1.8
低危
DACN
0.15
FACILE
1.00
IMCLNet
0.62
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20190907 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Agent.ha | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190907 | 2013.8.14.323 |
| McAfee | Agent-FEU!6576059EB114 | 20190907 | 6.0.6.653 |
| Tencent | None | 20190907 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.data', 'virtual_address': '0x00006000', 'virtual_size': '0x0000062c', 'size_of_data': '0x00000600', 'entropy': 7.301508643784553} | entropy | 7.301508643784553 | description | 发现高熵的节 | |||||||||
读取系统的用户代理并随后执行请求
(11 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(1 个事件)
| dead_host | 142.251.42.238:80 |
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | Trojan.Agent.BYFH |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.BYFH |
| Antiy-AVL | Trojan[Spy]/Win32.Agent.cpyi |
| Arcabit | Trojan.Agent.BYFH |
| Avast | Win32:Malware-gen |
| Avira | TR/ATRAPS.Gen |
| Baidu | Win32.Trojan.Agent.ha |
| BitDefender | Trojan.Agent.BYFH |
| Bkav | W32.VTFBNTTc.Worm |
| CAT-QuickHeal | Trojan.Zenshirsh.SL7 |
| ClamAV | Win.Malware.Byfh-6725383-0 |
| Comodo | TrojWare.Win32.Agent.WBX@5bs8lt |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.eb1140 |
| Cylance | Unsafe |
| Cyren | W32/A-887abf0f!Eldorado |
| DrWeb | BackDoor.Spy.2465 |
| ESET-NOD32 | a variant of Win32/Agent.WBX |
| Emsisoft | Trojan.Agent.BYFH (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/A-887abf0f!Eldorado |
| F-Secure | Trojan.TR/ATRAPS.Gen |
| FireEye | Generic.mg.6576059eb1140875 |
| Fortinet | W32/Agent.WBX!tr |
| GData | Trojan.Agent.BYFH |
| Ikarus | Trojan.Win32.Agent |
| Invincea | heuristic |
| Jiangmin | TrojanSpy.Agent.wzj |
| K7AntiVirus | Trojan ( 000826b41 ) |
| K7GW | Trojan ( 000826b41 ) |
| Kaspersky | Trojan-Spy.Win32.Agent.cpyi |
| Lionic | Trojan.Win32.Agent.lZps |
| MAX | malware (ai score=86) |
| Malwarebytes | Trojan.Yolox |
| McAfee | Agent-FEU!6576059EB114 |
| McAfee-GW-Edition | BehavesLike.Win32.VTFlooder.mh |
| MicroWorld-eScan | Trojan.Agent.BYFH |
| Microsoft | Trojan:Win32/Vflooder.C |
| NANO-Antivirus | Trojan.Win32.Flooder.ergkri |
| Qihoo-360 | Trojan.Win32.Yolox.A |
| Rising | Trojan.Win32.Vflooder.c (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Fareit |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-AHNL |
| Symantec | SMG.Heur!gen |
| TotalDefense | Win32/Tnega.DAFAIY |
| Trapmine | malicious.high.ml.score |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-06-26 06:58:59
PE Imphash
1dddd34c0901a22f800f486f6751a070
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000037ac | 0x00003800 | 6.1879361894948195 |
| .rdata | 0x00005000 | 0x00000c7c | 0x00000e00 | 4.762189919627371 |
| .data | 0x00006000 | 0x0000062c | 0x00000600 | 7.301508643784553 |
| .reloc | 0x00007000 | 0x000005a0 | 0x00000600 | 4.950118705462984 |
Imports
Library KERNEL32.dll:
• 0x405040 CreateFileW
• 0x405044 FindFirstFileW
• 0x405048 FindClose
• 0x40504c FindNextFileW
• 0x405050 GetWindowsDirectoryW
• 0x405054 WaitForSingleObject
• 0x405058 GetModuleHandleW
• 0x40505c GetTickCount
• 0x405060 Sleep
• 0x405064 CreateProcessA
• 0x405068 GetModuleFileNameW
• 0x40506c GetStartupInfoA
• 0x405070 ReadFile
• 0x405074 GetFileSize
• 0x405078 DeleteFileA
• 0x40507c CreateThread
• 0x405080 GetProcAddress
• 0x405084 LoadLibraryA
• 0x405088 GetCurrentProcess
• 0x40508c GetLastError
• 0x405090 GetSystemInfo
• 0x405094 GetModuleHandleA
• 0x405098 GlobalAlloc
• 0x40509c GlobalFree
• 0x4050a0 GetTempFileNameA
• 0x4050a4 CreateFileA
• 0x4050a8 CloseHandle
• 0x4050ac GetVersionExA
• 0x4050b0 CreateToolhelp32Snapshot
• 0x4050b4 GetDiskFreeSpaceA
• 0x4050b8 HeapReAlloc
• 0x4050bc Process32Next
• 0x4050c0 GetCurrentDirectoryW
• 0x4050c4 GetSystemDirectoryA
• 0x4050c8 GetFileAttributesW
• 0x4050cc GetVolumeInformationA
• 0x4050d0 OpenProcess
• 0x4050d4 GetDriveTypeA
• 0x4050d8 GetLogicalDrives
• 0x4050dc Process32First
• 0x4050e0 GetDriveTypeW
• 0x4050e4 GetComputerNameA
• 0x4050e8 GetProcessHeap
• 0x4050ec HeapFree
• 0x4050f0 HeapAlloc
• 0x4050f4 GetTempPathA
Library USER32.dll:
• 0x405120 GetWindowRect
• 0x405124 GetWindowDC
• 0x405128 ReleaseDC
• 0x40512c GetDesktopWindow
Library GDI32.dll:
• 0x40501c CreateDIBSection
• 0x405020 CreateCompatibleDC
• 0x405024 DeleteObject
• 0x405028 DeleteDC
• 0x40502c BitBlt
• 0x405030 SelectObject
Library ADVAPI32.dll:
• 0x405000 GetTokenInformation
• 0x405004 OpenProcessToken
• 0x405008 GetUserNameA
• 0x40500c CreateWellKnownSid
• 0x405010 CheckTokenMembership
• 0x405014 DuplicateToken
Library ole32.dll:
• 0x40518c CreateStreamOnHGlobal
Library ntdll.dll:
• 0x405174 _snwprintf
• 0x405178 _wcsicmp
• 0x40517c sprintf
• 0x405180 memcpy
• 0x405184 memset
Library WININET.dll:
• 0x405134 InternetReadFile
• 0x405138 InternetSetOptionA
• 0x40513c HttpOpenRequestA
• 0x405140 HttpSendRequestA
• 0x405144 InternetOpenA
• 0x405148 InternetCloseHandle
• 0x40514c HttpQueryInfoA
• 0x405150 InternetConnectA
Library IPHLPAPI.DLL:
• 0x405038 GetAdaptersInfo
Library gdiplus.dll:
• 0x405158 GdipSaveImageToStream
• 0x40515c GdipGetImageEncodersSize
• 0x405160 GdipDisposeImage
• 0x405164 GdipCreateBitmapFromHBITMAP
• 0x405168 GdipGetImageEncoders
• 0x40516c GdiplusStartup
Library PSAPI.DLL:
• 0x40510c GetModuleFileNameExA
L!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
SVW3Sj
2_^[]33}u
[]UPSV33W]u
APEhQ@
}t"EPWE
@u+PRu
@u+PRu
@u+PRuj
@u+PRuE
@u+PRu
3WWWWMQWW
t+UEPj
[]UxSV3Wuu
t5FAfEEPE:
F |EPE
SVWEPQ33E
}}t4Wj
BIu=P@
uMURWM
uuWug!
MQUREPMQR
SV3Wuu
P2_^[]
9u~URV
P2_^[]j
P2_^[]
URE3P}}
MQWP9}~
URWP9}~
EPWP2_^[]9}~
MQWP9}~
URWP9}~
EPWP_^
[]USVu
[]UQSVj
^2[]Wj
_^2[]j
_^2[]S
[]UQSVj
^2[]Wj
_^2[]j
_^2[]S
SW=tQ@
t,QVhQ@
WSVhQ@
tjQVhQ@
u}tuWSV
D73EEMu
EPMQSSh
SSSV3SfUE
P2_^[]
F;s2_^[]
M3EEEPh#@
P3EE9E~
P2_^[]3
;t0V;~
;t0V;~
2_^[]h
F;s2_^[]
M3EEEPh0$@
P3EE9E~
P2_^[]3
;t0V;~
;t0V;~
2_^[]h
EtU<0t-W~
D$$3PVt$ t$$
VVVVVhDR@
VVVVVhDR@
tVVVh 8@
VVt$$t$(
L$LQT$XRP\
tX|$L\$T;t,WV
D$XPVVVVt$0t$4
L$$QhP
T$dhQ@
Rt$8t$<
L$$QVP
T$XRVVj
Vt$8t$<
D$DPhP
L$dhQ@
Qt$Xt$\
D$DPVP
L$XQVVj&Vt$Xt$\
T$,RhP
D$dhQ@
Pt$@t$D6
T$,RVP
t$4t$8
L$<QhP
T$dhQ@
Rt$Pt$T
L$<QVP
Rt$@t$DD$
T$4Rh %@
Vt$@t$D
L$4QVP
Pt$<t$@t$
QVP9t$
UQ3VWC
_^t#hR@
MQjMSE
EPjMWE
E$QM RPQW
E_^[]
VWE3Pj
t2UREPWj
EMQURP
^]USV3W0p
|_^[]UQ}
_13^]UtSVWEP
E+E]+]E
E_^[]U
VEPM3Quu
UESWRP
9uvH_0
t#FL;urWj
[_^]UXSV3W3
u95(f@
u EPMQUR
}EPSV}
UVMQRW
;umU:]Sj
xRU:VV3QO
MQVURP
u339}vSVU
SRV]G ;}r
a6281279.yolox.net
/gate.php
VMGrab
cmd.exe /c
file.exe
/vtapi/v2/file/scan
www.virustotal.com
google.com
HTTP/1.1
Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
urlmon.dll
ObtainUserAgentString
IsWow64Process
kernel32
HeapReAlloc
HeapAlloc
HeapFree
GetProcessHeap
GetComputerNameA
GetDriveTypeW
Process32First
GetLogicalDrives
GetDriveTypeA
OpenProcess
GetVolumeInformationA
GetFileAttributesW
GetSystemDirectoryA
GetCurrentDirectoryW
Process32Next
GetDiskFreeSpaceA
CreateToolhelp32Snapshot
GetVersionExA
CloseHandle
CreateFileA
GetFileSize
ReadFile
CreateFileW
FindFirstFileW
FindClose
FindNextFileW
GetWindowsDirectoryW
WaitForSingleObject
GetModuleHandleW
GetTickCount
CreateProcessA
GetModuleFileNameW
GetStartupInfoA
GetTempFileNameA
GetTempPathA
DeleteFileA
CreateThread
GetProcAddress
LoadLibraryA
GetCurrentProcess
GetLastError
GetSystemInfo
GetModuleHandleA
GlobalAlloc
GlobalFree
KERNEL32.dll
GetDesktopWindow
ReleaseDC
GetWindowDC
GetWindowRect
USER32.dll
DeleteObject
CreateCompatibleDC
SelectObject
CreateDIBSection
DeleteDC
BitBlt
GDI32.dll
GetUserNameA
OpenProcessToken
GetTokenInformation
DuplicateToken
CheckTokenMembership
CreateWellKnownSid
ADVAPI32.dll
SHGetFolderPathW
SHELL32.dll
CreateStreamOnHGlobal
ole32.dll
sprintf
_wcsicmp
_snwprintf
ntdll.dll
HttpQueryInfoA
InternetConnectA
InternetReadFile
InternetSetOptionA
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
GetAdaptersInfo
IPHLPAPI.DLL
GdipSaveImageToStream
GdipGetImageEncodersSize
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdiplusStartup
gdiplus.dll
GetModuleFileNameExA
PSAPI.DLL
WNetCloseEnum
WNetOpenEnumW
WNetEnumResourceW
MPR.dll
memset
memcpy
----------%u
Content-Disposition: form-data; name="apikey"
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
4d1ee14a3191ba1afde5261326dcd7e81793afacb6aa7e46d0b467bc6ebcd367
----------%u
Content-Disposition: form-data; name="file"; filename="%s"
Content-Type: application/x-msdownload
Content-Transfer-Encoding: binary
----------%u--
Content-Type: multipart/form-data; boundary=--------%u
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
0'040t00000/1<1w1111111
2 2,2S2u222222A3H3R3Y3333333
494@4e4444444444
5V5]5y5555666
7=7C7N777777
8B8I8c8x8888888/969n99999C:I:s:}::::
;U;};;;;;;
<%<a<k<}<<<<
=H=O=`======
> >V>>>
?M?S?a????
0E0e00000
1P1]11111D2Q222
4 4w4~4444444
55555555
6!6W6^666666666
7J7c777777777
898Q888
9D9]9o9999(:::Q:::::
;&;-;@;;;;;;
<#<-<6<]<d<n<u<<<<<< =&=0=7={========D>M>[>k>>.?I?V?o??
0%0A0[0000
1(1C1.2I2V2o22
3%3A3[3333
5<5C55555
6H6L6P6T6X6\66666666
7J7W7777777
8F8M8p8w8888888
9;9L9S99999999[:b::::::::::
;a;k;v;;;;%</<:<<'=.=====?>F>P>W>>>>>
?a?k?s?~?????
0!0y0000000h111111
262z22222 333 4'404N4Y4s4z4444444
5M5T555555
6-6s6z666
7F77777
----------146640--Content-Type: multipart/form-data; boundary=--------146984
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Host: www.virustotal.com
Content-Length: 22433
Connection: Keep-Alive
----------151359--Content-Type: multipart/form-data; boundary=--------152453
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)
Host: www.virustotal.com
Content-Length: 22774
Connection: Keep-Alive
i�m�a�g�e�/�j�p�e�g�
Process Tree
- 06a9e1b908da2a6c267324ef3158c959bcfdf9c7462a6add6414fd5ca9966ad9.exe (1332) "C:\Users\Administrator\AppData\Local\Temp\06a9e1b908da2a6c267324ef3158c959bcfdf9c7462a6add6414fd5ca9966ad9.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 142.251.42.238 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| google.com | A 142.251.42.238 | 142.251.42.238 |
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 65473 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.