1.1
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.67
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Downloader-WIH [Trj] | 20191004 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Downloader.Waski.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191004 | 2013.8.14.323 |
| McAfee | Upatre-FAAH!534F64D92A4C | 20191004 | 6.0.6.653 |
| Tencent | None | 20191004 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00001000', 'virtual_size': '0x00001d20', 'size_of_data': '0x00001e00', 'entropy': 6.993157961535865} | entropy | 6.993157961535865 | description | 发现高熵的节 | |||||||||
| entropy | 0.3333333333333333 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | Trojan.GenericKD.1958066 |
| APEX | Malicious |
| AVG | Win32:Downloader-WIH [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.1958066 |
| AhnLab-V3 | Trojan/Win32.Upatre.R126822 |
| Antiy-AVL | Trojan[Downloader]/Win32.Upatre |
| Arcabit | Trojan.Generic.D1DE0B2 |
| Avast | Win32:Downloader-WIH [Trj] |
| Avira | TR/Rogue.ai.14114.aia |
| Baidu | Win32.Trojan-Downloader.Waski.a |
| BitDefender | Trojan.GenericKD.1958066 |
| Bkav | W32.FamVT.GeND.Trojan |
| CAT-QuickHeal | TrojanDwnldr.Upatre.AA4 |
| ClamAV | Win.Trojan.Upatre-3457 |
| Comodo | TrojWare.Win32.TrojanDownloader.Waski.FA@5j51sa |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.92a4cc |
| Cylance | Unsafe |
| Cyren | W32/Trojan.XENZ-1703 |
| DrWeb | Trojan.DownLoader11.60054 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.A |
| Emsisoft | Trojan.GenericKD.1958066 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Trojan3.LWZ |
| F-Secure | Trojan-Downloader:W32/Upatre.I |
| FireEye | Generic.mg.534f64d92a4cc46a |
| Fortinet | W32/Waski.A!tr |
| GData | Trojan.GenericKD.1958066 |
| Ikarus | Trojan-Spy.Zbot |
| Invincea | heuristic |
| Jiangmin | TrojanDownloader.Upatre.cb |
| K7AntiVirus | Trojan-Downloader ( 0048f6391 ) |
| K7GW | Trojan-Downloader ( 0048f6391 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=84) |
| MaxSecure | Trojan.Upatre.Gen |
| McAfee | Upatre-FAAH!534F64D92A4C |
| McAfee-GW-Edition | BehavesLike.Win32.PWSZbot.mm |
| MicroWorld-eScan | Trojan.GenericKD.1958066 |
| Microsoft | TrojanDownloader:Win32/Upatre.AA |
| NANO-Antivirus | Trojan.Win32.RiskGen.dierlg |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.5315.Malware.Gen |
| Rising | Trojan.DL.Win32.Upatre.all (CLASSIC) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-AJUR |
| Symantec | Downloader |
| TotalDefense | Win32/Upatre.PPfcDLC |
| Trapmine | malicious.high.ml.score |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2039-11-16 18:48:59
PE Imphash
