1.0
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.66
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20190920 | 18.4.3895.0 |
| Baidu | Win32.Adware.Kryptik.h | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190920 | 2013.8.14.323 |
| McAfee | GenericRXHB-SZ!2006B28B2B72 | 20190920 | 6.0.6.653 |
| Tencent | None | 20190920 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .ap0x |
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 41 个反病毒引擎识别为恶意
(41 个事件)
| ALYac | Trojan.Agent.VB.CAT |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.VB.CAT |
| AhnLab-V3 | Malware/Win32.RL_Generic.R259209 |
| Antiy-AVL | Trojan/Win32.VB.cuvt |
| Arcabit | Trojan.Agent.VB.CAT |
| Avast | Win32:Malware-gen |
| Avira | TR/VB.Agent.dleuig |
| Baidu | Win32.Adware.Kryptik.h |
| BitDefender | Trojan.Agent.VB.CAT |
| CAT-QuickHeal | Trojan.Agent.S5534944 |
| ClamAV | Win.Trojan.Agent-1388662 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.b2b728 |
| Cylance | Unsafe |
| DrWeb | Trojan.VbCrypt.250 |
| Emsisoft | Trojan.Agent.VB.CAT (B) |
| Endgame | malicious (high confidence) |
| F-Secure | Trojan.TR/VB.Agent.dleuig |
| FireEye | Generic.mg.2006b28b2b7285b8 |
| Fortinet | W32/Agent.CAT!tr |
| GData | Trojan.Agent.VB.CAT |
| Ikarus | Trojan-Downloader.Win32.VB.auq |
| Invincea | heuristic |
| MAX | malware (ai score=86) |
| Malwarebytes | Trojan.VBClone |
| McAfee | GenericRXHB-SZ!2006B28B2B72 |
| McAfee-GW-Edition | BehavesLike.Win32.VBObfus.pt |
| MicroWorld-eScan | Trojan.Agent.VB.CAT |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Trojan.Win32.VB.fnrisw |
| Panda | Trj/GdSda.A |
| Qihoo-360 | HEUR/QVM03.0.0435.Malware.Gen |
| Rising | Trojan.Win32.VBClone.a (CLASSIC) |
| SentinelOne | DFI - Malicious PE |
| Symantec | ML.Attribute.HighConfidence |
| Trapmine | malicious.moderate.ml.score |
| VBA32 | BScope.Trojan.VBKryjetor |
| Zillya | Trojan.Agent.Win32.1076006 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2012-06-24 14:09:09
PE Imphash
56f6502f5b2292e04bc0e535f0cb2ac4
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000065c8 | 0x00007000 | 5.628343820073602 |
| .data | 0x00008000 | 0x000009ec | 0x00001000 | 3.161546516182495 |
| .rsrc | 0x00009000 | 0x00004000 | 0x00000000 | 0.0 |
| .ap0x | 0x0000d000 | 0x0000049c | 0x00001000 | 1.6137461961326465 |
Imports
Library MSVBVM60.DLL:
• 0x401000 _CIcos
• 0x401004 _adj_fptan
• 0x401008 __vbaStrI4
• 0x40100c __vbaFreeVar
• 0x401010 __vbaFreeVarList
• 0x401014 _adj_fdiv_m64
• 0x401018 __vbaFreeObjList
• 0x40101c _adj_fprem1
• 0x401020 __vbaStrCat
• 0x401024 __vbaHresultCheckObj
• 0x401028 _adj_fdiv_m32
• 0x40102c rtcRandomNext
• 0x401030 rtcRandomize
• 0x401034 rtcMsgBox
• 0x401038 _adj_fdiv_m16i
• 0x40103c _adj_fdivr_m16i
• 0x401040 _CIsin
• 0x401044 __vbaChkstk
• 0x401048 __vbaFileClose
• 0x40104c EVENT_SINK_AddRef
• 0x401050 __vbaGenerateBoundsError
• 0x401054 __vbaStrCmp
• 0x401058 __vbaPutOwner4
• 0x40105c _adj_fpatan
• 0x401060 __vbaRedim
• 0x401064 EVENT_SINK_Release
• 0x401068 __vbaUI1I2
• 0x40106c _CIsqrt
• 0x401070 EVENT_SINK_QueryInterface
• 0x401074 __vbaExceptHandler
• 0x401078 _adj_fprem
• 0x40107c _adj_fdivr_m64
• 0x401080 rtcVarBstrFromAnsi
• 0x401084 __vbaFPException
• 0x401088 __vbaInStrVar
• 0x40108c rtcStrConvVar2
• 0x401090 __vbaVarCat
• 0x401094 __vbaGetOwner4
• 0x401098 rtcDir
• 0x40109c _CIlog
• 0x4010a0 __vbaErrorOverflow
• 0x4010a4 __vbaFileOpen
• 0x4010a8 __vbaNew2
• 0x4010ac rtcFileLength
• 0x4010b0 _adj_fdiv_m32i
• 0x4010b4 _adj_fdivr_m32i
• 0x4010b8 __vbaFreeStrList
• 0x4010bc _adj_fdivr_m32
• 0x4010c0 _adj_fdiv_r
• 0x4010c4 ThunRTMain
• 0x4010c8 __vbaVarTstNe
• 0x4010cc __vbaI4Var
• 0x4010d0 __vbaVarDup
• 0x4010d4 __vbaR8IntI2
• 0x4010d8 _CIatan
• 0x4010dc __vbaStrMove
• 0x4010e0 _allmul
• 0x4010e4 _CItan
• 0x4010e8 _CIexp
• 0x4010ec __vbaFreeObj
L!This program cannot be run in DOS mode.
