SmartHawk

0.9

低危

58 个模型检测该样本为恶意！

重新分析

下载样本

1895b3ef434d49c968e64e6253174a833cabc81f1aa3c456ad00a8a3e510a35d

1895b3ef434d49c968e64e6253174a833cabc81f1aa3c456ad00a8a3e510a35d.exe

分析耗时

193s

最近分析

380天前

文件大小

8.1KB

静态报毒动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER UPATRE

DACN 0.12

FACILE 1.00

IMCLNet 0.51

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.12	Unknown	0.08s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.05s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.51	Unknown	0.17s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20200229	18.4.3895.0
Baidu	None	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20200301	2013.8.14.323
McAfee	Downloader-FBVU!4B72A360F40A	20200229	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b0cf7e	20200301	1.0.0.1

与未执行 DNS 查询的主机进行通信 (1 个事件)

host

114.114.114.114

文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意 (50 out of 58 个事件)

ALYac	Trojan.Ppatre.Gen.1
APEX	Malicious
AVG	Win32:TrojanX-gen [Trj]
Acronis	suspicious
Ad-Aware	Trojan.Ppatre.Gen.1
AhnLab-V3	Trojan/Win32.Upatre.R158192
Antiy-AVL	Trojan[Downloader]/Win32.Upatre
Arcabit	Trojan.Ppatre.Gen.1
Avast	Win32:TrojanX-gen [Trj]
Avira	HEUR/AGEN.1025965
BitDefender	Trojan.Ppatre.Gen.1
BitDefenderTheta	Gen:NN.ZexaF.34090.auX@aCYK0Uai
Bkav	W32.AIDetectVM.malware
CAT-QuickHeal	Trojan.Mauvaise.SL1
ClamAV	Win.Dropper.Upatre-7492010-0
Comodo	TrojWare.Win32.TrojanDownloader.Waski.ADW@8mzp93
CrowdStrike	win/malicious_confidence_100% (D)
Cybereason	malicious.0f40a5
Cylance	Unsafe
Cyren	W32/S-ac2b8d99!Eldorado
DrWeb	Trojan.DownLoad3.33216
ESET-NOD32	Win32/TrojanDownloader.Waski.E
Emsisoft	Trojan.Ppatre.Gen.1 (B)
Endgame	malicious (high confidence)
F-Prot	W32/S-ac2b8d99!Eldorado
F-Secure	Heuristic.HEUR/AGEN.1025965
FireEye	Generic.mg.4b72a360f40a539b
Fortinet	W32/EncPk.ACO!tr
GData	Trojan.Ppatre.Gen.1
Ikarus	Trojan-Downloader.Win32.Upatre
Invincea	heuristic
Jiangmin	TrojanSpy.Zbot.ffhh
K7AntiVirus	Trojan-Downloader ( 0055f33b1 )
K7GW	Trojan-Downloader ( 0055f33b1 )
Kaspersky	HEUR:Trojan.Win32.Generic
MAX	malware (ai score=82)
MaxSecure	Trojan.Upatre.Gen
McAfee	Downloader-FBVU!4B72A360F40A
McAfee-GW-Edition	BehavesLike.Win32.Generic.xt
MicroWorld-eScan	Trojan.Ppatre.Gen.1
Microsoft	TrojanDownloader:Win32/Upatre.AA
NANO-Antivirus	Trojan.Win32.DownLoad3.fwxwkz
Panda	Trj/Genetic.gen
Qihoo-360	HEUR/QVM20.1.967B.Malware.Gen
Rising	Dropper.Generic!8.35E (TFE:dGZlOgIz6Ab+oxliRQ)
Sangfor	Malware
SentinelOne	DFI - Malicious PE
Sophos	Mal/EncPk-ACO
Symantec	ML.Attribute.HighConfidence
Tencent	Malware.Win32.Gencirc.10b0cf7e

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2014-05-28 20:47:19

PE Imphash

b1decad0f067131fff2e76ab43787f60

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x000004b4	0x00000600	4.989665066271293
.rdata	0x00002000	0x000004ac	0x00000600	4.062393113788854
.data	0x00003000	0x00000020	0x00000200	0.3599274675255742
.rsrc	0x00004000	0x000001c0	0x00000200	5.067991416548164
.reloc	0x00005000	0x000000d0	0x00000200	2.0177941243564073

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_MANIFEST	0x00004058	0x00000165	LANG_ENGLISH	SUBLANG_ENGLISH_US	None

Imports

Library WININET.dll:

• 0x402064 HttpOpenRequestW

• 0x402068 InternetConnectW

• 0x40206c HttpSendRequestW

• 0x402070 InternetReadFile

• 0x402074 InternetCloseHandle

• 0x402078 InternetOpenW

Library KERNEL32.dll:

• 0x402000 ReadFile

• 0x402004 SleepEx

• 0x402008 GetCurrentDirectoryW

• 0x40200c HeapFree

• 0x402010 FreeLibrary

• 0x402014 GetProcAddress

• 0x402018 GetModuleHandleW

• 0x40201c HeapCreate

• 0x402020 HeapAlloc

• 0x402024 GetModuleFileNameW

• 0x402028 GetTempPathW

• 0x40202c CreateFileW

• 0x402030 GetFileSize

• 0x402034 lstrlenW

• 0x402038 ExitProcess

• 0x40203c DeleteFileW

• 0x402040 lstrcmpW

• 0x402044 WriteFile

• 0x402048 CloseHandle

• 0x40204c LoadLibraryW

Library USER32.dll:

• 0x40205c wsprintfW

Library SHELL32.dll:

• 0x402054 ShellExecuteW

L!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
SUV3WVt$
PD$0Sj
t$,SWV
_^3]@[4
VD$,Pt$
\VD$,PW
VWVUhH!@
VCC<t$
tVVVVhT!@
D$4d!@
D$8t!@
t$<t$ t$
D$<PD$
|[3VVVVS
D$(PUS
D$(PUWt$ 
|$,;Mu
@;rh!@
SUt$(t$@h
VD$DPt$4t$$W
Vt$,SVt$,
UD$HPh!@
VVVD$PP
vvvgvvvtv-
w5vPvvk
v!SvSvhvBv
RtlDecompressBuffer
InternetOpenW
InternetCloseHandle
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
InternetReadFile
WININET.dll
GetModuleHandleW
HeapCreate
HeapAlloc
GetModuleFileNameW
GetTempPathW
CreateFileW
GetFileSize
lstrlenW
ExitProcess
ReadFile
lstrcmpW
WriteFile
CloseHandle
DeleteFileW
SleepEx
LoadLibraryW
GetProcAddress
FreeLibrary
HeapFree
GetCurrentDirectoryW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
70D0J0o0{000000000
1G1a1u1
11111111
2%2J2Z2j222222
3R333333333+4@4G4^4e4o4444
/images/2805USmp.zip
/images/icons/2805USmp.zip
charmco.az
dollarsbooster.com
kdeohw.exe
Opera10
text/*
application/*
ntdll.dll
rpoertn.exe
C:\Users\admin\Downloads\941ad475b5ea29243876207c76c5591a.exe
C:\b81bee32382ee01c30236d7c1fef751fd700b868aacd9a7b79448213649eab83
C:\Users\admin\Downloads\kdeohw.exe
C:\c71a59275a1a3ad7eaeab0dc140a3d636f275f98c51e003aa037f0dd75d6925b
C:\52b0b1aba27a2bcfff9a6baf9ba5a909f6ab314688d1fa9762dfa819a49f71a2
C:\0da5190ba58183edd0523fce92a68b0f4767ed3a683814318e1ffabbcd643604
C:\Users\admin\Downloads\kdeohw.exe
C:\5eca03b6f078039b600d7b2dd6a695beee51c86a2bce5ceb07f254ed5e9b42a9
C:\74c3f1f6fd1e2abafea2b5c78e386e9bf3fae009431e15d007deeef8fe77aed7
C:\bb6d2d443c81a6b7d16b80ac42a94247d2371666fb5a4e8aa7142cc309ef8efb
C:\cf19ead3850f6f37ae95a823506c940e39bc4baab79ae2b7dced2c5d6cfd00b1
C:\Users\admin\Downloads\kdeohw.exe
C:\1cUTLC4s.exe
C:\Users\admin\Downloads\d62b4af2e2db073bea6d7ce89a17d8f0.virus.exe
C:\989e7ff0d57375a25680eba776d841805806567ef0326b52fdaa3a289ee5d2e4
C:\9w2Q7P_1.exe
C:\Users\admin\Downloads\1140e6568561ddfd82ec025289279c91.virus.exe
C:\b1f5155d6c6c80fd8bc29dd5f9fddb990741766184b57050950b5a42d839b916
C:\Users\admin\Downloads\kdeohw.exe
C:\8f979be5e6c0d971dca9122814785fde0de2b2c5c6780042f4385c9dcd448f09
C:\6289d411213b40d3db079af3f68fdd3131b1321cc593acffb3d8bc2edacfae1f
C:\Users\admin\Downloads\kdeohw.exe
C:\e6a0caf86d7f6aa26333fedab82da3f918dc62d26b914d0944a278eb769c48f3

Hosts

IP
114.114.114.114

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	56933	114.114.114.114	53
192.168.56.101	138	192.168.56.255	138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.