0.9
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.53
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win64:PWSX-gen [Trj] | 20190913 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190913 | 2013.8.14.323 |
| McAfee | PWS-FCKZ!84CD671CBD94 | 20190913 | 6.0.6.653 |
| Tencent | None | 20190913 | 1.0.0.1 |
静态指标
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 42 个反病毒引擎识别为恶意
(42 个事件)
| ALYac | Gen:Variant.Ulise.50412 |
| APEX | Malicious |
| AVG | Win64:PWSX-gen [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.50412 |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Trojan.Ulise.DC4EC |
| Avast | Win64:PWSX-gen [Trj] |
| Avira | HEUR/AGEN.1019322 |
| BitDefender | Gen:Variant.Ulise.50412 |
| CAT-QuickHeal | Trojan.Zenshirsh.SL7 |
| ClamAV | Win.Malware.Mikey-6840387-0 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.cbd945 |
| Cyren | W64/S-822a87a6!Eldorado |
| DrWeb | Win32.Tempedreve.21 |
| ESET-NOD32 | a variant of Win64/Spy.Tuscas.D |
| Emsisoft | Gen:Variant.Ulise.50412 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W64/S-822a87a6!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1019322 |
| FireEye | Generic.mg.84cd671cbd945c62 |
| Fortinet | W64/MikeyB.80!tr |
| GData | Gen:Variant.Ulise.50412 |
| Ikarus | Trojan.Tempedreve |
| Invincea | heuristic |
| Jiangmin | TrojanSpy.Small.auj |
| K7AntiVirus | Trojan ( 00547c941 ) |
| K7GW | Trojan ( 00547c941 ) |
| Kaspersky | Trojan-Spy.Win64.Small.h |
| MAX | malware (ai score=87) |
| McAfee | PWS-FCKZ!84CD671CBD94 |
| McAfee-GW-Edition | BehavesLike.Win64.Generic.xt |
| MicroWorld-eScan | Gen:Variant.Ulise.50412 |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| Rising | Spyware.Win64/Tuscas!1.B38F (CLASSIC) |
| SUPERAntiSpyware | Adware.Mikey/Variant |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Troj/Agent-AZUT |
| Yandex | Trojan.Agent!3uz5FC2oo88 |
| Zillya | Tool.SennaSpy.Win32.32 |
| ZoneAlarm | Trojan-Spy.Win64.Small.h |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2019-06-18 09:45:41
PE Imphash
7c5f9b19847a4e36080308f0e2c5add5
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000096f | 0x00000a00 | 6.079394555632724 |
| .rdata | 0x00002000 | 0x00000316 | 0x00000400 | 3.6712192457711463 |
| .data | 0x00003000 | 0x00000020 | 0x00000200 | 0.15908382530476972 |
| .pdata | 0x00004000 | 0x0000003c | 0x00000200 | 0.5727196336620997 |
| .rsrc | 0x00005000 | 0x000001e0 | 0x00000200 | 4.696122618599126 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x00005060 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x140002000 VirtualAlloc
• 0x140002008 GetModuleHandleA
• 0x140002010 GetProcAddress
• 0x140002018 VirtualAllocEx
• 0x140002020 WriteProcessMemory
• 0x140002028 CreateRemoteThread
• 0x140002030 CloseHandle
• 0x140002038 VirtualFree
• 0x140002040 GetProcessHeap
• 0x140002048 CreateFileMappingW
• 0x140002050 MapViewOfFile
• 0x140002058 OpenProcess
• 0x140002060 UnmapViewOfFile
• 0x140002068 GetCurrentProcess
• 0x140002070 TerminateProcess
• 0x140002078 HeapAlloc
• 0x140002080 HeapFree
L!This program cannot be run in DOS mode.
dRich3
`.rdata
@.data
.pdata
@.rsrc
H|$ UHH@
E3HEHA
HM[t>E3EY
HD+uLEEt
DHMHMF
HuEuMA
uADHMHMF
HMHM=HMF
4Ht$`H|$hL+H\$XAH@]HHX
Hx ATAVAWHpH
DSLD[H
E3HH;t<
H3t)3t
A3E4BEA
HHH;uH
F\6FT6AFHDDI
HAuB|6H
L\$pIk(Is0I
$I[ 9I{8
IA_A^A\
LL$ HL$
SUVWATAUAVAWHHEi
HcZ<LH
tXIDH+H
H(IuL$
H[(HuH
M3HD$ @
L+M0+A+A;s[B
u/L|$0L
;E33HD|$(H\$
HHA_A^A]A\_^][H\$
Hl$ VAVAWHP
fD|$DLL$4EW
A0fW9f
IuHD$0EB
E3HD$(3H\$
E3E3HAQ
HD$pHD$
L9|$xtQD9|$ptJD3
HT$xLHDt$
L\$P3I[0Ik8IA_A^^H\$
LLL+AC
HIuH\$
KERNEL32
GetProcAddress
LoadLibraryA
VirtualAlloc
GetModuleHandleA
GetProcAddress
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
CloseHandle
VirtualFree
GetProcessHeap
CreateFileMappingW
MapViewOfFile
OpenProcess
UnmapViewOfFile
GetCurrentProcess
TerminateProcess
HeapAlloc
HeapFree
KERNEL32.dll
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.