2.7
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.56
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20191217 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191217 | 2013.8.14.323 |
| McAfee | Downloader-FBSK!68401BE96D53 | 20191217 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0cec3 | 20191217 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | |
| section | petite |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(4 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\fcbnaf.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\fcbnaf.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\fcbnaf.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '', 'virtual_address': '0x00001000', 'virtual_size': '0x00003000', 'size_of_data': '0x00000a00', 'entropy': 7.059154946785886} | entropy | 7.059154946785886 | description | 发现高熵的节 | |||||||||
| entropy | 0.8689748811948405 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(1 个事件)
| dead_host | 44.221.84.105:443 |
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| ALYac | Trojan.GenericKD.30773778 |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.30773778 |
| AhnLab-V3 | Trojan/Win32.Upatre.R256307 |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Arcabit | Trojan.Generic.D1D59212 |
| Avast | Win32:Malware-gen |
| Avira | TR/Crypt.XPACK.Gen |
| BitDefender | Trojan.GenericKD.30773778 |
| BitDefenderTheta | AI:Packer.DD8AEA1E1D |
| Bkav | W32.AIDetectVM.malware1 |
| CAT-QuickHeal | Trojan.Upatre.S3228852 |
| Comodo | TrojWare.Win32.TrojanDownloader.Upatre.AX@7t0ehr |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.c73dfe |
| Cylance | Unsafe |
| Cyren | W32/new-malware!Maximus |
| DrWeb | Trojan.DownLoader10.8528 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.AJ |
| Emsisoft | Trojan.GenericKD.30773778 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/new-malware!Maximus |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.679c4f4c73dfe899 |
| Fortinet | W32/Tiny.NIV!tr |
| GData | Trojan.GenericKD.30773778 |
| Ikarus | Trojan-Downloader.Upatre |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.cdnmu |
| K7AntiVirus | Trojan-Downloader ( 0053178a1 ) |
| K7GW | Trojan-Downloader ( 0053178a1 ) |
| Kaspersky | HEUR:Trojan-Downloader.Win32.Generic |
| MAX | malware (ai score=85) |
| Malwarebytes | Trojan.Upatre |
| MaxSecure | Trojan.Upatre.Gen |
| McAfee | Downloader-FBSK!68401BE96D53 |
| McAfee-GW-Edition | BehavesLike.Win32.Upatre.xt |
| MicroWorld-eScan | Trojan.GenericKD.30773778 |
| Microsoft | TrojanDownloader:Win32/Upatre.A |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM19.1.F0A1.Malware.Gen |
| Rising | Downloader.Waski!8.184 (TFE:5:86rDnqRTsYH) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Downloader |
| Sangfor | Malware |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Troj/Upatre-XO |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Malware.Win32.Gencirc.10b0cec3 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-08-23 22:01:36
PE Imphash
4e7f4e9f034d0a9a0d18c7188d0c2390
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| 0x00001000 | 0x00003000 | 0x00000a00 | 7.059154946785886 | |
| petite | 0x00004000 | 0x00000182 | 0x00000182 | 3.8538995995144925 |
Imports
Library kernel32.dll:
• 0x404122 ExitProcess
• 0x404126 GetModuleHandleA
• 0x40412a GetProcAddress
• 0x40412e VirtualProtect
• 0x404132 VirtualAlloc
• 0x404136 VirtualFree
• 0x40413a LoadLibraryA
Library WININET.dll:
• 0x404142 InternetOpenW
Library SHELL32.dll:
• 0x40414a ShellExecuteW
L!This program cannot be run in DOS mode.
`petite
KVus?8^
C @i6[7
Q4Tl/|
~JRR*89
z2N/S\T
k|RCgoC^&T@
0yZvT|
pPNr;E
s~@:JQ
\L!{.Qq
_[]`{#a0[i
Kgc}p,D*I.+^&=UFE<.)C
rX$t1imig{_.&W
f+y$m1#*Ep7
c*Y!X6
o(D?&ZT
PlzfAb`m
@SGt ql!OS)pyQ
h5bh&S
RWSM<x^dic^Qe
&".,87+
z"Qhp/m1
`R1jaJ@n$c`z3@
!7Vi,`F;.
fZcEZY'\
@DK`D943q1b`n8r]
Q:TDHS
ZrQg?@
oiJ,<@]S
X#c/Wr
_b``lG
9iaHsP[
%dWVM\)
V48^XXXX]
MessageBoxA
wsprintfA
ExitProcess
GetModuleHandleA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
LoadLibraryA
InternetOpenW
ShellExecuteW
user32.dll
kernel32.dll
WININET.dll
SHELL32.dll
l�C�:�\�1�1�f�c�c�b�d�2�3�9�3�1�d�3�c�a�1�e�d�6�e�f�8�2�4�2�f�d�3�e�2�7�b�b�d�1�0�f�9�c�2�7�6�c�0�c�c�2�6�9�f�a�b�f�b�c�d�2�8�2�f�6�3�e�
C�:�\�x�J�g�4�Z�n�p�3�.�e�x�e�
C�:�\�9�1�8�0�3�3�8�b�1�d�3�6�b�f�f�f�4�1�d�5�f�1�a�5�7�0�d�7�6�3�2�8�8�5�7�9�6�f�7�9�1�5�6�d�a�0�9�d�8�2�9�f�3�f�0�5�b�9�c�3�7�c�b�f�
C�:�\�a�3�3�3�7�2�c�7�5�1�9�a�1�1�8�1�e�1�1�9�a�9�c�7�1�a�2�7�7�2�c�2�a�b�5�0�3�a�e�5�d�b�3�0�4�7�2�4�7�b�6�0�4�d�2�a�a�5�7�9�c�9�3�0�
C�:�\�d�0�f�d�2�5�3�b�9�0�c�8�4�b�e�3�e�8�0�0�5�2�d�d�5�2�c�7�1�4�a�8�f�5�9�2�d�a�9�a�b�8�2�a�7�b�0�5�4�9�e�1�7�e�8�6�a�7�5�8�c�3�c�9�
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�u�c�k�o�o�-�1�2�7�1�f�5�3�c�7�8�4�a�2�7�6�a�4�5�6�1�d�2�d�7�4�8�c�8�8�2�5�8�a�c�f�1�9�5�a�a�6�a�e�6�b�3�6�6�5�9�c�b�9�7�b�d�1�6�8�d�3�7�6�f�.�e�x�e�
C�:�\�7�4�3�d�c�8�2�5�7�e�2�8�b�6�f�6�4�0�0�b�7�6�1�e�1�a�5�6�a�2�0�c�5�8�1�d�7�1�4�5�e�e�f�b�1�9�d�b�7�9�4�2�6�f�3�e�6�9�1�c�3�b�4�e�
C�:�\�e�1�c�a�5�2�9�9�0�8�c�c�f�b�3�4�f�9�f�e�c�9�7�f�c�d�2�b�7�7�d�4�c�0�b�c�6�1�e�3�3�2�d�3�e�4�7�e�6�d�1�3�1�5�a�4�5�f�4�b�f�5�3�2�
C�:�\�9�e�e�5�4�b�2�b�4�c�0�2�8�d�b�2�4�5�1�4�0�9�a�0�7�9�c�5�7�a�c�4�a�e�1�d�a�b�a�0�2�7�a�e�4�1�c�d�8�c�c�7�5�5�a�6�d�f�e�8�1�0�1�7�
C�:�\�1�9�b�c�0�0�d�5�4�1�9�4�0�0�9�1�0�7�c�9�f�8�5�f�0�4�4�2�a�d�8�0�3�7�5�3�5�3�c�2�1�d�a�e�e�2�3�4�6�0�e�2�a�f�0�2�8�2�8�b�6�0�5�0�
C�:�\�r�6�2�C�N�F�0�G�.�e�x�e�
C�:�\�e�d�5�2�5�b�5�b�5�d�b�a�5�0�7�c�9�8�5�f�0�7�9�0�6�2�8�9�1�a�f�b�b�7�0�d�e�7�7�1�a�e�d�5�4�6�8�a�3�4�b�d�e�1�a�3�0�5�d�8�e�4�d�9�
C�:�\�e�4�6�2�9�1�1�c�f�0�0�3�4�6�d�1�f�9�3�b�6�f�3�f�f�4�e�a�7�2�0�8�7�7�8�1�b�8�6�3�c�a�c�4�0�7�7�0�2�d�5�9�8�4�7�6�c�4�e�e�2�6�5�1�
c�:�\�f�f�b�a�4�d�a�d�a�3�4�1�8�f�3�d�9�3�3�3�4�5�1�1�8�2�0�0�8�3�5�0�.�e�x�e�
C�:�\�a�7�7�8�7�d�3�9�d�2�4�a�9�6�c�0�0�5�9�9�0�8�7�8�1�c�a�7�8�e�f�6�c�5�d�8�1�8�0�e�f�d�c�6�9�5�8�2�e�9�a�6�7�1�d�e�2�1�1�3�6�3�d�f�
C�:�\�Y�K�g�u�v�S�n�o�.�e�x�e�
C�:�\�5�c�7�1�8�a�3�7�7�8�1�7�8�7�e�f�3�d�c�d�4�f�a�6�2�f�1�f�0�e�1�8�a�f�2�c�8�4�a�d�2�f�3�5�b�b�3�8�3�1�4�0�7�e�8�3�7�0�4�5�9�2�e�f�
C�:�\�0�3�a�d�c�8�0�0�4�5�8�2�7�a�a�6�0�8�3�4�b�5�3�d�e�8�d�2�f�a�9�3�f�6�b�a�2�4�c�6�d�1�2�e�5�2�2�b�8�6�c�3�9�4�1�8�b�c�1�f�e�c�6�7�
C�:�\�P�_�y�c�D�e�q�Z�.�e�x�e�
C�:�\�O�y�o�l�x�B�d�Z�.�e�x�e�
C�:�\�U�s�e�r�s�\�l�u�s�e�r�\�D�e�s�k�t�o�p�\�o�Y�j�v�1�y�0�x�.�e�x�e�
C�:�\�2�c�d�1�a�b�b�0�0�5�e�9�e�1�0�a�b�6�6�d�7�4�7�a�f�7�c�c�1�3�5�5�b�d�8�c�9�2�c�5�4�e�d�3�9�4�c�5�2�8�7�1�3�5�f�2�4�c�e�1�4�1�4�d�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�y�c�2�2�W�H�F�t�.�e�x�e�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�M�y� �D�o�c�u�m�e�n�t�s�\�e�l�p�m�a�s�.�e�x�e�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�M�y� �D�o�c�u�m�e�n�t�s�\�e�l�p�m�a�s�.�e�x�e�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�M�y� �D�o�c�u�m�e�n�t�s�\�e�l�p�m�a�s�.�e�x�e�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�M�y� �D�o�c�u�m�e�n�t�s�\�e�l�p�m�a�s�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�6�4�7�a�3�0�0�f�4�d�2�e�b�7�0�1�e�e�6�6�9�e�f�7�c�b�0�2�5�e�c�1�.�v�i�r�u�s�.�e�x�e�
C�:�\�d�c�2�2�6�2�5�5�4�1�2�b�8�a�8�e�f�1�3�3�7�a�9�a�6�3�1�b�9�a�7�6�2�2�8�9�7�6�4�d�a�9�7�e�a�d�1�8�f�a�0�1�2�7�3�4�6�b�5�6�8�8�7�9�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�f�c�b�n�a�f�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�7�d�d�d�4�d�7�b�a�f�a�0�a�8�9�4�_�f�c�b�n�a�f�.�e�x�e�
C�:�\�b�3�1�8�3�5�8�0�9�b�4�1�1�9�6�2�5�1�b�d�3�3�1�f�d�c�2�f�e�5�0�4�4�1�d�f�9�9�9�4�2�2�4�8�8�3�8�1�9�0�a�a�d�2�3�d�a�2�1�b�b�f�5�5�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�c�b�n�a�f�.�e�x�e�
C�:�\�1�8�e�1�8�1�e�3�5�0�f�2�c�5�7�5�9�9�5�f�2�6�6�8�a�1�c�a�3�1�5�4�d�6�8�4�8�8�e�2�3�0�2�8�6�9�4�a�7�e�1�0�3�3�b�9�8�0�a�4�2�6�2�4�
C�:�\�7�2�d�4�7�7�5�8�8�6�5�9�8�b�4�3�7�b�f�b�5�9�3�c�d�0�9�d�8�8�e�9�a�d�c�9�2�0�9�f�5�d�c�2�0�f�2�3�6�1�7�3�d�0�2�1�f�3�e�1�1�a�3�2�
C�:�\�8�5�d�0�f�b�5�f�5�3�3�7�6�1�8�4�b�4�8�e�1�7�c�0�d�7�2�9�3�5�d�e�8�c�b�8�f�3�6�3�8�0�3�6�2�3�f�f�8�3�9�e�8�b�e�a�b�9�2�6�3�2�7�9�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�c�b�n�a�f�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�f�c�b�n�a�f�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�V�i�r�t�u�a�l�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�5�7�0�f�7�a�6�7�9�6�a�b�0�e�c�4�e�a�8�2�8�f�9�5�e�5�d�d�e�e�9�9�4�c�1�3�c�6�5�4�2�1�8�c�6�e�e�5�f�6�2�3�a�7�8�1�4�f�0�1�2�0�c�2�.�e�x�e�
Process Tree
-
0b49bd693ba0fffa483935b0b95c5f73e64edc5befb2f5bd71c0661a5151e896.exe (2108)
"C:\Users\Administrator\AppData\Local\Temp\0b49bd693ba0fffa483935b0b95c5f73e64edc5befb2f5bd71c0661a5151e896.exe"
- fcbnaf.exe (2708) "C:\Users\ADMINI~1\AppData\Local\Temp\fcbnaf.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 44.221.84.105 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| huyontop.com | A 44.221.84.105 | 44.221.84.105 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49164 | 44.221.84.105 huyontop.com | 443 |
| 192.168.56.101 | 49165 | 44.221.84.105 huyontop.com | 443 |
| 192.168.56.101 | 49166 | 44.221.84.105 huyontop.com | 443 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 501d9571ec89b939_fcbnaf.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\fcbnaf.exe |
| Size | 8.6KB |
| Processes | 2108 (0b49bd693ba0fffa483935b0b95c5f73e64edc5befb2f5bd71c0661a5151e896.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | f1ae2f70081af6a0cef63b69abc9b7a6 |
| SHA1 | 0666f3e6975b927533142a828a7451d7ae8184b7 |
| SHA256 | 501d9571ec89b9392b8a55e111281bc2bcf067f6d0b29e3267e096a04b6cf516 |
| CRC32 | E18E10DA |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.