2.7
中危
58 个模型检测该样本为恶意!
重新分析
更多

0d8cef5adc4a221a9e20ba85c951ea55d244ea69d6196dd55f58d7995dc72bb8

0d8cef5adc4a221a9e20ba85c951ea55d244ea69d6196dd55f58d7995dc72bb8.exe

分析耗时

134s

最近分析

383天前

文件大小

11.8KB
静态报毒 动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER UPATRE
鹰眼引擎
DACN 0.14
FACILE 1.00
IMCLNet 0.52
MFGraph 0.00
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba None 20190527 0.3.0.5
Avast Win32:Waski-A [Trj] 20200405 18.4.3895.0
Baidu None 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20200407 2013.8.14.323
McAfee Downloader-FML!50A2E70EF34D 20200406 6.0.6.653
Tencent Malware.Win32.Gencirc.10b0ccab 20200407 1.0.0.1
静态指标
行为判定
动态指标
在文件系统上创建可执行文件 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
投放一个二进制文件并执行它 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
将可执行文件投放到用户的 AppData 文件夹 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
一个进程创建了一个隐藏窗口 (1 个事件)
Time & API Arguments Status Return Repeated
1727545341.62575
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\budha.exe
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\budha.exe
parameters:
show_type: 0
success 1 0
检查适配器地址以检测虚拟网络接口 (50 out of 192 个事件)
Time & API Arguments Status Return Repeated
1727545376.40675
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545376.40675
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545376.42175
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545376.42175
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545376.43775
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545376.43775
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545376.45375
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545376.45375
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545376.89075
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545376.89075
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545376.89075
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545376.89075
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545376.92175
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545376.92175
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545376.92175
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545376.92175
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545377.09375
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545377.09375
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545377.09375
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545377.09375
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545377.12575
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545377.12575
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545377.12575
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545377.14075
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545378.04675
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545378.04675
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545378.06275
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545378.06275
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545378.07875
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545378.07875
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545378.07875
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545378.09375
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545378.25075
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545378.25075
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545378.26575
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545378.26575
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545378.28175
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545378.28175
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545378.29675
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545378.29675
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545378.45375
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545378.45375
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545378.46875
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545378.46875
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545378.48475
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545378.48475
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545378.50075
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545378.50075
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545422.42175
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545422.42175
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
网络通信
与未执行 DNS 查询的主机进行通信 (1 个事件)
host 114.114.114.114
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意 (50 out of 58 个事件)
ALYac Trojan.Ppatre.Gen.1
APEX Malicious
AVG Win32:Waski-A [Trj]
Acronis suspicious
Ad-Aware Trojan.Ppatre.Gen.1
AhnLab-V3 Trojan/Win32.Upatre.R282018
Antiy-AVL Trojan/Win32.SGeneric
Arcabit Trojan.Ppatre.Gen.1
Avast Win32:Waski-A [Trj]
Avira TR/Crypt.XPACK.Gen
BitDefender Trojan.Ppatre.Gen.1
BitDefenderTheta Gen:NN.ZexaF.34104.auX@ayIbTQni
Bkav W32.AIDetectVM.malware
CAT-QuickHeal Trojan.GenericRI.S7114043
ClamAV Win.Malware.Upatre-7004553-0
Comodo TrojWare.Win32.TrojanDownloader.Waski.AQ@7t0jau
CrowdStrike win/malicious_confidence_100% (D)
Cylance Unsafe
Cyren W32/S-654ac031!Eldorado
DrWeb Trojan.DownLoad3.28161
ESET-NOD32 Win32/TrojanDownloader.Waski.A
Emsisoft Trojan.Ppatre.Gen.1 (B)
Endgame malicious (high confidence)
F-Prot W32/S-654ac031!Eldorado
F-Secure Trojan.TR/Crypt.XPACK.Gen
FireEye Generic.mg.50a2e70ef34df146
Fortinet W32/Waski.A!tr
GData Trojan.Ppatre.Gen.1
Ikarus Trojan-Downloader.Win32.Upatre
Invincea heuristic
Jiangmin TrojanDownloader.Upatre.aerk
K7AntiVirus Trojan-Downloader ( 0048f6391 )
K7GW Trojan-Downloader ( 0048f6391 )
Kaspersky HEUR:Trojan.Win32.Generic
MAX malware (ai score=81)
Malwarebytes Trojan.Upatre
MaxSecure Trojan.Upatre.Gen
McAfee Downloader-FML!50A2E70EF34D
McAfee-GW-Edition BehavesLike.Win32.Generic.lt
MicroWorld-eScan Trojan.Ppatre.Gen.1
Microsoft TrojanDownloader:Win32/Upatre.A
NANO-Antivirus Trojan.Win32.DownLoad.cqofta
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM20.1.668B.Malware.Gen
Rising Downloader.Waski!8.184 (RDMK:cmRtazp59ha5HdLXin6OQB9BeJZT)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Mal/EncPk-ACO
Tencent Malware.Win32.Gencirc.10b0ccab
Trapmine malicious.moderate.ml.score
连接到不再响应请求的 IP 地址(合法服务通常会保持运行) (7 个事件)
dead_host 162.159.129.85:443
dead_host 192.168.56.101:49171
dead_host 161.35.49.148:443
dead_host 192.168.56.101:49178
dead_host 162.159.130.85:443
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49209
可视化分析
二进制图像
数据导入图像 288x288
数据导入图像 224x224
数据导入图像 192x192
数据导入图像 160x160
数据导入图像 128x128
数据导入图像 96x96
数据导入图像 64x64
数据导入图像 32x32
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2013-12-02 23:44:08

