3.4
中危
63 个模型检测该样本为恶意!
重新分析
更多

0d83829261d0cd817226ecbcb912a295d1ed67024373f40ff35e3cace5f78501

0d83829261d0cd817226ecbcb912a295d1ed67024373f40ff35e3cace5f78501.exe

分析耗时

135s

最近分析

380天前

文件大小

23.7KB
静态报毒 动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER ZBOT
鹰眼引擎
DACN 0.14
FACILE 1.00
IMCLNet 0.49
MFGraph 0.00
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba None 20190527 0.3.0.5
Avast Win32:Malware-gen 20200215 18.4.3895.0
Baidu None 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20200215 2013.8.14.323
McAfee PWSZbot-FMO!8910C45A7B6F 20200215 6.0.6.653
Tencent Malware.Win32.Gencirc.10b39b83 20200215 1.0.0.1
静态指标
检查进程是否被调试器调试 (2 个事件)
Time & API Arguments Status Return Repeated
1727545341.609875
IsDebuggerPresent
failed 0 0
1727545342.03125
IsDebuggerPresent
failed 0 0
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报) (1 个事件)
section .code
行为判定
动态指标
提取了一个或多个潜在有趣的缓冲区,这些缓冲区通常包含注入的代码、配置数据等。
分配可读-可写-可执行内存(通常用于自解压) (6 个事件)
Time & API Arguments Status Return Repeated
1727545341.609875
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x025c0000
region_size: 397312
allocation_type: 8192 (MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1848
success 0 0
1727545341.609875
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x02620000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1848
success 0 0
1727545341.624875
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x02750000
region_size: 4194304
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1848
success 0 0
1727545342.03125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00450000
region_size: 69632
allocation_type: 8192 (MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2660
success 0 0
1727545342.03125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00460000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2660
success 0 0
1727545342.04625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x02430000
region_size: 4194304
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2660
success 0 0
在文件系统上创建可执行文件 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
投放一个二进制文件并执行它 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
将可执行文件投放到用户的 AppData 文件夹 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\budha.exe
一个进程创建了一个隐藏窗口 (1 个事件)
Time & API Arguments Status Return Repeated
1727545341.828875
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\budha.exe
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\budha.exe
parameters:
show_type: 0
success 1 0
网络通信
一个或多个缓冲区包含嵌入的PE文件 (1 个事件)
buffer Buffer with sha1: 791a8663e48079beb63889d68f986f65d38c7004
与未执行 DNS 查询的主机进行通信 (2 个事件)
host 114.114.114.114
host 8.8.8.8
文件已被 VirusTotal 上 63 个反病毒引擎识别为恶意 (50 out of 63 个事件)
ALYac Trojan.GenericKD.1424483
APEX Malicious
AVG Win32:Malware-gen
Acronis suspicious
Ad-Aware Trojan.GenericKD.1424483
AhnLab-V3 Trojan/Win32.Zbot.R99409
Antiy-AVL Trojan/Win32.Bublik
Arcabit Trojan.Generic.D15BC63
Avast Win32:Malware-gen
Avira TR/Spy.Zbot.brbrb.2
BitDefender Trojan.GenericKD.1424483
BitDefenderTheta Gen:NN.ZexaF.34090.buX@a0sA5Xci
Bkav W32.IntrasrotyLTAAI.Trojan
CAT-QuickHeal TrojanDownloader.Upatre.A5
ClamAV Win.Downloader.Upatre-5744087-0
Comodo TrojWare.Win32.Zbot.BRBRB@55tvps
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.a7b6f6
Cylance Unsafe
Cyren W32/Trojan.ZAZP-0316
DrWeb Trojan.DownLoad3.28161
ESET-NOD32 Win32/TrojanDownloader.Waski.A
Emsisoft Trojan.GenericKD.1424483 (B)
Endgame malicious (high confidence)
F-Prot W32/Trojan3.GPR
F-Secure Trojan.TR/Spy.Zbot.brbrb.2
FireEye Generic.mg.8910c45a7b6f6371
Fortinet W32/Waski.A!tr
GData Trojan.GenericKD.1424483
Ikarus Trojan-Downloader.Win32.Upatre
Invincea heuristic
Jiangmin Trojan/Generic.azouk
K7AntiVirus Trojan-Downloader ( 004b972f1 )
K7GW Trojan-Downloader ( 004b972f1 )
Kaspersky Trojan-Spy.Win32.Zbot.qtgn
MAX malware (ai score=86)
Malwarebytes Trojan.Email.FA
MaxSecure Trojan.Upatre.Gen
McAfee PWSZbot-FMO!8910C45A7B6F
McAfee-GW-Edition BehavesLike.Win32.SennaSpy.mm
MicroWorld-eScan Trojan.GenericKD.1424483
Microsoft TrojanDownloader:Win32/Upatre.A
NANO-Antivirus Trojan.Win32.Zbot.cqjthu
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM19.1.4227.Malware.Gen
Rising Trojan.Waski!1.A489 (RDMK:cmRtazpzmuGmLPLUcT9Xa8QCbhwt)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Troj/Mdrop-FPC
Symantec Downloader
连接到不再响应请求的 IP 地址(合法服务通常会保持运行) (4 个事件)
dead_host 13.225.4.62:443
dead_host 13.225.4.125:443
dead_host 76.223.54.146:443
dead_host 13.248.169.48:443
可视化分析
二进制图像
数据导入图像 288x288
数据导入图像 224x224
数据导入图像 192x192
数据导入图像 160x160
数据导入图像 128x128
数据导入图像 96x96
数据导入图像 64x64
数据导入图像 32x32
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2004-10-05 19:20:04