da6b168375faf6dc3c71fb750b6f3832
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00001d20 | 0x00001e00 | 6.993157961535865 |
| .rdata | 0x00003000 | 0x000009a4 | 0x00000a00 | 4.870738937487076 |
| .data | 0x00004000 | 0x00000b3c | 0x00000400 | 3.9147859922140555 |
| .rsrc | 0x00005000 | 0x00002d08 | 0x00002e00 | 5.042199268053648 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000053f0 | 0x000025a8 | LANG_NORWEGIAN | SUBLANG_NORWEGIAN_BOKMAL | None |
| RT_GROUP_ICON | 0x00007998 | 0x00000014 | LANG_NORWEGIAN | SUBLANG_NORWEGIAN_BOKMAL | None |
| RT_VERSION | 0x00005130 | 0x000002c0 | LANG_NORWEGIAN | SUBLANG_NORWEGIAN_BOKMAL | None |
| RT_MANIFEST | 0x000079b0 | 0x00000357 | LANG_NORWEGIAN | SUBLANG_NORWEGIAN_BOKMAL | None |
Imports
Library MSVCRT.dll:
• 0x403050 __p__commode
• 0x403054 _controlfp
• 0x403058 _XcptFilter
• 0x40305c _except_handler3
• 0x403060 __set_app_type
• 0x403064 __p__fmode
• 0x403068 _exit
• 0x40306c _adjust_fdiv
• 0x403070 __setusermatherr
• 0x403074 _initterm
• 0x403078 __getmainargs
• 0x40307c _acmdln
• 0x403080 exit
Library USER32.dll:
• 0x403090 DestroyWindow
• 0x403094 PostQuitMessage
• 0x403098 DefWindowProcA
• 0x40309c CreateWindowExA
• 0x4030a0 LoadCursorA
• 0x4030a4 LoadIconA
• 0x4030a8 RegisterClassExA
• 0x4030ac GetMessageA
• 0x4030b0 TranslateMessage
• 0x4030b4 DispatchMessageA
• 0x4030b8 SendMessageA
Library KERNEL32.dll:
• 0x403010 SetLastError
• 0x403014 CreateFileA
• 0x403018 GetTempPathA
• 0x40301c GetCommandLineW
• 0x403020 lstrcatA
• 0x403024 LoadLibraryA
• 0x403028 GetStringTypeA
• 0x40302c GetDiskFreeSpaceA
• 0x403030 IsValidCodePage
• 0x403034 GetModuleHandleA
• 0x403038 GetStartupInfoA
• 0x40303c SetFileAttributesA
• 0x403040 CopyFileA
• 0x403044 lstrcpynA
• 0x403048 SetEnvironmentVariableA
Library GDI32.dll:
• 0x403008 CreateFontIndirectA
Library COMCTL32.dll:
• 0x403000 InitCommonControlsEx
Library SHELL32.dll:
• 0x403088 CommandLineToArgvW
L!This program cannot be run in DOS mode.
`.rdata
@.data
hh@h@h
C.S%;U\
HP3PIQ5
.+rbxdkGHeV8)
CFHoeup:?0h+
L$(hdU
PD$(PD$P
L$ D$D
L$$D$D
L$$\$D
L$ D$D
L$0QD$H
L$0D$H
WPT$0RD$P
PD$4PD$\
Q\$h>s
L$$\$D
L$ D$D
L$(D$D
L$,D$D
L$0D$D
L$4D$D
_^]L$0[d
SUVW@V3u)V
taVWL$
AVWAf9
GGEGGEM;r
hD0$h$
DDD@hC
0SZ+$h$0h0@0D@YA@
DhD@$@$
q6w {Jg
cRdr I.
WLC*^
" e3Le
~@h,> o
$UeIvH6yAs&
eqBML:
eGQ1#;
SD]*M.c
E]u&#<<*
sBNpQ]
7b;e&]G
AA+mGh,lH(e
T^mc\j6h8
"g},%ybqi
l0,01 a dET
>;b*,uJ
f7iCF Z4e
7r`{ls
gr/t88)
[?h+!0`)
XJxrb4`
?j 1-Bf[T
K)[X_J^72;k^>+
k2%upP=Xh+;0
6t~[N~
}l%-Bw
c^f)*tV:-K4}?l
xboIq=nA3,0-Gf
,Uy>%PP
4?(R<3
6upB?f{?bhjsJ
LjT~W33mQH*d5
$+^:uk<s2e
~/DV8pt
6" @"i:
aebk`UVPXO
]ZE>D!)i.
`S(. H} d
O[}xFcG
:e'6%:8pn
[)%]}v
R7r-KUB
@"1y t
*J*fuC<f>A<W?