PE Imphash

dbedbd02d04be04f074d5cec09129e32

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000004bf 0x00000600 5.148108865724482
.rdata 0x00002000 0x00000514 0x00000600 3.9347106150218445
.data 0x00003000 0x00000020 0x00000200 0.36235932787291114
.rsrc 0x00004000 0x000001c0 0x00000200 5.067991416548164
.reloc 0x00005000 0x000000ce 0x00000200 1.9537160164971747

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x00004058 0x00000165 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library WININET.dll:
0x402060 HttpSendRequestW
0x402064 InternetSetOptionW
0x40206c HttpOpenRequestW
0x402070 HttpQueryInfoW
0x402074 InternetReadFile
0x402078 InternetConnectW
0x40207c InternetOpenW
Library KERNEL32.dll:
0x402000 lstrlenW
0x402004 WriteFile
0x40200c HeapFree
0x402010 FreeLibrary
0x402014 GetProcAddress
0x402018 LoadLibraryW
0x40201c DeleteFileW
0x402020 GetModuleHandleW
0x402024 HeapCreate
0x402028 HeapAlloc
0x40202c GetModuleFileNameW
0x402030 GetTempPathW
0x402034 CreateFileW
0x402038 GetFileSize
0x40203c lstrcmpW
0x402040 ExitProcess
0x402044 ReadFile
0x402048 CloseHandle
Library USER32.dll:
0x402058 wsprintfW
Library SHELL32.dll:
0x402050 ShellExecuteW
L!This program cannot be run in DOS mode.
MV,8,8,8T,8,9,8Z,8Z,8Rich,8
`.rdata
@.data
@.reloc
_3^@[SP
SMQuPu
SWSuhx!@
SLMA<u
tSSSSh!@
]3ESSj
0EPESS4
^EPEPjWu
VEPjW
3SSSSW
]3SEPEPh
]]EPuV
SMQuEVP
RtlDecompressBuffer
InternetOpenW
InternetConnectW
HttpOpenRequestW
InternetQueryOptionW
InternetSetOptionW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
WININET.dll
GetModuleHandleW
HeapCreate
HeapAlloc
GetModuleFileNameW
GetTempPathW
CreateFileW
GetFileSize
lstrlenW
ExitProcess
ReadFile
lstrcmpW
WriteFile
CloseHandle
DeleteFileW
LoadLibraryW
GetProcAddress
FreeLibrary
HeapFree
GetCurrentDirectoryW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
10?0L0Z0f0t0y000000000
1<1d1m11111111
2/282_2g22222
3H3333333
464N4U4h4q44444
/wp-content/uploads/2009/06/pdf.enc
/wp-content/uploads/2013/05/pdf.enc
kofinyame.com
california89.com
budha.exe
Updates downloader
text/*
application/*
ntdll.dll
rkilf.exe
C:\HJw24fD9.exe
C:\d8f1b4e468f8a061198f3cc9ee2526e3c51df67f54c94ea5e83f83efe197b5ff
C:\d810aa5c08e626726b45e4fada4782688c8b37bf27f7ecb0f91ea4f2050af2dd
C:\b19fef3a0882b34135fc07d258218e3f45fcc38e9dfcdd6dfa0477c7b4b0dbec
C:\a70badd15fe4332a3eebaff74d677e585f67a96f94d3bfd799ed65ef9b187d05
C:\8877b2bf229c949210974eb60d5d723e440f9208a56566cab4f2dad93ff24022
C:\Documents and Settings\Administrator\Desktop\Ze3RblXy.exe
C:\415be2a17986628f95dd34ea72f2a61a1982e2b4e9861c353e7e3820e988b688
C:\d2831e10352c1a3ce66f1293a68777459418a4326bccc0a715bc01c3ef72545b