PE Imphash

476a0becca039396e718130f94fed7e5

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00000492 0x00000600 5.18616300357988
.code 0x00002000 0x00000109 0x00000200 3.29845804546039
.data 0x00003000 0x00002d48 0x00002e00 5.081380140621906
.idata 0x00006000 0x00000560 0x00000600 4.009801410274016
.rsrc 0x00007000 0x00001138 0x00001200 5.2915775859195335

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x000070e8 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x00007f90 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x00007fa4 0x00000193 LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library user32.dll:
0x406194 GetMessageA
0x406198 DefWindowProcA
0x40619c PostQuitMessage
0x4061a0 GetDoubleClickTime
0x4061a4 GetQueueStatus
0x4061a8 LoadIconA
0x4061ac RegisterClassA
Library GDI32.dll:
0x406388 CreateBitmap
0x40638c IntersectClipRect
0x406390 ExcludeClipRect
0x406394 UpdateColors
0x40639c CreateCompatibleDC
0x4063a0 DeleteObject
0x4063a4 TextOutA
0x4063a8 SetTextColor
0x4063ac Rectangle
0x4063b0 CreateSolidBrush
0x4063b4 GetStockObject
0x4063b8 CreateFontIndirectA
0x4063c0 GetTextMetricsA
0x4063c4 CreateFontA
0x4063c8 RealizePalette
Library Msacm32.dll:
0x406510 acmStreamOpen
0x406514 acmDriverPriority
Library ADVAPI32.dll:
0x40625c RegCloseKey
0x406260 RegQueryValueExA
0x406264 RegOpenKeyA
0x406268 GetUserNameA
0x40626c GetLengthSid
0x406270 RegCreateKeyA
0x406274 RegSetValueExA
0x406278 RegDeleteKeyA
0x40627c RegEnumKeyA
0x406280 RegDeleteValueA
0x406284 RegCreateKeyExA
Library kernel32.dll:
0x4060dc GetModuleHandleA
0x4060e0 GetProcAddress
0x4060e4 HeapCreate
0x4060e8 HeapAlloc
0x4060ec GetACP
0x4060f0 ExitProcess
0x4060f4 FreeLibrary
0x4060f8 GetCPInfo
L!This program cannot be run in DOS mode.
`.data
.idata
Q15Q19
>]KLTSSS]
b`cd%R
dIsG]Rfb
mciSendStringA
CreateWindowExA
user32.dll
LoadCursorA
TranslateMessage
Winmm.dll
CLOSE NEW TYPE WAVEAUDIO ALIAS rec
LoadLibraryExA
user32.dll
GDI32.dll
Msacm32.dll
ADVAPI32.dll
kernel32.dll
GetModuleHandleA
GetProcAddress
HeapCreate
HeapAlloc
GetACP
ExitProcess
FreeLibrary
GetCPInfo
GetMessageA
DefWindowProcA
PostQuitMessage
GetDoubleClickTime
GetQueueStatus
LoadIconA
RegisterClassA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
GetUserNameA
GetLengthSid
RegCreateKeyA
RegSetValueExA
RegDeleteKeyA
RegEnumKeyA
RegDeleteValueA
RegCreateKeyExA
CreateBitmap
IntersectClipRect
ExcludeClipRect
UpdateColors
GetTextExtentPoint32A
CreateCompatibleDC
DeleteObject
TextOutA
SetTextColor
Rectangle
CreateSolidBrush
GetStockObject
CreateFontIndirectA
GetTextExtentExPointA
GetTextMetricsA
CreateFontA
RealizePalette
acmStreamOpen
acmDriverPriority
AAAAAAAAA
AAAAAAAAAA
AAAAAAAAAAA
AAAAAAAAAAAAA
vvvvvvvvvAAAAAA
qqqqqqvvvvvvSAAAAAA
