2.7
Medium risk

0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd

0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe

Analysis duration

133s

Last analysed

393 days ago

File size

23.5KB
Static detection  Dynamic detection  CVE  FAMILY  METATYPE  PLATFORM  TYPE  UNKNOWN  WIN32  TROJAN  BACKDOOR  ABINDI
Hawkeye engine
DACN 0.14
FACILE 1.00
IMCLNet 0.49
MFGraph 0.00
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
Alibaba Backdoor:MSIL/Bladabindi.1196e3b9 20190527 0.3.0.5
Avast MSIL:Agent-DRD [Trj] 20200731 18.4.3895.0
Baidu MSIL.Backdoor.Bladabindi.a 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Kingsoft None 20200731 2013.8.14.323
McAfee Trojan-FIGN 20200731 6.0.6.653
Tencent Msil.Backdoor.Agent.Woqd 20200731 1.0.0.1
Static indicators
Queries the computer name (1 event)
Time & API Arguments Status Return Repeated
1727545336.6565
GetComputerNameW
computer_name: TU-PC
success 1 0
Checks whether the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1727545326.5315
IsDebuggerPresent
failed 0 0
Command-line console output observed (2 events)
Time & API Arguments Status Return Repeated
1727545334.250375
WriteConsoleA
console_handle: 0x00000007
buffer: 重要信息:“netsh 防火墙”已弃用; 请使用“netsh advfirewall 防火墙”。 有关使用“netsh advfirewall 防火墙”命令 而不是“netsh 防火墙”的详细信息，请参阅位于下列位置的 KB 文章 947709: http://go.microsoft.com/fwlink/?linkid=121488。
success 1 0
1727545334.266375
WriteConsoleA
console_handle: 0x00000007
buffer: 服务尚未启动。
success 1 0
Checks the amount of memory in the system, which can be used to detect virtual machines with little available memory (1 event)
Time & API Arguments Status Return Repeated
1727545336.6725
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1727545334.4065
__exception__
exception.address: 0xe70d41
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 fc 3a a7 6c 8b f0 eb 14 8b c8 e8 bd c0
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 36704664
registers.ecx: 0
registers.edx: 36735980
registers.ebx: 36735952
registers.esp: 76608544
registers.ebp: 76608584
registers.esi: 0
registers.edi: 36735980
stacktrace:
0xe70b95
mscorlib+0x216e76 @ 0x6d976e76
mscorlib+0x2202ff @ 0x6d9802ff
mscorlib+0x216df4 @ 0x6d976df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6fc91b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6fca8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6fcb6a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6fcb6a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6fcb6a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6fd33191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6fce192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6fce18cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6fce17f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6fce197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6fd32f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6fd3303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6fdf805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
Behavioural verdict
Dynamic indicators
Allocates read-write-execute memory (usually used for self-unpacking) (22 events)
Time & API Arguments Status Return Repeated
1727545326.5165
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x6fc91000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.5475
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0040a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.5475
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x6fc92000
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.5475
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00402000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.6095
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00412000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.6255
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00413000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.6255
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0044b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.6255
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00447000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.6415
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0041c000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.6565
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00e70000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.7195
