1.8
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.55
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Downloader-WFT [Trj] | 20191029 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191029 | 2013.8.14.323 |
| McAfee | GenericATG-FABE!767759523F07 | 20191029 | 6.0.6.653 |
| Tencent | None | 20191029 | 1.0.0.1 |
静态指标
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\szgfw.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\szgfw.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\szgfw.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 52 个反病毒引擎识别为恶意
(50 out of 52 个事件)
| ALYac | Dropped:Generic.Malware.dld!!.55384913 |
| APEX | Malicious |
| AVG | Win32:Downloader-WFT [Trj] |
| Acronis | suspicious |
| Ad-Aware | Dropped:Generic.Malware.dld!!.55384913 |
| AhnLab-V3 | Trojan/Win32.Agent.R120254 |
| Antiy-AVL | Trojan/Win32.Badur |
| Arcabit | Generic.Malware.dld!!.D34D1B51 |
| Avast | Win32:Downloader-WFT [Trj] |
| Avira | TR/Crypt.XPACK.Gen |
| BitDefender | Dropped:Generic.Malware.dld!!.55384913 |
| ClamAV | Win.Dropper.Upatre-7194419-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Upatre.BC@5qv3w8 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.23f07f |
| Cylance | Unsafe |
| Cyren | W32/S-f170c96e!Eldorado |
| DrWeb | Trojan.DownLoad3.33795 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Waski.F |
| Emsisoft | Dropped:Generic.Malware.dld!!.55384913 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-f170c96e!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.767759523f07f401 |
| Fortinet | W32/Waski.C!tr |
| GData | Dropped:Generic.Malware.dld!!.55384913 |
| Ikarus | Trojan-Downloader.Win32.Waski |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.aucae |
| K7AntiVirus | Trojan-Downloader ( 0049d22b1 ) |
| K7GW | Trojan-Downloader ( 0049d22b1 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=83) |
| Malwarebytes | Trojan.Upatre |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericATG-FABE!767759523F07 |
| McAfee-GW-Edition | BehavesLike.Win32.Downloader.xz |
| MicroWorld-eScan | Dropped:Generic.Malware.dld!!.55384913 |
| Microsoft | TrojanDownloader:Win32/Upatre.AA |
| NANO-Antivirus | Trojan.Win32.DownLoad3.deckqy |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.DFC9.Malware.Gen |
| Rising | Trojan.Waski!1.B69C (CLASSIC) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Upatre-AS |
| Symantec | ML.Attribute.HighConfidence |
| Trapmine | malicious.high.ml.score |
| VBA32 | BScope.TrojanDownloader.Upatre |
| VIPRE | Trojan.Win32.Upatre.zz (v) |
| Yandex | Trojan.Agent!+4OIeTe2G40 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
cc40fefa3af5cd00cc28dbd874038a4d
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00000801 | 0x00000a00 | 5.306331173574518 |
| .rdata | 0x00002000 | 0x00000455 | 0x00000600 | 3.980235852646873 |
Imports
Library kernel32.dll:
• 0x4020d8 CloseHandle
• 0x4020dc CreateFileW
• 0x4020e0 DeleteFileW
• 0x4020e4 ExitProcess
• 0x4020e8 GetComputerNameW
• 0x4020ec GetCurrentDirectoryW
• 0x4020f0 GetFileSize
• 0x4020f4 GetModuleFileNameW
• 0x4020f8 GetTempPathW
• 0x4020fc GetVersionExW
• 0x402100 ReadFile
• 0x402104 WriteFile
• 0x402108 lstrlenW
• 0x40210c lstrcmpW
• 0x402110 SleepEx
• 0x402114 VirtualAlloc
Library wininet.dll:
• 0x40211c HttpOpenRequestW
