2.6
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Malware:Win32/km_28eea.None | 20190527 | 0.3.0.5 |
| Avast | Win32:Evo-gen [Trj] | 20240327 | 23.9.8494.0 |
| Baidu | Win32.Trojan.Kryptik.hd | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20231026 | 1.0 |
| Kingsoft | None | 20230906 | None |
| McAfee | Trojan-FTLR!39A392AFC937 | 20240326 | 6.0.6.653 |
| Tencent | Trojan.Win32.VtFlooder.a | 20240327 | 1.0.0.1 |
动态指标
提取了一个或多个潜在有趣的缓冲区,这些缓冲区通常包含注入的代码、配置数据等。
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000e00', 'entropy': 7.197834820825048} | entropy | 7.197834820825048 | description | 发现高熵的节 | |||||||||
| entropy | 0.875 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(3 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
| section | UPX2 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 65 个反病毒引擎识别为恶意
(50 out of 65 个事件)
| ALYac | Win32.Hematite.C |
| APEX | Malicious |
| AVG | Win32:Evo-gen [Trj] |
| Acronis | suspicious |
| AhnLab-V3 | Trojan/Win32.Agent.R110400 |
| Alibaba | Malware:Win32/km_28eea.None |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Win32.Hematite.C |
| Avast | Win32:Evo-gen [Trj] |
| Avira | TR/Crypt.XPACK.Gen |
| Baidu | Win32.Trojan.Kryptik.hd |
| BitDefender | Win32.Hematite.C |
| BitDefenderTheta | Gen:NN.ZexaF.36802.cmJfamVUpVh |
| Bkav | W32.AIDetectMalware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Trojan.Downloader-63175 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.fc9374 |
| Cylance | unsafe |
| Cynet | Malicious (score: 100) |
| DeepInstinct | MALICIOUS |
| DrWeb | Trojan.Flood.22062 |
| ESET-NOD32 | Win32/TrojanClicker.Tiny.NAM |
| Elastic | malicious (moderate confidence) |
| Emsisoft | Win32.Hematite.C (B) |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.39a392afc937422a |
| Fortinet | W32/Hematite.C!tr |
| GData | Win32.Trojan.PSE.6FIT59 |
| Detected | |
| Gridinsoft | Trojan.Win32.Agent.bot!s2 |
| Ikarus | Trojan.Win32.Agent |
| Jiangmin | Trojan.Badur.az |
| K7AntiVirus | Trojan ( 0040f8bb1 ) |
| K7GW | Trojan ( 0040f8bb1 ) |
| Kaspersky | Trojan.Win32.Vtflooder.cft |
| Lionic | Trojan.Win32.Generic.m4vu |
| MAX | malware (ai score=100) |
| Malwarebytes | Generic.Malware.AI.DDS |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | Trojan-FTLR!39A392AFC937 |
| MicroWorld-eScan | Win32.Hematite.C |
| Microsoft | Trojan:Win32/Upatre |
| NANO-Antivirus | Trojan.Win32.Crypted.dbpklq |
| Panda | Trj/Genetic.gen |
| Rising | Trojan.Vflooder!1.A171 (CLOUD) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Downloader |
| Sangfor | Trojan.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
| Skyhigh | BehavesLike.Win32.Generic.nt |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(3 个事件)
| dead_host | 104.244.42.129:80 |
| dead_host | 74.125.34.46:80 |
| dead_host | 104.244.42.1:80 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 15:50:52
PE Imphash
8c9bb9d690553503983713582e1e58f7
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00000000 | 0.0 |
| UPX1 | 0x00007000 | 0x00001000 | 0x00000e00 | 7.197834820825048 |
| UPX2 | 0x00008000 | 0x00001000 | 0x00000200 | 3.417706440053802 |
Imports
Library KERNEL32.DLL:
• 0x40808c LoadLibraryA
• 0x408090 GetProcAddress
• 0x408094 VirtualProtect
• 0x408098 VirtualAlloc
• 0x40809c VirtualFree
• 0x4080a0 ExitProcess
Library ntdll.dll:
• 0x4080a8 _wtoi
Library ole32.dll:
• 0x4080b0 CreateStreamOnHGlobal
Library SHLWAPI.dll:
• 0x4080b8 StrStrA
Library USER32.dll:
• 0x4080c0 wsprintfA
Library WINHTTP.dll:
• 0x4080c8 WinHttpOpen
L!This program cannot be run in DOS mode.
wy3*3*3*3*6*:4*8*3*(*(:
*0*(::*2*Rich3*
UR+Eo2
WQF*,Cx
mNL.|LZ
PUR!n%j<EZds7s<
0P#aKR
d>7,Y0
*`0Wj%3
x @ah4t!
EPQh(%TH
QUvlVOI(#>
$F{A._
,_|#PCi
T(]5"7f
hl#@2t!
DUR`oYFn@p#
PhxsP!!<
ef%eaPJl
"1d,0t
jchl%p/E
&^B_Y9
P5%~JkuX
Me:}~k
77Gt"6$u
VjYL%F6
-?A%015d
-Dispositi
: form-data; name=
k"apikey"3.Type'
xt[lain
f25133d9068704c2
35fc39a7
1828fa80cxde894d
f8C`ab8569
1.e{k)icaD/x-msd
ownloadransfer-Encod
ary3EN--
/srA=
wu]7.-i]u%toE
N[ m.t )
PYe92cM71
3A8VUsF7{pE//
itKx'b
}rstuvwx
yz{$>?@ABCDEFGHIJKLMNOPQR?STUVW XYZ[\]^_`cD
fghijklmnopq
nACreateTh
VirmtualFe
GetModu'F
TickCo_unt
ExitProcess
izeHAll
seHand
MrtiBy;
oWideCharxwmmA{_wtoi
cpy =;TSt
mOnHGwmpb <
Dwsprig]vfA
Pm{kEttpWaU
onnect
]5$^vive
T7 dy,$
B!`.roh
.&J}J(
XPTPSWXaD$j
KERNEL32.DLL
ntdll.dll
ole32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
CreateStreamOnHGlobal
StrStrA
wsprintfA
WinHttpOpen
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
R�E�S�O�U�R�C�E�_�F�A�T�O�K�E�N�I�Z�E�R�
K�E�R�N�E�L�3�2�.�D�L�L�
s�m�s�c�o�r�e�e�.�d�l�l�
n�r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
Process Tree
- 66e6809ff9ce7e2a83d1bb28a1faaadc0b29d3c35b50f07c200dc17c765ca1c6.exe (2600) "C:\Users\Administrator\AppData\Local\Temp\66e6809ff9ce7e2a83d1bb28a1faaadc0b29d3c35b50f07c200dc17c765ca1c6.exe"
DNS
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49165 | 104.244.42.1 twitter.com | 80 |
| 192.168.56.101 | 49166 | 74.125.34.46 www.virustotal.com | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 65473 | 114.114.114.114 | 53 |
| 192.168.56.101 | 49642 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 114.114.114.114 | 53 |
| 192.168.56.101 | 52215 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62361 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
| Name | 908fd7537ba5e3186f74dae8a988eb6338525e61 |
|---|---|
| Size | 37.7KB |
| Type | data |
| MD5 | bcbd3a09dd08bb2f938cfaaf0e37f179 |
| SHA1 | 908fd7537ba5e3186f74dae8a988eb6338525e61 |
| SHA256 | 411c0e8e572dcb592939f053a453c40b552b607353f6a9a06a31b16cd5764dad |
| CRC32 | B5549106 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |