0.9
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.48
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Backdoor:MSIL/Bladabindi.cedeee73 | 20190527 | 0.3.0.5 |
| Avast | Win32:BackDoor-AFW [Trj] | 20220214 | 21.1.5827.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20210907 | 1.0 |
| Kingsoft | None | 20220215 | 2017.9.26.565 |
| McAfee | BackDoor-FDPF!729C864B0399 | 20220214 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b33a3f | 20220215 | 1.0.0.1 |
静态指标
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | IL:Trojan.MSILZilla.8845 |
| APEX | Malicious |
| AVG | Win32:BackDoor-AFW [Trj] |
| Acronis | suspicious |
| Ad-Aware | IL:Trojan.MSILZilla.8845 |
| AhnLab-V3 | Win-Trojan/NjRAT04.Exp |
| Alibaba | Backdoor:MSIL/Bladabindi.cedeee73 |
| Antiy-AVL | Trojan/Generic.ASMalwS.1E6066E |
| Avast | Win32:BackDoor-AFW [Trj] |
| Avira | TR/Dropper.Gen7 |
| BitDefender | IL:Trojan.MSILZilla.8845 |
| BitDefenderTheta | Gen:NN.ZemsilF.34212.cmW@aiojmSc |
| CAT-QuickHeal | Trojan.YakbeexMSIL.ZZ4 |
| ClamAV | Win.Packed.Generic-7672855-0 |
| Comodo | TrojWare.MSIL.Bladabindi.CC@7ebfqa |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.b0399c |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/MSIL_Bladabindi.A.gen!Eldorado |
| DrWeb | Trojan.DownLoader23.46391 |
| ESET-NOD32 | a variant of MSIL/Bladabindi.BB |
| Elastic | malicious (high confidence) |
| Emsisoft | IL:Trojan.MSILZilla.8845 (B) |
| FireEye | Generic.mg.729c864b0399c27b |
| Fortinet | MSIL/Bladabindi.AS!tr |
| GData | MSIL.Backdoor.Bladabindi.BV |
| Gridinsoft | Backdoor.Win32.Bladabindi.vl!ni |
| Ikarus | Trojan.MSIL.Bladabindi |
| Jiangmin | Trojan.Generic.argvt |
| K7AntiVirus | Trojan ( 700000121 ) |
| K7GW | Trojan ( 700000121 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Lionic | Trojan.Win32.Generic.4!c |
| MAX | malware (ai score=100) |
| Malwarebytes | Backdoor.Bladabindi |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | BackDoor-FDPF!729C864B0399 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.pm |
| MicroWorld-eScan | IL:Trojan.MSILZilla.8845 |
| Microsoft | Backdoor:MSIL/Bladabindi |
| NANO-Antivirus | Trojan.Win32.Bladabindi.hkfash |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Rising | Backdoor.Njrat!1.C5D1 (CLASSIC) |
| Sangfor | Suspicious.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
| Sophos | Mal/Generic-R + Troj/Bladabi-DR |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Malware.Win32.Gencirc.10b33a3f |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2020-05-13 05:00:09
PE Imphash
f34d5f2d4577ed6d9ceec516c1f5a744
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x0000a384 | 0x0000a400 | 5.699887736208568 |
| .rsrc | 0x0000e000 | 0x00000400 | 0x00000400 | 3.5160679793070893 |
| .reloc | 0x00010000 | 0x0000000c | 0x00000200 | 0.08153941234324169 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x0000e058 | 0x000001ea | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library mscoree.dll:
• 0x402000 _CorExeMain
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
& (
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
v4.0.30319
#Strings
Stub.exe
mscorlib
Microsoft.VisualBasic
System.Windows.Forms
System
System.Drawing
user32
winmm.dll
kernel32
user32.dll
avicap32.dll
Kernel32.dll
Stub.Resources.resources
<Module>
MyApplication
Stub.My
ConsoleApplicationBase
Microsoft.VisualBasic.ApplicationServices
EditorBrowsableAttribute
System.ComponentModel
EditorBrowsableState
GeneratedCodeAttribute
System.CodeDom.Compiler
MyComputer
Computer
Microsoft.VisualBasic.Devices
DebuggerHiddenAttribute
System.Diagnostics
MyProject
Object
m_ComputerObjectProvider
m_AppObjectProvider
m_UserObjectProvider
m_MyFormsObjectProvider
m_MyWebServicesObjectProvider
.cctor
get_GetInstance
get_Computer
get_Application
get_User
get_Forms
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
Application
WebServices
HideModuleNameAttribute
StandardModuleAttribute
Microsoft.VisualBasic.CompilerServices
MyForms
m_FormBeingCreated
Hashtable
System.Collections
ThreadStaticAttribute
TargetInvocationException
System.Reflection
Control
get_IsDisposed
GetTypeFromHandle
RuntimeTypeHandle
ContainsKey
String
GetResourceString
InvalidOperationException
Activator
CreateInstance
ProjectData
SetProjectError
Exception
get_InnerException
get_Message
Remove
Create__Instance__
Instance
Component
Dispose
Dispose__Instance__
instance
RuntimeHelpers
System.Runtime.CompilerServices
GetObjectValue
Equals
GetHashCode
GetType
ToString
MyGroupCollectionAttribute
MyWebServices
ThreadSafeObjectProvider`1
m_ThreadStaticValue
CompilerGeneratedAttribute
GetInstance
ComVisibleAttribute
System.Runtime.InteropServices
Stub.OK.j
SWP_HIDEWINDOW
SWP_SHOWWINDOW
TcpClient
System.Net.Sockets
FileStream
System.IO
RegistrySt
lastcap
FileInfo
MemoryStream
xDlol1
Sleep1
Conversions
ToBoolean
Assembly
GetEntryAssembly
get_Location
HassanAmiri
ImHere
SessionEndingEventArgs
Microsoft.Win32
IntPtr
op_Equality
op_Explicit
Strings
get_Length
ClearProjectError
Encoding
System.Text
get_UTF8
GetString
capGetDriverDescriptionA
wDriver
lpszName
cbName
lpszVer
DirectoryInfo
get_Name
ToLower
Operators
CompareString
get_Directory
get_Parent
CompDir
Thread
System.Threading
Monitor
Stream
set_ReceiveBufferSize
set_SendBufferSize
get_Client
Socket
set_SendTimeout
set_ReceiveTimeout
ToInteger
Connect
ConditionalCompareObjectEqual
Concat
connect
Convert
FromBase64String
IEnumerator
Interaction
GetObject
Boolean
NewLateBinding
LateGet
IEnumerable
GetEnumerator
get_Current
MoveNext
IDisposable
CreateProjectError
GetAntiVirus
ServerComputer
get_Registry
RegistryProxy
Microsoft.VisualBasic.MyServices
get_CurrentUser
RegistryKey
OpenSubKey
DeleteValue
ToBase64String
GetForegroundWindow
GetVolumeInformation
lpRootPathName
lpVolumeNameBuffer
nVolumeNameSize
lpVolumeSerialNumber
lpMaximumComponentLength
lpFileSystemFlags
lpFileSystemNameBuffer
nFileSystemNameSize
GetVolumeInformationA
GetWindowText
WinTitle
MaxLength
GetWindowTextA
GetWindowTextLength
GetWindowTextLengthA
GetValue
Environ
Conversion
FromFile
ImageFormat
System.Drawing.Imaging
get_Bmp
SetWallpaper
Wallpaper
SwapMouseButton
SystemParametersInfo
uAction
uParam
lpvParam
fuWinIni
SendMessage
wParam
lparam
FindWindow
lpClassName
lpWindowName
FindWindowA
SetWindowPos
hWndInsertAfter
wFlags
mciSendString
Command
ReturnString
ReturnLength
mciSendStringA
WebClient
System.Net
MessageBoxIcon
MessageBoxButtons
Bitmap
Rectangle
Graphics
CompareMethod
AppWinStyle
MessageBox
DialogResult
CreateObject
LateCall
ChangeType
Process
ConcatenateObject
get_Chars
ToArray
DownloadData
WriteAllBytes
LateSet
CompareObjectEqual
OrObject
Screen
get_PrimaryScreen
get_Bounds
get_Width
get_Height
PixelFormat
FromImage
CopyFromScreen
CopyPixelOperation
Cursor
get_Position
Cursors
get_Default
DrawImage
get_Jpeg
WriteByte
EndApp
FileSystemInfo
get_FullName
DateTime
Environment
get_MachineName
get_UserName
get_LastWriteTime
get_Date
get_Info
ComputerInfo
get_OSFullName
Replace
get_OSVersion
OperatingSystem
get_ServicePack
GetFolderPath
SpecialFolder
Contains
CreateSubKey
RegistryKeyPermissionCheck
GetValueNames
Exists
Delete
FileMode
ReadAllBytes
SetEnvironmentVariable
EnvironmentVariableTarget
SetValue
get_LocalMachine
get_FileSystem
FileSystemProxy
get_SpecialDirectories
SpecialDirectoriesProxy
get_Temp
get_ExecutablePath
SetAttributes
FileAttributes
ToDouble
ThreadStart
SessionEndingEventHandler
SystemEvents
add_SessionEnding
DoEvents
GetCurrentProcess
set_MinWorkingSet
ConditionalCompareObjectNotEqual
MD5CryptoServiceProvider
System.Security.Cryptography
HashAlgorithm
ComputeHash
NtSetInformationProcess
hProcess
processInformationClass
processInformation
processInformationLength
Module
GetModules
GetTypes
EndsWith
get_Assembly
Plugin
get_Handle
get_Available
SelectMode
GetStream
NetworkStream
ReadByte
ToLong
Receive
SocketFlags
ParameterizedThreadStart
Random
VBMath
Randomize
GetBytes
RegistryValueKind
DeleteSubKey
GZipStream
System.IO.Compression
CompressionMode
set_Position
BitConverter
ToInt32
Resources
Stub.My.Resources
resourceMan
ResourceManager
System.Resources
resourceCulture
CultureInfo
System.Globalization
ReferenceEquals
get_ResourceManager
get_Culture
set_Culture
Culture
DebuggerNonUserCodeAttribute
MySettings
ApplicationSettingsBase
System.Configuration
defaultInstance
SettingsBase
Synchronized
Default
MySettingsProperty
get_Settings
Settings
Substring
get_Keyboard
Keyboard
get_CapsLock
GetAsyncKeyState
lpString
STAThreadAttribute
RegisterServiceProcess
dwProcessId
dwType
get_Clock
get_LocalTime
DateAndTime
get_Now
get_TimeString
timx_run
timy_run
AssemblyCompanyAttribute
AssemblyTitleAttribute
AssemblyProductAttribute
RuntimeCompatibilityAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
AssemblyCopyrightAttribute
