targets the .NET 2.0 runtime; the My.Application / My.Computer types below are the Visual Basic .NET "My" namespace, so the source was VB.NET)
#Strings
<Module>
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
Microsoft.VisualBasic.ApplicationServices
ApplicationBase
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
System.CodeDom.Compiler
GeneratedCodeAttribute
System.Diagnostics
DebuggerNonUserCodeAttribute
Microsoft.VisualBasic.Devices
Computer
DebuggerHiddenAttribute
System
Object
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
Microsoft.VisualBasic
HideModuleNameAttribute
MyGroupCollectionAttribute
RuntimeHelpers
GetObjectValue
Equals
GetHashCode
RuntimeTypeHandle
GetTypeFromHandle
ToString
Activator
CreateInstance
System.Runtime.InteropServices
ComVisibleAttribute
ThreadStaticAttribute
CompilerGeneratedAttribute
m_ThreadStaticValue
get_GetInstance
System.ComponentModel.Design
HelpKeywordAttribute
STAThreadAttribute
System.Net.Sockets
TcpClient
System.IO
FileStream
FileInfo
MemoryStream
Conversions
ToBoolean
System.Reflection
Assembly
GetEntryAssembly
get_Location
Microsoft.Win32
SessionEndingEventArgs
Exception
IntPtr
op_Equality
op_Explicit
Strings
String
get_Length
ProjectData
SetProjectError
ClearProjectError
System.Text
Encoding
get_UTF8
GetString
DirectoryInfo
get_Name
ToLower
Operators
CompareString
get_Directory
get_Parent
System.Threading
Thread
Monitor
Stream
Dispose
set_ReceiveBufferSize
set_SendBufferSize
Socket
get_Client
set_SendTimeout
set_ReceiveTimeout
ToInteger
NewLateBinding
LateCall
ConditionalCompareObjectEqual
Concat
Convert
FromBase64String
Microsoft.VisualBasic.MyServices
RegistryProxy
ServerComputer
get_Registry
RegistryKey
get_CurrentUser
OpenSubKey
DeleteValue
ToBase64String
GetValue
Interaction
Environ
Conversion
CompareMethod
Registry
CurrentUser
SetValue
System.Net
WebClient
System.Windows.Forms
MessageBoxButtons
MessageBoxIcon
IPEndPoint
System.Drawing
Bitmap
Rectangle
Graphics
Process
AppWinStyle
DialogResult
MessageBox
CreateObject
Boolean
ChangeType
RegistryValueKind
Cursor
GetTempPath
WriteAllBytes
get_Audio
AudioPlayMode
IPAddress
AddressFamily
SocketType
ProtocolType
EndPoint
SendTo
Exists
DownloadFile
ReadAllText
ConcatenateObject
get_Chars
ToArray
DownloadData
GetTempFileName
get_Message
LateSet
LateGet
CompareObjectEqual
OrObject
Screen
get_PrimaryScreen
get_Bounds
get_Width
get_Height
System.Drawing.Imaging
PixelFormat
FromImage
CopyPixelOperation
CopyFromScreen
get_Position
Cursors
get_Default
DrawImage
ImageFormat
get_Jpeg
WriteByte
EndApp
FileSystemInfo
get_FullName
DateTime
Environment
get_MachineName
get_UserName
get_LastWriteTime
get_Date
ComputerInfo
get_Info
get_OSFullName
Replace
OperatingSystem
get_OSVersion
get_ServicePack
SpecialFolder
GetFolderPath
Contains
RegistryKeyPermissionCheck
CreateSubKey
GetValueNames
FileAttributes
StreamWriter
Application
get_ExecutablePath
SetAttributes
Delete
get_LocalMachine
FileMode
FileSystemProxy
get_FileSystem
SpecialDirectoriesProxy
get_SpecialDirectories
get_ProgramFiles
Directory
GetLogicalDrives
TextWriter
WriteLine
Command
ThreadStart
SessionEndingEventHandler
SystemEvents
add_SessionEnding
DoEvents
GetCurrentProcess
set_MinWorkingSet
ConditionalCompareObjectNotEqual
System.Security.Cryptography
MD5CryptoServiceProvider
HashAlgorithm
ComputeHash
Module
GetModules
GetTypes
EndsWith
get_Assembly
get_Handle
get_Available
SelectMode
NetworkStream
GetStream
ReadByte
ToLong
SocketFlags
Receive
ParameterizedThreadStart
GetBytes
DeleteSubKey
System.IO.Compression
GZipStream
CompressionMode
set_Position
BitConverter
ToInt32
GetProcessById
get_MainWindowTitle
DateAndTime
get_Now
get_ProcessName
Keyboard
get_Keyboard
get_ShiftKeyDown
get_CapsLock
ToUpper
StringBuilder
get_CtrlKeyDown
Remove
MulticastDelegate
IAsyncResult
AsyncCallback
System.Collections.Generic
List`1
get_Capacity
get_Count
get_Item
user32
user32.dll
winmm.dll
avicap32.dll
kernel32
KERNEL32.DLL
mscorlib
MyApplication
MyComputer
MyProject
MyWebServices
ThreadSafeObjectProvider`1
EnumWindProc
EnumChildWindProc
m_ComputerObjectProvider
m_AppObjectProvider
m_UserObjectProvider
m_MyWebServicesObjectProvider
.cctor
get_Computer
get_Application
get_User
get_WebServices
GetType
Create__Instance__
instance
Dispose__Instance__
lastcap
GetForegroundWindow
GetVolumeInformation
GetVolumeInformationA
lpRootPathName
lpVolumeNameBuffer
nVolumeNameSize
lpVolumeSerialNumber
lpMaximumComponentLength
lpFileSystemFlags
lpFileSystemNameBuffer
nFileSystemNameSize
GetWindowText
GetWindowTextA
WinTitle
MaxLength
GetWindowTextLength
GetWindowTextLengthA
capGetDriverDescriptionA
wDriver
lpszName
cbName
lpszVer
CompDir
connect
apiBlockInput
BlockInput
fBlock
SwapMouseButton
SendMessage
wParam
lparam
SetWindowPos
hWndInsertAfter
wFlags
mciSendString
mciSendStringA
lpCommandString
lpReturnString
uReturnLength
hwndCallback
AddHome
NtSetInformationProcess
hProcess
processInformationClass
processInformation
processInformationLength
Plugin
LastAS
LastAV
lastKey
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardState
GetWindowThreadProcessId
MapVirtualKey
ToUnicodeEx
VKCodeToUnicode
EnableWindow
bEnable
lpdwProcessID
GetClassName
GetClassNameA
lpClassName
nMaxCount
SendMessageA
lParam
lpString
EnumChildWindows
lpEnumFunc
EnumChild
protect
GetChild
TargetObject
TargetMethod
BeginInvoke
DelegateCallback
DelegateAsyncState
EndInvoke
DelegateAsyncResult
Invoke
WebServices
GetInstance
MyTemplate
8.0.0.0
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
My.Computer
My.Application
My.User
My.WebServices
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
server.exe
127.0.0.1
165d6ed988ac1dbec1627a1ca9899d84
Software\Microsoft\Windows\CurrentVersion\Run
SGFjS2Vk
Exsample.exe
svchost.exe
Connect
Software\
SystemDrive
Software\Microsoft\Internet Explorer\Main
Start Page
IEhome
shutdowncomputer
shutdown -s -t 00
restartcomputer
shutdown -r -t 00
logoff
shutdown -l -t 00
ErorrMsg
SAPI.Spvoice
OpenCD
set CDAudio door open
CloseCD
set CDAudio door closed
DisableKM
EnableKM
TurnOffMonitor
TurnOnMonitor
NormalMouse
ReverseMouse
DisableCMD
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
EnableCMD
DisableRegistry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
EnableRegistry
DisableRestore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
EnableRestore
DisableTaskManager
DisableTaskMgr
EnableTaskManager
CursorShow
CursorHide
sendmusicplay
OpenSite
udpstp
pingstop
taskkill /F /IM PING.EXE
/pass.exe
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
/temp.txt
getvalue
Execute ERROR
Download ERROR
Executed As
Execute ERROR
Update ERROR
Updating To
Update ERROR
yy-MM-dd
??-??-??
Microsoft
Windows
netsh firewall add allowedprogram "
" ENABLE
taskkill /F /IM
autorun.inf
[autorun]
shellexecute=
netsh firewall delete allowedprogram "
Software
cmd.exe /k ping 0 & del "
" & exit
yy/MM/dd
[ENTER]
taskmgr
processviewer
processhacker
process explorer
button
static
directuihwnd
End process
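The user strings from line "server.exe" onward are the sample's capability set in plain text: a Run-key path for persistence, a netsh firewall exception, autorun.inf seeding for removable media, policy values that disable Task Manager, the registry editor, cmd.exe and System Restore, a "ping 0 & del" self-delete command, window titles of analysis tools to kill, and P/Invoke names for keylogging (GetAsyncKeyState, ToUnicodeEx), screen capture and webcam enumeration (avicap32.dll). The script below is an added example for this page, not the sandbox's code: it extracts ASCII and UTF-16LE strings from a binary and groups hits into capabilities. The indicator sets are the editor's grouping of literals that appear in this report, and the sample blob is constructed for the demonstration, not the analysed file.

```python
"""Capability triage of a .NET RAT from its strings.

Added example, not the sandbox's code. The indicator sets are the editor's
grouping of literals seen in this report's string table; SAMPLE_BLOB is a
constructed stand-in for a strings dump, not the analysed file.
"""
import re

CAPABILITIES = {
    "persistence-run-key": [r"Software\Microsoft\Windows\CurrentVersion\Run"],
    "firewall-exception": ["netsh firewall add allowedprogram"],
    "removable-media-autorun": ["autorun.inf", "[autorun]", "shellexecute="],
    "self-delete": ['cmd.exe /k ping 0 & del "'],
    "disable-security-tools": ["DisableTaskMgr", "DisableRegistryTools", "DisableSR",
                               r"Software\Policies\Microsoft\Windows\System"],
    "kill-analysis-tools": ["taskmgr", "processhacker", "process explorer", "End process"],
    "keylogging-apis": ["GetAsyncKeyState", "GetKeyboardState", "ToUnicodeEx",
                        "GetForegroundWindow"],
    "screen-capture": ["CopyFromScreen", "get_PrimaryScreen"],
    "webcam": ["avicap32.dll", "capGetDriverDescriptionA"],
    "power-control": ["shutdown -s -t 00", "shutdown -r -t 00", "shutdown -l -t 00"],
    "payload-download": ["DownloadFile", "DownloadData", "dl.dropbox.com"],
}


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """ASCII strings plus UTF-16LE strings (the on-disk form of .NET user strings)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ({s.decode("ascii") for s in narrow}
            | {w.decode("utf-16le") for w in wide})


def indicator_present(needle: str, strings: set) -> bool:
    """Case-insensitive exact match always counts; substring match only for needles of
    12+ characters, so the short 'taskmgr' is not credited by 'DisableTaskMgr'."""
    n = needle.lower()
    for s in strings:
        s = s.lower()
        if s == n or (len(n) >= 12 and n in s):
            return True
    return False


def triage(strings: set) -> dict:
    """Map each capability to the indicators found for it; absent capabilities are omitted."""
    hits = {}
    for cap, needles in CAPABILITIES.items():
        found = [n for n in needles if indicator_present(n, strings)]
        if found:
            hits[cap] = found
    return hits


def looks_like_rat(hits: dict, min_capabilities: int = 4) -> bool:
    """Crude verdict: several independent capability groups, not one lucky string."""
    return len(hits) >= min_capabilities


def wide_literal(s: str) -> bytes:
    """UTF-16LE literal followed by a two-byte terminator."""
    return s.encode("utf-16le") + b"\x00\x00"


# Constructed stand-in: narrow P/Invoke names followed by wide user strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00This program cannot be run in DOS mode\x00"
    b"GetAsyncKeyState\x00ToUnicodeEx\x00avicap32.dll\x00CopyFromScreen\x00\x00"
    + wide_literal(r"Software\Microsoft\Windows\CurrentVersion\Run")
    + wide_literal('netsh firewall add allowedprogram "')
    + wide_literal('cmd.exe /k ping 0 & del "')
    + wide_literal("DisableTaskMgr")
    + wide_literal("processhacker")
)

if __name__ == "__main__":
    found = triage(extract_strings(SAMPLE_BLOB))
    for cap, indicators in found.items():
        print(f"{cap:24s} {indicators}")
    print("RAT-like:", looks_like_rat(found))
```

Run it against the real file by replacing SAMPLE_BLOB with the file's bytes; the wide-string extraction matters because the command names and registry paths in a .NET binary live in the #US heap as UTF-16, and an ASCII-only strings pass misses all of them.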

DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255
dns.msftncsi.com

dns.msftncsi.com resolving to 131.107.255.255 is the Windows Network Connectivity Status Indicator probe, i.e. operating-system background traffic; no DNS query in this capture is attributable to the sample.

TCP

No TCP connections recorded. The only host literal in the binary is 127.0.0.1 (next to the file name server.exe in the string table), so a callback from this build would loop back to the analysis VM rather than reach an external controller; the dynamic run therefore reveals nothing about the real C2, and the absence of TCP traffic is not evidence that the sample is inert.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53
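Every UDP flow in the table is infrastructure noise: LLMNR to 224.0.0.252:5355, NetBIOS name service and datagram broadcasts to 192.168.56.255, and DNS to the two configured resolvers. A practitioner reading "communicates with hosts without a DNS query" wants a check that separates those classes from a genuine unresolved destination. The code below is an added example for this page, not the sandbox's logic; the flow list is transcribed from the table above and the /24 broadcast assumption is the editor's.

```python
"""Triage of sandbox UDP flows against the recorded DNS answers.

Added example; not the sandbox's own logic. It shows why the report's
"communicates with hosts without a DNS query" indicator fires on resolver
traffic, and what a flow that deserves that label looks like.
"""
import ipaddress
from collections import Counter

# Transcribed from the report's DNS and UDP tables.
DNS_ANSWERS = {"dns.msftncsi.com": {"131.107.255.255"}}
RESOLVERS = {"114.114.114.114", "8.8.8.8"}   # the port-53 targets in the capture
FLOWS = [  # (src, sport, dst, dport)
    ("192.168.56.101", 53179, "224.0.0.252", 5355),
    ("192.168.56.101", 49642, "224.0.0.252", 5355),
    ("192.168.56.101", 137, "192.168.56.255", 137),
    ("192.168.56.101", 61714, "114.114.114.114", 53),
    ("192.168.56.101", 61714, "8.8.8.8", 53),
    ("192.168.56.101", 56933, "8.8.8.8", 53),
    ("192.168.56.101", 138, "192.168.56.255", 138),
    ("192.168.56.101", 58485, "114.114.114.114", 53),
    ("192.168.56.101", 58485, "8.8.8.8", 53),
]


def classify(flow, dns_answers, resolvers) -> str:
    """Label one UDP flow; only 'unresolved-host' is worth treating as a C2 lead."""
    src, _sport, dst, dport = flow
    dst_ip = ipaddress.ip_address(dst)
    # Assumption: the analysis VM sits in a /24, so its directed broadcast is x.y.z.255.
    broadcast = ipaddress.ip_network(f"{src}/24", strict=False).broadcast_address
    if dport == 53 and dst in resolvers:
        return "dns-resolver"        # the lookup itself, not a host the sample chose
    if dst_ip.is_multicast and dport in (5353, 5355):
        return "llmnr-mdns"          # Windows / Bonjour name-resolution background noise
    if dst_ip == broadcast and dport in (137, 138):
        return "netbios-broadcast"   # NBNS queries and browser announcements
    if any(dst in answers for answers in dns_answers.values()):
        return "resolved-host"       # reached via a name the capture saw resolved
    return "unresolved-host"         # hard-coded IP, or resolved out of band


def summarize(flows, dns_answers, resolvers) -> Counter:
    """Count flows per class."""
    return Counter(classify(f, dns_answers, resolvers) for f in flows)


def unresolved_hosts(flows, dns_answers, resolvers) -> list:
    """Destinations contacted without a preceding DNS answer, infrastructure noise excluded."""
    return sorted({f[2] for f in flows
                   if classify(f, dns_answers, resolvers) == "unresolved-host"})


if __name__ == "__main__":
    print(dict(summarize(FLOWS, DNS_ANSWERS, RESOLVERS)))
    print("C2 candidates:", unresolved_hosts(FLOWS, DNS_ANSWERS, RESOLVERS))
```

Applied to this capture the candidate list is empty, which is the honest result: the sandbox's two "events" are the resolver addresses themselves. A flow to an address that never appeared in a DNS answer and is neither a resolver, multicast nor broadcast is what the indicator should be reserved for.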

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.