Score: 1.1 (Low risk, sandbox verdict)

SHA-256: 172675df4f419e89fd6e81aaa7fcc51f14919d1bf73feeb8b588a30c044a8aeb

File name: 172675df4f419e89fd6e81aaa7fcc51f14919d1bf73feeb8b588a30c044a8aeb.exe

Analysis duration: 195s

Last analyzed: 366 days ago

File size: 25.3KB
Classification

Field               Value
Static detection    (flag not extracted)
Dynamic detection   (flag not extracted)
CVE                 UNKNOWN
Family              UPATRE
Metatype            TROJAN
Platform            WIN32
Type                DOWNLOADER

鹰眼引擎 (Eagle Eye engine) model scores

Model    Score
DACN     0.12
FACILE   1.00
IMCLNet  0.52
MFGraph  0.00
Static verdict

Antivirus engines

Engine       Result                             Scan date  Engine version
Alibaba      None                               20190527   0.3.0.5
Avast        Win32:Heim                         20191231   18.4.3895.0
Baidu        Win32.Trojan-Downloader.Waski.a    20190318   1.0.0.2
CrowdStrike  win/malicious_confidence_100% (D)  20190702   1.0
Kingsoft     None                               20191231   2013.8.14.323
McAfee       PWSZbot-FQJ!226797FD7FF1           20191231   6.0.6.653
Tencent      Malware.Win32.Gencirc.10b31491     20191231   1.0.0.1

"None" means the engine returned no detection at the listed scan date.
Static indicators

(none listed)

Behavior verdict

Dynamic indicators

The binary may contain encrypted or compressed data, which suggests a packer (2 events)

section {'name': '.text', 'virtual_address': '0x00001000', 'virtual_size': '0x000011d0', 'size_of_data': '0x00001200', 'entropy': 7.096109749800434}  entropy 7.096109749800434  description: high-entropy section found
entropy 0.2727272727272727  description: the overall entropy of this PE file is high

The second figure is not a Shannon entropy (those run from 0 to 8 bits per byte, and .text alone scores 7.10). It is the share of raw section data that sits in sections above the signature's per-section threshold: .text's 0x1200 (4,608) bytes out of the 0x4200 (16,896) bytes held by the five sections is exactly 4608/16896 = 0.2727. Only .text crosses the threshold; .data, at 6.41, does not.
Network communication

Communicates with a host for which no DNS query was made (1 event)

host 114.114.114.114

Check this against the UDP table before reading it as a contact: both flows to 114.114.114.114 go to port 53 and carry the guest's own lookups of dns.msftncsi.com, so the address is the sandbox guest's configured resolver (a public DNS service), not a host the sample chose. A resolver's address is never itself the answer to a DNS query, which is exactly why this heuristic fires on it.
Flagged as malicious by 50 of the 61 VirusTotal engines (50 out of 61 events)

Engine             Result
ALYac              Trojan.Ppatre.Gen.1
APEX               Malicious
AVG                Win32:Heim
Acronis            suspicious
Ad-Aware           Trojan.Ppatre.Gen.1
AhnLab-V3          Trojan/Win32.Upatre.C255064
Antiy-AVL          Trojan[Downloader]/Win32.Agent
Arcabit            Trojan.Ppatre.Gen.1
Avast              Win32:Heim
Avira              TR/ATRAPS.Gen2
Baidu              Win32.Trojan-Downloader.Waski.a
BitDefender        Trojan.Ppatre.Gen.1
BitDefenderTheta   AI:Packer.41FE3D7B1F
CAT-QuickHeal      TrojanDownloader.Upatre.A6
ClamAV             Win.Trojan.Agent-1125177
Comodo             TrojWare.Win32.Agent.IBMG@56rzap
CrowdStrike        win/malicious_confidence_100% (D)
Cybereason         malicious.d7ff10
Cylance            Unsafe
Cyren              W32/Trojan.JIMO-8783
DrWeb              Trojan.DownLoad.64838
ESET-NOD32         Win32/TrojanDownloader.Waski.B
Emsisoft           Trojan.Ppatre.Gen.1 (B)
Endgame            malicious (high confidence)
F-Prot             W32/Trojan3.HGO
F-Secure           Trojan.TR/ATRAPS.Gen2
FireEye            Generic.mg.226797fd7ff100c4
Fortinet           W32/Kryptik.CF!tr
GData              Trojan.Ppatre.Gen.1
Ikarus             Trojan-Spy.Zbot
Invincea           heuristic
Jiangmin           TrojanDownloader.Agent.empt
K7AntiVirus        Trojan ( 0040f7411 )
K7GW               Trojan ( 0040f7411 )
Kaspersky          HEUR:Trojan.Win32.Generic
MAX                malware (ai score=82)
Malwarebytes       Trojan.Upatre
MaxSecure          Trojan.Upatre.Gen
McAfee             PWSZbot-FQJ!226797FD7FF1
McAfee-GW-Edition  BehavesLike.Win32.PWSZbot.mm
MicroWorld-eScan   Trojan.Ppatre.Gen.1
Microsoft          TrojanDownloader:Win32/Upatre.A
NANO-Antivirus     Trojan.Win32.Agent.cssyav
Panda              Trj/Genetic.gen
Qihoo-360          HEUR/QVM19.1.3F61.Malware.Gen
Rising             Trojan.Waski!1.A489 (CLASSIC)
Sangfor            Malware
SentinelOne        DFI - Malicious PE
Sophos             Troj/DwnLdr-LIG
Symantec           Trojan.Zbot

The family names converge on Upatre (also tracked as Waski), a downloader historically used to stage Zbot, which is why several engines label the file with the payload family rather than the downloader. The 226797fd7ff100c4 fragment in the FireEye, McAfee and Cybereason names is the leading hex of the sample's MD5, which the report does not list elsewhere.
Visual analysis

Binary image: data-import renderings at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32

Run screenshots

None: the sample generated no screenshots while running


PE Compile Time

2004-05-22 09:21:53

This is the COFF TimeDateStamp. Upatre was first observed in 2013, so a 2004 stamp on a file that 50 of 61 engines call Upatre is forged or otherwise meaningless; do not use it as a build date, at most as a clustering pivot.

PE Imphash

76b7e1990d53c9ec00694a75198b580b

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x000011d0    0x00001200        7.096109749800434
.data   0x00003000       0x000005d8    0x00000600        6.406604322397849
.rdata  0x00004000       0x00000f9e    0x00001000        5.099648522905398
.idata  0x00005000       0x00000444    0x00000600        3.4920252016647133
.rsrc   0x00006000       0x00001268    0x00001400        3.7928992958275614

Raw section data totals 0x4200 (16,896) bytes; the remaining roughly 8KB of the 25.3KB file is PE headers plus data past the last section (an overlay), which a per-section entropy check never examines.
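The packer events under Dynamic indicators and the section table above come from a small, reproducible calculation. The Python below is an added example, not code from the report, the 鹰眼 engine or Cuckoo: a Shannon-entropy routine, a minimal parser for the COFF TimeDateStamp and section table, and the section-ratio rule. The thresholds (6.8 bits per byte for a section, 20 % of raw section data overall) are those of the open-source Cuckoo packer_entropy signature; that the report uses the same ones is an assumption, but they reproduce its 0.2727 figure exactly from the table above. The PE image assembled in demo() is constructed test data, not the sample.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# Thresholds of the open-source Cuckoo "packer_entropy" signature (assumption:
# the report applies the same ones; they reproduce its 0.2727 figure exactly).
SECTION_ENTROPY_THRESHOLD = 6.8  # bits per byte, per section
PACKED_RATIO_THRESHOLD = 0.2     # share of raw section bytes in such sections

# Copied from the report's Sections table: (name, SizeOfRawData, entropy).
REPORT_SECTIONS = [
    (".text", 0x1200, 7.096109749800434),
    (".data", 0x0600, 6.406604322397849),
    (".rdata", 0x1000, 5.099648522905398),
    (".idata", 0x0600, 3.4920252016647133),
    (".rsrc", 0x1400, 3.7928992958275614),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Minimal header walk: COFF TimeDateStamp plus [(name, SizeOfRawData, PointerToRawData)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size
    sections = []
    for i in range(nsect):  # IMAGE_SECTION_HEADER is 40 bytes; only its first 24 matter here
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, raw_ptr))
    return {"timestamp": stamp, "sections": sections}


def compile_time_utc(stamp: int) -> str:
    """Render a TimeDateStamp the way the report's 'PE Compile Time' field does."""
    return datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def section_entropies(pe: bytes):
    """[(name, raw_size, entropy)] computed over each section's raw bytes."""
    return [(n, size, shannon_entropy(pe[ptr:ptr + size])) for n, size, ptr in parse_pe(pe)["sections"]]


def packer_ratio(sections):
    """sections: [(name, raw_size, entropy)].  Returns (flagged names, ratio), where ratio is
    the share of raw section bytes in sections above SECTION_ENTROPY_THRESHOLD.  That ratio,
    not a Shannon entropy, is the 0.2727 the report prints for 'overall entropy is high'."""
    total = sum(size for _, size, _ in sections)
    hot = [(name, size) for name, size, ent in sections if ent > SECTION_ENTROPY_THRESHOLD]
    ratio = sum(size for _, size in hot) / total if total else 0.0
    return [name for name, _ in hot], ratio


def build_test_pe(sections, stamp: int) -> bytes:
    """Constructed, non-loadable test image (not derived from the sample): DOS header with
    e_lfanew, PE signature, COFF header, zeroed PE32 optional header, section table, raw data."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_base = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, opt_size, 0x0102)
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(data), raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


def demo() -> dict:
    """Run the rule over the report's table and over a constructed image whose .text is
    pseudo-random (stand-in for packed code) and whose .rdata is plain text."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"This program cannot be run in DOS mode.\r\n" * 50
    pe = build_test_pe([(".text", packed), (".rdata", text)], stamp=1085217713)
    return {
        "report": packer_ratio(REPORT_SECTIONS),
        "constructed": packer_ratio(section_entropies(pe)),
        "compile_time": compile_time_utc(parse_pe(pe)["timestamp"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

demo() returns the flagged sections and ratio for the report's table, the same for the constructed image, and the rendered timestamp (1085217713 is the epoch value of the report's 2004-05-22 09:21:53). packer_ratio() takes any [(name, raw_size, entropy)] list, so it can be run straight off another report's section table without the parser.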

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x00006130 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x00006fd8 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000070c0 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x000070d4 0x00000193 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

The table as extracted skipped seven IAT slots (0x4050e4, 0x4050e8, 0x4050f0 to 0x4050fc and 0x405300). The names shown at those addresses are taken from the binary's own string table, where the import names appear in IAT order and fill those gaps exactly.

Library kernel32.dll:
0x4050b4 GetTempPathW
0x4050b8 FlushFileBuffers
0x4050bc CreateFileW
0x4050c0 IsBadReadPtr
0x4050c4 HeapAlloc
0x4050c8 GetCurrentProcessId
0x4050cc GlobalUnlock
0x4050d0 GlobalLock
0x4050d4 GetModuleHandleW
0x4050d8 RaiseException
0x4050dc SetStdHandle
0x4050e0 WriteConsoleW
0x4050e4 DeleteCriticalSection (from string table)
0x4050e8 WaitForMultipleObjects (from string table)
0x4050ec SetEvent
0x4050f0 TryEnterCriticalSection (from string table)
0x4050f4 GetPrivateProfileIntW (from string table)
0x4050f8 GetPrivateProfileStringW (from string table)
0x4050fc GetVolumeInformationW (from string table)
0x405100 lstrcpyW
0x405104 ExitProcess
0x405108 GetModuleHandleA
Library user32.dll:
0x4052f0 GetMessageA
0x4052f4 InvalidateRect
0x4052f8 SetWindowPos
0x4052fc GetWindowTextA
0x405300 GetWindowTextLengthA (from string table)
0x405304 GetClientRect
0x405308 SetWindowTextA
0x40530c CreateCaret
0x405310 FlashWindow
0x405314 GetClipboardData
0x405318 CloseClipboard
0x40531c SetCaretPos
0x405320 GetKeyboardState
0x405324 SetClassLongA
0x405328 LoadIconA
0x40532c RegisterClassA

Only kernel32 and user32 are imported: there is no wininet, winhttp or ws2_32 entry, and neither LoadLibraryA/W nor GetProcAddress appears, so nothing a downloader needs is visible in the import table and the real API set must be resolved by the unpacked code. The visible set (clipboard, caret, window class, window text, GetTempPathW/CreateFileW) describes a small GUI utility, which matches the RT_DIALOG resource and the Cancel/Help dialog strings below; it is a decoy profile, not evidence of benign behaviour.

Strings

!This program cannot be run in DOS mode.
.rdata
.idata
kernel32.dll
user32.dll

Import names present in the string table, in IAT order: GetTempPathW, FlushFileBuffers, CreateFileW, IsBadReadPtr, HeapAlloc, GetCurrentProcessId, GlobalUnlock, GlobalLock, GetModuleHandleW, RaiseException, SetStdHandle, WriteConsoleW, DeleteCriticalSection, WaitForMultipleObjects, SetEvent, TryEnterCriticalSection, GetPrivateProfileIntW, GetPrivateProfileStringW, GetVolumeInformationW, lstrcpyW, ExitProcess, GetModuleHandleA, GetMessageA, InvalidateRect, SetWindowPos, GetWindowTextA, GetWindowTextLengthA, GetClientRect, SetWindowTextA, CreateCaret, FlashWindow, GetClipboardData, CloseClipboard, SetCaretPos, GetKeyboardState, SetClassLongA, LoadIconA, RegisterClassA

Manifest (RT_MANIFEST):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

Dialog strings (RT_DIALOG): MS Shell Dlg, Cancel, F&Help

The remaining extracted strings are short random-looking runs from the high-entropy .text section and pixel data from the icon resource. No URL, hostname, IP address or registry path appears in cleartext, consistent with the packer finding above: whatever the downloader contacts is not recoverable from static strings.
File Paths

C:\DOCUME~1\Nilminij\LOCALS~1\Temp\Temporary Directory 5 for GB3621898.zip\GB001231401.exe
C:\24833b885295ede08bd110867cefeeb09e0a209ef2645133195ffc464e4ea1ea
C:\0f819c83502d274dc8add21ba76097cbce52d4a9b62f80b6bd76a8b0f50f1f36
C:\K8gyzqyc.exe
C:\2lUzG4AA.exe
C:\zeiXTMoP.exe
C:\gS0hE435.exe
C:\_n5LAKfT.exe
C:\veZbGdIH.exe
C:\mcnLudFB.exe
C:\P7aSazKm.exe
C:\NvMa_XiI.exe
C:\aMpRkbMc.exe
C:\jUxMZleG.exe
C:\DZHhbyWd.exe
C:\LOUHSVKm.exe
C:\wqmENDb1.exe
C:\3hzEkSjm.exe
C:\UVM2WpZA.exe
C:\Y6yR2KkP.exe
C:\sf42QA4E.exe
C:\xw4ooKQQ.exe
C:\tgreQW9d.exe
C:\0oen8HtD.exe
C:\58cd4c69e59a648b86007a4fb79502641e24de40cf7c72e831d8f1cd174bc3d7
C:\c7098d08ee8db93f92c2caf9e2e7cb7fe159077ac1f40cfeabe0154a1689e02d
C:\nsQ8SjUy.exe
C:\k7FL3dNC.exe
C:\RdQLmS_S.exe
C:\AoQzXGlz.exe
C:\eQws_25f.exe
C:\SwU0tfqg.exe
C:\vyeUHUxf.exe
C:\czJzO1Ap.exe
C:\luwKpzdy.exe
C:\1f2461065356b18e97055c5cd2038ba0fae367b48bd71f62e6d34a19a5efeba1
C:\4df7140251569c2f6c4af10d0c35aaa854f3f73c880137cf467b408a70053180
C:\fb9f1b51a772af775f061759b1306d0c1d3ebe4c76048bee0ab2954a572adccb
C:\4f3361db5e28a3ed42c7d198ee61a4a01de71748b168954bad3224ea56cc4c3c
C:\nirQ4_PH.exe
C:\ZxAV6bEm.exe
C:\okw596aN.exe
C:\_ARmfpvW.exe
C:\XNfmEkgT.exe
C:\9ktCF2i8.exe
C:\J0loGQ3p.exe
C:\bC5r23On.exe
C:\4f86f9c6c35432f4dc35c4b666dd099e578d8c1a09864214a052f3be805561ba
C:\n1ILGfyq.exe
C:\UcDBig_F.exe
C:\f6dfa023b376913ba9132242347401e2704e724c482892b694508c6328b926a4
C:\a12eb56da66117d5fa8a26fe2f1f8276e395ac880486cca060a7e26c96c2afc0
C:\d3200f15fc9c36709bea0c94cb3ed608aade6ae3eeb4a27c184ac72ff1adaf7d
C:\8414716b67329e177eaa602b2236c1f1de70982ceb609c1373cd998efa2e905d
C:\023e27107239c8630bd4ba81f0bf67012738b0f6b1e9bc0d317f6ea72c972d2e
C:\81307feeb05d4faea59224a85c74c8d844fee4495a90724b8830b115074d4977
C:\a65026a78fb264e5688200133ef5a0b6c142d8094e610d4319f4b3bd705bee69
C:\ce580036d93e0ca29f6563d4ed67b96e8a913a4ab43fd48f7976cc84b5c969b3
C:\823aefa1b4d15e8bee844aeb36f1d87e3e4382c393c1e4db0110b98a5d978219
c:\task\9D4A87FA41A73ACE0B8D6382CF925FB7.exe
C:\279622fd564838b9e4dce7e39e3d8f015b97cd011449464c698716a9883f4429
C:\afc38a2b53e36fc1506ffa909a35d18dbbf9be3c5de612df410eb66bad48534a
C:\Users\admin\Downloads\budha.exe
C:\e794301e94659c1443c3c1e50212c204f55431cf1134c23420ac218c9726d2b9
C:\c8e7f7f0b669870057fd30c1bdb887db0215f06f0e8f68e1658d9ff43733d589
C:\9ec31d99023987111bbd01e44f301332ee28b15338a570445f082c1cd4d4aefc
C:\12979194ee072a67417e72a8eab9acdd66a3137d127367a18138c6fad9aaa0a6
C:\e7e230815e96b21c3d0eaf73e10fde1eeb44ca05f88140d4bc6b17b7f1335199
C:\b0f30ad62d9363e3ee4c6511905f4799e73b249473fb0e381db10e5f15476fac
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\5ad6f9e63823020d839f33ef63aaf57e6f17763f03db1010ec733a65a9486c16
C:\941d7c7d47a64d6e95055177126f77a21e48eba4cf842c560e519a4c8a1bac03
C:\b9676b206ed7d4449e144b07b5486868df3dc6c629e4d0c4beeabf4d7ce68f3d
C:\5c73aeb7a87d46875467010cc40fdbf5d480c292b66c2663bd4c6b6975dfd244
C:\bd86ecbdb2b0da9ddef4695aeae01b125d3ddd31cb4eca5c17913d8a4f6693f3
C:\2bd9b704936a338db04a22b63cd462011405c938c6a10357d6ef76fbab74d248
C:\3d8ae4140ee5680b3190ef5788f790e49e5f8c4848f72331279c695af4c16595
C:\2191131aafbbd5e81f9c1b55453f0d9b1934a29cd373497840d9939f6f9cc9be
C:\06574c954dc0a274107969f9e33efde4c6f6c8c364bd942b5d71354334f73a0d
C:\34e9f9a51ec01784ef1d61da256882ca74af4f22ac45f07d9e7029c67255143f
C:\3be750c0b794af4ef37c8cbc91cd702e4985d2bf8e93c684872c7c35175596da
C:\d6cc5c44ee38d6a1092b40e104ed4374bac703cab37e5ff9bf18cbea050f8d58

DNS

Name              Type  Response           Post-Analysis Lookup
dns.msftncsi.com  A     131.107.255.255    131.107.255.255
dns.msftncsi.com  AAAA  fd3e:4f5a:5b81::1  131.107.255.255

dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe, issued by the guest itself; it says nothing about the sample.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination      Destination Port
192.168.56.101  53179        224.0.0.252      5355
192.168.56.101  49642        224.0.0.252      5355
192.168.56.101  137          192.168.56.255   137
192.168.56.101  61714        114.114.114.114  53
192.168.56.101  56933        114.114.114.114  53
192.168.56.101  138          192.168.56.255   138

All six UDP flows are guest background: LLMNR to 224.0.0.252:5355, NetBIOS name-service and datagram broadcasts to 192.168.56.255 on 137 and 138, and the two NCSI lookups above sent to the configured resolver at 114.114.114.114:53. Nothing in the capture is attributable to the sample.
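The "host without DNS query" event under Network communication and the DNS/UDP tables above are what an analyst reconciles by hand. The Python below is an added example, not code from the report or its sandbox: it re-implements that check over the two tables (copied in as constants), then adds the refinement that stops it firing on the guest's own resolver, and labels the LLMNR, NetBIOS and NCSI chatter so that whatever remains can be blamed on the sample. The resolver address is an assumption drawn from the port-53 flows, and the extra flow to 203.0.113.10 is constructed data showing what a genuine hit looks like; both are marked in the code.

```python
import ipaddress

# (name, record type, response) as in the report's DNS table
REPORT_DNS = [
    ("dns.msftncsi.com", "A", "131.107.255.255"),
    ("dns.msftncsi.com", "AAAA", "fd3e:4f5a:5b81::1"),
]

# (source, source port, destination, destination port) as in the report's UDP table
REPORT_UDP = [
    ("192.168.56.101", 53179, "224.0.0.252", 5355),
    ("192.168.56.101", 49642, "224.0.0.252", 5355),
    ("192.168.56.101", 137, "192.168.56.255", 137),
    ("192.168.56.101", 61714, "114.114.114.114", 53),
    ("192.168.56.101", 56933, "114.114.114.114", 53),
    ("192.168.56.101", 138, "192.168.56.255", 138),
]

# Constructed flow (not from the report): an outbound connection to a TEST-NET-3
# address that never appeared in a DNS answer, i.e. what a real hit looks like.
CONSTRUCTED_C2_FLOW = [("192.168.56.101", 49800, "203.0.113.10", 80)]

# Assumption: the guest's configured resolver.  Every flow to this address in the
# report goes to port 53, which is why the report's no-DNS event names it.
GUEST_RESOLVERS = frozenset({"114.114.114.114"})

NCSI_PROBE = "dns.msftncsi.com"  # Windows Network Connectivity Status Indicator lookup

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip) -> bool:
    """Multicast, loopback, link-local or RFC 1918 destinations never leave the lab."""
    return ip.is_multicast or ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918)


def classify_flow(dst: str, dport: int, resolvers=frozenset()) -> str:
    """Label one flow as a kind of guest background noise, 'local', or 'external'."""
    ip = ipaddress.ip_address(dst)
    if dport == 5355 and ip.is_multicast:
        return "llmnr"            # Link-Local Multicast Name Resolution to 224.0.0.252
    if dport in (137, 138) and is_local(ip):
        return "netbios"          # NetBIOS name service / datagram broadcasts
    if dport == 53 and dst in resolvers:
        return "dns-resolver"     # the guest talking to its own DNS server
    return "local" if is_local(ip) else "external"


def hosts_without_dns(dns_records, flows, resolvers=frozenset()):
    """External destinations that never appeared in a DNS answer.
    With resolvers empty this is the raw sandbox check and reproduces the report's
    event; with the resolver supplied, the resolver's own traffic is excluded."""
    resolved = {response for _, _, response in dns_records}
    hits = {dst for _, _, dst, dport in flows
            if classify_flow(dst, dport, resolvers) == "external" and dst not in resolved}
    return sorted(hits)


def summarize(dns_records, flows, resolvers=frozenset()):
    """Per-class flow counts, whether only the NCSI probe was resolved, and the hits."""
    counts = {}
    for _, _, dst, dport in flows:
        label = classify_flow(dst, dport, resolvers)
        counts[label] = counts.get(label, 0) + 1
    only_ncsi = bool(dns_records) and all(name == NCSI_PROBE for name, _, _ in dns_records)
    return {"classes": counts, "only_ncsi_lookup": only_ncsi,
            "no_dns_hosts": hosts_without_dns(dns_records, flows, resolvers)}


if __name__ == "__main__":
    print("raw check:     ", hosts_without_dns(REPORT_DNS, REPORT_UDP))
    print("with resolver: ", summarize(REPORT_DNS, REPORT_UDP, GUEST_RESOLVERS))
    print("constructed C2:", summarize(REPORT_DNS, REPORT_UDP + CONSTRUCTED_C2_FLOW, GUEST_RESOLVERS))
```

Run without a resolver set, hosts_without_dns() returns exactly the report's 114.114.114.114; with the resolver supplied it returns nothing for this capture and only the constructed 203.0.113.10 flow when that is appended. The class counts (2 LLMNR, 2 NetBIOS, 2 resolver) are the quickest way to see that a run produced nothing beyond guest noise.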

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files.
No dropped buffers.

Taken together with the empty TCP, HTTP and alert tables, the run produced no downloader activity at all. The 1.1 / low-risk dynamic score therefore describes an inert execution in this environment, not a benign file: 50 of 61 VirusTotal engines and the family label (Upatre, a downloader that fetches its second stage over HTTP) say otherwise, and the static consensus should drive triage. Re-running with a different guest image, a longer timeout or a simulated internet sink is the usual next step before drawing any conclusion from the dynamic side.