2.8
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.81
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Fearso-V [Wrm] | 20200227 | 18.4.3895.0 |
| Baidu | Win32.Worm.Farex.b | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200227 | 2013.8.14.323 |
| McAfee | GenericRXIH-CL!578205882BAF | 20200227 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b76c99 | 20200227 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(4 个事件)
| section | CODE\x00\x00U |
| section | DATA\x00\x00s |
| section | BSS |
| section | .dxgrnk |
动态指标
提取了一个或多个潜在有趣的缓冲区,这些缓冲区通常包含注入的代码、配置数据等。
检查是否有任何人类活动正在进行,通过不断检查前景窗口是否发生变化
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Windows\kernel.dll |
创建指向可执行文件的快捷方式
(1 个事件)
| file | C:\Users\Public\Desktop\360驱动大师.lnk |
搜索运行中的进程,可能用于识别沙箱规避、代码注入或内存转储的进程
(3 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': 'CODE\\x00\\x00U', 'virtual_address': '0x00001000', 'virtual_size': '0x00002cd0', 'size_of_data': '0x00002e00', 'entropy': 7.7821984618737545} | entropy | 7.7821984618737545 | description | 发现高熵的节 | |||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
使用 CreateRemoteThread 在非子进程中创建线程,表明进程注入的迹象
(2 个事件)
操纵非子进程的内存,表明进程注入
(2 个事件)
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | GenPack:Generic.Malware.E!.16360BE2 |
| APEX | Malicious |
| AVG | Win32:Fearso-V [Wrm] |
| Acronis | suspicious |
| Ad-Aware | GenPack:Generic.Malware.E!.16360BE2 |
| AhnLab-V3 | Trojan/Win32.Hupigon.R68788 |
| Antiy-AVL | Worm/Win32.Nofear |
| Arcabit | GenPack:Generic.Malware.E!.16360BE2 |
| Avast | Win32:Fearso-V [Wrm] |
| Avira | WORM/Fearso.B.1 |
| Baidu | Win32.Worm.Farex.b |
| BitDefender | GenPack:Generic.Malware.E!.16360BE2 |
| BitDefenderTheta | AI:Packer.A9D6010D1F |
| Bkav | W32.HfsAutoB. |
| CAT-QuickHeal | Trojan.GenericPMF.S7319516 |
| ClamAV | Win.Worm.Fearso-6 |
| Comodo | Worm.Win32.Farex.S@56m9cd |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.82bafb |
| Cylance | Unsafe |
| Cyren | W32/Injector.A.gen!Eldorado |
| DrWeb | Win32.HLLM.Fear.2 |
| ESET-NOD32 | a variant of Win32/Farex.Y |
| Emsisoft | GenPack:Generic.Malware.E!.16360BE2 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Injector.A.gen!Eldorado |
| F-Secure | Worm.WORM/Fearso.B.1 |
| FireEye | Generic.mg.578205882bafb0d0 |
| Fortinet | W32/Parite.C |
| GData | GenPack:Generic.Malware.E!.16360BE2 |
| Ikarus | Trojan-Dropper.Win32.Prate |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.dvegr |
| K7AntiVirus | Trojan ( 005568151 ) |
| K7GW | Trojan ( 004be7671 ) |
| Kaspersky | HEUR:Trojan.Win32.Reconyc.vho |
| MAX | malware (ai score=80) |
| Malwarebytes | Trojan.MalPack.DLF |
| McAfee | GenericRXIH-CL!578205882BAF |
| McAfee-GW-Edition | BehavesLike.Win32.Nofear.lh |
| MicroWorld-eScan | GenPack:Generic.Malware.E!.16360BE2 |
| Microsoft | Worm:Win32/Nofear.B@mm |
| NANO-Antivirus | Trojan.Win32.Fear.fvcxra |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM19.1.856D.Malware.Gen |
| Rising | Worm.Soltern!1.BB24 (RDMK:cmRtazqbT8hCe1T+b+8PBYMVM+Dt) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/Systro-AB |
