2.3
中危
56 个模型检测该样本为恶意!
重新分析
更多

0122360cf8842231010dbb7b27071d5034dadf787daa05fdb166b40110c40999

0122360cf8842231010dbb7b27071d5034dadf787daa05fdb166b40110c40999.exe

分析耗时

73s

最近分析

389天前

文件大小

12.5KB
静态报毒 动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER UPATRE
鹰眼引擎
DACN 0.14
FACILE 1.00
IMCLNet 0.53
MFGraph 0.00
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba None 20190527 0.3.0.5
Avast Win32:Upatre-V [Trj] 20191208 18.4.3895.0
Baidu None 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20191208 2013.8.14.323
McAfee Downloader-FML!7560B8442303 20191208 6.0.6.653
Tencent Malware.Win32.Gencirc.10180cb2 20191208 1.0.0.1
行为判定
动态指标
在文件系统上创建可执行文件 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
投放一个二进制文件并执行它 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
将可执行文件投放到用户的 AppData 文件夹 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
一个进程创建了一个隐藏窗口 (1 个事件)
Time & API Arguments Status Return Repeated
1727545276.60975
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\budha.exe
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\budha.exe
parameters:
show_type: 0
success 1 0
网络通信
与未执行 DNS 查询的主机进行通信 (2 个事件)
host 114.114.114.114
host 8.8.8.8
连接到不再响应请求的 IP 地址(合法服务通常会保持运行) (1 个事件)
dead_host 185.151.30.204:443
文件已被 VirusTotal 上 56 个反病毒引擎识别为恶意 (50 out of 56 个事件)
ALYac Trojan.Ppatre.Gen.1
APEX Malicious
AVG Win32:Upatre-V [Trj]
Acronis suspicious
Ad-Aware Trojan.Ppatre.Gen.1
AhnLab-V3 Malware/Win32.Generic.R98727
Antiy-AVL Trojan[Spy]/Win32.Zbot
Arcabit Trojan.Ppatre.Gen.1
Avast Win32:Upatre-V [Trj]
Avira TR/AD.Yarwi.tfyfs
BitDefender Trojan.Ppatre.Gen.1
BitDefenderTheta Gen:NN.ZexaF.32519.ayX@aqL9O8ci
CAT-QuickHeal Downloader.Upatre.27298
ClamAV Win.Malware.Upatre-6997681-0
Comodo TrojWare.Win32.TrojanDownloader.Waski.BU@7nmtnf
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.42303d
Cylance Unsafe
Cyren W32/S-654ac031!Eldorado
DrWeb Trojan.DownLoad3.33424
ESET-NOD32 a variant of Win32/TrojanDownloader.Waski.B
Emsisoft Trojan.Ppatre.Gen.1 (B)
Endgame malicious (high confidence)
F-Prot W32/S-654ac031!Eldorado
F-Secure Trojan.TR/AD.Yarwi.tfyfs
Fortinet W32/EncPk.ACO!tr
GData Trojan.Ppatre.Gen.1
Ikarus Trojan-Downloader.Win32.Waski
Invincea heuristic
Jiangmin TrojanSpy.Zbot.fois
K7AntiVirus Trojan-Downloader ( 0054b9021 )
K7GW Trojan-Downloader ( 0054b9021 )
Kaspersky Trojan-Spy.Win32.Zbot.zpfe
MAX malware (ai score=81)
Malwarebytes Trojan.Downloader
McAfee Downloader-FML!7560B8442303
McAfee-GW-Edition BehavesLike.Win32.Upatre.lt
MicroWorld-eScan Trojan.Ppatre.Gen.1
Microsoft TrojanDownloader:Win32/Upatre.A
NANO-Antivirus Trojan.Win32.DownLoad3.frlegi
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM20.1.BDF7.Malware.Gen
Rising Trojan.Waski!1.A489 (CLASSIC)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Troj/Agent-BCEQ
Symantec ML.Attribute.HighConfidence
Tencent Malware.Win32.Gencirc.10180cb2
Trapmine malicious.high.ml.score
TrendMicro TROJ_UPATRE.SMZ2
可视化分析
二进制图像
数据导入图像 288x288
数据导入图像 224x224
数据导入图像 192x192
数据导入图像 160x160
数据导入图像 128x128
数据导入图像 96x96
数据导入图像 64x64
数据导入图像 32x32
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2014-01-27 20:19:18

PE Imphash

0cfe10cd6972cf0744cb73df5fd16aa7

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000005b6 0x00000600 5.795231207665622
.bss 0x00002000 0x00000004 0x00000000 0.0
.rdata 0x00003000 0x00000414 0x00000600 3.4589607442112973
.links 0x00004000 0x00000104 0x00000200 1.368594016290666
.rsrc 0x00005000 0x000001c0 0x00000200 5.058292584119172
.reloc 0x00006000 0x000000da 0x00000200 2.016945406881052