@*$=)`
>RXNH."rS'
*c~0_v
h_YDq/7
YnHaV8iV
b,0)C`?0hA
*c~<V<
9;exjLK3!xF
~eyD
[!GOd?8uM
*"[[)[N
Dh$hD@DDh
D0$D0$0D@C
Dhh0@0U
@uHD0@@D
D@jhA*R
&Iua3@0@D$
Q3[h)@
UjhH5@
hSVWe3
EEP5 K@
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
Dh%\0@
RICHED32.DLL
1 2 3 4 5 6 7 8 9
projects, and I think it is unlikely that will
0f3/f3f
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
MSVCRT.dll
_controlfp
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadIconA
LoadCursorA
CreateWindowExA
DefWindowProcA
PostQuitMessage
SendMessageA
DestroyWindow
USER32.dll
lstrcpynA
lstrcatA
GetCommandLineW
GetTempPathA
CreateFileA
SetLastError
LoadLibraryA
SetFileAttributesA
CopyFileA
SetEnvironmentVariableA
GetStringTypeA
GetDiskFreeSpaceA
IsValidCodePage
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
CreateFontIndirectA
GDI32.dll
InitCommonControlsEx
COMCTL32.dll
CommandLineToArgvW
SHELL32.dll
time to go
far far away
very speedy
mesatamy
eclass
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
RICHEDIT
"~!JO29
KIKI2,
xxxyyy
2 2 2 2 2 2 J<z2 J<2 2 0
1 2 2 2 2 2 2 2 0
8 ;!;!;!8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 6
9!;!;!;!;!;!;!;!;!;!;!;!;!;!;!;!;!;!;!;!8 8 8 8 8 8 ;!;!;!9!~CX
9!;!\D\D\D\D\DV>W@V>V>V>V>V>V>V>V>V>V>V>V>V>V>V>V>V>V>V>;!;!Na
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>
c�u�p�e�r�A�V�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
1�3�F�9�C�6�A�6�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
L�a�b� �T�r�a�b� �N�a�b�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�0�5�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �2�0�1�1�-�2�0�1�4� �a�l�l� �a�u�t�h�o�r�s� �(�G�P�L�v�3�)�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
t�r�a�b�n�a�b�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
L�a�b� �T�r�a�b� �N�a�b�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�0�5�
C�o�m�p�a�n�y�N�a�m�e�
L�a�b� �T�r�a�b� �N�a�b� �I�n�c�.�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
C�:�\�U�s�e�r�s�\�M�e�l�i�s�s�a�.�R�O�B�E�R�T�C�U�S�S�E�N�A�N�D�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�T�e�m�p�1�_�B�A�C�S�_�T�r�a�n�s�f�e�r�_�J�S�5�3�4�5�4�3�5�_�p�d�f�.�z�i�p�\�B�A�C�S�_�T�r�a�n�s�f�e�r�_�J�S�5�3�4�5�4�3�5�_�p�d�f�.�e�x�e�
C�:�\�e�8�3�c�b�d�9�7�2�8�b�2�8�3�3�a�5�d�e�2�2�8�4�1�2�b�7�6�c�4�c�1�e�a�b�2�e�6�5�e�f�3�8�0�8�e�3�1�e�1�1�5�5�2�b�7�7�1�a�8�2�6�0�d�
C�:�\�6�9�8�9�2�9�4�8�0�7�2�9�f�c�5�4�2�5�e�9�3�0�2�5�2�7�a�4�d�5�a�4�0�5�8�5�b�4�a�5�5�c�1�5�8�1�6�6�0�c�5�7�4�c�d�e�7�a�9�9�b�8�d�4�
c�:�\�m�a�p�p�_�s�t�a�r�t�_�f�o�l�d�e�r�\�s�n�o�w�b�a�l�l�.�e�x�e�
C�:�\�d�0�6�b�d�0�1�0�1�e�5�a�b�0�3�4�8�4�7�f�4�d�6�f�0�b�a�7�0�4�f�a�e�f�7�4�f�6�e�2�1�0�4�6�c�e�2�7�0�7�1�5�a�8�0�a�9�c�a�1�9�2�0�c�
C�:�\�d�2�5�7�c�a�b�7�5�7�c�7�c�a�a�3�a�1�1�f�7�4�2�b�4�5�6�4�0�f�d�e�1�f�8�c�5�d�4�3�3�6�a�d�e�0�7�f�9�f�7�4�8�6�e�2�0�e�c�f�5�4�1�d�
C�:�\�8�7�f�c�5�0�0�4�1�1�7�9�8�1�1�2�4�1�5�5�b�9�d�8�5�9�e�e�d�1�8�c�c�9�9�8�7�c�f�8�d�a�e�3�a�2�2�2�2�a�7�5�f�e�7�2�5�b�7�f�a�6�2�3�
C�:�\�0�1�8�3�d�a�a�c�3�6�1�e�9�8�0�5�6�2�e�9�b�d�2�9�a�7�f�8�1�e�e�a�a�6�c�3�4�6�a�a�d�f�0�6�0�4�4�8�1�2�2�d�8�5�7�7�1�e�9�4�d�b�b�7�
C�:�\�5�2�4�0�c�6�6�8�d�6�7�e�1�e�4�4�d�a�4�a�3�6�7�e�1�e�2�c�e�0�1�3�5�f�1�9�c�6�c�3�a�c�c�a�f�5�1�f�4�1�c�e�c�2�d�8�b�c�2�d�d�8�e�a�
C�:�\�d�0�b�1�0�4�3�4�3�e�f�3�f�b�7�c�8�d�5�9�3�6�8�4�c�5�e�e�e�8�3�3�8�6�6�f�d�1�7�2�e�e�d�c�3�e�e�8�f�6�8�d�6�f�8�e�3�6�8�3�6�a�8�5�
C�:�\�U�s�e�r�s�\�V�i�r�t�u�a�l�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�a�0�8�d�9�1�2�c�9�e�2�a�4�0�4�b�7�5�f�6�3�7�1�e�f�3�5�9�4�4�2�8�b�6�9�5�6�c�d�a�9�d�a�1�8�6�8�b�3�4�7�c�d�7�e�9�2�0�3�f�1�8�0�4�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�m�c�z�y�h�.�e�x�e�
C�:�\�7�5�2�1�a�6�1�2�3�8�2�0�8�5�d�5�1�2�e�1�2�5�1�c�8�6�c�a�4�a�d�9�9�2�2�3�3�0�d�d�c�8�9�1�b�e�9�3�5�2�f�0�4�4�f�a�2�f�f�b�4�f�8�a�
C�:�\�3�7�c�5�3�e�0�b�d�2�2�c�a�2�1�4�7�9�c�7�e�f�d�b�f�f�0�5�c�f�0�3�b�a�8�3�e�3�d�f�b�1�9�8�0�4�1�6�d�9�2�c�4�b�b�b�b�f�0�0�2�5�2�3�
C�:�\�0�4�a�d�4�0�7�e�6�3�d�a�b�6�b�f�b�b�d�1�6�8�2�a�5�3�c�a�c�a�e�d�a�b�2�9�e�5�4�c�3�3�9�7�b�4�3�c�9�9�d�1�6�9�6�7�4�7�1�7�6�e�5�1�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�m�c�z�y�h�.�e�x�e�
C�:�\�b�8�f�5�4�2�3�1�9�9�c�8�5�3�a�3�6�e�5�e�5�c�3�e�9�8�f�0�2�7�8�b�1�1�e�d�2�4�d�1�0�7�b�c�0�c�b�a�b�d�7�9�7�6�8�7�9�d�b�0�6�8�a�7�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�m�c�z�y�h�.�e�x�e�
C�:�\�d�6�6�3�c�1�c�a�8�b�e�3�f�1�2�e�1�3�c�6�3�c�b�a�7�9�3�5�2�b�9�4�1�5�d�3�b�8�8�d�6�3�d�2�2�1�3�f�9�1�a�c�c�4�7�5�f�5�4�5�a�c�0�0�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�m�c�z�y�h�.�e�x�e�
C�:�\�0�2�0�7�0�f�d�d�d�4�e�7�6�d�6�b�3�c�8�e�a�d�0�4�f�6�f�a�c�1�e�0�8�a�8�5�6�b�4�1�0�3�7�a�d�b�9�4�0�3�e�f�3�7�b�1�3�6�f�6�a�4�c�6�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.