Project1
FSY<u:O3f
U<.}0;
`eW\TH'2 sl
^}yokuvy
ld`bigrnhc
~|~nww
yraorql
rz|~~~
}pnodf]g
T`_VKN
To_abb^i
3vVU:y
`HD fc:)zcg
V]MG(z
w3;E1l
XW`COXKB@A.? 0&
wtuy}tv{u
21*!>{855H7
HeM|DIP{SR@X~WTt^wSczSv]<
53@:??7
5540#%'5
~mt[R`bf]faUb
m\RXffjcgXZe[]`
ahhker
xq`kmj
g_Telmg
gd}djc
#7KPILSHC683~(<{0q*d#
_dWkd_kcXq
0S3U.}
2d&g12
Qbwpmo
2O,w"dBA
YCA5M
=\Gn)3[X0z7
T#0aE!
ZKD gS
NiQ9vLM60B
TkP~xzT!Nd
0NGX[-A"q
m\[ZDA877884(xA
NuV-{q
zr{akihUDgSXJIR6p\
_RKXCCJHH?E;6=;4*)"2-i
{syqu~|vutrqyln[e
VB5! *
Icon_Morphic
Project1
Project1
Project1
HAX MjVeBD
+3q"=h
VBA6.DLL
__vbaVarDup
__vbaGetOwner4
__vbaRedim
__vbaFreeObjList
__vbaUI1I2
__vbaGenerateBoundsError
__vbaR8IntI2
__vbaI4Var
__vbaFreeVarList
__vbaVarCat
__vbaInStrVar
__vbaVarTstNe
__vbaErrorOverflow
__vbaFileClose
__vbaPutOwner4
__vbaFileOpen
__vbaFreeVar
__vbaFreeObj
__vbaFreeStrList
__vbaStrI4
__vbaHresultCheckObj
__vbaNew2
__vbaStrCat
__vbaStrMove
__vbaStrCmp
XSVWeE
UQERMPUQRj
pYM3hb[@
ERMPUQERPj
EEEEEp`P@0
p`P@0
REMPQPUERP
pP`QRPP@PQP0 RP
QRPPQPRP
PQRPPQPp`RP
PP@QRP0 PQ
Q R0P@QPR`PpQRPQRPQRP
R P0Q@RPP`QpRMPUQERMPUQRPj
ERMPQURPEMPQPp`RP
PP@QRP0 PQP
PQRPPQPRP
PQRPp`PQPP@RP
0P QRP
Q R0P@QPR`PpQRPQRPQRP
R P0Q@RPP`QpRMPUQERMPUQRPj
C8t+f8
C4t/f8
K8t)f9
C4t/f8
UQERMPQPUERP
pP`QRPP@PQP0 RP
QRPPQPRP
PQRPPQPp`RP
PP@QRP0 PQP
Q R0P@QPR`PpQRPQRPQRP
R P0Q@RPP`QpRMPUQERMPUQRPj
RPUQERP
MPUQRPp`PQPP@RP
0P QRP
PQRPPQPRP
pP`QRPP@PQP0 RP
R P0Q@RPP`QpRPQRPQRPQ
P Q0R@PPQ`RpPUQERMPUQERPQj
C8t+f8
C4t/f8
K8t)f9
C4t/f8
R P0Q@RPP`QpRPQRPQRPQ
P Q0R@PPQ`RpPUQERMPUQERMPQj
SVWeE
U]R]]]]
ERMPUQERPj
MMMUMEEEEDV@
MUQERPMj
UERMPUQRj
MPUQERMPQj
MUQERMPQj
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaStrI4
__vbaFreeVar
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
_adj_fdiv_m16i
_adj_fdivr_m16i
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaPutOwner4
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaInStrVar
__vbaVarCat
__vbaGetOwner4
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaI4Var
__vbaVarDup
__vbaR8IntI2
_CIatan
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