| Tencent | Malware.Win32.Gencirc.10b76c99 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
bf77a11f258d96f8241c51834e97eb91
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| CODE\x00\x00U | 0x00001000 | 0x00002cd0 | 0x00002e00 | 7.7821984618737545 |
| DATA\x00\x00s | 0x00004000 | 0x0000eac0 | 0x0000ec00 | 6.62453072130158 |
| BSS | 0x00013000 | 0x00000801 | 0x00000000 | 0.0 |
| .idata | 0x00014000 | 0x00000438 | 0x00000600 | 3.6226761288444767 |
| .tls | 0x00015000 | 0x00000004 | 0x00000000 | 0.0 |
| .rdata | 0x00016000 | 0x00000018 | 0x00000200 | 0.2044881574398449 |
| .reloc | 0x00017000 | 0x00000300 | 0x00000400 | 0.0 |
| .rsrc | 0x00018000 | 0x00000c00 | 0x00000c00 | 3.2296304468891783 |
| .dxgrnk | 0x00019000 | 0x00000400 | 0x00000400 | 5.231683552422086 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x00018144 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_RCDATA | 0x000189fc | 0x0000006c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x000189fc | 0x0000006c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00018a68 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.DLL:
• 0x4140d4 WriteProcessMemory
• 0x4140d8 WinExec
• 0x4140dc WaitForSingleObject
• 0x4140e0 VirtualFree
• 0x4140e4 VirtualAlloc
• 0x4140e8 SetLastError
• 0x4140ec ResumeThread
• 0x4140f0 OpenProcess
• 0x4140f4 GetWindowsDirectoryA
• 0x4140f8 GetVersionExA
• 0x4140fc GetProcAddress
• 0x414100 GetPriorityClass
• 0x414104 GetModuleHandleA
• 0x414108 GetDiskFreeSpaceA
• 0x41410c GetCurrentProcessId
• 0x414110 CreateRemoteThread
• 0x414114 CopyFileA
• 0x414118 CloseHandle
Library KERNEL32.DLL:
• 0x414064 GetCurrentThreadId
• 0x414068 GetLastError
• 0x41406c ExitProcess
• 0x414070 WriteFile
• 0x414074 SetFilePointer
• 0x414078 SetEndOfFile
• 0x41407c RtlUnwind
• 0x414080 ReadFile
• 0x414084 RaiseException
• 0x414088 GetStdHandle
• 0x41408c GetFileSize
• 0x414090 GetFileType
• 0x414094 CreateFileA
• 0x414098 CloseHandle
• 0x41409c GetCommandLineA
• 0x4140a0 TlsSetValue
• 0x4140a4 TlsGetValue
• 0x4140a8 LocalAlloc
• 0x4140ac GetModuleHandleA
• 0x4140b0 GetModuleFileNameA
• 0x4140b4 FreeLibrary
• 0x4140b8 HeapFree
• 0x4140bc HeapReAlloc
• 0x4140c0 HeapAlloc
• 0x4140c4 GetProcessHeap
Library shlwapi.dll:
• 0x414120 PathFileExistsA
Library user32.dll:
• 0x4140cc CharNextA
L!This program must be run under Win32
.idata
.rdata
P.reloc
P.rsrc
P.dxgrnk
j{=ki[
EB =#G
EB =?G
j#=kis
j?=kig
=j^VCT` =
:?^VCT`;!=
C2|LNE
gDh.OE
$p{DU'w6
*kejL]>@
S-l.wj74wD
,0(B&\
u6 I4p
T}'FJnE
wl}7~"?L>}Tu6 /
rt$}^]U
)Y.dE~
gX=},jW
Uj[07zM
GTs^i[D
p[\V{&LNEh$W
*+`j#?%o
X-}LHHI %s;
*`j'C%E
q;V}L>@A
u2 =s}
\Cn@=o
}WBD2`+%=
}*?x(4
dG ;}*s~
7/rO(R
ZK6*aj|;.qCb
I*syW>S
T3gaM/m%v]Ax
5j[Sp>vV!B>I28JKQ
7H@>g$w
ckjd!~
|jTsp;:'sz
0LJMAWrq; }@F@wB/A
P5wB/)#`8
e\X-sh^!61G
ElbOr;
S>VXq6 |
tcYNEQ
|>.p/gC
d,}*)iW$
m[D%v^A
wqISDLNE
;KisEX
5j[DwP
KB R*`<*JIM
HbpB7=9
s?uIuB
Di[s/NJNA
6h<*FC
Xd<x*NEapD7
lt >Xmyq*
>^EC1dMm
jC:D1#M
C2U%CHo[
DE-ri@7o[
V-mHRW
f2vi!?