qqqqqqqqqqqvAAAAAAAAA
qqqqqqqqqqqqvvAAAAAAAAA
pppppppqqqqqvvvvAAAAAAAAA
ppppppppppppqqqqvvvAAAAAAAAA
ppppppppppppqqqqqqvvvAAAAAAAA
kkkkkkkkkkkkpppqqqqqvvvAAAAA
kkkkkkkkkkkk~
pppppqqqqqvvAAAA
kkkkkkkkkkkkz{|}ppppppqqqqqvvvAA
llllllkkkkkkwxywkkppppppqqqqvvvA
lllllllllllkrstukkkkpppppqqqqqvv
lpppppqqqqqq
555555555<<<
kkkkkklllkk
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
hNNNNNNNNNNNNNNNNNNNNNNNNNNNNNh
cBBBBBBBBdBBBBddeBBBdBBBBBBBBBc
[\\\\\\\\
\\\\\\\\\[
NOOOOOOOO
OOOOOOOOON@
=HUVWIXYZ
B11111111
771111111BG5?>IJKKJLM
7((((((((
*((((((7<=
122222222
22222222215
())))))))
(( ))))))(
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
DPPPPPPPPP
&PPPPPPPP
LPPPPPPPP
RPPPPPPPP
>PPPPP
*PPPPPPP
PPPPPP
PPPPPP
PPPPPP
LPPPPP
LPPPPP
LPPPPP
PPPPPP
PPPPPP
PPPPPP
LPPPPP
LPPPPP
PPPPPP
PPPPPP
PPPPPP
PPPPPP
PPPPPP
PPPPPP
PPPPPP
PPPPPP
PPPPPP
&PPPPPP
1PPPPP
>PPPPPP
PPPPPP
>PPPPPP
1PPPPP
VPPPPPPPP
>PPPPPP
PPPPPPP
JPPPPP
1PPPPP
>PPPPPP
*PPPPPPPPP
JPPPPP
>PPPPPP
RPPPPPPP
>PPPPPP
*PPPPPPPPP
*PPPPPPPPP
JPPPPP
RPPPPP
*PPPPPPPPP
*PPPPPPPPP
JPPPPP
%PPPPPPPPP
PPPPPP
^PPPPPPP
*PPPPPPPPP
*PPPPPPPPP
*PPPPPP
*PPPPPP
*PPPPPP
>PPPPPP
>PPPPP
*PPPPP
C:\Users\Dteam\AppData\Local\Temp\Temp1_Message.zip\Message.exe
C:\DOCUME~1\ADMINI~1.VMG\LOCALS~1\Temp\A7A3092E6838734C55EF4F4EB6E7DD8925E9662A
C:\Aklci7ZS.exe
C:\FsA3ldMu.exe
C:\FbhI97CJ.exe
C:\sBKp5Pov.exe
C:\1m8TBptd.exe
C:\QE7yvQIs.exe
C:\mJdotOyE.exe
C:\MdEHB3qj.exe
C:\k50MVQdH.exe
C:\88zRI22h.exe
C:\0R79nBux.exe
C:\MtAkEsVn.exe
C:\Fea7FfUe.exe
C:\fUZiYOiJ.exe
C:\U2JhtXnE.exe
C:\BDcFcVPQ.exe
C:\TbO4Qzdd.exe
C:\xWmVUpWm.exe
C:\gJDR6Oe8.exe
C:\Users\John\AppData\Local\Temp\TpiviiIuA.exe
C:\Users\John\AppData\Local\Temp\edialbiCapaw.exe
C:\Users\admin\Downloads\5a8ca889a968e5ab0660878f0aa95c18.exe
C:\eb9ae244bf593c7c0a02866813ff4c818914fbc2fb89f4f0421c883086f01001
C:\af264c3e6ae7b9e91f99744f265c7826ad110e7b060d29e6788da7a3e16277d6
C:\1e1a97d1e5c0b1964e0840e03ba279b8a259cb94959e18636fc99fb1b6a1cb37
C:\7815da847da22d1b5d3a7b0f6dd504cc3c301a070ac8cc945458b4be0b6f63e4
C:\Users\admin\Downloads\budha.exe
C:\8db3d9de6e409202aca01de393b1f738d80db34699067842badb98355028ec6a
C:\Users\admin\Downloads\budha.exe
C:\ecc2d13cf74bba4e0a9888edfbabaa988be24450063ab6e3986e8b89c2c22860
C:\d3e1d70955d3f5a6ad00a4eb3ff1c103ae991db32e7977cac16bf3071776a061
C:\Users\admin\Downloads\budha.exe
C:\4060ab7116c1041b53601219728a758010ba1a1725b5613db0fbf5a3d947522c
C:\Users\admin\Downloads\budha.exe
C:\d34812f0a9a0cf0a7398ceb18fff5d7eae6f1d48c572557f71b842a181f55046
C:\Users\admin\Downloads\budha.exe
C:\55dabf3a8989b04e7e65e65bdb32aa1f7971a2ff09b2321b19dec1dd57965127
C:\9257210d63264d941dcb51ea5bd19796d46c57b005c5c8bd55f819e39b5ad887
C:\abbe2c87d16ce95c2b41e450fbad40f24e0a0b1f3c4aec9da64598ae1ca88175

