1.1
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.61
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:TrojanX-gen [Trj] | 20200409 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200410 | 2013.8.14.323 |
| McAfee | GenericRXHK-CS!720159896258 | 20200410 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b38293 | 20200410 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.data', 'virtual_address': '0x00005000', 'virtual_size': '0x00000a24', 'size_of_data': '0x00000200', 'entropy': 7.4062437497691915} | entropy | 7.4062437497691915 | description | 发现高熵的节 | |||||||||
| section | {'name': '.rsrc', 'virtual_address': '0x00007000', 'virtual_size': '0x00000a58', 'size_of_data': '0x00000c00', 'entropy': 6.855644501423387} | entropy | 6.855644501423387 | description | 发现高熵的节 | |||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 55 个反病毒引擎识别为恶意
(50 out of 55 个事件)
| ALYac | Trojan.Ppatre.Gen.1 |
| APEX | Malicious |
| AVG | Win32:TrojanX-gen [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.Ppatre.Gen.1 |
| AhnLab-V3 | Malware/Win32.Generic.C595153 |
| Antiy-AVL | Trojan[Dropper]/Win32.Dapato.egdg |
| Arcabit | Trojan.Ppatre.Gen.1 |
| Avast | Win32:TrojanX-gen [Trj] |
| Avira | HEUR/AGEN.1113016 |
| BitDefender | Trojan.Ppatre.Gen.1 |
| BitDefenderTheta | AI:Packer.4A2B2C081F |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Malware.Oficla-6623012-0 |
| Comodo | TrojWare.Win32.TrojanDropper.Dapato.E@7l8o47 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.962582 |
| Cylance | Unsafe |
| Cyren | W32/Dapato.L.gen!Eldorado |
| DrWeb | Trojan.DownLoad3.33795 |
| ESET-NOD32 | a variant of Win32/Rootkit.BlackEnergy.AH |
| Emsisoft | Trojan.Ppatre.Gen.1 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Dapato.L.gen!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1113016 |
| FireEye | Generic.mg.7201598962582905 |
| Fortinet | W32/BlackEnergy.AH!tr |
| GData | Win32.Trojan.Phdet.A |
| Ikarus | Backdoor.Win32.Phdet |
| Invincea | heuristic |
| Jiangmin | TrojanDropper.Dapato.yke |
| K7AntiVirus | Trojan ( 0053a0a11 ) |
| K7GW | Trojan ( 0053a0a11 ) |
| Kaspersky | Trojan-Dropper.Win32.Dapato.egdg |
| MAX | malware (ai score=88) |
| MaxSecure | Dropper.Dapato.EGDG |
| McAfee | GenericRXHK-CS!720159896258 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.mh |
| MicroWorld-eScan | Trojan.Ppatre.Gen.1 |
| Microsoft | Backdoor:Win32/Phdet.S |
| NANO-Antivirus | Trojan.Win32.DownLoad3.ddcdgk |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.777D.Malware.Gen |
| Rising | Backdoor.Phdet!8.CE4 (RDMK:cmRtazqkaFjrJ/64+u/Jjrg/7tiJ) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/TibsPk-A |
| Tencent | Malware.Win32.Gencirc.10b38293 |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_UPATRE.SM37 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-07-30 18:15:20
PE Imphash
719981e4a07a182166e9d536a1267a59
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00003660 | 0x00003800 | 6.463693977790498 |
| .data | 0x00005000 | 0x00000a24 | 0x00000200 | 7.4062437497691915 |
| .CRT | 0x00006000 | 0x00000004 | 0x00000200 | 0.0 |
| .rsrc | 0x00007000 | 0x00000a58 | 0x00000c00 | 6.855644501423387 |
| .reloc | 0x00008000 | 0x000003f8 | 0x00000400 | 0.0 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_RCDATA | 0x00007220 | 0x00000834 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MANIFEST | 0x000070c0 | 0x0000015c | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x401038 OpenThread
• 0x40103c CloseHandle
• 0x401040 Thread32First
• 0x401044 CreateToolhelp32Snapshot
• 0x401048 LocalFree
• 0x40104c Sleep
• 0x401050 GetModuleFileNameA
• 0x401054 GetModuleHandleA
• 0x401058 GetCommandLineA
• 0x40105c GetCurrentProcess
• 0x401060 GetVersionExA
• 0x401064 SetEvent
• 0x401068 OpenEventA
• 0x40106c ExitProcess
• 0x401070 GetCurrentProcessId
• 0x401074 LocalAlloc
• 0x401078 WinExec
• 0x40107c lstrcatA
• 0x401080 GetEnvironmentVariableA
• 0x401084 GetShortPathNameA
• 0x401088 CreateMutexA
• 0x40108c SuspendThread
• 0x401090 GetTickCount
• 0x401094 FlushFileBuffers
• 0x401098 WriteFile
• 0x40109c CreateFileA
• 0x4010a0 ReadFile
• 0x4010a4 GetFileSize
• 0x4010a8 FindClose
• 0x4010ac FindFirstFileA
• 0x4010b0 GetExitCodeProcess
• 0x4010b4 WaitForSingleObject
• 0x4010b8 CreateProcessA
• 0x4010bc Process32Next
• 0x4010c0 Process32First
• 0x4010c4 GetStartupInfoA
• 0x4010c8 GetWindowsDirectoryA
• 0x4010cc DeleteFileA
• 0x4010d0 GetSystemDirectoryA
• 0x4010d4 GetTempPathA
• 0x4010d8 CopyFileA
• 0x4010dc CreateEventA
• 0x4010e0 MoveFileA
• 0x4010e4 Thread32Next
• 0x4010e8 FreeLibrary
• 0x4010ec IsBadReadPtr
• 0x4010f0 LoadLibraryA
• 0x4010f4 GetProcAddress
• 0x4010f8 VirtualProtect
• 0x4010fc VirtualAlloc
• 0x401100 VirtualFree
• 0x401104 VirtualQuery
• 0x401108 GetLastError
• 0x40110c FindResourceA
• 0x401110 LoadResource
• 0x401114 GetCommandLineW
• 0x401118 LockResource
• 0x40111c IsProcessorFeaturePresent
Library USER32.dll:
• 0x401130 LockWorkStation
• 0x401134 UnregisterClassA
• 0x401138 wsprintfA
• 0x40113c RegisterWindowMessageA
• 0x401140 GetClipboardFormatNameA
• 0x401144 RegisterClassExA
• 0x401148 SendInput
Library ADVAPI32.dll:
• 0x401000 OpenProcessToken
• 0x401004 AllocateAndInitializeSid
• 0x401008 SetEntriesInAclA
• 0x40100c InitializeSecurityDescriptor
• 0x401010 SetSecurityDescriptorDacl
• 0x401014 InitializeAcl
• 0x401018 SetSecurityDescriptorSacl
• 0x40101c FreeSid
• 0x401020 GetTokenInformation
• 0x401024 GetSidSubAuthority
• 0x401028 GetSidSubAuthorityCount
• 0x40102c CheckTokenMembership
• 0x401030 CreateWellKnownSid
Library imagehlp.dll:
• 0x401150 CheckSumMappedFile
L!This program cannot be run in DOS mode.
Richdg
`.data
@.rsrc
@.reloc
wwwwwzw
wzwv{w9wkw^ww
|w|<|G|]|B$|W|)|,|
|Q(|(||/|
||jH| |?|
|0%|g#|
|;)|\|cL|!|S
||"|=|f||w
CLIENT32
"%s" /exploit
"%s" /uac
Global\AtomFun
sysprep.exe
logonui.exe
utilman.exe
user32.dll
wsprintfA
wvsprintfA
msvcrt.dll
_vscprintf
ComSpec
/c del %s >> NUL
Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}
advapi32.dll
AddMandatoryAce
cmd.exe /C %s
cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep
\system32\sysprep\cryptbase.dll
\system32\sysprep\sysprep.exe
makecab.exe /V1 %s %s
\cryptbase.msu
\cryptbase.dll
\%.8x.tmp
kernel32.dll
IsWow64Process
WinExec
LoadLibraryA
\uxtheme.dll
t@SVWP
`|$0L$8D$4a_^3[
`t$4|$0L$8a_^3[
SVWEV_^[]
V3F4pu^U
|txst0j
3_MbO4puEt
@8E~Bj
EQPEFE
E(9E|_[^
SVY$W3;
3;t`9^
t*W39^
H<ME8PE
EpPEp4
MH4uuu
mEM+H4Mt
Y3}EPSE
EdPEhPElPE\PW}\}l}h}dP
EpPEtPP}t}p6
9}lt=}`
sa9}hu\Pht
_^3[xUE
rZhDNWP
WPWVt$
3@ W3t
G@;r3_^]
3@UVWu
ANu^D$
W3G9}`~
G;}`|S
UVW3VVj
UQSW3WWj
Y;r_^[
U@SVW3
EPSSSSSSSSj
j ESP]
EPSEPj
tUEPSSSSSSSh
S]|VW3}h}l;
VEWP;A
E|PWWj
ul}|=
zuXu|j@
tKE|Pu|Vj
V3EWP*
u^EhPj
EdPEPWj
ElPEPup}l
_^[xUXE
SV3u;t
jD_WEVP
EPEPVVVVVV3SGV}
E_^[Ul$
P39}`E
YYEdPEhPP
u|Puduh
uduhP\
}xDNWPu
:.rsrt
EEEPEPu
U0VWj0^Vj
Gdr3_^
W3j[YfEEEEj
E3GPW}fMf]
EPWf]j
EPW]j[XfEj
EPW]_^[
PtAPPu
EEEEPEPP2
PPuuPMt
tAt2t$
r)$ 8@
DDDDDDDDDDDDDD
3@]W|$
:t3^[_
FGIuX^_]
B:t6t:t't
B^_[d0
LockResource
LoadResource
FindResourceA
GetLastError
VirtualQuery
VirtualFree
VirtualAlloc
VirtualProtect
GetProcAddress
LoadLibraryA
IsBadReadPtr
FreeLibrary
Thread32Next
SuspendThread
OpenThread
CloseHandle
Thread32First
CreateToolhelp32Snapshot
LocalFree
GetModuleFileNameA
GetModuleHandleA
GetCommandLineA
GetCurrentProcess
GetVersionExA
SetEvent
OpenEventA
ExitProcess
GetCurrentProcessId
LocalAlloc
WinExec
lstrcatA
GetEnvironmentVariableA
GetShortPathNameA
CreateMutexA
GetCommandLineW
GetTickCount
FlushFileBuffers
WriteFile
CreateFileA
ReadFile
GetFileSize
FindClose
FindFirstFileA
GetExitCodeProcess
WaitForSingleObject
CreateProcessA
Process32Next
Process32First
GetStartupInfoA
GetWindowsDirectoryA
DeleteFileA
GetSystemDirectoryA
GetTempPathA
CopyFileA
CreateEventA
MoveFileA
KERNEL32.dll
wsprintfA
UnregisterClassA
RegisterClassExA
SendInput
LockWorkStation
RegisterWindowMessageA
GetClipboardFormatNameA
USER32.dll
FreeSid
SetSecurityDescriptorSacl
InitializeAcl
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetEntriesInAclA
AllocateAndInitializeSid
OpenProcessToken
GetTokenInformation
GetSidSubAuthority
GetSidSubAuthorityCount
CheckTokenMembership
CreateWellKnownSid
ADVAPI32.dll
CommandLineToArgvW
SHELL32.dll
CheckSumMappedFile
imagehlp.dll
IsProcessorFeaturePresent
Y3P0%y4S:
r2\^2\i
M!'yr 5$1]KoCHe`b \(~D
O$T7=+B
W%(L6c`Lif
EHq/tpAme2Nx
I{.+g'I^
&m0T\(
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="FALSE"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
aPEexcutbyl
d;C#Wy"{`;
P4GYX%6=u
A$o ',
F@s6>M`
gui(B
F:uzE(BpbR
LR;Z5@Q;uZH
QvPteFJ
EH4Vq6Ppm+
+b1su0t3
\%+[:X
RFW${l
CloseH
CExProcs
mpu@r<NahC
gunDgi
ModulY
`Vsion
(Rhdbi
7S* [v(
V tuaAfc
kPn3(2.
HtpObqu
I(:B,W
8w#(ShEzJ
>RtD2Ihr!vBufo-mw t
/* a>lic
GET za5.0c?nw<ghT
Hrk(?hl_(/h-
uCsr>14
E7uk[hig-F3
/�e�x�e�c�u�t�a�b�l�e�
/�e�x�p�l�o�i�t�
/�r�u�n�m�a�i�n�
C�L�I�E�N�T�3�2�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�U�z�g�n�X�G�N�8�.�e�x�e�
C�:�\�e�8�7�d�5�4�5�e�e�b�7�6�f�7�f�7�2�e�4�5�2�1�3�5�f�e�2�1�6�4�a�0�7�a�5�b�d�8�7�9�d�c�2�b�5�1�3�3�1�f�1�3�5�8�a�d�b�b�d�6�d�2�2�4�
C�:�\�2�c�f�0�2�9�6�f�d�c�7�0�b�1�e�8�d�a�9�8�4�9�8�b�2�7�4�0�1�f�e�f�b�3�1�6�d�a�8�a�c�5�4�d�4�1�a�f�5�6�3�c�0�2�3�3�f�1�5�4�f�d�8�7�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�s�l�3�Z�c�s�C�e�.�e�x�e�
C�:�\�6�4�4�3�f�3�3�4�9�1�8�a�3�e�7�8�5�d�a�9�a�5�2�e�c�8�c�a�2�7�b�f�8�3�d�2�0�d�e�7�e�b�c�a�7�3�9�0�a�4�9�d�f�1�1�3�8�a�b�8�c�d�2�6�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.