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x00005058 0x00000165 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library WININET.dll:
0x403068 HttpOpenRequestA
0x40306c HttpSendRequestW
0x403070 InternetConnectA
0x403074 InternetOpenW
0x403078 HttpQueryInfoW
0x40307c InternetReadFile
Library KERNEL32.dll:
0x403000 WriteFile
0x403004 GetTempPathW
0x403008 GetModuleHandleW
0x40300c ExitProcess
0x403010 HeapCreate
0x403014 HeapAlloc
0x403018 HeapDestroy
0x403020 Sleep
0x403024 FreeLibrary
0x403028 GetProcAddress
0x40302c LoadLibraryW
0x403030 HeapFree
0x403034 DeleteFileW
0x403038 CloseHandle
0x40303c CreateFileW
0x403040 lstrcmpW
0x403044 ReadFile
0x403048 lstrlenW
0x40304c GetFileSize
0x403050 GetModuleFileNameW
Library USER32.dll:
0x403060 wsprintfW
Library SHELL32.dll:
0x403058 ShellExecuteW
L!This program cannot be run in DOS mode.
MF,(,(,(T,(,),(Z,(Z,(Rich,(
.rdata
@.links
@.reloc
SVW3S]H
_3^@[xSP
@SMTQutPud
bSETPW
ud580@
SWSulh
SM`A<ud
Et}t N
WSuhulSuhh0@
bE<PVh
SSSSh0@
*MlE(0@
ElElMlkl;L8h|
uH]tkl
u@E`SSj
SSjPu`u8
>]tE`p Sh
E(PSSVSu\
|i3SSSSuh
]p3SE4PEpPh
]T]t=|0@
ETPupudV
ETPupuduh
MdEp+;t
u}pE`@`3
Vu\RVh
ELuXEpuD
YjlES0@
SE$PupuXV
EPPh0@
@hIEH;
application/*
text/*
RtlDecompressBuffer
InternetReadFile
HttpQueryInfoW
HttpSendRequestW
HttpOpenRequestA
InternetConnectA
InternetOpenW
WININET.dll
HeapDestroy
GetCurrentDirectoryW
FreeLibrary
GetProcAddress
LoadLibraryW
HeapFree
DeleteFileW
CloseHandle
WriteFile
lstrcmpW
ReadFile
lstrlenW
GetFileSize
CreateFileW
GetTempPathW
GetModuleFileNameW
HeapAlloc
HeapCreate
ExitProcess
GetModuleHandleW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
ren7oaks.co.uk
/images/
al2701.e
salahicorp
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
i0v0000000000
1#1@1J1111111
2(2=2C2U2\2a2l222222222+3c333333q4444*5>5E5W5g5n55555
kilf1.exe
Updates downloader
rntdll.dll
budha.exe
C:\urp44qWI.exe
C:\Users\Virtual\AppData\Local\Temp\85230474c45234d6f9f7fddef1a65061bc849c6861933147f8e652be4fbb1711.exe
C:\851f58bdd9a76583a08df3121a78e07a5b594d8333641b63cc22ef1ee7f31d5c
C:\c55208afb3895f6391232eec6a73ca26512f5d10ecd01fc3e0cd3a48ca5463e4
C:\k_5IKLsr.exe
C:\D1se0U2P.exe
C:\dd628525beadd7a6ba8ce4ced42d206631bc7f15e526fc7dd82b99c0c11b335b
C:\7665fa876963b34c2a62f3a6294f1c4b7acf03585dd31b3980b39e76d6464b46
C:\yNFdXtry.exe
C:\dvloWhZ4.exe
C:\a6849cbd6fa1dcb9d5ff5f894f541a97167d77d60f8ff5ebd3131ef27c76aa40
C:\b6287aef7b7093f3febcecdf69546ee5b37a339b61eaca626543761dcebb5ece
C:\598b3c86800ef21650353883d12ac5365f59a76c77bd0177e33442be2031283d
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\ed6119d46ac4b1c94d77b9eda77e74de446e68fe7db53cc3a13051dd095034a1
C:\VeQEC5S7.exe
C:\MF845dwO.exe
C:\6aus64b7.exe
C:\9yQulFRg.exe
C:\084d81ea27064717fb9904b8b7cba3a1240d472c11dbce6bc5fadbde72e2e481
C:\Users\Virtual\AppData\Local\Temp\2dc0af750f5221207a4eb7006da628474318b8f39629c88bb045f377fd1062d7.exe
C:\5011516c7d7f81bcdf96008ea6d7d2de22556b4ac635cd9f97a4cd71b70ae924
C:\8b671d06f0f2e04c935e6a2cd4d76df9e2e5250ee5a6636738ab724d21600198
C:\f4235f957fda7ad394f30de231ce7cdd2e1fa4bd97b1e90c8104941a9c18c1fa
C:\90cbfa5e9a51e2d5ffecdd228ddb49c87b01abc52693cf1b182cc1cfef81ba56
C:\f92d676412b9fb1642ce3585cbaf60dc85022be84bfd5a216b477abd3ac8b16f