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00414000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.7345
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00415000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.7345
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00416000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.7505
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0043a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545326.7505
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00432000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545332.9845
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0041a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545334.4225
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00e71000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545334.6255
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0040b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545335.3915
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0042a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545335.3915
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00427000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545336.6415
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x04740000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
1727545336.7505
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x04741000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1332
success 0 0
Checks whether any human activity is taking place by repeatedly checking whether the foreground window changes
A process attempted to delay the analysis task. (1 event)
description 0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe attempted to sleep for 191.007 seconds, actually delaying analysis by 191.007 seconds
Looks up the locally unique identifier of a suspicious privilege on the system (1 event)
Time & API Arguments Status Return Repeated
1727545339.4845
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline netsh firewall add allowedprogram "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" "0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ENABLE
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 114.114.114.114
Installs itself for autorun at Windows startup (50 out of 222 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdfbe1733e1cf7b7d40aac26336794f9 reg_value "C:\Users\Administrator\AppData\Local\Temp\0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe" ..
File identified as malicious by 65 antivirus engines on VirusTotal (50 out of 65 events)
ALYac Generic.MSIL.Bladabindi.95968F40
APEX Malicious
AVG MSIL:Agent-DRD [Trj]
Acronis suspicious
Ad-Aware Generic.MSIL.Bladabindi.95968F40
AhnLab-V3 Backdoor/Win32.Bladabindi.R91438
Alibaba Backdoor:MSIL/Bladabindi.1196e3b9
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi.as
Arcabit Generic.MSIL.Bladabindi.95968F40
Avast MSIL:Agent-DRD [Trj]
Avira TR/Dropper.Gen7
Baidu MSIL.Backdoor.Bladabindi.a
BitDefender Generic.MSIL.Bladabindi.95968F40
BitDefenderTheta Gen:NN.ZemsilF.34144.bmW@aiO@HFn
Bkav W32.PraticI.Trojan
ClamAV Win.Trojan.B-468
Comodo Backdoor.MSIL.Bladabindi.A@566ygc
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.c22aa4
Cylance Unsafe
Cynet Malicious (score: 100)
Cyren W32/MSIL_Bladabindi.AU.gen!Eldorado
DrWeb BackDoor.Bladabindi.13678
ESET-NOD32 MSIL/Bladabindi.BH
Elastic malicious (high confidence)
Emsisoft Generic.MSIL.Bladabindi.95968F40 (B)
F-Prot W32/MSIL_Bladabindi.AU.gen!Eldorado
F-Secure Trojan.TR/Dropper.Gen7
FireEye Generic.mg.62bb89bc22aa42e2
Fortinet MSIL/Agent.LI!tr
GData MSIL.Backdoor.Bladabindi.AV
Ikarus Trojan.MSIL.Bladabindi
Invincea heuristic
Jiangmin TrojanDropper.Autoit.dce
K7AntiVirus Trojan ( 700000121 )
K7GW Trojan ( 700000121 )
Kaspersky Backdoor.MSIL.Agent.jdt
Lionic Trojan.Win32.Generic.mAmC
MAX malware (ai score=81)
Malwarebytes Backdoor.NJRat
McAfee Trojan-FIGN
MicroWorld-eScan Generic.MSIL.Bladabindi.95968F40
Microsoft Backdoor:MSIL/Bladabindi
NANO-Antivirus Trojan.Win32.Disfa.dtznyx
Paloalto generic.ml
Panda Trj/CI.A
Qihoo-360 Generic/Backdoor.88d
Rising Backdoor.MSIL.Bladabindi!1.9E49 (CLOUD)
SUPERAntiSpyware Trojan.Agent/Gen-Bladabindi
Sangfor Malware
Visual analysis
Binary image (byte-plot images rendered at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32; images not included in this text)
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2020-07-17 20:51:48