C:\22a753b3eb1e2d6d07e2388c317ff8192114a4ac2ef30e121013df98f97a33a0
C:\c19a6cf1b6e0eab9078216c0f4bb5450dc2a10078ae950e5b822e7a7cd50c448
C:\Users\Lisa\Desktop\yKbWTU0e.exe
C:\084cbb7cd8627cdfe63f8519f09a8100aac4710de7d396149d345182ce078d93
C:\7c1b33a4ffaca8cd292d24c9b0a275629e931e0378d49305680e759d87b19aa5
C:\0Uo5xKz3.exe
C:\6KFaOARu.exe
C:\f9e7ac30f32702132cf61b9629f6af02a1b805896d2102f529420b9691c98365
C:\ygr5uoF9.exe
C:\38e9207f91e4476779efe6907f2a9fe5ecc8a1b5bae45cbf227afdc6999c9887
c:\task\9B9CA61614A4FF51A6EABB3272FCB5BD.exe
C:\16763a2cc3689668f16585355b5887bcfb1ded868e4392c468bb74facaa069cc
C:\Users\admin\Downloads\invoice.exe
C:\c81c281539c3ab2994aeda20a9768a8186b490d71f37262f7d7fe60fe040722a
C:\Users\admin\Downloads\invoice.exe
C:\Ecm_s7kh.exe
C:\Users\admin\Downloads\factura.exe
C:\3b6805cfa374d5fd3a692a6cce2d1a5285ee427c6887966edc98a5d246adb73f
C:\Users\admin\Downloads\factura.exe
C:\Users\Joe Cage\Desktop\KSHnsPDRjb.exe
C:\de1066604e42a4ebeb261aebc0f4b2add7d5318a1c0672738fc9d467258e7b9c
C:\e97e2e07e374ea17b536cc6be6683369a15b2d9be1ff4fbef72e37e36bfd53a4
C:\Users\admin\Downloads\budha.exe
C:\5a2f29ed03ae45dd8c6b9e1e69e09945ac18f7bc275033778516a90e915cde8c
C:\Users\admin\Downloads\budha.exe
C:\e31d269d8d15494dfa03efcabf80676434f32f6c7fe6a88f7fe0af2973b98f61
C:\Users\admin\Downloads\budha.exe
c:\task\876D14258484B485C75A62C79B40B58A.exe
c:\task\3A8E55BB9E5D5B5BF07EB4DA61FA874E.exe
C:\5043a39a10114874a4801ac76f831ee5ae46886c4b1cb1d2e5240074a45c9df7
C:\f57ef8444231b89cf358eb754e94f849553e8440de06c87d981588083e867d61
C:\Users\admin\Downloads\budha.exe
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\10d6abb63d5f6a6e65ba668825a89239b3feb8c822bea992a4d422c079f447ee
C:\1400cf2d34d6444e59381b2b9812665c70972fc1b0aecab1ddbac1c3e7286c9f
C:\Users\Virtual\AppData\Local\Temp\82ef47a08de8e29254e4936b76b854039fa9694ec52d9ffbfac86723f9479c60.exe
C:\65db06f070574e880d192e4e68f6841f7b452540963b573c22f37bd5349c4ff9
C:\Users\admin\Downloads\budha.exe
C:\Users\admin\Downloads\87ef47ed3b825863c91eeeff6a61c714c675f3de00d18240e11e723020b25776.exe
C:\2964356cbbadff57aee79d9ca11a51da62cf101b515839ac59ed6a421c27a5e5
C:\3041006ed545dd6eabec4eed16323d1dc91edb71d3f377d88e8e942f7c3ae25d
C:\Users\admin\Downloads\budha.exe
C:\Users\admin\Downloads\59b50d60380e0f9d039cf3b4a918335546899b42d32adf05ee2f260db514c5b6.exe
C:\CwHoR9uo.exe
C:\DJT1dC7v.exe
C:\Users\admin\Downloads\c8c5beeb2fe4675acfb6ed38e56f8490.exe
C:\b83359c6acd6935581dbc8a9ba781b4b62a86bc6f18ce8d5967f4d1076c160de
C:\0bf25a0f90ba04df185c3fecd8b3d7c5643b6bae00c5fd5f3526985a8e875bc9
C:\b72745b93c08f5a0df3d6cdb14d7602053804b82dc782d420dbe8cdb2c2a7b06

