1.2
低危
FACILE
1.00
IMCLNet
0.55
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Upatre-V [Trj] | 20200229 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200301 | 2013.8.14.323 |
| McAfee | Downloader-FML!4BDB49686203 | 20200229 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0cd9b | 20200301 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .links |
动态指标
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\budha.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 62 个反病毒引擎识别为恶意
(50 out of 62 个事件)
| ALYac | Trojan.Ppatre.Gen.1 |
| APEX | Malicious |
| AVG | Win32:Upatre-V [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.Ppatre.Gen.1 |
| AhnLab-V3 | Trojan/Win32.Upatre.C369973 |
| Antiy-AVL | Trojan[Downloader]/Win32.AGeneric |
| Arcabit | Trojan.Ppatre.Gen.1 |
| Avast | Win32:Upatre-V [Trj] |
| Avira | HEUR/AGEN.1025965 |
| BitDefender | Trojan.Ppatre.Gen.1 |
| BitDefenderTheta | Gen:NN.ZexaF.34090.ayX@aGXohAki |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Malware.Upatre-6997924-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Waski.BU@7nmtnf |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.862030 |
| Cylance | Unsafe |
| Cyren | W32/S-654ac031!Eldorado |
| DrWeb | Trojan.DownLoad3.33424 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.B |
| Emsisoft | Trojan.Ppatre.Gen.1 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-654ac031!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1025965 |
| FireEye | Generic.mg.4bdb496862030655 |
| Fortinet | W32/Waski.B!tr |
| GData | Trojan.Ppatre.Gen.1 |
| Ikarus | Trojan-Downloader.Win32.Waski |
| Invincea | heuristic |
| Jiangmin | TrojanSpy.Zbot.fkxb |
| K7AntiVirus | Trojan-Downloader ( 004941701 ) |
| K7GW | Trojan-Downloader ( 004941701 ) |
| Kaspersky | HEUR:Trojan-Spy.Win32.Zbot.gen |
| MAX | malware (ai score=87) |
| Malwarebytes | Trojan.Downloader |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Downloader-FML!4BDB49686203 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.lt |
| MicroWorld-eScan | Trojan.Ppatre.Gen.1 |
| Microsoft | TrojanDownloader:Win32/Upatre.A |
| NANO-Antivirus | Trojan.Win32.Zbot.euxmcg |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.967B.Malware.Gen |
| Rising | Spyware.Zbot!8.16B (TFE:dGZlOgGM67KvpgaVYA) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Downloader |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Upatre-XO |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-05-07 19:58:56
PE Imphash
dadb12329976145c6a364992dc8ec07f
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000005f2 | 0x00000600 | 5.914380863162683 |
| .bss | 0x00002000 | 0x00000004 | 0x00000000 | 0.0 |
| .rdata | 0x00003000 | 0x00000452 | 0x00000600 | 3.6491494452835775 |
| .links | 0x00004000 | 0x00000104 | 0x00000200 | 1.9977761239262495 |
| .rsrc | 0x00005000 | 0x000001c0 | 0x00000200 | 5.058292584119172 |
| .reloc | 0x00006000 | 0x000000e2 | 0x00000200 | 2.0658929695048505 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x00005058 | 0x00000165 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library WININET.dll:
• 0x403068 HttpOpenRequestA
• 0x40306c InternetQueryOptionW
• 0x403070 InternetSetOptionW
• 0x403074 HttpSendRequestW
• 0x403078 InternetConnectA
• 0x40307c InternetOpenW
• 0x403080 HttpQueryInfoW
• 0x403084 InternetReadFile
Library KERNEL32.dll:
• 0x403000 CloseHandle
• 0x403004 GetFileSize
• 0x403008 GetModuleHandleW
• 0x40300c ExitProcess
• 0x403010 HeapCreate
• 0x403014 HeapAlloc
• 0x403018 GetModuleFileNameW
• 0x40301c GetTempPathW
• 0x403020 HeapDestroy
• 0x403024 GetCurrentDirectoryW
• 0x403028 Sleep
• 0x40302c FreeLibrary
• 0x403030 GetProcAddress
• 0x403034 LoadLibraryW
• 0x403038 HeapFree
• 0x40303c DeleteFileW
• 0x403040 lstrlenW
• 0x403044 WriteFile
• 0x403048 lstrcmpW
• 0x40304c ReadFile
• 0x403050 CreateFileW
Library USER32.dll:
• 0x403060 wsprintfW
Library SHELL32.dll:
• 0x403058 ShellExecuteW
L!This program cannot be run in DOS mode.