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
GuidAttribute
AssemblyTrademarkAttribute
MyTemplate
10.0.0.0
My.Computer
My.Application
My.User
My.Forms
My.WebServices
System.Windows.Forms.Form
Create__Instance__
Dispose__Instance__
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
10.0.0.0
My.Settings
WrapNonExceptionThrows
).NETFramework,Version=v4.0,Profile=Client
FrameworkDisplayName .NET Framework 4 Client Profile
1.0.0.0
$68c310d8-2cc8-417a-b3db-f782bc869a2b
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
W�i�n�F�o�r�m�s�_�R�e�c�u�r�s�i�v�e�F�o�r�m�C�r�e�a�t�e�
W�i�n�F�o�r�m�s�_�S�e�e�I�n�n�e�r�E�x�c�e�p�t�i�o�n�
D�l�l�h�o�s�t�.�e�x�e�
J�a�v�a� �u�p�d�a�t�e�
W�i�n�d�o�w�s� �U�p�d�a�t�e�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�R�u�n�
S�G�F�j�S�2�V�k�
N�j�r�a�t� �0�.�7� �G�o�l�d�e�n� �B�y� �H�a�s�s�a�n� �A�m�i�r�i�
|�H�a�s�s�a�n�|�
S�e�l�e�c�t� �*� �F�r�o�m� �A�n�t�i�V�i�r�u�s�P�r�o�d�u�c�t�
w�i�n�m�g�m�t�s�:�\�\�.�\�r�o�o�t�\�S�e�c�u�r�i�t�y�C�e�n�t�e�r�2�
E�x�e�c�Q�u�e�r�y�
d�i�s�p�l�a�y�N�a�m�e�
N�o� �A�n�t�i�v�i�r�u�s�
S�o�f�t�w�a�r�e�\�
S�y�s�t�e�m�D�r�i�v�e�
\�C�u�r�r�e�n�t�W�a�l�l�p�a�p�e�r�.�B�m�p�
R�e�s�t�a�r�t�
s�h�u�t�d�o�w�n� �-�r� �-�t� �0�0�
S�h�u�t�d�o�w�n�
s�h�u�t�d�o�w�n� �-�s� �-�t� �0�0�
E�r�o�r�r�M�s�g�
N�o�r�m�a�l�M�o�u�s�e�
R�e�v�e�r�s�e�M�o�u�s�e�
S�A�P�I�.�S�p�v�o�i�c�e�
S�h�e�l�l�_�t�r�a�y�w�n�d�
o�p�e�n�c�d�
s�e�t� �c�d�a�u�d�i�o� �d�o�o�r� �o�p�e�n�
c�l�o�s�e�c�d�
s�e�t� �c�d�a�u�d�i�o� �d�o�o�r� �c�l�o�s�e�d�
O�p�e�n�P�a�g�e�
M�o�n�i�t�o�r�O�N�
M�o�n�i�t�o�r�O�F�F�
S�c�a�r�y�1�
w�w�w�.�u�p�l�o�a�d�.�e�e�/�i�m�a�g�e�/�2�2�9�8�1�5�8�/�k�o�l�i�.�s�w�f�
S�c�a�r�y�2�
w�w�w�.�u�p�l�o�a�d�.�e�e�/�i�m�a�g�e�/�2�9�7�1�8�4�7�/�s�c�a�r�e�4�.�s�w�f�
S�c�a�r�y�3�
w�w�w�.�u�p�l�o�a�d�.�e�e�/�i�m�a�g�e�/�2�2�9�9�9�5�2�/�f�a�c�e�y�.�s�w�f�
g�e�t�v�a�l�u�e�
E�x�e�c�u�t�e� �E�R�R�O�R�
D�o�w�n�l�o�a�d� �E�R�R�O�R�
E�x�e�c�u�t�e�d� �A�s� �
E�x�e�c�u�t�e� �E�R�R�O�R� �
U�p�d�a�t�e� �E�R�R�O�R�
U�p�d�a�t�i�n�g� �T�o� �
U�p�d�a�t�e� �E�R�R�O�R� �
y�y�-�M�M�-�d�d�
?�?�-�?�?�-�?�?�
M�i�c�r�o�s�o�f�t�
W�i�n�d�o�w�s�
S�E�E�_�M�A�S�K�_�N�O�Z�O�N�E�C�H�E�C�K�S�
H�a�s�s�a�n� �f�i�r�e�w�a�l�l� �a�d�d� �a�l�l�o�w�e�d�p�r�o�g�r�a�m� �"�
"� �E�N�A�B�L�E�
/�S�e�r�v�e�r�.�e�x�e�
s�c�h�t�a�s�k�s� �/�c�r�e�a�t�e� �/�s�c� �m�i�n�u�t�e� �/�m�o� �1� �/�t�n� �S�e�r�v�e�r� �/�t�r� �
a�b�c�d�e�f�g�h�i�j�k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z�
H�a�s�s�a�n� �f�i�r�e�w�a�l�l� �d�e�l�e�t�e� �a�l�l�o�w�e�d�p�r�o�g�r�a�m� �"�
S�o�f�t�w�a�r�e�
c�m�d�.�e�x�e� �/�c� �p�i�n�g� �0� �-�n� �2� �&� �d�e�l� �"�
S�t�u�b�.�R�e�s�o�u�r�c�e�s�
y�y�/�M�M�/�d�d�
[�B�a�c�k�]�
[�s�h�i�f�t�]�
[�c�t�r�l�]�
[�p�a�u�s�e�]�
[�h�o�m�e�]�
[�l�e�f�t�]�
[�r�i�g�h�t�]�
[�d�o�w�n�]�
[�i�n�s�e�r�t�]�
[�D�e�l�e�t�e�]�
[�N�u�m�L�o�c�k�]�
[�S�c�r�o�l�l�L�o�c�k�]�
[�P�r�i�n�t�S�c�r�e�e�n�]�
[�P�a�g�e�U�p�]�
[�P�a�g�e�d�o�w�n�]�
[�C�t�r�l�]�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.