Process Tree

0d8cef5adc4a221a9e20ba85c951ea55d244ea69d6196dd55f58d7995dc72bb8.exe, PID: 1612, Parent PID: 2244

default registry file network process services synchronisation iexplore office pdf

budha.exe, PID: 920, Parent PID: 1612

default registry file network process services synchronisation iexplore office pdf

TCP

Source Source Port Destination Destination Port
192.168.56.101 49164 162.159.129.85 california89.com 443
192.168.56.101 49165 162.159.129.85 california89.com 443
192.168.56.101 49166 162.159.129.85 california89.com 443
192.168.56.101 49168 162.159.129.85 california89.com 443
192.168.56.101 49169 162.159.129.85 california89.com 443
192.168.56.101 49170 162.159.129.85 california89.com 443
192.168.56.101 49172 161.35.49.148 kofinyame.com 443
192.168.56.101 49173 183.235.178.81 www.download.windowsupdate.com 80
192.168.56.101 49174 161.35.49.148 kofinyame.com 443
192.168.56.101 49175 162.159.129.85 california89.com 443
192.168.56.101 49176 162.159.129.85 california89.com 443
192.168.56.101 49177 162.159.129.85 california89.com 443
192.168.56.101 49179 162.159.129.85 california89.com 443
192.168.56.101 49180 162.159.129.85 california89.com 443
192.168.56.101 49181 162.159.129.85 california89.com 443
192.168.56.101 49184 161.35.49.148 kofinyame.com 443
192.168.56.101 49185 161.35.49.148 kofinyame.com 443
192.168.56.101 49186 162.159.130.85 california89.com 443
192.168.56.101 49187 162.159.130.85 california89.com 443
192.168.56.101 49188 162.159.130.85 california89.com 443
192.168.56.101 49190 162.159.130.85 california89.com 443
192.168.56.101 49191 162.159.130.85 california89.com 443
192.168.56.101 49192 162.159.130.85 california89.com 443
192.168.56.101 49194 161.35.49.148 kofinyame.com 443
192.168.56.101 49195 161.35.49.148 kofinyame.com 443
192.168.56.101 49196 162.159.130.85 california89.com 443
192.168.56.101 49197 162.159.130.85 california89.com 443
192.168.56.101 49198 162.159.130.85 california89.com 443
192.168.56.101 49200 162.159.130.85 california89.com 443
192.168.56.101 49201 162.159.130.85 california89.com 443
192.168.56.101 49203 162.159.130.85 california89.com 443
192.168.56.101 49206 161.35.49.148 kofinyame.com 443
192.168.56.101 49207 161.35.49.148 kofinyame.com 443
192.168.56.101 49208 162.159.130.85 california89.com 443
192.168.56.101 49209 162.159.130.85 california89.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 57665 114.114.114.114 53
192.168.56.101 51758 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name a5f70ac0e7bf5a66_94308059b57b3142e455b38a6eb92015
Filepath C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Size 342.0B
Processes 920 (budha.exe)
Type data
MD5 4f58ea36953ff2fbaf7c4b37d5473d75
SHA1 8d8ce343e457ada240e3a67afd6f8c3258e3a3ff
SHA256 a5f70ac0e7bf5a66e2b0f4ab9945526e6c8af5bf63c487a631c4dd80a0b82faa
CRC32 FCC5EF2A
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name ed0a163f040eb093_budha.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\budha.exe
Size 12.0KB
Processes 1612 (0d8cef5adc4a221a9e20ba85c951ea55d244ea69d6196dd55f58d7995dc72bb8.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 15003295722e71fef50d1a4a31d5596b
SHA1 a97876b4a09f241fa87ad691a923f2c1e05bccbc
SHA256 ed0a163f040eb093b28e5dffd31f91c1fa05007ba64d169ab6caf892f50c3575
CRC32 47D9B8DD
ssdeep None
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.