1.2
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.64
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Backdoor:Win32/Plugx.9054d806 | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200909 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200909 | 2013.8.14.323 |
| McAfee | GenericRXAA-AA!5EC25F4B7A85 | 20200909 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0ce7a | 20200909 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | code |
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(3 个事件)
| section | {'name': 'code', 'virtual_address': '0x00001000', 'virtual_size': '0x00008000', 'size_of_data': '0x00001e00', 'entropy': 7.92448336565049} | entropy | 7.92448336565049 | description | 发现高熵的节 | |||||||||
| section | {'name': '.rsrc', 'virtual_address': '0x00009000', 'virtual_size': '0x00002000', 'size_of_data': '0x00001e00', 'entropy': 7.757220316243017} | entropy | 7.757220316243017 | description | 发现高熵的节 | |||||||||
| entropy | 1.0 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| ALYac | Gen:Variant.Zusy.295406 |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Zusy.295406 |
| AhnLab-V3 | Trojan/Win32.Generic.C3065578 |
| Alibaba | Backdoor:Win32/Plugx.9054d806 |
| Antiy-AVL | Trojan/Win32.VB.gic |
| Arcabit | Trojan.Zusy.D481EE |
| Avast | Win32:Trojan-gen |
| Avira | TR/Crypt.PEPM.Gen |
| BitDefender | Gen:Variant.Zusy.295406 |
| BitDefenderTheta | AI:Packer.D50774EF1E |
| Bkav | W32.AIDetectVM.malware1 |
| CAT-QuickHeal | Backdoor.PlugX.MUE.A2 |
| ClamAV | Win.Malware.Zusy-6911325-0 |
| Comodo | TrojWare.Win32.Trojan.XPACK.Gen@2ho5ur |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cybereason | malicious.b7a853 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/S-ee031e87!Eldorado |
| DrWeb | Trojan.Siggen7.10761 |
| ESET-NOD32 | a variant of Win32/Shyape.J |
| Elastic | malicious (high confidence) |
| Emsisoft | Gen:Variant.Zusy.295406 (B) |
| F-Secure | Trojan.TR/Crypt.PEPM.Gen |
| FireEye | Generic.mg.5ec25f4b7a853fe0 |
| Fortinet | W32/Shyape.J!tr |
| GData | Gen:Variant.Zusy.295406 |
| Ikarus | Trojan.Win32.Delf |
| Jiangmin | Trojan.Generic.eaoer |
| K7AntiVirus | Trojan ( 004b506c1 ) |
| K7GW | Trojan ( 004b506c1 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Lionic | Trojan.Win32.Generic.4!c |
| MAX | malware (ai score=81) |
| Malwarebytes | Trojan.Sakurel |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXAA-AA!5EC25F4B7A85 |
| MicroWorld-eScan | Gen:Variant.Zusy.295406 |
| Microsoft | Backdoor:Win32/Plugx.N!dha |
| NANO-Antivirus | Trojan.Win32.PEPM.gyzhjv |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | Generic/HEUR/QVM17.0.F01B.Malware.Gen |
| Rising | Backdoor.Plugx!8.D0 (TFE:1:7lbuyjgpLFK) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-BAXF |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-05-01 00:29:02
PE Imphash
09d0478591d4f788cb3e5ea416c25237
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| code | 0x00001000 | 0x00008000 | 0x00001e00 | 7.92448336565049 |
| .rsrc | 0x00009000 | 0x00002000 | 0x00001e00 | 7.757220316243017 |
Imports
Library kernel32.dll:
• 0x409000 LoadLibraryA
• 0x409004 GetProcAddress
• 0x409008 VirtualAlloc
• 0x40900c VirtualFree
Win32 Program!
GoLink, GoAsm www.GoDevTool.com
PEC2^O
PECompact2
.>bRK6
; @V39@-\ftrc3Mpjly
N@7S|0W7?w
DzpUZZJB.
&U{^ly
4~.1'%,
&SRTPw
\a97zv:'
Nl!JC/.+Y
@3|JApK
B%J3~\p8vi
S]Z3b id
@bnr^\'
=hj 8`
4SPu'_YM
n':/,3
,A@A{ C^}
25/1Qtij{
[u[l'eN
h&p.bx/8};Ot
Uh?J:,5eS?
km;h_G
YW(;&T
qT9N{%E||S
t4`s[;G<
yQsG@xo!Z<=
? f6fKNZXZ
[2-CAZg_Z2
&O-|mkS0
5,KrhH
Oie{|YWKcaKhebq
g)U^/L
5\K{0d\
Cjs[,Kv78>=[
;$da{%p\
4ou!cj=
fzMiDwFpsTj7
=h6N";
["ar6lC
C<MTe#,
U!W`sWt7qtA>
=VB5EZF~?(
<&FKjH?
^xT5x`Rv
A/X0%H8I
BT;G *
8F' cML
,>wkpa9 mB"1M ^F
Sj{<i6e1
h!CKzY
sNKn>=v
5]"4AX
9?EX5!|Vf
@IJ~UA
H46)A^^N
KOd-</mTyHZ5
cPYp*%T{
s~R'M,R
,D\?9*V?
TTF]yM#
x<*H%9
H6v6EnWNF<
kgYleeC
=R!@$=
_(F~~7&
##*A~[/
(LX+!|
sM[Z* &yTMorniFfeEuSDr#
{F-30-Q
HG52B
Z#1w_9
'jVM3)
yT:,MILC[qN%
z_{HNOr
VF3S^9[
UwY_DpBXBX\;
~5'BZSY
xDNRw@G
nZz64Yd
`j*T{$
4 dko"\I2Mc!RByv
wL Zw-
.nRo<n<cL
zqR,~|]
988@OE
paBr $
!3xX!.wQX
nosEJJ
mHW3V5
\RR t+
P {fYO
&b=n#S&
Y;fIY=l
7hWG:7;G;
'J58Fq2E@o
hkN.=!
1NwOR?Z
:xa.AO$/&
Qv91-%
ndK%Eh(B
7:t gST
&1JHO4
B0BE%>%$?.CJM!gU&
%,$^@lp1&k
+SLm%u)8(
hl-&3$
"E4rond
2,pUi0>
fJ6cqS
E<]Lel
^ME0;Gl[1>dIi&|mkE%Y
M5 @"l
?QjM5t8l
*% .-^Wmdh',Rl
djQ_f0O
Ez?mZW&E>
J%iu#8
gW&7t=
+D%E'0
}-J%rc
KNB&/k
SBoE<8
:Js_91
$%dE (
RY"RIL
!(rg+
P4?IcG
Y]T(Y2u0
&,&45z
K1sO{D[~9/Ic
NCA|Z'W0}RdQ
A1>BnY8F*4JJ
7Wk$>7r
o)H6X!%tro
)rv+bV
FJ?, m6#Mo
E7sGq_8>f=i
~7wN.V
kH+=}A <
tj(O{s
<%Ay)blX4pc
{mZwX;%
RH$F= '
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
_yAU(u
)Lpaqf
My`#OA
?}vp-D
|6?+:(S
=03GrF
s(,z J~1wn
qPMW{
]"+5Dr
IpX!F8
Iv,s8x
RrV<8JP0~
'{ C)0
HARE=X
.([#1R=
f;:` a
D`}$B;
}As{i {
>4-S8`,
f@k,UND
nq{?[P@
w\X1?9
M)#(Wr
st|v$38
0CM#yT
05C_O79x
odulHawn
Virt?>oc
[da @K
ZPY[]@
+~2>/P
OR!"J-
,tpy(+
P/(#fE#M
3(4H9H8eg
._^^rs#J0MV
7hu s#
<Vy$u 6"
95[xyM
[&FXCU!
sG*DS,u
[b)+Nq*8V
*Px2$zTv
Ca&\.q
J>FAKJt
_>O&*Pg}
_^y'1w
WP!nM>
90si$M3U+
#F{@"X
QFAVc<
N,+K/Q7!'
%F@"HB
R_PJb3EZ`
QB9@4(
F>tM's
'Z&;2=2
I--$@HVW
PO:M9W
,QAj@Rw3:
!{@PWQS}
@$Hn(`L
t?H|X!9NN&TUPB;
A|Q@,: Zha]oM9%
Nr'`Q6
vq"d4n
9l@L04+
pUWmsvb
{ u.Th}e<cdc
%sy5|lntba6id|SDqLG5d,al
uj'X vMagB
wP=tfN>ExitPL
U~ActNCOsb2!
n$zH[QY9
<$J0dkX2
`t$$|$(3
r+|$(|$
USQWVRW
ZPR3C
Z^_Y[]
VeriSign, Inc.1 0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
130828000000Z
140927235959Z01
SEOUL1
Mapo-gu1
DTOPTOOLZ Co.,Ltd.1>0<
5Digital ID Class 3 - Microsoft Software Validation v21 0
Management Support Team1
DTOPTOOLZ Co.,Ltd.0
VqvH#U,^}y
p'A-KH
|@E ~}
\jzB94
9070531/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
;C<i*OjA9
0?R-Ih)s
tsCQv4F=b
?NoGia
Q fbtq
VeriSign, Inc.1 0
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
<VeriSign Class 3 Public Primary Certification Authority - G50
100208000000Z
200207235959Z01
VeriSign, Inc.1 0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
i7{7M_;
Vz;T0S
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
a0_][0Y0W0U
image/gif0!0 0
#http://logo.verisign.com/vslogo.gif04
-0+0)'%#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
VeriSignMPKI-2-80
]L4<7o 4&
!3oX%|t
VeriSign, Inc.1 0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA
PmS/JT
<$&""O
?#YPAL
<�<�<�O�b�s�o�l�e�t�e�>�>�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.