Process Tree

0d83829261d0cd817226ecbcb912a295d1ed67024373f40ff35e3cace5f78501.exe, PID: 1848, Parent PID: 844

default registry file network process services synchronisation iexplore office pdf

budha.exe, PID: 2660, Parent PID: 1848

default registry file network process services synchronisation iexplore office pdf

TCP

Source Source Port Destination Destination Port
192.168.56.101 49165 13.225.4.125 knowledgehut.com 443
192.168.56.101 49166 13.225.4.125 knowledgehut.com 443
192.168.56.101 49167 13.225.4.125 knowledgehut.com 443
192.168.56.101 49170 13.248.169.48 cablemen.com 443
192.168.56.101 49171 13.248.169.48 cablemen.com 443
192.168.56.101 49172 13.248.169.48 cablemen.com 443
192.168.56.101 49174 13.248.169.48 cablemen.com 443
192.168.56.101 49175 13.248.169.48 cablemen.com 443
192.168.56.101 49176 13.248.169.48 cablemen.com 443
192.168.56.101 49178 13.225.4.125 knowledgehut.com 443
192.168.56.101 49179 13.225.4.125 knowledgehut.com 443
192.168.56.101 49180 13.225.4.125 knowledgehut.com 443
192.168.56.101 49182 13.225.4.125 knowledgehut.com 443
192.168.56.101 49183 13.225.4.125 knowledgehut.com 443
192.168.56.101 49184 13.225.4.125 knowledgehut.com 443
192.168.56.101 49186 13.248.169.48 cablemen.com 443
192.168.56.101 49187 13.248.169.48 cablemen.com 443
192.168.56.101 49188 13.248.169.48 cablemen.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53
192.168.56.101 57665 8.8.8.8 53
192.168.56.101 51758 8.8.8.8 53
192.168.56.101 52215 8.8.8.8 53
192.168.56.101 57665 114.114.114.114 53
192.168.56.101 62361 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name b624a92cc2bb1024_budha.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\budha.exe
Size 23.9KB
Processes 1848 (0d83829261d0cd817226ecbcb912a295d1ed67024373f40ff35e3cace5f78501.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5a1767e5c852ec9aa8eaa62108a65c35
SHA1 cb60ed1152e5be1b77f6b47849f00cb7732c2bbf
SHA256 b624a92cc2bb102427bdb547fe584d3136f410225131dc5ab3e11c0caf62738d
CRC32 4554DE01
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 791a8663e48079beb63889d68f986f65d38c7004
Size 5.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b6fc3a2f2c86ee15c289dfdb8e169ac3
SHA1 791a8663e48079beb63889d68f986f65d38c7004
SHA256 ab233ad790d1368c40506ec696acdc3d62a434d923a6ab71b0d587be615deb5c
CRC32 6A8F02A6
ssdeep None
Yara None matched
VirusTotal Search for analysis