PE Imphash

f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00002000 0x00005494 0x00005600 5.5722876712857285
.rsrc 0x00008000 0x00000240 0x00000400 4.966081339698093
.reloc 0x0000a000 0x0000000c 0x00000200 0.08153941234324169

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x00008058 0x000001e7 LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library mscoree.dll:
0x402000 _CorExeMain

L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
1  (u
v2.0.50727
#Strings
<Module>
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
System
Object
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
System.IO
FileInfo
FileStream
Microsoft.VisualBasic.Devices
Computer
System.Net.Sockets
TcpClient
MemoryStream
Conversions
ToBoolean
System.Reflection
Assembly
GetEntryAssembly
get_Location
Exception
Microsoft.VisualBasic.MyServices
RegistryProxy
ServerComputer
get_Registry
Microsoft.Win32
RegistryKey
get_CurrentUser
String
Concat
OpenSubKey
DeleteValue
ProjectData
SetProjectError
ClearProjectError
RuntimeHelpers
GetObjectValue
GetValue
RegistryValueKind
CreateSubKey
SetValue
DateTime
Operators
ConditionalCompareObjectEqual
ToString
Environment
get_MachineName
get_UserName
FileSystemInfo
get_LastWriteTime
get_Date
ComputerInfo
get_Info
get_OSFullName
Replace
OperatingSystem
get_OSVersion
get_ServicePack
Microsoft.VisualBasic
Strings
CompareMethod
SpecialFolder
GetFolderPath
Contains
RegistryKeyPermissionCheck
GetValueNames
get_Length
Convert
ToBase64String
FromBase64String
System.Text
Encoding
get_UTF8
GetBytes
GetString
System.IO.Compression
GZipStream
Stream
CompressionMode
set_Position
BitConverter
ToInt32
Dispose
IntPtr
op_Equality
op_Explicit
Interaction
Environ
Conversion
Module
GetModules
GetTypes
get_FullName
EndsWith
get_Assembly
CreateInstance
DirectoryInfo
get_Name
ToLower
CompareString
get_Directory
get_Parent
get_LocalMachine
AppWinStyle
Delete
DeleteSubKey
EndApp
System.Threading
Thread
Exists
FileMode
ReadAllBytes
System.Diagnostics
Process
EnvironmentVariableTarget
SetEnvironmentVariable
System.Net
WebClient
System.Drawing
Graphics
Bitmap
Rectangle
ConcatenateObject
get_Chars
ToArray
DownloadData
GetTempFileName
WriteAllBytes
get_Message
NewLateBinding
LateSet
LateCall
Boolean
LateGet
CompareObjectEqual
OrObject
System.Windows.Forms
Screen
get_PrimaryScreen
get_Bounds
get_Width
get_Height
System.Drawing.Imaging
PixelFormat
FromImage
CopyPixelOperation
CopyFromScreen
Cursor
Cursors
get_Default
get_Position
ToInteger
DrawImage
ImageFormat
get_Jpeg
WriteByte
RuntimeTypeHandle
GetTypeFromHandle
ChangeType
System.Security.Cryptography
MD5CryptoServiceProvider
HashAlgorithm
ComputeHash
GetCurrentProcess
get_Handle
Monitor
Socket
get_Client
SocketFlags
set_ReceiveBufferSize
set_SendBufferSize
set_SendTimeout
set_ReceiveTimeout
Connect
get_Available
SelectMode
NetworkStream
GetStream
ReadByte
ToLong
Receive
ParameterizedThreadStart
Command
ThreadStart
SessionEndingEventArgs
SessionEndingEventHandler
SystemEvents
add_SessionEnding
Application
DoEvents
set_MinWorkingSet
ConditionalCompareObjectNotEqual
CompilerGeneratedAttribute
DebuggerStepThroughAttribute
STAThreadAttribute
StringBuilder
GetProcessById
get_MainWindowTitle
DateAndTime
get_Now
get_ProcessName
Keyboard
get_Keyboard
get_ShiftKeyDown
get_CapsLock
ToUpper
get_CtrlKeyDown
Remove
avicap32.dll
kernel32
user32.dll
user32
mscorlib
lastcap
.cctor
NtSetInformationProcess
hProcess
processInformationClass
processInformation
processInformationLength
capGetDriverDescriptionA
wDriver
lpszName
cbName
lpszVer
GetVolumeInformation
GetVolumeInformationA
lpRootPathName
lpVolumeNameBuffer
nVolumeNameSize
lpVolumeSerialNumber
lpMaximumComponentLength
lpFileSystemFlags
lpFileSystemNameBuffer
nFileSystemNameSize
GetForegroundWindow
GetWindowText
GetWindowTextA
WinTitle
MaxLength
GetWindowTextLength
GetWindowTextLengthA
Plugin
CompDir
connect
_Lambda$__1
_Lambda$__2
LastAV
LastAS
lastKey
ToUnicodeEx
GetKeyboardState
MapVirtualKey
GetWindowThreadProcessId
GetKeyboardLayout
GetAsyncKeyState
VKCodeToUnicode
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
xadefg
WmlrdSBab21iaWVn
server.exe
cdfbe1733e1cf7b7d40aac26336794f9
127.0.0.1
Software\Microsoft\Windows\CurrentVersion\Run
Software\
yy-MM-dd
??-??-??
Microsoft
Windows
SystemDrive
netsh firewall delete allowedprogram "
Software
cmd.exe /c ping 0 -n 2 & del "
SEE_MASK_NOZONECHECKS
netsh firewall add allowedprogram "
" ENABLE
getvalue
Execute ERROR
Download ERROR
Executed As
Execute ERROR
Update ERROR
Updating To
Update ERROR
yy/MM/dd
[ENTER]

Process Tree


0a9c37403d759cb7f4936973f8e3989f93d5eae08ff1a5eecaa3e30b569c9cdd.exe, PID: 1332, Parent PID: 3012

default registry file network process services synchronisation iexplore office pdf

netsh.exe, PID: 1404, Parent PID: 1332

default registry file network process services synchronisation iexplore office pdf

DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.