w6 KYg0}_A'(
>%E<iW
G|1@=B
@/IgA~5KglOS
av6 [szhW
j6 =e\W-ca=DbW
TiLI>Vl-
w'*wej&H
s/50VT8"BM
UO}='}l
vLyYP!0KtT
SCK=hq
ec.E&LNE
=iIy/-P6
eT6G.|2OHp
s^2J,aC
{{"eNRk#m
dS [C!?@XV0
`xfOHU
%R>#%`
>U%C|[&\jNnOo4
$T`; =
DW#g&^W
!i$wcr'
+ ljOC LNE
IDLNE.C
CwE6Ty
S>U@!wL #
X/cNbq
C+% =O73
C7HjO4U
I/sb[D&LNE#
eom}(iW
YKB A+3
>klqj<ki
EB =gG
EB =sG
jg=ki?
EB =OG
SP>ZCl
gW}Dbq
dI}B!(
[7 =O{3
>bClgW}Ebq
#TsRk[DOE
-ak}ik$
Ya1CLn
}bo5*v
au}za&
bOdv1CI
s}gj0qB
YgtlP!?
&NEUAqw"'/
Ti@s.AK
Ti@s.Ak
g~ZWy2l
i@sTj]S
s6 G,;4L<*b
El~6 zF
}*PC? =T2
dd$sUI
VM)>kl/WNf
~NEUAw"'/
7 =Pv2? ={w@Jb
j@UwDjf
INf'Va-@=*)iWF.
Ri/}+,C
y6 Ii;j[0()iWPN!2)
vj/}>*h
>G)>>C9 =a/}*)$iW$e6 )7Y/^
[[DMi!bw6VGdUj->>
8uHK
(7 =ad
NEW'D:T?(
RWpUj{
n@-wI*s6
j[0()piWN!:+
).>vV@
wBZF"d/}*fW
=*)piWC57^
d).>vV@
wBZB"d}'K
*3qjL>
RWLUj/
)iWl! =XS>
+pjO`"tkCw6
/WNf'V
= =a#}
@gcmjS(>-(Cn*^
Yg}fo!1e
,o}N>>!
RGdjS>
i#rw6T
XvD!rw6VW ej-zE
*mj/c>z<Q-3w
i%rw6f
VG\ej{(B
RG\ejL>&V
-Sw!"!
