1.7
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.52
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | TrojanDownloader:Win32/Upatre.2c270d61 | 20190527 | 0.3.0.5 |
| Avast | Win32:Downloader-WID [Trj] | 20200318 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Downloader.Waski.k | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200318 | 2013.8.14.323 |
| McAfee | GenericRXFK-DD!3AAC603F049A | 20200318 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b8766b | 20200318 | 1.0.0.1 |
静态指标
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\retln.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\retln.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\retln.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 63 个反病毒引擎识别为恶意
(50 out of 63 个事件)
| ALYac | Generic.Malware.dld!!.E80A475E |
| APEX | Malicious |
| AVG | Win32:Downloader-WID [Trj] |
| Acronis | suspicious |
| Ad-Aware | Generic.Malware.dld!!.E80A475E |
| AhnLab-V3 | Trojan/Win32.Dloader.R87521 |
| Alibaba | TrojanDownloader:Win32/Upatre.2c270d61 |
| Antiy-AVL | Trojan[Downloader]/Win32.Waski.a |
| Arcabit | Generic.Malware.dld!!.E80A475E |
| Avast | Win32:Downloader-WID [Trj] |
| Avira | TR/Crypt.XPACK.Gen7 |
| Baidu | Win32.Trojan-Downloader.Waski.k |
| BitDefender | Generic.Malware.dld!!.E80A475E |
| BitDefenderTheta | Gen:NN.ZexaF.34100.auX@aehhJ9ei |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Downloader.Upatre-7598844-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Small.CDC@8mzsfr |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.f049aa |
| Cylance | Unsafe |
| Cyren | W32/S-dd480c14!Eldorado |
| DrWeb | Trojan.DownLoader25.56634 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Waski.A |
| Emsisoft | Generic.Malware.dld!!.E80A475E (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-dd480c14!Eldorado |
| FireEye | Generic.mg.3aac603f049aa6d7 |
| Fortinet | W32/Waski.A!tr |
| GData | Generic.Malware.dld!!.E80A475E |
| Ikarus | Trojan-Downloader.Win32.Upatre |
| Invincea | heuristic |
| Jiangmin | Trojan/Generic.azrzv |
| K7AntiVirus | Trojan-Downloader ( 0055f33b1 ) |
| K7GW | Trojan-Downloader ( 0048f6391 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Lionic | Trojan.Win32.Generic.lY5V |
| MAX | malware (ai score=88) |
| Malwarebytes | Trojan.Downloader |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXFK-DD!3AAC603F049A |
| MicroWorld-eScan | Generic.Malware.dld!!.E80A475E |
| Microsoft | TrojanDownloader:Win32/Upatre.A |
| NANO-Antivirus | Trojan.Win32.DownLoad3.cnbuup |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | Trojan.Downloader.Win32.Agent.ED |
| Rising | Dropper.Generic!8.35E (TFE:dGZlOgPqI1TWNgPuNQ) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-10-04 15:49:01
PE Imphash
e836076a09dba03e4d6faa46dda0fefc
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00000388 | 0x00000400 | 5.249821276290757 |
| .rdata | 0x00002000 | 0x00000414 | 0x00000600 | 3.6336443474486817 |
| .data | 0x00003000 | 0x00000004 | 0x00000000 | 0.0 |
| .rsrc | 0x00004000 | 0x000001b4 | 0x00000200 | 5.097979088823027 |
| .reloc | 0x00005000 | 0x000000a6 | 0x00000200 | 1.393720064288099 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x00004058 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library WININET.dll:
• 0x402050 HttpSendRequestW
• 0x402054 InternetSetOptionW
• 0x402058 InternetQueryOptionW
• 0x40205c HttpOpenRequestW
• 0x402060 HttpQueryInfoW
• 0x402064 InternetReadFile
• 0x402068 InternetConnectW
• 0x40206c InternetOpenW
Library KERNEL32.dll:
• 0x402000 GetTempPathW
• 0x402004 GetFileSize
• 0x402008 GetCurrentDirectoryW
• 0x40200c DeleteFileW
• 0x402010 CloseHandle
• 0x402014 WriteFile
• 0x402018 lstrcmpW
• 0x40201c ReadFile
• 0x402020 GetModuleHandleW
• 0x402024 ExitProcess
• 0x402028 HeapCreate
• 0x40202c HeapAlloc
• 0x402030 GetModuleFileNameW
• 0x402034 CreateFileW
• 0x402038 lstrlenW
Library USER32.dll:
• 0x402048 wsprintfW
Library SHELL32.dll:
• 0x402040 ShellExecuteW
L!This program cannot be run in DOS mode.
898k8k8Rich8
`.rdata
@.data
@.reloc
uEWuEV
_3^@[VP
BVMQuPu
VuVuh @
tVVVVh @
EV;t=\ @
0EPVVh !@
_EPEPj u}
WEPj u
tVEPEPh
uEPuuu
WPh`!@
vhvSv!Svv
vtv-w5vv
InternetOpenW
InternetConnectW
HttpOpenRequestW
InternetQueryOptionW
InternetSetOptionW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
WININET.dll
GetModuleHandleW
ExitProcess
HeapCreate
HeapAlloc
GetModuleFileNameW
GetTempPathW
CreateFileW
GetFileSize
lstrlenW
ReadFile
lstrcmpW
WriteFile
CloseHandle
DeleteFileW
GetCurrentDirectoryW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
10>0L0R0t00000000
1N1u1~1111111
2!232F2M2T2j22222
3*313E3L3^3k3r3
r�e�t�l�n�.�e�x�e�
U�p�d�a�t�e�s� �d�o�w�n�l�o�a�d�e�r�
s�t�o�r�a�g�e�-�c�a�b�i�n�e�t�s�.�i�n�f�o�
t�e�x�t�/�*�
a�p�p�l�i�c�a�t�i�o�n�/�*�
/�w�p�-�f�o�l�d�e�r�/�4�m�o�r�.�e�x�e�
r�e�d�k�u�f�.�e�x�e�
Process Tree
-
0539992933a3377890d9ad739b8d980316bee0e1d1ec6b56ce97d5caf3682480.exe (1932)
"C:\Users\Administrator\AppData\Local\Temp\0539992933a3377890d9ad739b8d980316bee0e1d1ec6b56ce97d5caf3682480.exe"
- retln.exe (2160) "C:\Users\ADMINI~1\AppData\Local\Temp\retln.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| storage-cabinets.info |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 6dba3ad7ca93aa60_retln.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\retln.exe |
| Size | 8.2KB |
| Processes | 1932 (0539992933a3377890d9ad739b8d980316bee0e1d1ec6b56ce97d5caf3682480.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 13f540178ef1ee2a07d440814aeb0678 |
| SHA1 | 84efe90d7c6160cf9b2bb7b23b0fbec647be71b7 |
| SHA256 | 6dba3ad7ca93aa605fdebde1212520ba2857dc0d9ecb23828d40b53a54c62d1c |
| CRC32 | 45B7EAE7 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.