1.3
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.60
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Malware:Win32/Dorpal.ali1000029 | 20190527 | 0.3.0.5 |
| Baidu | Win32.Worm-Email.Mydoom.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200919 | 2013.8.14.323 |
| McAfee | None | 20200918 | 6.0.6.653 |
| Tencent | Worm.Win32.Mydoom.l | 20200919 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00005000', 'size_of_data': '0x00004600', 'entropy': 7.897902341253568} | entropy | 7.897902341253568 | description | 发现高熵的节 | |||||||||
| entropy | 0.8974358974358975 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 63 个反病毒引擎识别为恶意
(50 out of 63 个事件)
| ALYac | Worm.Mydoom |
| APEX | Malicious |
| AVG | Win32:Mydoom-EG [Trj] |
| Acronis | suspicious |
| Ad-Aware | Worm.Generic.23834 |
| AhnLab-V3 | Win32/Mydoom.worm.22020.H |
| Alibaba | Malware:Win32/Dorpal.ali1000029 |
| Antiy-AVL | Worm[Email]/Win32.Mydoom |
| Arcabit | Worm.Generic.D5D1A |
| Avira | TR/BAS.Samca.zictf |
| Baidu | Win32.Worm-Email.Mydoom.a |
| BitDefender | Worm.Generic.23834 |
| BitDefenderTheta | AI:Packer.446218C71F |
| Bkav | W32.MyDoomLB.Worm |
| CAT-QuickHeal | Worm.Mydoom |
| Comodo | Worm.Win32.Mydoom.Q@308v |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.98c721 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Mydoom.CJDZ-5239 |
| DrWeb | Win32.HLLM.MyDoom.33808 |
| ESET-NOD32 | Win32/Mydoom.Q |
| Elastic | malicious (high confidence) |
| F-Secure | Email-Worm:W32/Mydoom.gen!A |
| FireEye | Generic.mg.1adf18f98c7219fd |
| Fortinet | W32/MyDoom.M@mm |
| GData | Worm.Generic.23834 |
| Ikarus | Email-Worm.Win32.Mydoom |
| Invincea | Mal/Generic-R + W32/MyDoom-N |
| Jiangmin | I-Worm/Zhelatin.sq |
| K7AntiVirus | EmailWorm ( 0000439f1 ) |
| K7GW | EmailWorm ( 0000439f1 ) |
| Kaspersky | Email-Worm.Win32.Mydoom.l |
| Lionic | Worm.Win32.Mydoom.tpmO |
| MAX | malware (ai score=85) |
| Malwarebytes | Worm.Agent |
| MaxSecure | Trojan.Malware.300983.susgen |
| MicroWorld-eScan | Worm.Generic.23834 |
| Microsoft | Worm:Win32/Mydoom.L@mm |
| NANO-Antivirus | Trojan.Win32.Mydoom.cuyllc |
| Paloalto | generic.ml |
| Panda | W32/Mydoom.DN.worm |
| Qihoo-360 | Worm.Win32.Mydoom.A |
| Rising | Worm.Mail.Win32.Mydoom.l (CLASSIC) |
| SUPERAntiSpyware | Worm.MyDoom |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/MyDoom-N |
| Symantec | W32.Mydoom.gen@mm |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
5d02f6de12eb07fb22fe87e05e50d6a0
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00000000 | 0.0 |
| UPX1 | 0x00007000 | 0x00005000 | 0x00004600 | 7.897902341253568 |
| .rsrc | 0x0000c000 | 0x00001000 | 0x00000800 | 2.6495694551935207 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0000c4f0 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library ADVAPI32.dll:
• 0x80c59c RegCloseKey
Library MSVCRT.dll:
• 0x80c5a4 time
Library USER32.dll:
• 0x80c5ac wsprintfA
Library WS2_32.dll:
• 0x80c5b4 gethostname
L!This program cannot be run in DOS mode.
iiiiM,
hPD4e4(
M4M4M4|tld\4MTLD803M(
`XPD;@
IEFrame
ATH_Note
rctrl_renwn
c:\sDec
nSep3ug
/%s, %u
.2u:um
nkmrnetG
{Staiex
Kazaa Lk
ry P6I
W0RAR.v.3Z.od.key#
p 5.0 () C
lcomhdeRe$tvor.
dnsapi%{.dllphlp
w@kPa_9le
{cabu'mass
vGubm{l
crosoftd
the.bgold-Uk;s}ca
"Z+cre
iWKQg^
foG+lc-
zcWxrrsf.)OW
+rr ,ar+
og3gnu
.m{6Ov
;WRdN`do8a0;oa
lekk5bnda
ymav_-!'5b_
8o@d0(
@e*.*KAdtpRN
USERPROFILE
:\yaha0
`v.;D
7 e ig;`
lud A
nvQl\+n
:gb puw2D
k3Srb\2aqFqh
5'%i~Ba.=x|
\c$Yf/j
n*ikyQA9
"p3f,FoeSA
\k,Nv EXZrr
naht%w.^
aF:H$Wh'i|s W-1MTc
Ei+!d/.s
Z@vU<$t>?Pl,e%p>0|Bcts@$F
amsQaeA
(`r[a<b
1w-f6}
!b []=-
G_n!CZ]y
lbAs9Y2
Z Lkn,$T.
F:$f]
,YS5dG
;hjX>\lmpt
[STkMdbMHK66-3
L82:tt
+Djg9!?]:Fm1f
Ve-DAE
"MONWz
$<("P"C"8
N&!Vo<SDj=
tQ"K O4"a
x14c;<#n
ABCDEFGHIJK
6LMNOPQRSTUVWXYZ cfgt
jklmFpq
!_vwxyz23456789+/qsX-P
zExp 6.00.26
3IMEO,4P
uTBy@Mfid;
V9Jw,t6-Ty@m-PDt/xP
9Zr="R"s
q-V51O
48X.5sNPs+a^vI?Gp}appmI/%Gk
[mnOf&4nfn-EdAbMv64"DDi{QHL
\HC=u'%Zu>i7bk\2,
'-$uhjp
>a{QUIT
>'PTZ5
-xYIHEL
LO87`+
nTPS&)\\*
|2~^]H+
:.] KlhJ
of.twa
rer\\MicM/s7n5'O'n dYO+ CkfCu_+5
/eu]G? ;P_6OIX]
8*P7Sh
C_^w7[
_'F$3^D
|lfk=Pj
pxeDSE
c|pLh$;x
%pX+>u
wu&q<GG5Wqoh
Pi6twaire\Miicrosofiit\Winidows\iCurren
itVrsiion\RuH
p$Trl6y
I2\CSW|$
ldcC-o^S
jZY-i`;WR
6-F.;_
$j<_RP3
jh`OJ?b4q
fdg4u|`
YCppcM;u
u?IH+Sn
#<Kf#F
B0 ;xv+PV;tQ
3 @F;|/
wiiniGniet.dll[-
5PEKef9ut_
3$tv3Wj(-
B;POi8/x
6~W"B;}
8@le(7loC
WbPV$v5
\;C}0
>F@JuD.F'
V)$Y;t0Y|
b1?mp ,
K?GOGSU~m3f
ne,<};u<)Zt
Q0^]8PU
{;_t$@SDIC1\
U~R/('Rf4;
}e%Y-b$I0
nGUqtv
!cs_0?b
A$]~% {
pzw{ok
jd7FF6|=~
tVe;?Vd;t$hFBn
*gu;r_ipWl
JS:S>}tG
QSZxOO+N!
W*Xp0,
\<<@t?(T
+CY<Jo=B@9zO
Kyd+7h%
-0vYC1-NO/&<
'xqf,wOy/UH]
tb0UE,
0"8d5^7-S;1YU2vHf
x 0|8<
2+SJNr
F}.RU8
cbf0d_
x5FG['@
hv$~,\ l\t3D
Qm {+8
.5a>3K
Hy FQ~
J6f2/Xp
?GLa`;
bx3*oo
+KICY`D
h^ddk3T
o';Wto*9
vt\kQS
'UY3SQ g
g%vAa+qYDW\&^
]G7F(O
=khY(QR
h~8ZnQ;t
GWSYf;
j2.`h
r2Ojx26hR<P
f+eqkNdw "Z
?I7\d;
@ZA{+[
H_tu(n
}8h+|-;O
;}e;}a;WZ
;~C;~?+b
M-JSQaH
P=/sSu
V|Ehmd
[GdlcO`1vUMp6l:p
jQ4Mhp
> Fzr?0
1EpDMlu[4EP`
djk7&s
04Sof,
,\Micro
,sof\W,
,AB\WAP
,ab bF
,ile NaP,m
#*u=9kY1d
8F,ZF>h=
<U<puY6ql_
buG:uCR<hu
sup>Y<s
btN<db7x
75<w_u
Kfuc['{8
\P#NYsYZ
Pu%8.@+u
#<8P>|f
&P2 jKk
\.ocal 6rSeti\.Qngs-V=TemFp5fr
yJ5fI:F/Wu]
]4Mbk$b
=#Lf$a
LLa7PP1d[
CYRtg-
+0S6-h
.5PfO5
guj,(,
g*<u?m
0<Q'Fzd|s0K
zV5Xme
P9d{Vj.