C:\s1vAdWJM.exe
C:\UL74yAhf.exe
C:\wcKycYX0.exe
C:\LGLTyjyw.exe
C:\mc75mfDe.exe
C:\R3fa4hbN.exe
C:\8e73e57f376579f0ec9e1b259a12e8902ea70d7ab4fa71ce79149a346e62e0e1
C:\5d208e04a888a4305f06253bf94025a9b915a87e625b8efddc0a23130c37d0a9
C:\b9d5079a5b280b8462e5cb1ee56666e5809395baf0ee4b571eb39c68d1e6de39
C:\1cae5ef24492f2d6c7dd84aa6752cf6b92d60a779494435eabc491485f97fe94
C:\rcqRVGB1.exe
C:\22sjbojz.exe
C:\Users\Petra\AppData\Local\Temp\file.pe32
C:\efed283c09ebf514a97c01075f63137b8cb7bc3faf1f2b98174179a4d8fa04a2
C:\MU1zzXeb.exe
C:\AR0iRzNS.exe
C:\214973aa30920642282130b11e8679e9da36e83b9256cf66e388b83ac57d750a
C:\Users\Virtual\AppData\Local\Temp\ac9e211c7e9daa70eebd89b11b1d8e435dde5d8b08a47c2df0312bec547aab22.exe
C:\EoeBlxZr.exe
C:\Xasu7Y2B.exe
C:\eNsvYmeK.exe
C:\jHx8_QU1.exe
C:\Lxs0YRTw.exe
C:\A8W6HIwg.exe
C:\d293e25a77fd30522ea7e4ff7ef78efebfdfee7a6eff89b014d096b3c269ae8f
C:\6f00416969ade10e3603d75a6fe97a8a3b00e00e09d926ff46e12b71497c63a9
C:\YVgn816o.exe
C:\mZFMDioP.exe
C:\ykhXU4Ly.exe
c:\task\6DEAF277408E978C248653B39F9E363E.exe
c:\task\1DABE0D3C0BE5EB9CB0AEAEBCE156299.exe
C:\RqUS5WPW.exe
C:\GJiZIi2i.exe
C:\SeRCwJDH.exe
C:\e7daa2bcd5b666430b660422b376f819671f45a7e94df4776ad3cf6aee8de643
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\47d4477a9827c4b9f3a8633f987b51b1dd0e6149f578257fe9935ce38bd79b59
C:\3701113a6d77b26c3c7cad09d025ae4119ee76834a7e47947ba0647f36ca7bad
C:\6fbb89ec2a6329a0d8ef112f3896cef0acb9f59920c9e22af6ca8f457b5dbe71
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\Users\admin\Downloads\50230b1b3d0a458f_budha.exe
C:\b0e89a54f7fc23474cfe2c2f09cb20a4dfc0dd903945fd15411ab54cf6b2ede5
C:\Users\admin\Downloads\budha.exe
C:\e5a2ebbdaf95d96d567bf57c60c08499098869f7795eddd753e846f35f2bb66e
C:\Users\admin\Downloads\budha.exe
C:\PX2vP2xX.exe
C:\Users\admin\Downloads\b2c2f798da91b6f122883c9669c653b0.virus.exe
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\Users\admin\Downloads\94394a3e5b785716_budha.exe
C:\5e6f9f3a1aa443de17c07be29a660d3797945344d987b69a5b150a0316c1d2b0
C:\3879631990943739f6dfd65af82f26d8be1fe254fd47182838d31a2e66ba9edc
C:\1f698418d9993eebf60c65bfd695af0be3f9b968977918804da15a935e2ec0be

Process Tree

0122360cf8842231010dbb7b27071d5034dadf787daa05fdb166b40110c40999.exe, PID: 2336, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

budha.exe, PID: 2656, Parent PID: 2336

default registry file network process services synchronisation iexplore office pdf

TCP

Source Source Port Destination Destination Port
192.168.56.101 49164 185.151.30.204 ren7oaks.co.uk 80
192.168.56.101 49165 185.151.30.204 ren7oaks.co.uk 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53
192.168.56.101 57665 114.114.114.114 53
192.168.56.101 51758 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 2c12a5092819b860_budha.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\budha.exe
Size 12.7KB
Processes 2336 (0122360cf8842231010dbb7b27071d5034dadf787daa05fdb166b40110c40999.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 90e7876c1755dc9828259e67d2b6f46f
SHA1 164324de83a0e40328de3551495a08e759460a90
SHA256 2c12a5092819b860d421e75546d621ead4bd6b443987ac0b6d401f131731d112
CRC32 20E57FEB
ssdeep None
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.