CsCsdOsdOsDsDsT
Rs$ Rs, Rs4 Rs< RsD RsL RsT Rs\ Rsd Rsl Rst Rs| Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs
Rs$ Rs, Rs4 Rs< RsD RsL RsT Rs\ Rsd Rsl Rst Rs| Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs Rs
!Rs$!Rs,!Rs4!Rs<!RsD!RsL!RsT!Rs\!Rsd!Rsl!Rst!Rs|!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs!Rs
"Rs$"Rs,"Rs4"Rs<"RsD"RsL"RsT"Rs\"Rsd"Rsl"Rst"Rs|"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs"Rs
#Rs$#Rs,#Rs4#Rs<#RsD#RsL#RsT#Rs\#Rsd#Rsl#Rst#Rs|#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs#Rs
$Rs$$Rs,$Rs4$Rs<$RsD$RsL$RsT$Rs\$Rsd$Rsl$Rst$Rs|$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs$Rs
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaStrI4
__vbaFreeVar
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
rtcRandomNext
rtcRandomize
rtcMsgBox
_adj_fdiv_m16i
_adj_fdivr_m16i
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaPutOwner4
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
rtcVarBstrFromAnsi
__vbaFPException
__vbaInStrVar
rtcStrConvVar2
__vbaVarCat
__vbaGetOwner4
rtcDir
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaNew2
rtcFileLength
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ThunRTMain
__vbaVarTstNe
__vbaI4Var
__vbaVarDup
__vbaR8IntI2
_CIatan
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
5�;�K�O�:�3�
2�A�>�R�8�@�
=�4�M�6�S�I�
5�4�;�7�B�@�
n�8�F�?�B�@�0�9�G�
<�8�D�@�9�F�0�@�A�7�A�E�:�?�H�B�?�8�:�H�L�8�B�A�?�J�>�=�4�G�7�@�5�E�@�G�C�:�B�F�A�9�>�;�3�/�=�:�K�0�D�E�O�7�B�F�E�<�D�F�:�2�?�A�@�A�E�5�<�2�'�?�D�9�I�
:�<�4�J�@�E�>�8�/�A�0�;�4�H�
<�G�>�B�<�,�B�L�C�K�9�>�5�/�
>�9�J�D�?�=�G�A�;�?�7�D�:�A�
9�3�=�>�B�;�I�5�5�@�H�7�;�M�
8�6�E�E�M�B�C�4�9�D�@�E�H�G�
9�G�@�E�)�L�D�D�L�9�G�9�6�:�
7�D�L�D�=�G�?�B�:�6�7�D�A�7�
<�A�F�5�B�@�4�D�4�<�5�:�<�B�
5�4�'�C�;�@�4�8�6�9�B�9�=�A�
@�>�F�6�<�?�A�@�;�A�(�J�B�?�
=�F�?�=�>�8�A�J�7�I�E�?�B�J�
<�L�E�5�7�K�
9�K�;�@�B�8�8�L�
A�E�A�3�K�6�G�<�>�5�A�G�3�?�K�8�<�A�;�6�
>�?�F�D�?�B�I�D�C�1�A�C�:�G�9�L�F�/�J�C�B�8�
?�J�?�'�B�C�G�E�I�<�8�=�<�K�C�7�C�<�A�H�7�C�4�F�<�A�A�:�;�R�2�=�D�?�>�;�K�;�<�D�D�8�5�:�<�A�>�5�8�;�C�D�A�L�I�Q�@�A�A�<�0�D�@�J�G�I�M�N�A�I�G�G�?�=�1�D�
[�?�D�5�;�@�B�J�B�?�F�A�9�=�2�B�?�;�;�4�9�G�=�Q�:�3�J�3�:�D�K�*�C�>�A�E�>�<�>�7�=�M�5�H�;�;�:�F�8�:�6�>�E�2�2�=�;�4�2�J�,�L�/�E�8�B�6�7�<�C�<�7�F�9�;�<�D�<�:�=�7�B�@�6�8�<�B�;�1�=�7�9�F�F�I�C�5�;�M�<�@�7�G�?�:�3�<�>�?�B�/�E�;�:�L�G�A�
<�8�:�4�9�3�M�@�G�5�F�9�=�G�A�A�<�F�8�@�
W�?�K�F�F�9�A�7�?�>�A�6�C�F�;�1�@�9�,�>�
I�I�?�5�6�C�7�8�:�9�C�C�8�9�:�.�D�3�O�A�
B�;�@�K�>�=�?�7�>�G�.�@�>�H�I�G�9�>�H�;�
:�A�?�?�=�?�?�H�=�9�N�G�>�9�K�7�>�3�K�J�
@�J�H�A�=�>�;�?�4�J�G�G�:�?�<�9�;�@�4�K�
@�;�?�4�E�?�:�D�I�G�=�@�:�?�,�5�A�E�H�>�
E�H�?�A�/�N�B�F�;�6�C�8�5�=�=�I�5�:�G�=�
7�B�=�G�:�K�?�B�C�I�J�?�(�>�@�>�D�3�:�<�
@�?�A�G�@�?�H�C�Z�?�:�B�C�A�<�8�2�<�B�@�
3�K�C�A�2�4�C�E�@�N�@�:�?�7�;�D�K�A�3�C�
:�D�9�<�8�3�>�>�F�9�G�J�E�A�9�2�9�:�>�<�
B�@�B�0�I�A�9�A�A�1�A�>�D�B�:�5�H�7�=�F�
A�:�8�C�4�>�I�B�:�@�<�8�5�7�2�A�<�7�P�7�
I�5�J�B�:�2�6�2�;�G�-�F�I�>�;�F�=�6�3�F�
1�:�?�>�K�J�:�<�>�@�J�:�<�B�:�M�@�D�I�9�
7�8�8�I�I�/�.�A�;�K�G�:�>�4�F�@�=�A�;�9�
F�6�F�B�A�4�>�R�B�1�?�3�;�@�?�4�9�D�@�;�
;�?�>�>�4�9�H�B�@�B�=�<�8�B�1�G�?�>�?�G�
<�=�<�2�7�D�F�:�:�=�:�8�=�7�A�@�.�I�>�0�A�A�:�;�
7�1�E�4�H�P�8�7�G�7�8�B�1�?�8�9�;�?�B�:�=�9�>�=�D�8�
3�O�>�2�?�>�G�?�?�@�+�B�>�8�5�7�5�A�C�@�?�9�E�B�8�;�I�@�
F�I�M�>�H�@�5�=�;�J�7�E�J�I�:�>�C�I�H�K�=�@�E�8�8�B�8�=�<�<�
5�>�=�=�H�5�9�E�D�F�:�D�8�G�7�/�4�?�;�I�>�9�=�J�J�6�H�D�=�B�I�/�
6�;�>�3�B�V�2�2�=�=�A�7�B�2�>�A�?�F�3�@�I�I�B�J�?�9�?�M�/�=�M�I�8�<�7�0�C�6�8�;�;�J�D�4�E�8�F�;�5�K�B�@�;�8�I�1�@�I�2�F�;�=�7�A�>�<�<�B�;�M�9�C�G�@�Q�M�=�J�<�:�;�8�D�=�>�D�9�9�>�/�A�?�3�A�3�3�H�C�1�C�D�=�H�4�D�8�G�;�?�A�
@�*�\�A�C�:�\�U�s�e�r�s�\�d�a�r�k�a�\�D�e�s�k�t�o�p�\�U�n�t�i�t�l�e�d�\�A�n�t�i� �H�e�u�r� �I�c�o�n�\�S�o�u�r�c�e�_�C�o�d�e�\�P�r�o�j�e�c�t�1�.�v�b�p�
\�C�l�o�n�e�F�_�
F�i�n�i�s�h�!�
@�*�\�A�C�:�\�U�s�e�r�s�\�d�a�r�k�a�\�D�e�s�k�t�o�p�\�U�n�t�i�t�l�e�d�\�A�n�t�i� �H�e�u�r� �I�c�o�n�\�S�o�u�r�c�e�_�C�o�d�e�\�P�r�o�j�e�c�t�1�.�v�b�p�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.