*w67J3d
k[D.+UA)w"2I
%HVJ-C`wK
(NEi~bg
Cb0[y*$A
@E^c#
fXu+_@w
=*jC'q-=*>kj
M/])2\#h
72JLa_>@
7Bs0Oa7
7Kb/Oj
MG)@D%W
F]`p/Wg
*0WKHP
-JKI_jC@
drL4}*l
r)qx>{Q
eY~x6WS]
q6s>y[Di
do>V1.{OTseS
j[*s)iW
bu*A>J
$k_r'{u
6WS dTD
WG,8v8pAuG
ID/]z>{W\
kVgHfYD
*fjOWp b,r*
Nce+eOgw4U
U}NEZC
}.NEjC
u}NE.C
}6NE~C
=*)PiW
Q2]ni%< =a/(=*)iWl
zlFL>@W
BuL>^t
=*)iW)
6s:}[DNE~7
d}A|+'h=
L!This program must be run under Win32
.idata
.reloc
P.rsrc
Stringl
TObjectx
TObjectl
System
gW9tSVW
t1|9,9t:VW
_^UEP=
Ek<1fU
Ht Ht.g
RPFHPW
6Huv=L
1^6KfF
3E?E3s
3EE_^[Y]
f=r/f=w)f%f=u
1^[^8u
f=v-f=w'j
f=v)f=w#j
-C GL$
SVWPtl11
-tb+t_$t_xtZXtU0u
FxtHXtCt
~ExC[)A
FuY12_^[
PRQYZXt5x
YXfYX_^
@~d@PQ@
YXYX
Iu9u_^[
PRQQTj
YZXtpH
S1VWUd
SPRQT$(j
Zd$,1Yd
t=HtN`
r6t0R=
t/=t&,*&"
1Ul$PEd
SVWU&@
^s]_^[
UDU1h%@
QRZX1Yd
PVS_^[]
XRHpZX
PQIZXSVW
ISVWRP1L
KuZXu
JzZ_^[X$
thtkFW)w
9uXJt
8uAJt
t7JIt1S
St-Xt&J|
t0JN|*9}&~")9~
tVSVWU
t@t1SVW
1Z)_^[
K)QfY[
Mu]_^[
@+uh3@
USVWME]
3mEE;Et
u5];}}
;EU@]^
MO|"GE
U3Uh6@
U3Uhu8@
U3Uh8@
U3Uh9@
TFileName
TSearchRecX
BFKu_^[
BFKu_^[
USEE3UhW;@
d0d UE
33ZYYd
USVEE3Uh;@
d0d UE
E^[YY]
| v;}
N|7 vU+A
PP^[SVWQj
$Z_^[Pb
3URURURURPJ
EUE3RPEUM
E3RPEU~M
kernel32.dll
GetDiskFreeSpaceExA
uTC,PNSC
U3Uh?@
U3ZYYd
TStrListSVWt
3UhQA@
E$[Y]SVW
U3UhA@
TRGSV>
3UhSD@
d0d E|E3E}
E2EPEPj
MU3ZYYd
E"E^[]
MU3UhE@
jt`MAE3H]K|JC3E@Ej
EPEPVG
EFKu3ZYYd
EE_^[]
SVWUQ3
t-uEE}
UQSVWM
P_^[Y]
UQSVW3EE
3Uh<H@
0P3ZYYd
E9E^[YY]Sz
U3UhH@
UVWQSR1hH@
f:MZuV
Z[Y_^]
U3UhI@
SV3UhK\@
U3ZYYd
N^[]SVWU
T*dT(Cfu]_^[
^[SVW
SV3Uh]@
FBfu3ZYYd
SVWUE'3Uh^@
EU_^[]USVW3
ME3Uhv_@
d0d EPE0
EPM3EEP|
u3ZYYd
E_^[]U3QQQQQQS(@
3UhNa@
d0d Uf9
YE=PPUf=
U3Uha@
PHuE`SUEE5E-3Uhb@
PHuEDSV3
D@LHTPMUEEEu3Uh
d0d UE_
PTUTPESij
SEnPX@
WHLULX
r@DUD?PA3ZYYd
XFEARX
U3UhEe@
3UhJn@
d0d uh`n@
FuA@KL
Ut3ZYYd
U3QQQQQSVW3Uh`o@
K3ZYYd
U33Uho@
d0d Ep@
fu3ZYYd
S3Uh\q@
U3QQQQQQSV3UhZr@
pUXcU3
Sfv1EP
S3Uhr@
U3QQQQQQSV3Uhs@
S3Uhtt@
IuQS3Uhu@
TUXGU3
&uL3hu@
