0.9
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.50
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | TrojanPSW:MSIL/Discord.bd08978d | 20190527 | 0.3.0.5 |
| Avast | Win32:PWSX-gen [Trj] | 20200225 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_80% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200225 | 2013.8.14.323 |
| McAfee | PWS-FCML!4E76DF3913F4 | 20200225 | 6.0.6.653 |
| Tencent | Msil.Trojan-qqpass.Qqrob.Pftm | 20200225 | 1.0.0.1 |
静态指标
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 51 个反病毒引擎识别为恶意
(50 out of 51 个事件)
| ALYac | Gen:Variant.Razy.461180 |
| APEX | Malicious |
| AVG | Win32:PWSX-gen [Trj] |
| Ad-Aware | Gen:Variant.Razy.461180 |
| AhnLab-V3 | Malware/Win32.RL_Generic.R263796 |
| Alibaba | TrojanPSW:MSIL/Discord.bd08978d |
| Antiy-AVL | Trojan[PSW]/MSIL.Agent |
| Arcabit | Trojan.Razy.D7097C |
| Avast | Win32:PWSX-gen [Trj] |
| Avira | HEUR/AGEN.1041225 |
| BitDefender | Gen:Variant.Razy.461180 |
| BitDefenderTheta | Gen:NN.ZemsilF.34090.am0@auIzoHc |
| CAT-QuickHeal | Trojan.YakbeexMSIL.ZZ4 |
| CrowdStrike | win/malicious_confidence_80% (D) |
| Cybereason | malicious.913f49 |
| Cylance | Unsafe |
| Cyren | W32/Razy.CN.gen!Eldorado |
| DrWeb | Trojan.PWS.Stealer.25724 |
| ESET-NOD32 | a variant of MSIL/PSW.Discord.AP |
| Emsisoft | Gen:Variant.Razy.461180 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Razy.CN.gen!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1041225 |
| FireEye | Generic.mg.4e76df3913f49ffe |
| Fortinet | MSIL/Agent.RCF!tr.pws |
| GData | MSIL.Trojan-Stealer.Dhaxx.A |
| Ikarus | Trojan.MSIL.PSW |
| Invincea | heuristic |
| Jiangmin | Trojan.PSW.MSIL.gah |
| K7AntiVirus | Trojan ( 700000121 ) |
| K7GW | Trojan ( 700000121 ) |
| Kaspersky | HEUR:Trojan-PSW.MSIL.Agent.gen |
| MAX | malware (ai score=87) |
| Malwarebytes | Spyware.DHTokenGrabber |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | PWS-FCML!4E76DF3913F4 |
| McAfee-GW-Edition | PWS-FCML!4E76DF3913F4 |
| MicroWorld-eScan | Gen:Variant.Razy.461180 |
| Microsoft | Trojan:MSIL/Discord.BM!MTB |
| Panda | Trj/CI.A |
| Qihoo-360 | HEUR/QVM03.0.7A5D.Malware.Gen |
| Rising | Stealer.Discord!1.B7AA (CLOUD) |
| Sangfor | Malware |
| Sophos | Mal/Disteal-B |
| Tencent | Msil.Trojan-qqpass.Qqrob.Pftm |
| Trapmine | malicious.moderate.ml.score |
| TrendMicro | TrojanSpy.MSIL.DISCHOARD.SM |
| TrendMicro-HouseCall | TrojanSpy.MSIL.DISCHOARD.SM |
| VBA32 | TScope.Trojan.MSIL |
| Webroot | W32.Trojan.Gen |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2020-02-20 03:56:58
PE Imphash
f34d5f2d4577ed6d9ceec516c1f5a744
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x000013d4 | 0x00001400 | 5.296243850467217 |
| .rsrc | 0x00004000 | 0x000005e8 | 0x00000600 | 4.3009381579266925 |
