2.4
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.65
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | TrojanDownloader:Win32/Upatre.5e0f4dd5 | 20190527 | 0.3.0.5 |
| Avast | Win32:Agent-AUID [Trj] | 20230410 | 22.11.7701.0 |
| Baidu | Win32.Trojan-Downloader.Waski.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20220812 | 1.0 |
| McAfee | Downloader-FSH | 20230410 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.115d304f | 20230410 | 1.0.0.1 |
静态指标
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tezin.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tezin.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tezin.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
生成一些 ICMP 流量
文件已被 VirusTotal 上 65 个反病毒引擎识别为恶意
(50 out of 65 个事件)
| ALYac | Trojan.GenericKD.1627005 |
| APEX | Malicious |
| AVG | Win32:Agent-AUID [Trj] |
| AhnLab-V3 | Trojan/Win32.Zbot.R103153 |
| Alibaba | TrojanDownloader:Win32/Upatre.5e0f4dd5 |
| Antiy-AVL | Trojan/Win32.Bublik |
| Arcabit | Trojan.Generic.D18D37D |
| Avast | Win32:Agent-AUID [Trj] |
| Avira | TR/Crypt.XPACK.64093 |
| Baidu | Win32.Trojan-Downloader.Waski.a |
| BitDefender | Trojan.GenericKD.1627005 |
| BitDefenderTheta | Gen:NN.ZexaF.36132.buX@aKl6cKbi |
| Bkav | W32.FamVT.GeND.Trojan |
| CAT-QuickHeal | TrojanDownloader.Upatre.A4 |
| ClamAV | Win.Downloader.Upatre-5744092-0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cylance | unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Trojan.MNWL-4927 |
| DeepInstinct | MALICIOUS |
| DrWeb | Trojan.DownLoader9.53364 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.A |
| Elastic | malicious (high confidence) |
| Emsisoft | Trojan.GenericKD.1627005 (B) |
| F-Secure | Trojan:W32/Zbot.BBKM |
| FireEye | Generic.mg.617e21745529617e |
| Fortinet | W32/Waski.A!tr |
| GData | Trojan.GenericKD.1627005 |
| Detected | |
| Gridinsoft | Trojan.Win32.Agent.bot!s2 |
| Ikarus | Trojan-Spy.Agent |
| Jiangmin | Trojan/Generic.azsev |
| K7AntiVirus | Trojan-Downloader ( 0040f7f11 ) |
| K7GW | Trojan-Downloader ( 0048f6391 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Lionic | Trojan.Win32.Generic.lX56 |
| MAX | malware (ai score=100) |
| Malwarebytes | Waski.Trojan.Downloader.DDS |
| McAfee | Downloader-FSH |
| McAfee-GW-Edition | BehavesLike.Win32.PWSZbot.lm |
| MicroWorld-eScan | Trojan.GenericKD.1627005 |
| Microsoft | Trojan:Win32/Trickbot.GML!MTB |
| NANO-Antivirus | Trojan.Win32.Waski.cwabgb |
| Paloalto | generic.ml |
| Panda | Generic Malware |
| Rising | Downloader.Waski!1.A489 (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Upatre |
| Sangfor | Suspicious.Win32.Save.a |
| SentinelOne | Static AI - Suspicious PE |
| Sophos | Troj/Upatre-AN |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2003-10-16 10:32:51
PE Imphash
3bf52cce958af28c47ecfbb6d0a01caa
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00000871 | 0x00000a00 | 5.1970491195442765 |
| .rdata | 0x00002000 | 0x00000d0c | 0x00000e00 | 6.744979989223934 |
| .data | 0x00003000 | 0x0000010c | 0x00000200 | 2.1289171733483006 |
| .rsrc | 0x00004000 | 0x000027f8 | 0x00002800 | 4.582705204755165 |
| .reloc | 0x00007000 | 0x000000e8 | 0x00000200 | 2.0861688023565215 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x00004238 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x000067e0 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MANIFEST | 0x000040f0 | 0x00000148 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library USER32.dll:
• 0x402018 GetWindowTextW
• 0x40201c SetCapture
• 0x402020 GetActiveWindow
• 0x402024 IsChild
• 0x402028 SendMessageA
• 0x40202c MessageBoxA
• 0x402030 TrackPopupMenu
• 0x402034 CreateWindowExA
• 0x402038 TranslateMessage
• 0x40203c DispatchMessageA
• 0x402040 GetMessageA
• 0x402044 PostQuitMessage
• 0x402048 ShowWindow
• 0x40204c FlashWindowEx
• 0x402050 GetKeyState
• 0x402054 TranslateAcceleratorA
• 0x402058 RegisterClassA
• 0x40205c DefWindowProcA
• 0x402060 GetDlgItemTextA
Library KERNEL32.dll:
• 0x402000 GetProcessHeap
• 0x402004 GetModuleHandleA
• 0x402008 CloseHandle
• 0x40200c GetVersionExA
• 0x402010 ExitProcess
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
GKj 0$
PIuTE0
3PPPUR
t+58 @
MQ3PPPUR
3 jjuu
u$@Ph@
P0 E$g
uSAWVAf9
GEGEGMG;r
ET@UV3W}
FG3@_^]
E3T$$3
0VWSSu
X+PQ&YIuKXG[O_^
uHjhTR
SUl$(3VWD$
PL$4j%D$4PL$
bad allocation
x10Y( 9
i?$](j
D9 ?(nWv
KIP;?CU:9%4
_KIP;?CU:=%4
/gK!74
us*5=U:U
^&u+yf5
>\jI>,L
4]2RMEm6
PPV\I';
>4jK#L\Q
>(/:C\
sr)1Y)
#}y<\OL{
)N/4m~d
b:`7gOo
s?/W:qVs
"r=yO/W
`w{G;l^jK.F
}W}vvO'
d1I;?#85?
8]2f674<\
<\b:n g9|jKPCN
<\I':,u^u
tdiminutiveness
.XR}v:Ou)f
'GBDA-=QSq
GetDlgItemTextA
RegisterClassA
TranslateAcceleratorA
GetKeyState
FlashWindowEx
TrackPopupMenu
GetWindowTextW
SetCapture
GetActiveWindow
IsChild
SendMessageA
MessageBoxA
DefWindowProcA
CreateWindowExA
TranslateMessage
DispatchMessageA
GetMessageA
PostQuitMessage
ShowWindow
USER32.dll
GetVersionExA
CloseHandle
GetModuleHandleA
GetProcessHeap
ExitProcess
KERNEL32.dll
lantitude
tofkol
wookernof
button
aaaaaaaaaa
ccccccccccccccccc
static
5A)82O1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>(
|||}}}
/ / / / / / / / =./ / / / / i\/ / / / / / / +
0 0 0 0 0 0 0 0 0 H=0 0 [N0 0 0 0 0 0 0 0 0 0 0 0 -
/ 1!1!1!1!1!1!1!1!I=1!I=1!1!/ / 0!1!1!1!1!1!1!1!/
1!3"3"3"3"3"3"3"3"{3"]R3"3"j_3"3"3"3"3"3"3"1!
3"4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#4#3"
5$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$5$
6%OCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOCOC6%6%6%
c2h2o2{2222222222222
3$3X3b333333333333
4&4+424<4B4N4Z4`444445!6-6666v7
\0`0d0h0l0p0t0x0|00
L�h�t�t�p�:�/�/�n�o�t�e�p�a�d�-�p�l�u�s�-�p�l�u�s�.�o�r�g�/�
h�t�t�p�:�/�/�n�o�t�e�p�a�d�-�p�l�u�s�-�p�l�u�s�.�o�r�g�/�c�o�n�t�r�i�b�u�t�o�r�s�
T�h�i�s� �p�r�o�g�r�a�m� �i�s� �f�r�e�e� �s�o�f�t�w�a�r�e�;� �y�o�u� �c�a�n� �r�e�d�i�s�t�r�i�b�u�t�e� �i�t� �a�n�d�/�o�r� �m�o�d�i�f�y� �i�t� �u�n�d�e�r� �t�h�e� �t�e�r�m�s� �o�f� �t�h�e� �G�N�U� �G�e�n�e�r�a�l� �P�u�b�l�i�c� �L�i�c�e�n�s�e� �a�s� �p�u�b�l�i�s�h�e�d� �b�y� �t�h�e� �F�r�e�e� �S�o�f�t�w�a�r�e� �F�o�u�n�d�a�t�i�o�n�;� �
e�n�e�r�a�l� �P�u�b�l�i�c� �L�i�c�e�n�s�e� �a�l�o�n�g� �w�i�t�h� �
C�:�\�U�s�e�r�s�\�E�l�l�e�n�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�T�e�m�p�1�_�C�B�E�_�F�o�r�m�.�z�i�p�\�C�B�E�_�F�o�r�m�.�s�c�r�
C�:�\�J�K�n�o�0�h�e�g�.�e�x�e�
C�:�\�W�K�c�M�w�Y�T�m�.�e�x�e�
C�:�\�M�y�E�P�V�k�4�Q�.�e�x�e�
C�:�\�P�M�k�G�R�e�y�R�.�e�x�e�
C�:�\�p�R�7�R�V�J�A�i�.�e�x�e�
C�:�\�P�c�f�1�g�Y�W�6�.�e�x�e�
C�:�\�1�P�d�s�J�m�L�k�.�e�x�e�
C�:�\�8�7�4�Z�c�C�S�9�.�e�x�e�
C�:�\�C�B�Y�g�C�3�1�l�.�e�x�e�
C�:�\�R�n�R�F�V�Z�b�5�.�e�x�e�
C�:�\�j�1�T�G�U�4�b�N�.�e�x�e�
C�:�\�u�v�X�j�R�3�W�N�.�e�x�e�
C�:�\�8�K�p�b�g�m�t�K�.�e�x�e�
C�:�\�L�1�w�V�b�x�J�F�.�e�x�e�
C�:�\�E�2�S�e�h�T�L�u�.�e�x�e�
C�:�\�q�a�D�d�b�E�N�r�.�e�x�e�
C�:�\�b�d�i�N�9�g�K�I�.�e�x�e�
C�:�\�f�Q�c�U�1�s�X�S�.�e�x�e�
C�:�\�v�a�n�z�c�d�P�S�.�e�x�e�
C�:�\�n�B�R�3�F�D�A�w�.�e�x�e�
C�:�\�x�X�l�e�e�x�b�H�.�e�x�e�
C�:�\�R�e�0�B�i�Q�_�u�.�e�x�e�
C�:�\�u�E�a�6�B�0�0�a�.�e�x�e�
C�:�\�4�J�D�H�x�g�3�g�.�e�x�e�
C�:�\�Y�3�M�a�d�r�8�E�.�e�x�e�
C�:�\�S�K�O�s�_�i�K�1�.�e�x�e�
C�:�\�N�H�E�P�L�W�K�l�.�e�x�e�
C�:�\�e�G�Z�2�q�A�m�S�.�e�x�e�
C�:�\�x�H�i�I�o�r�f�R�.�e�x�e�
C�:�\�h�7�g�O�W�o�p�9�.�e�x�e�
C�:�\�E�0�l�i�q�F�_�k�.�e�x�e�
C�:�\�8�a�f�d�d�7�7�0�0�b�8�a�5�d�8�6�b�1�1�d�e�c�6�8�a�5�0�3�3�d�4�e�e�f�3�8�9�9�3�b�d�2�f�2�1�2�2�9�f�6�4�9�1�5�9�4�b�f�3�f�a�9�8�e�
C�:�\�4�9�8�e�e�9�4�2�0�6�8�9�a�1�3�6�8�0�1�2�1�b�1�f�2�8�0�9�0�1�7�a�2�5�a�0�7�f�b�2�c�5�2�3�4�8�f�2�b�a�2�3�c�f�9�8�f�8�3�c�6�f�7�1�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�t�e�z�i�n�.�e�x�e�
C�:�\�2�6�b�f�6�e�9�7�2�4�4�8�9�b�0�a�0�4�e�e�c�7�b�7�a�d�c�3�d�6�5�9�5�1�7�d�5�1�f�8�b�b�9�6�e�b�a�f�4�1�4�a�2�c�7�c�c�9�0�3�3�d�5�1�
C�:�\�T�K�n�A�U�s�S�_�.�e�x�e�
C�:�\�a�a�e�7�7�f�e�0�3�9�6�c�a�9�8�b�2�c�1�2�e�e�d�0�4�4�a�b�a�9�b�8�0�3�7�c�0�4�7�2�b�6�9�9�4�5�7�0�2�b�7�2�3�9�6�2�a�8�6�6�1�7�4�f�
Process Tree
-
00a61774bd4123752e5018d7dc05414e4213f4293212deb5d0ff311740b7c840.exe (616)
"C:\Users\Administrator\AppData\Local\Temp\00a61774bd4123752e5018d7dc05414e4213f4293212deb5d0ff311740b7c840.exe"
- tezin.exe (1404) "C:\Users\ADMINI~1\AppData\Local\Temp\tezin.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
131.107.255.255 |
| dns.msftncsi.com |
AAAA fd3e:4f5a:5b81::1 AAAA fd3e:4f5a:5b81::1 |
131.107.255.255 |
| peterjwarren.com | ||
| egodesign-home.com |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 57665 | 8.8.8.8 | 53 |
| 192.168.56.101 | 51758 | 8.8.8.8 | 53 |
| 192.168.56.101 | 52215 | 8.8.8.8 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62361 | 8.8.8.8 | 53 |
| 192.168.56.101 | 58985 | 8.8.8.8 | 53 |
| 192.168.56.101 | 58985 | 114.114.114.114 | 53 |
| 192.168.56.101 | 50075 | 8.8.8.8 | 53 |
| 192.168.56.101 | 50075 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.101 | 114.114.114.114 | 3 | |
| 192.168.56.101 | 114.114.114.114 | 3 | |
| 192.168.56.101 | 114.114.114.114 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 5c2203b3522fe453_tezin.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tezin.exe |
| Size | 19.9KB |
| Processes | 616 (00a61774bd4123752e5018d7dc05414e4213f4293212deb5d0ff311740b7c840.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | dea34ecb013ff7e2de7f5fba5dbd5da8 |
| SHA1 | 2cab330bbc3ca2add8b1957e0182dc3221abcab9 |
| SHA256 | 5c2203b3522fe453cc522deaf9c9df47758c913d4fa5078a97d561387c438874 |
| CRC32 | 3664CA97 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.