$Pt7lK
Y`f[ 5g;Pl
^:#CYx
bD^:3rS
@PA`Wz
/h(ht!h`
JbG!=!!++
~$k/&;t
}d4H1A|(}.
3*HWS.
Y]G2~
_`EPF0
|$3FP;
[mx#(|
pe\#kkV^S&Y
hXPkWPQ
,>kA&5
54oE'J
Z(MrSPPY
lJS^8
#[=9"E@
K8!PxC
Q"FhWQ"Yz72G
^$cG|$l
xo?~E< r8<=t4<+t0<,<
t(<v aULv7GR<Y
Od3GX%dy
,l_HHt
"}5vBR
+D5uUtm1Oh\9
VRG-'(
vm-!+_|
D#NQPWNy
KDDBS}g^Y
1@&o4,;[;
@5~)XZP;
7l[fW!c
bFO><:t9.5
$8&4E?ao8:ua
0}9-G^u
abM*^&
/dV!IV'LYs
-SRg@C
'Y1Hh<
=+(~.*%8g
,X3+(J-
;t. .u
|#eXrk }
p&hh.`
9\X]$l
U3B@$`W
JIJHp`m
W{WP'O
RKhc4
ebKtW66
k|v*(\/#Rh
FAS5Cp"Y$
^xW0vvP
Je&"TnQra
+;rMSK%nv
J-TmtQ
$pPrYH;\y
.noj8f
wnYE;r
sm@f=AB
hh6Gfpn|#
|&^bBA+ZS
}^WB_X@
_(5^*'_
tSEFtP7
, aNM~XX
nl9YJ.u+YtV[i
X.Abvl7(d
_xFZ h
WN_KMe
CS;~S[`+{
Qr(`T,oYt>)
lOPuDHL%db
>q70}:
;?| 4l
w__;}a
YP"z'GC
lR tSMpW?xp5
hncaH0
wu)P/xAl
y@*-&@'_Z
!5&#cD
pBmu=i
fgT@EH5
[P71/}
&xE[f;
U`eb{[m&
&T#zW*
P]p=V^^Y[@~
n("F$A
l)>7`03V4i
G]%Djd
bNT!E"
~#6"azp
.l( G;(|
~k;~!,
rjv(k Nhu
9t&ET`
lsc:qRH
PGtop&0=
At-^(Eehz{
GF?x\G
HYWWh>x=I
U,TempFNAU
ve;GMGlobalAl
Cas[M$g+
ZgViewOfUnm
vHtked
von)Vaab{
sCopyx
]ESl$lqAP/h
De;y-amc
%[audeChl4M]UByt"A[s
RnIPoi
;i6`H.
3l0Ao 'Gg
g`VueE
_um{@0s
d#m{[1
,`BuffA
Low3lGwvr#w
#EAYMbp
GPGWHU
wwwwwww
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
wsprintfA
AN!N_0A
`~PpQaA
MM:M}S
&<!B^S
'zrSQfs
D ~*BO'
]DK?Vc
}QeWMtD
yxMgfM
?@Al.? xBD6?
C*DKAuaAf_
{N@D;QR
#eln#;
L^rdyl
jw1nEx
XIB8Mo2
CxfM`"
PkDtrM
(JE=?`
>> PZ`
PQ@D~@
HaQpC+
mKA?dd
PfRtBT^D
pMk@H?sBA)
KZ+D-04WAS9D
sDCu"J`Fu
aQB\t@f
7g$ f)PE]?
4D2`D92
n"I}KD'
2#DXD\J
JBC\>Z<E
`BA~uB+:Q
RBRhB!*
KDX4Do*@\+
(D0LMiB}`n
-@S}:B
"@CMY2.
oDHzMk
>&.U6Mh
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.