| .reloc | 0x00006000 | 0x0000000c | 0x00000200 | 0.08153941234324169 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x000040a0 | 0x0000035c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_MANIFEST | 0x000043fc | 0x000001ea | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library mscoree.dll:
• 0x402000 _CorExeMain
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
v4.0.30319
#Strings
DHTokenGrabber.exe
DHTokenGrabber
mscorlib
System
System.Net.Http
<Module>
Grabber
Object
FileInfo
System.IO
Directory
Exists
DirectoryInfo
GetFiles
FileSystemInfo
get_Name
String
EndsWith
get_FullName
ReadAllText
Contains
Concat
FindLdb
FindLog
ReadAllBytes
Encoding
System.Text
get_UTF8
GetString
get_Length
GetToken
IndexOf
Substring
List`1
System.Collections.Generic
AddRange
IEnumerable`1
RemoveAt
ToArray
contents
Program
Process
System.Diagnostics
Environment
GetFolderPath
SpecialFolder
GetProcessesByName
Thread
System.Threading
op_Equality
HttpClient
MultipartFormDataContent
StringContent
HttpContent
get_UserName
PostAsync
Task`1
System.Threading.Tasks
HttpResponseMessage
get_Result
Exception
SendWH
GetStringAsync
WebException
System.Net
Settings
Webhook
.cctor
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
DebuggableAttribute
DebuggingModes
AssemblyTitleAttribute
System.Reflection
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
Gu)Myxl
WrapNonExceptionThrows
DHTokenGrabber
Copyright
2019
$4b7ec21f-3cd6-4ac1-a85f-c9cce429afeb
1.0.0.0
.NETFramework,Version=v4.6
FrameworkDisplayName
.NET Framework 4.6
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGX
\�d�i�s�c�o�r�d�\�L�o�c�a�l� �S�t�o�r�a�g�e�\�l�e�v�e�l�d�b�\�
N�o� �v�a�l�i�d� �.�l�d�b� �o�r� �.�l�o�g� �f�i�l�e� �f�o�u�n�d�
D�i�s�c�o�r�d�
N�o�t� �f�o�u�n�d�
D�i�s�c�o�r�d�H�a�x�x� �T�o�k�e�n� �G�r�a�b�b�e�r�
u�s�e�r�n�a�m�e�
h�t�t�p�s�:�/�/�m�e�d�i�a�.�d�i�s�c�o�r�d�a�p�p�.�n�e�t�/�a�t�t�a�c�h�m�e�n�t�s�/�5�3�6�6�1�3�7�4�1�2�6�6�0�7�5�6�4�9�/�5�3�9�4�4�6�2�5�3�7�3�0�3�9�8�2�1�8�/�d�i�s�c�o�r�d�h�a�x�x�_�l�o�g�o�.�p�n�g�?�w�i�d�t�h�=�3�0�0�&�h�e�i�g�h�t�=�3�0�0�
a�v�a�t�a�r�_�u�r�l�
T�o�k�e�n� �b�y� �
R�e�s�u�l�t�:� �
c�o�n�t�e�n�t�
h�t�t�p�s�:�/�/�w�t�f�i�s�m�y�i�p�.�c�o�m�/�t�e�x�t�
U�n�a�b�l�e� �t�o� �g�e�t� �I�P�
h�t�t�p�s�:�/�/�c�a�n�a�r�y�.�d�i�s�c�o�r�d�a�p�p�.�c�o�m�/�a�p�i�/�w�e�b�h�o�o�k�s�/�6�7�9�7�7�7�5�1�4�1�4�2�4�3�3�2�9�1�/�u�8�0�P�l�H�y�I�p�8�R�O�A�K�N�x�X�i�u�D�c�Z�L�G�U�O�p�m�j�d�G�a�z�u�O�V�7�g�n�B�W�q�y�1�o�-�d�I�_�z�R�1�D�L�I�f�d�u�i�b�5�0�d�Y�n�Z�j�P�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�o�m�p�a�n�y�N�a�m�e�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
N�i�t�r�o� �F�r�e�e�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
N�i�t�r�o� �F�r�e�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �
� �2�0�1�9�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
N�i�t�r�o� �F�r�e�e�
P�r�o�d�u�c�t�N�a�m�e�
A�s�s�e�m�b�l�y� �p�r�o�d�u�c�t� �n�a�m�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
N�i�t�r�o� �F�r�e�e�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.