S3Uh`v@
IuQSVW
2UEYfF
S3UhTx@
{UXnU3
S3Uhy@
k3ZYYd
U3QQQQQS3UhZz@
>UX1U3
U3QQQQQQQ3Uhg{@
U3Uh{@
d0d MU
uLuuh}@
u78.t,uh}@
t3ZYYd
SV3Uh\~@
d0d f=(@
EPEt~@
Nu3ZYYd
IuQSVW
d0d EPSj
E3Uhq@
d2d"EPEPWEP
EEPEPWEP
Lt'f=(@
d0d Uf6
3Y3ZYYd
E;Y]U3Uh@
U3QQQQSVEE
d0d UE
;toEPE
EsH~*U$@
[]():
d0d UEYUE
Efu&=<@
d0d UfA
iphlpapi.dll
GetNetworkParams
UdSVW3
o3ZYYd
U3QQQQSV3Uhp@
Us3ZYYd
MMMMUE3Uh
d0d 3EE
UQSEE3UhR@
EPE?P(A
33ZYYd
IuMSMUEE{EsEkE
d0d PU
ppuh @
USV3E3UhV@
d0d tD
%fdUUtD
E ^[YY]
MMUEE}3Uh,@
d0d 33EE
tcEjF~T
,.u;E0E
GCNu3ZYYd
USVWMUE3E
EPEPS@
u-EPEPj
EPEPS@
USVW3E
E3ZYYd
$E_^[]
?u!GEPM3
E83ZYYd
C;u*U
u+fEP@
A4USV3EEEE3UhP@
d0d 3EE3
E3|6xD
~(EPEPMEz}
d0d |D
h3ZYYd
d0d h?
VSV3ZYYd
SVW3D@
\3ZYYd
<~_^[]
U3Uh1@
d0d U/p
EDE3Uhb@
jE3UhE@
<-tEM<.t>M<Zt7E
E9v$E<
<-tEM<.t>M<Zt7E
E9v$E<
<-tEM<.t>M<Zt7E
E9v$E<
Ehz3ZYYd
E/z3ZYYd
TClientSocketl@
TClientSocket@@
TServerSockethD
u$EEP@
fEE/fG
_^[]tcp
|3ZYYd
{Vv_^[]
U3Uh}@
TWebserverInfo
UEE!}E
}3UhE@
}UE4~u
Uy3ZYYd
Tys[YY]
USVWUEE|3Uh
d0d ExEzfv$f
E|D8\CfuU
E}EM(@
xz3ZYYd
Esx5s_^[YY]
IuSVWUEE{
~3UhG@
d0d U3U`@
wEnwEfwUE;ExU|
:|5m_fS
{ln_fV
J{El^@
bV]`U@
EUjtEP@
^\U|x~;j
vTPPfk
PXut7LU
?LPHfl
vElsPEu
ZqE.qk_^[]
</A> (
U3QQQQQSV]
EOpEGpE
^uE"tf
EUt~UE
tEPUfv
Q3ZYYd
o<j^[]
Q3ZYYd
Lzh_^[]
UUEEqEq3Uh
n3ZYYd
mlhYY]
im3ZYYd
SVWfUfE=@
d0d f]fuE
orf;r/E
UlCNf;sf;uv
fEIf;]s
fU83ZYYd
l(g_^[]
U3QQQQQQQQSVW5
d0d 33
t!EPMEUlU?
<3ZYYd
je_^[]
U3QQQQQ3Uh@
'EPUf#
ZU/3ZYYd
IuQSVWE3Uh@
s3ZYYd
hb_^[]
UHSVW3LHPXT`\dh=
`P\|x\Xh`
gtdVXf
XPT8xTXhhXo
gP<CLf
(LPHwHX
Cf`_^[]U
UEEi3Uh0@
d0d U!S
iCNuEzfv
?S3ZYYd
U3QQQQSVW3UhM@
6Nr+F3
|3ZYYd
Lc]_^[]
U3QQQQQQQQSV3Uh@
tt!Uf&
vfNr_F3
t;UrsUM
-{3ZYYd
ai\^[]
|z3ZYYd
a[^[YY]
U3QQQQQQQQSVW3Uh@
ly3Uh@
d0d `@
yX,Z3X@
^yY_^[]
d0d U0K00I
U0YP0PGui,En,
b0L3ZYYd
,]E]DX[]
UUUUEE`3UhP@
EU\E\U|
E|8 tU@
I3ZYYd
IZT_^[]
$(UEE+]3Uh@
d0d U,F,PD7C
U,yK,K
EZ~'E8>u E
8]fv6$P
XEYu f:
,E3ZYYd
F\3Uh@
WLU3fiz:UfM
dWMUSW?
