1.9
Low risk

0c22c9efc73a5c6d83324e7b9eeb413df27939aab8b5ea6aa6c5ef8ac813322d

0c22c9efc73a5c6d83324e7b9eeb413df27939aab8b5ea6aa6c5ef8ac813322d.exe

Analysis duration

38s

Last analysis

379 days ago

File size

19.4KB
Static detection Dynamic detection UNKNOWN
鹰眼 engine
DACN 0.14
FACILE 1.00
IMCLNet 0.52
MFGraph 0.00
Static verdict
Antivirus engines
Not detected: no antivirus engine detection results available
Static indicators
Checks whether the process is being run under a debugger (2 events)
Time & API Arguments Status Return Repeated
1727545334.50025
IsDebuggerPresent
failed 0 0
1727545335.0315
IsDebuggerPresent
failed 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; such buffers typically contain injected code, configuration data, etc.
Allocates read-write-execute memory (typically used for self-unpacking) (6 events)
Time & API Arguments Status Return Repeated
1727545334.50025
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01e50000
region_size: 1314816
allocation_type: 8192 (MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545334.50025
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f90000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545334.70325
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03380000
region_size: 28672
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545335.0315
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01df0000
region_size: 1708032
allocation_type: 8192 (MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2656
success 0 0
1727545335.0315
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f90000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2656
success 0 0
1727545335.1875
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03380000
region_size: 28672
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2656
success 0 0
Creates an executable file on the file system (1 event)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
Drops an executable into the user's AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1727545334.85925
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\budha.exe
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\budha.exe
parameters:
show_type: 0
success 1 0
Network communication
One or more buffers contain an embedded PE file (1 event)
buffer Buffer with sha1: dcf320033c3de7ae2ac3ad2efc6430db018fc8e6
Communicates with a host for which no DNS query was performed (1 event)
host 114.114.114.114
Run screenshots
No screenshots available: the sample did not generate any screenshots during execution.

PE Compile Time

2004-05-28 17:53:59

PE Imphash

acaae46ef55eac3bd4495e63d2fd2bce

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00001341 0x00001400 6.310551759551022
.data 0x00003000 0x00000e2d 0x00001000 6.799078764642965
.idata 0x00004000 0x00000b24 0x00000c00 4.495939816400721
.rsrc 0x00005000 0x00001268 0x00001400 3.2851543397212217

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x00005130 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x00005fd8 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000060c0 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x000060d4 0x00000193 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library pdh.dll:
0x404b0c PdhCloseQuery
Library user32.dll:
0x404ab4 GetMessageA
0x404ab8 FindWindowA
0x404abc LoadIconA
0x404ac0 RegisterClassA
Library kernel32.dll:
0x4041f0 ExitProcess
0x404200 FindClose
0x404204 FindFirstFileA
0x404208 FindFirstFileW
0x40420c FindNextFileA
0x404210 FindNextFileW
0x404214 FindResourceW
0x404218 FlushFileBuffers
0x40421c FormatMessageA
0x404220 FormatMessageW
0x404224 FreeConsole
0x404228 GetACP
0x40422c GetCPInfo
0x404230 GetCommandLineA
0x404234 GetCommandLineW
0x404238 GetComputerNameW
0x404244 GetCurrentProcess
0x404248 GetCurrentProcessId
0x40424c GetDiskFreeSpaceA
0x404250 GetDiskFreeSpaceExW
0x404254 GetDiskFreeSpaceW
0x404260 GetExitCodeProcess
0x404264 GetExitCodeThread
0x404268 GetFileAttributesA
0x404270 GetFileAttributesW
0x404278 GetFileSize
0x40427c GetFileTime
0x404280 GetFileType
0x404284 GetFullPathNameW
0x404288 GetLastError
0x40428c GetLocaleInfoW
0x404290 GetModuleFileNameA
0x404294 GetModuleFileNameW
0x404298 GetModuleHandleA
0x40429c GetProcessHeap
0x4042a0 GetProfileStringW
0x4042a8 GetShortPathNameW
0x4042ac GetStartupInfoA
0x4042b0 GetSystemInfo
0x4042b8 GetTempFileNameW
0x4042bc GetTempPathA
0x4042c0 GetTempPathW
0x4042c4 GetUserDefaultLCID
0x4042c8 GetVersion
0x4042cc GetVersionExA
0x4042d0 GetVersionExW
0x4042d4 GetVersionExW
0x4042d8 HeapAlloc
0x4042ec InterlockedExchange
0x4042f8 IsDBCSLeadByteEx
0x4042fc IsValidCodePage
0x404300 IsValidLocale
0x404308 LoadResource
0x40430c LockResource
0x404310 MapViewOfFile
0x404314 MoveFileA
0x404318 MoveFileExA
0x40431c MoveFileExW
0x404320 MulDiv
0x404324 MultiByteToWideChar
0x404328 OpenEventA
0x40432c OpenFileMappingA
0x404330 OutputDebugStringA
0x404334 OutputDebugStringW
0x404338 PeekNamedPipe
0x404340 PulseEvent
0x404348 ReleaseMutex
0x40434c VirtualUnlock
0x404354 WaitForSingleObject
0x404358 WideCharToMultiByte
0x40435c WriteConsoleA
0x404360 WriteConsoleW
0x404364 WriteFile

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

Process Tree


0c22c9efc73a5c6d83324e7b9eeb413df27939aab8b5ea6aa6c5ef8ac813322d.exe, PID: 1332, Parent PID: 3012


budha.exe, PID: 2656, Parent PID: 1332


TCP

Source Source Port Destination Destination Port
192.168.56.101 49164 207.148.248.143 aatextiles.com 80
192.168.56.101 49165 207.148.248.143 aatextiles.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 0b1babd6d5d917e0_budha.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\budha.exe
Size 19.7KB
Processes 1332 (0c22c9efc73a5c6d83324e7b9eeb413df27939aab8b5ea6aa6c5ef8ac813322d.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6494bc75d343bd7e02a5fbf44d04ab78
SHA1 4546d2ba0b54218448f2b8103427905cbaba6378
SHA256 0b1babd6d5d917e07f36e73f937e0a08718ae16419925e759ced6117586e59ab
CRC32 88F8B875
ssdeep None
Yara None matched
Name dcf320033c3de7ae2ac3ad2efc6430db018fc8e6
Size 5.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b440f3268256cbbdcd7335209e12f84a
SHA1 dcf320033c3de7ae2ac3ad2efc6430db018fc8e6
SHA256 3fa6f274eb5dbbf6b95f51cd8f5a1fdc0230c9fb9a2f037bd0a8ad0d0a9eed8d
CRC32 7EA486DD
ssdeep None
Yara None matched