(((()(((Rich(
.rdata
@.links
@.reloc
SVW3S]H
ulh 1@
_3^@[xSP
@SMTQutPuX
bSETPW
SWSulh
SM`A<uX
Et}t N
WSuhulSuhh
dM8QVh
SSSSh0@
,MlE$0@
ElElMXkpUl;T
}H]tkp
SSPVu4
uL9~lu
0]tSudE$PSSF PSu\
|N9~lu.j
^M\QMPQj Pu\
VEPPj uh
3SSSSuh
]p3SE0PEpPh
]T]t=0@
ETPupu`V
ETPupu`uh
M`Ep+;t
G>Mtr~
9}pEL@`3
Vu\RVh
EDudEpu@
YjlES0@
SE PupudV
EPPh0@
@hIEH;
application/*
text/*
RtlDecompressBuffer
InternetReadFile
HttpQueryInfoW
HttpSendRequestW
InternetSetOptionW
InternetQueryOptionW
HttpOpenRequestA
InternetConnectA
InternetOpenW
WININET.dll
HeapDestroy
GetCurrentDirectoryW
FreeLibrary
GetProcAddress
LoadLibraryW
HeapFree
DeleteFileW
CloseHandle
WriteFile
lstrcmpW
ReadFile
lstrlenW
GetFileSize
CreateFileW
GetTempPathW
GetModuleFileNameW
HeapAlloc
HeapCreate
ExitProcess
GetModuleHandleW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
k-m-a.or g.uk
mages/jq
uerytree
/0705USm`p.enc
tuckersp
ride.com
wp-cont
ent/uplo
ads/2014X/05"x
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
i0v0000000000
1#1@1J1111111
2(2=2C2U2\2a2l222222222&3w3333
4,4E44
545f5z555555555
k�i�l�f�1�.�e�x�e�
U�p�d�a�t�e�s� �d�o�w�n�l�o�a�d�e�r�
r�n�t�d�l�l�.�d�l�l�
b�u�d�h�a�.�e�x�e�
C�:�\�f�v�H�c�4�X�3�L�.�e�x�e�
C�:�\�a�q�K�4�J�A�H�4�.�e�x�e�
C�:�\�3�F�z�i�9�2�Z�y�.�e�x�e�
C�:�\�j�S�Z�V�u�D�a�h�.�e�x�e�
C�:�\�1�7�b�0�3�7�4�f�7�6�1�a�9�5�f�b�0�2�9�b�a�f�5�3�d�1�a�1�6�4�c�4�6�0�b�9�b�6�9�2�0�2�1�b�2�7�6�f�2�4�0�a�b�8�b�a�3�e�2�5�6�d�d�b�
C�:�\�3�c�5�7�2�f�2�3�b�b�e�1�5�b�1�2�b�4�9�d�6�1�b�6�9�f�e�8�b�2�0�a�e�4�9�7�8�3�8�a�e�7�6�3�2�1�6�2�9�0�f�c�0�5�2�0�7�e�a�e�9�c�5�a�
C�:�\�c�8�4�0�2�e�1�0�0�0�3�e�4�1�e�0�0�1�6�8�e�0�d�1�1�0�8�3�8�c�4�8�f�a�b�f�5�1�a�9�d�6�4�3�a�d�0�c�b�8�d�a�2�f�5�6�a�9�3�2�c�5�c�8�
c�:�\�a�n�a�l�y�s�e�\�1�5�6�1�6�8�2�2�5�0�.�6�9�5�6�3�0�6�_�1�f�f�d�8�7�1�1�-�b�e�5�c�-�4�3�d�a�-�9�b�6�e�-�9�c�6�3�6�0�c�d�2�5�e�8�
C�:�\�c�d�a�c�2�7�c�8�0�c�3�f�8�6�b�8�7�a�1�7�3�b�9�a�0�d�e�3�e�f�a�5�0�d�5�7�c�c�5�f�5�3�d�c�8�5�1�d�1�f�5�d�8�a�6�2�7�b�4�f�c�3�8�6�
C�:�\�0�0�8�0�8�8�4�f�9�8�f�b�9�d�2�a�f�9�5�2�b�f�3�5�4�f�1�7�f�7�c�9�3�0�6�7�6�6�8�3�7�e�1�d�6�4�5�3�1�6�e�5�5�9�3�b�1�0�4�4�7�9�b�a�
C�:�\�E�k�6�0�H�h�q�C�.�e�x�e�
C�:�\�a�3�W�G�0�X�r�k�.�e�x�e�
C�:�\�U�s�e�r�s�\�V�i�r�t�u�a�l�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�8�4�2�3�9�c�d�a�3�0�1�e�1�1�8�a�c�9�8�6�9�f�d�6�b�d�3�b�b�1�1�d�9�d�3�0�f�8�8�7�a�1�9�9�0�7�7�c�f�f�b�6�e�f�7�0�c�d�0�f�7�8�c�e�.�e�x�e�
C�:�\�8�0�H�m�M�0�C�m�.�e�x�e�
C�:�\�m�j�C�D�k�M�V�R�.�e�x�e�
C�:�\�t�V�K�V�6�f�q�R�.�e�x�e�
C�:�\�9�b�a�b�7�c�7�8�4�8�4�7�3�b�0�3�8�5�f�1�2�f�4�e�3�2�8�9�f�8�d�9�7�3�6�5�9�0�3�e�9�f�5�8�4�0�7�3�c�4�4�3�9�4�3�8�a�4�e�1�8�6�e�c�
C�:�\�3�4�2�3�8�0�5�4�c�7�0�6�b�8�c�a�d�8�1�e�b�9�d�e�2�a�b�7�9�7�c�8�e�b�d�2�b�3�0�7�5�a�6�a�a�3�5�7�2�c�3�b�d�0�1�0�d�5�d�d�2�f�9�2�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�b�u�d�h�a�.�p�e�3�2�
C�:�\�8�7�e�b�0�b�f�0�b�3�3�5�4�d�3�5�d�f�4�f�1�1�7�9�f�b�f�6�9�2�4�8�7�0�b�e�3�0�2�5�6�8�b�9�c�0�0�f�4�8�4�3�1�a�8�3�2�3�f�7�a�a�0�b�
C�:�\�a�h�j�r�l�y�_�x�.�e�x�e�
C�:�\�K�s�b�4�d�X�5�a�.�e�x�e�
C�:�\�3�l�N�w�R�4�w�W�.�e�x�e�
C�:�\�D�k�b�_�U�Y�B�L�.�e�x�e�
C�:�\�e�w�c�_�e�5�Q�F�.�e�x�e�
C�:�\�d�4�j�a�B�Y�0�q�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�f�i�l�e�.�p�e�3�2�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�8�0�m�c�R�p�C�e�.�e�x�e�
C�:�\�L�j�K�B�j�i�d�G�.�e�x�e�
C�:�\�p�g�R�m�v�c�k�G�.�e�x�e�
C�:�\�D�J�P�W�w�h�e�i�.�e�x�e�
C�:�\�Y�h�g�4�V�8�7�P�.�e�x�e�
C�:�\�U�s�e�r�s�\�V�i�r�t�u�a�l�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�a�9�b�5�a�9�9�b�0�a�e�1�8�c�5�b�3�d�e�4�8�f�8�b�b�5�7�0�7�3�0�f�a�7�3�9�4�8�a�4�e�d�2�b�6�b�2�4�1�c�4�6�3�d�e�7�6�7�1�7�6�4�1�5�.�e�x�e�
c�:�\�V�I�D�6�8�3�4�7�6�0�0�2�.�e�x�e�
C�:�\�d�9�0�f�d�e�9�6�f�8�a�f�4�0�e�1�3�a�d�c�c�9�2�4�7�3�3�2�8�0�f�8�6�e�3�1�c�e�f�3�b�f�6�0�c�8�a�b�4�c�1�a�4�6�c�2�4�d�a�e�e�b�d�9�
C�:�\�_�N�d�M�x�8�8�f�.�e�x�e�
C�:�\�L�h�U�Z�X�_�r�i�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�a�c�t�u�r�a�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�s�a�m�p�l�e�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�a�c�t�u�r�a�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�a�c�t�u�r�a�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�b�u�d�h�a�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�s�a�m�p�l�e�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�i�n�v�o�i�c�e�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�i�n�v�o�i�c�e�.�e�x�e�
C�:�\�U�s�e�r�s�\�V�i�r�t�u�a�l�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�0�d�a�d�7�4�3�3�7�2�6�9�9�5�6�f�5�4�2�6�5�1�7�2�5�2�d�c�b�7�0�0�0�3�4�9�2�3�f�d�f�b�3�3�1�5�d�4�d�9�e�9�b�d�3�2�3�f�6�1�5�a�6�5�.�e�x�e�
C�:�\�C�D�n�U�2�N�J�F�.�e�x�e�
C�:�\�p�2�P�K�H�f�I�v�.�e�x�e�
C�:�\�E�w�L�7�2�f�z�f�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�a�5�a�6�b�2�d�a�9�1�9�b�d�e�b�7�5�0�b�8�b�1�b�c�3�0�5�d�4�a�2�c�.�e�x�e�
C�:�\�G�U�U�5�N�K�D�3�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�b�d�f�1�c�e�7�4�c�3�2�9�7�6�d�e�b�4�4�7�0�5�e�5�6�d�1�d�8�6�3�3�.�e�x�e�
C�:�\�7�5�9�6�1�6�5�e�8�5�8�f�d�4�e�b�b�4�2�8�4�0�a�c�3�b�e�4�b�2�3�8�5�a�5�4�5�4�b�e�a�2�0�7�1�b�a�3�b�2�6�7�5�e�0�5�4�6�8�7�5�b�d�7�
C�:�\�0�8�3�5�4�a�2�7�1�8�2�3�d�d�2�9�1�f�3�1�8�a�1�a�b�6�f�1�f�6�a�e�a�0�b�d�7�a�d�d�d�5�8�a�f�7�d�3�2�5�9�9�2�4�8�8�f�f�6�9�d�6�d�b�
C�:�\�6�4�5�6�c�5�e�6�2�9�e�9�3�5�2�4�f�1�2�6�9�7�5�3�5�7�e�e�1�6�9�e�1�f�f�d�9�8�7�c�5�5�4�9�7�3�3�a�e�2�3�a�1�7�1�5�b�1�b�b�2�1�4�6�
C�:�\�a�f�8�e�9�b�7�8�2�e�8�5�4�1�a�c�7�8�b�6�f�c�e�e�0�b�4�d�9�3�c�d�9�0�7�c�2�5�6�5�8�5�e�5�c�5�2�9�4�c�a�6�c�0�f�0�b�b�3�a�9�5�6�c�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 104.21.38.216 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| k-m-a.org.uk |
A 172.67.139.81
A 104.21.38.216 |
172.67.139.81 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49164 | 104.21.38.216 k-m-a.org.uk | 80 |
| 192.168.56.101 | 49165 | 104.21.38.216 k-m-a.org.uk | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 8a236f8083212787_budha.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\budha.exe |
| Size | 10.2KB |
| Processes | 2996 (None) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 6037b8363b35e0cb1ae6daff761bb21b |
| SHA1 | 4720cb02e803d8756e4e6ac0459f60d54b9a8a1f |
| SHA256 | 8a236f808321278705b298bfa2fbb36ebe8c9e9ba5a863897b25e56f2d3468cc |
| CRC32 | 42920605 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.