E~eP3EtZY~
UE}u0E&E
~48.t)uh @
OV<ht3ZYYd
SESPN[]
d0d cEJTE@
u E TE@
TEKC{u3ZYYd
RM[YY]
@u<U3 }
E1RLY]
pE<UPj
P9a3ZYYd
ExQ:LY]
E3Uh.@
Ax;Ufi
>QEHt"j
EP`u3ZYYd
d0d 4D
O3ZYYd
]3Uhu@
d0d <@
kernel32.dll
GetCurrentThreadId
GetLastError
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
LocalFree
LocalAlloc
FreeLibrary
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
oleaut32.dll
SysFreeString
SysReAllocStringLen
advapi32.dll
RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegCloseKey
kernel32.dll
ReadFile
GetVersionExA
GetProcAddress
GetModuleHandleA
GetLastError
GetFileSize
GetDriveTypeA
GetDiskFreeSpaceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
DeleteFileA
CreateThread
CreateFileA
CopyFileA
CloseHandle
user32.dll
SetTimer
MessageBoxA
GetMessageA
DispatchMessageA
CharLowerBuffA
kernel32.dll
LoadLibraryA
advapi32.dll
CloseServiceHandle
ControlService
OpenServiceA
OpenSCManagerA
0 0@0L0P0T0X0\0`0d0h0t0000000000000000
1&1.161>1F1N1V1^1f1n1v1~111111111
2,2E2V2k2x22314C5l5s5z5J6_6666D7K7z77"8B88Q:\:m:v:<<<<
=6=>>>?
I01"262>2T2l2z222222
373d3m33333
4S4{4555
6,6e6m6y66666666
7,72787>7C7I7R7b7g7l7q7v77777777
8 8A8J8`8x888888
00333333
6{66666666666
787S7]7h7{777777777
8!8?8D8W8c8p88888888888888
9"9*929:9B9J9R9Z9b9j9r9z9999999999999
:";J;;;0<D<O<V=f=q=w=
==>>>>>>>>>>>>>
?#?.?8?C?M?X?b?m?w???????????
0(00080D0X0`0d0h0l0p0t0x0|0000
1D11111111111111111
4F4444s57/8o8{888888888889999
;;9<<<.=a=====>>
?/?i????????????
0%0-050=0E0_0k0s0{0000000000/1<1c1o1v111112,3M334'535@5R5t====
>8>u>>>>>>>'?F??????
&040Z0n0{00000*181J1
111162H2t22222
3O3j333
4B4P4b44444
51575K5p5{55555.6<6N666@77777"808B8t888888
9,9^9l9~9999
:6:H:x:::C;U;{;;;;;;;J<T<\<<<K=====
>'>J>>>>>>
0 0'050Z0d0000000
1-1K1W1^1i1{112
3G3333B4x44444444
5 5(50585@5H5P5X5`5h5p5x5555555555555G6f6n6666666
7@7M77^88888
9K9\99
:':.:E::::::
;4;?;K;V;j;o;u;;;;;;;;;;;;;;
<9<><E<g<l<<<<<<<
='=K=P=W=y=~===B>G>>>
?"?M?R???
0m0r000
1+101T1i1n1u1111111G2S2Z2e2o2y2222222
373I33
5!5G5T555586w6677P777708D8L8`8888888 9999999
:":8:F::::::::::
;C;O;V;`;j;|;;
23:3B3J3g33
4.4O4{55555
6 6,6>6u66
77z889U9r999999
: :$:(:,:0:4:8:<:J:R:h:{:
:::::::::::::::
;E;p;u;;;;;;
=:=O=d===
?_?k?x??????