• 0x402120 HttpSendRequestW
• 0x402124 InternetOpenW
• 0x402128 InternetConnectW
• 0x40212c InternetCloseHandle
• 0x402130 InternetReadFile
Library shell32.dll:
• 0x402138 ShellExecuteW
L!This is a PE executable
`.rdata
u3fdXW3
PU`XUl/3
SfEfRf
P-fSfPfX
0f3/f3f
WVP}3/fEU3
fl3fft
fupX:tWf4
UW3%fuf
3QQQQP
XWVU^_VW3P
Nu3VVVj
UE3QQj
RUZE@E;xu3HEE@;xu
VVjPEUUPu(
QVVVVW
E3Eu}t
QVuWu0
)EEt)Iu
EPE+Pu
VEP}tWh
f=MZt&E
E3PEPutW
CloseHandle
CreateFileW
DeleteFileW
ExitProcess
GetComputerNameW
GetCurrentDirectoryW
GetFileSize
GetModuleFileNameW
GetTempPathW
GetVersionExW
ReadFile
WriteFile
lstrlenW
lstrcmpW
SleepEx
VirtualAlloc
kernel32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenW
InternetConnectW
InternetCloseHandle
InternetReadFile
wininet.dll
ShellExecuteW
shell32.dll
RtlDecompressBuffer
swprintf
ntdll.dll
text/*
application/*
szgfw.exe
94.23.247.202
entsj.exe
hngdecor.com
/wp-content/themes/twentyfourteen/images/11k2.zip
welfareofmankind.com
/css/11k2.zip
dtmri.exe
okeanbg.com
/images/1108h.zip
alltruckquimicos.com
/css/images/1108h.zip
1108uk2
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�f�i�l�e�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�7�5�1�c�5�a�8�9�f�a�d�1�8�4�d�d�_�s�z�g�f�w�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�s�z�g�f�w�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�7�5�6�d�1�3�c�7�d�5�d�3�b�d�4�_�s�z�g�f�w�.�e�x�e�
C�:�\�e�a�a�a�5�c�0�4�b�3�1�1�d�3�2�3�b�4�0�6�e�4�7�8�8�6�2�b�f�2�1�7�2�e�8�1�c�b�b�0�5�0�2�7�c�c�4�4�6�d�e�7�2�3�c�c�b�9�4�e�8�1�8�2�
C�:�\�1�d�3�b�d�f�e�2�5�3�6�a�b�1�b�9�2�5�f�3�2�8�9�2�5�8�2�6�0�b�3�e�c�3�c�c�3�b�0�a�0�8�2�e�5�1�1�3�7�7�a�3�2�d�8�e�b�0�e�7�0�e�2�b�
C�:�\�5�1�1�7�e�f�2�1�f�1�c�9�f�7�6�9�d�2�4�f�b�a�a�a�8�2�7�f�8�1�6�8�3�9�5�d�2�7�4�9�7�e�e�7�8�b�d�f�b�e�7�a�b�f�a�5�b�7�7�5�6�a�b�a�
C�:�\�0�b�1�4�5�2�f�4�b�a�8�f�7�3�2�e�7�3�5�7�d�7�4�c�6�f�1�d�a�c�f�6�c�b�5�b�0�3�f�a�f�3�b�a�2�2�0�f�9�e�5�c�f�6�8�0�1�b�9�3�2�9�f�b�
C�:�\�b�a�b�e�6�a�1�9�f�6�f�1�3�f�1�7�d�7�f�3�a�3�8�7�2�4�f�0�8�e�c�6�9�4�7�1�d�e�c�e�9�f�6�8�2�9�6�3�a�7�d�6�7�3�c�1�2�3�0�a�8�3�4�6�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�b�x�3�s�8�p�A�2�.�e�x�e�
C�:�\�R�t�P�M�N�P�2�J�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�f�i�l�e�.�p�e�3�2�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�l�u�s�e�r�\�D�e�s�k�t�o�p�\�c�m�y�1�n�m�v�F�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�0�e�2�3�b�9�e�9�0�b�8�4�9�4�1�6�9�d�d�4�c�e�0�9�7�4�f�f�0�4�a�7�7�7�9�b�b�7�a�5�b�5�a�d�2�e�d�9�b�b�9�b�e�7�6�d�d�b�f�4�0�8�5�1�.�e�x�e�
Process Tree
-
036ae268bc59c78d5f664a42344b67f921b66d87495d807bff6e1857c60a0c85.exe (2948)
"C:\Users\Administrator\AppData\Local\Temp\036ae268bc59c78d5f664a42344b67f921b66d87495d807bff6e1857c60a0c85.exe"
- szgfw.exe (3008) "C:\Users\ADMINI~1\AppData\Local\Temp\szgfw.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | f47323c351662fb6_szgfw.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\szgfw.exe |
| Size | 8.8KB |
| Processes | 2948 (036ae268bc59c78d5f664a42344b67f921b66d87495d807bff6e1857c60a0c85.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | bae890125886d9c04b983136964afc12 |
| SHA1 | a5bab48cc03ca5292d6816eb6cac8db3a4724923 |
| SHA256 | f47323c351662fb65ee9c917e592b5e8ddaad75e73de6b432e411751c780ee28 |
| CRC32 | F35B4D01 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.