30o00000T1a1y11F233=4C4H4V444444l555I6666
707J7d7777
: :(:<:Q:Y:g:n:::::
;0;9;G;;;;;;;;;;
<&<B<J<<%=0=C=S=j=z====Q>>>>
?4?C?]?l?{?????
0?0`000051O1b1v111A33
5T5d555555555
6'6;6o6z666666
707Y7y77777777!8H8m88888888
9,999X9]9i9x999999999
:3:C:]:n:t:::::`;;;E<<F=U====S>>>>>>??
3&3B3F3J3N3R3V3Z3^3b3f3j3n3r333P4T4X4\4`4d4h4l4p4t4x4|444.5u55506J6t66666
7*777Q7d7w7777777"8Q8X8d8o8888888
9J9P9k9v999999999999999999999999999
: :$:(:,:4:?:L:W:\:p:
(0,0004080<0@0H0L0P0000000
1 1$1,101D1L1`1d1h1l1p1t1x1|111111111111111111111111111111111
Fear_DLL
UTypes
System
SysInit
KWindows
KERNEL32.DLL
KERNEL32.DLL
shlwapi.dll
user32.dll
WriteProcessMemory
WinExec
WaitForSingleObject
VirtualFree
VirtualAlloc
SetLastError
ResumeThread
OpenProcess
GetWindowsDirectoryA
GetVersionExA
GetProcAddress
GetPriorityClass
GetModuleHandleA
GetDiskFreeSpaceA
GetCurrentProcessId
CreateRemoteThread
CopyFileA
CloseHandle
GetCurrentThreadId
GetLastError
ExitProcess
WriteFile
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
GetCommandLineA
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
GetModuleFileNameA
FreeLibrary
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
PathFileExistsA
CharNextA
GetProc
SysInit
System
UTypes
<AclUtils
KWindows
GPrepender
TlHelp32
j{=ki[
EB =#G
EB =?G
j#=kis
j?=kig
=j^VCT` =
:?^VCT`;!=
C2|LNE
gDh.OE
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUC
|!;zjt
@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
@� �@�@�@�`�@�
`�@�@�@�@�@�
`�@�@�@�@�@�
`�@�@�@�@�@�
`� � � � �@�
`�@�@�@�@�`�
`� � � � �@�
`�@�@�@�@�`�
Process Tree
- explorer.exe (1412) C:\Windows\Explorer.EXE
- 0834214a2e525eda44cbfe9e263b5a1cb006ed7263befa938cd652f45246bdef.exe (1848) "C:\Users\Administrator\AppData\Local\Temp\0834214a2e525eda44cbfe9e263b5a1cb006ed7263befa938cd652f45246bdef.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 99c463412a27083b_kernel.dll |
|---|---|
| Filepath | C:\Windows\kernel.dll |
| Size | 58.5KB |
| Processes | 1848 (0834214a2e525eda44cbfe9e263b5a1cb006ed7263befa938cd652f45246bdef.exe) |
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | a8bc0ea18313a54c9ac752e0e9835a18 |
| SHA1 | 7a6c24088f0f6d6da73dcaaf51d6a98fe7430f1b |
| SHA256 | 99c463412a27083b58c98fabc80980c8297c0709b70fcbb929f0fa70eea560d7 |
| CRC32 | 3BDE0AE7 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 8b4451d32b0c44d1eb52cf4809bf60e409016d1f |
|---|---|
| Size | 4.0KB |
| Type | data |
| MD5 | afe8b03a243e2c21a319025216eec3db |
| SHA1 | 8b4451d32b0c44d1eb52cf4809bf60e409016d1f |
| SHA256 | 97b50df00c90b082260a7bc7a9228564f137aedc5d5d7255d092a905ca893263 |
| CRC32 | BCDBA74B |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |