1.0
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.52
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | TrojanDropper:Win32/Gepys.270e8923 | 20190527 | 0.3.0.5 |
| Avast | Win32:Kryptik-MGB [Trj] | 20200908 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200909 | 2013.8.14.323 |
| McAfee | Dropper-FGJ!8B838672B19A | 20200909 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0c4c7 | 20200909 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | AUTO |
| section | DGROUP |
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 55 个反病毒引擎识别为恶意
(50 out of 55 个事件)
| ALYac | Gen:Variant.Razy.551534 |
| APEX | Malicious |
| AVG | Win32:Kryptik-MGB [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Razy.551534 |
| AhnLab-V3 | Trojan/Win32.Dofoil.C170768 |
| Alibaba | TrojanDropper:Win32/Gepys.270e8923 |
| Antiy-AVL | Trojan/Win32.ShipUp |
| Arcabit | Trojan.Razy.D86A6E |
| Avast | Win32:Kryptik-MGB [Trj] |
| Avira | TR/Crypt.ZPACK.Gen7 |
| BitDefender | Gen:Variant.Razy.551534 |
| BitDefenderTheta | Gen:NN.ZexaF.34216.luX@aGbFBUb |
| Bkav | W32.AIDetectVM.malware1 |
| CAT-QuickHeal | TrojanDropper.Gepys.A |
| ClamAV | Win.Packed.Dyreza-6975170-0 |
| Comodo | TrojWare.Win32.Kryptik.BEI@4zquan |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.2b19af |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Trojan.SEVA-0231 |
| DrWeb | Trojan.Mods.1 |
| ESET-NOD32 | a variant of Win32/Kryptik.BEIF |
| Elastic | malicious (high confidence) |
| F-Secure | Trojan.TR/Crypt.ZPACK.Gen7 |
| FireEye | Generic.mg.8b838672b19afaaf |
| Fortinet | W32/Kryptik.BDUE!tr |
| GData | Gen:Variant.Razy.551534 |
| Ikarus | Trojan.Dropper.Gepys |
| Invincea | Mal/Generic-S |
| Jiangmin | Trojan/ShipUp.th |
| K7AntiVirus | Trojan ( 0040f4c81 ) |
| K7GW | Trojan ( 0040f4c81 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=89) |
| Malwarebytes | Trojan.Injector |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Dropper-FGJ!8B838672B19A |
| MicroWorld-eScan | Gen:Variant.Razy.551534 |
| Microsoft | TrojanDropper:Win32/Gepys.A |
| NANO-Antivirus | Trojan.Win32.Mods.crhxhb |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | Win32/Trojan.78a |
| Rising | Dropper.Gepys!8.15D (TFE:2:wNFvJSW3SkM) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Generic-S |
| Symantec | ML.Attribute.HighConfidence |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2012-02-23 18:52:19
PE Imphash
886278c9edb60be878adc8f899c633b7
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| AUTO | 0x00001000 | 0x0000215d | 0x00002200 | 6.4237769592877285 |
| DGROUP | 0x00004000 | 0x00029d7f | 0x00029e00 | 5.339749579620513 |
| .idata | 0x0002e000 | 0x00000474 | 0x00000600 | 4.105477333913605 |
| .reloc | 0x0002f000 | 0x00000000 | 0x00000400 | 5.224387968273324 |
| .rsrc | 0x00030000 | 0x00000000 | 0x00000800 | 3.8700573468738235 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_DIALOG | 0x0002d4dc | 0x000002f0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0002d4dc | 0x000002f0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0002d4dc | 0x000002f0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library CRYPT32.DLL:
• 0x42e0f0 CryptBinaryToStringW
Library SHLWAPI.DLL:
• 0x42e0f8 PathAppendA
• 0x42e0fc PathAppendW
• 0x42e100 PathCombineA
• 0x42e104 PathFileExistsW
Library KERNEL32.DLL:
• 0x42e10c CloseHandle
• 0x42e110 CreateMutexA
• 0x42e114 ExitProcess
• 0x42e118 FreeEnvironmentStringsA
• 0x42e11c FreeEnvironmentStringsW
• 0x42e120 GetCommandLineA
• 0x42e124 GetEnvironmentStrings
• 0x42e128 GetEnvironmentStringsW
• 0x42e12c GetFileType
• 0x42e130 GetLastError
• 0x42e134 GetModuleFileNameA
• 0x42e138 GetModuleFileNameW
• 0x42e13c GetModuleHandleA
• 0x42e140 GetProcAddress
• 0x42e144 GetStartupInfoA
• 0x42e148 GetStdHandle
• 0x42e14c GetTickCount
• 0x42e150 GetVersionExA
• 0x42e154 HeapCreate
• 0x42e158 HeapDestroy
• 0x42e15c HeapFree
• 0x42e160 LCMapStringA
• 0x42e164 LoadLibraryA
• 0x42e168 MultiByteToWideChar
• 0x42e16c UnhandledExceptionFilter
• 0x42e170 VirtualAlloc
• 0x42e174 VirtualFree
• 0x42e178 VirtualProtect
• 0x42e17c WideCharToMultiByte
• 0x42e180 WriteFile
• 0x42e184 lstrcpyA
• 0x42e188 LCMapStringW
L!This is a Windows 95 executable
`DGROUP
.idata
.reloc
B.rsrc
ooerZYRV
j;C^ZSQR
[[ rNnTC
ZY[QRV
r%au^ZYSQ
Y[QRVW8
Fr[DW;@al@
_^ZYQRV
CsSGEt
h^ZYQRj
ZYQVW0
EEAE;E
tE_^YSQRP
9 EhVRi
ZY[RV$
E$MEE)
r_SQRVW
Ee_^ZY[QR@
ZYSQRV
rk}X5lcQ
@`_Pnr
d^ZY[RVW
C5\_clVh]
r_^ZRVW
r]ry`@
}3,_^ZSQRVWp
a;drn'r
_^ZY[S
EC,CtV=e
`EGnCY[SQ
PuiC4$EAY`y
}EtSre}
ts`Crt
;,VFrCS
jell@A=j
8iXhlr
lCT^QRV
h^ZYRV
Sfu^[^@u
VrdPEt
l`W^ZVW
SCm;o}
9r^orur
^ZYSQRV
K]ammfc
^ZY[R8
SraWkN
}l@_ubt
upuMr=E
uua\Er
Us@eZRV
3r^ZSQRVW
Sx;Semt~re
B_^ZY[Wh
l`0CUh
_SQRVWl
_^ZY[SQ
kho[Y^
N`;SeoV
gmvPnTulrFvt
eWc5rPE
rC_Yrj
psa3_^ZRV4
heQ@c`^ZSQRL
TUX@Vp3
ZY[QRV
rUr]Nx
W5^ZYVW
;_^SQR
ZY[SQR0
uHrn_N
UEC!1U
"1E~E~PE
]^ZY[SQRV
r@SmES`v_c
`^ZY[SQR8
\Cu^i@T
ZY[SQRV,
nPnErS
oVS^e@
VEchjH
[\iAHZY[SQRV
p `_sSr
u^ZY[SQRVX
MtrtS}
@rPSeC
n[moeN
UArS^ZY[QR
l^Z1QRVW
C@cWsMiEs`
_^ZYQRVW
cjUttxP
Wit`@S
s_^ZYSQRV
VE=S|u
^ZY[R$
o9|PP^bruS
LZSQRVW
_^ZY[SQRV(
a^ZY[VW<
mSWS``;r
SQeuERbLVenc3ztoE`ELFFazd
rPPEr.1dvE
`EdSncCEnVWl2
anPzEWrE
ernEllr
yiGdoPSE
dilsEoEnn
rav`ngAzPdAfEd1P
rEEdzEohapstitnVSES\mdnrSt
vdrnVndFFEerOaPFEunS
MiEewrtrdvE
PrnvnidpleEEEdletFVoEPPnE
npvnPXFeUEuElzEfV1ruIteEzVdElVPVEaP
rinEdF
tEEnSPEFcGV1lEe
Frrneaea
SES~ERB
lEUd+ldv
0NEFxs]
FR0aJe
+PeEhe
oNE]EW
>rj,K(^n
4Ph1lj
Kwu_G@
Uu_EVj<
hEhG4E
Sj"VWjfVQ
EY@8u>
E_U>Ak
1]E^Rx
8BCPW]
|<uEuY
HtYS@r
VYJRHP0+
5dG$=S
;I}[5I
j.oE)?
+b&HD=Sh~
q !Ej(
cRR$0g]qPP
h7HPWqc
C..onpp
ureRR0
KBY8ET,
GY"Ym26
q[$::['LY
/),',9
8$bu|;
5BB/l~Uqo.F
.n~:_`
[A5'dJ
u[j'<_
qsZ`8z
B2D8%F@(
6H:"WK
&]uEc;
I|Anho9
v!kvX^
5A%9A
=?z?a!
!K0%ID
-?K=Jl
41b8:0
+R6OiH
(o.w+U
XkFJzP
rHz4K#o>$,
a]_ cGZ
uh^`yP $=
!}.Q084>x&f?
D2,^;J'J
O6j?'fKDg!
HJ{I!6$6
"k!G|8,Ay
R R9v5
P0W_^TB!c&W
?3zp%{W
7'U+BK
P?<-B$
YE1#\i
"l6-_Ug
R<@mTLa
+yw2V7
p\xs#'gq
f7G{30
Sq]1[75S
REa2eC
M8Sv~!Zmt
Q=(v2\
9e:mxq
loLs=rY[
GC^gbjN4
GU{bwIGH
d)zef%">!iXVWc %1
=ng7 s?
E@?_vE
+WW/M<
#IQPwW.h
Dtf96]
Xm:&|B
\OarHbo];
wj{;7U9z
487*R#
sCN2Zi1b]
5LK\cH
=(DJoB8;
d]PP]T
H\(9iB
Bv~Bu,
t,? *q
5O= 6VJ
rB5YK{}
X7iGNb
*Bn0L,5)~`03
a)b<(0=D%hPE<3
?Du }RL,UKg_
3,@/Pw2
nOeSaB
Dx&'`v
t-w-9U
d=Q[6s
A! 1|x
G%N|RsX
UuKAoJ
nJ]fY,
E-,z0#
yu:Qd~
4W>0i fC:
}mt&20
!).bV`
*k?yzeNs%0
j.$p)`
x.O#aN
Oq1as.
>#!x;$]t
{3) N1=m
dN^9z*
Z8_!<,
,;X89
|)/rFdm@
nxG_FF
@w3'2! 6#
[u-[7b7k
H@>d?X
,W,l7"
=elll7 n
>(2C%2
tmnltr
wOp\dna
yyMlSo.LO
FoyhRe
aipYpdna
AOtdNtAu
CESeil
FNaeI\
CIrsL_r
ppIANTn
nipTw_
ntir_oLWA
p\_oLt
dpo\fes
(
HduWnnydF
TdsyaS
MyyruyndJs
meyouD
eoeunm
rrJOoJ
eNeANetS
dm/My2
*!"G=F>5
nruLP.
nnwrwne
.kt.>r
N a m*2co
nc iu
ga frsnu
c6ceal
h a gt
u 0)euah
otle1 nbtaa
cultio61
ent Rt
t t7dt
eueae6u6k
phrc x
eepk1m ne
6thaRx
1rdmR-
uhe reirp
obt6bl
puo_r
a lchc
ei6 i
22RcnRtroezi6nr5za o od
-at0oa5r
iuinsir
liiluvui
u0w i6i
-eCi2i
eC nzatiann
6oRt -
nniasu.
s rlep
bipig
cotTon
apm1 lmel
taRm3oz
iAorel am
r6zn ne
nrtlci
olinoc
.o l og
c- mttmr
dmeu rM
ifa le
onooc c
n ici felc
plun/Sa
aigflr
tpasoirkb
dlin zielngosn
a aT m
c tTi iat nviasttecdp
slouh ui.oc
s ac tni
iiztctd
a ylait syphnieo
neIi il a
iIckibooydrie
ygu ia itaoth
t iinhs.itcy
Te3OoNI3
6-St m AR
IrurS0
treer-
Wt@jtW
+8t}y+
t?43G*0
@:SypVGH
gsvDzg
o<EB9z2
DH.t`7
|cqW`u
Kg!8tEz`
g0WH<.a
Xi}rx3Y |J
]{J[Lr
hHxv@aG
J@zM5V
Pgv3tHqi{n
wEz\@E}
EU@#ZZ
stHg{{HzugY
sLvTtDe{tD<
P00{}mG=s
)o@]d4
|/ISg@
^g}<Hqg
t7~xMH<UY
DDr@4(D
@@z{gn10
JEv{@H@s
{JWKzC
wE/vtG
17X@Bo
@HC@5\q
?DN0Dr
s,oLCEDU
o|Y;5Lq
Sdu9~3
7HhzF@:ICDJC?Kz:
WDWtWn`
Hd6Wnm
ZGD|xJ;
l@jHvU%bY
J#@DwjqU
fE3Dy*3Y
]H_,0*3@D
<3U1[DY@)^)j/s
?S/oxj
ubtq@9<E
M`j};rxj
n<nE@l
h@VE3n@]4t
{k3Y@$XAD=^
h11h,I$
e3C9!ljjl
=V830@
t(qRV%
@qj9X_
TXnjh)
EJh1JqE
,RDhjha(-@R
jjVjEmh
CRYPT32.DLL
SHLWAPI.DLL
KERNEL32.DLL
CryptBinaryToStringW
PathAppendA
PathAppendW
PathCombineA
PathFileExistsW
CloseHandle
CreateMutexA
ExitProcess
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetCommandLineA
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetTickCount
GetVersionExA
HeapCreate
HeapDestroy
HeapFree
LCMapStringA
LoadLibraryA
MultiByteToWideChar
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
VirtualProtect
WideCharToMultiByte
WriteFile
lstrcpyA
LCMapStringW
0"0/080W0b0}00000000
1 1.1A1U1a1t11111122
3"303F3T3a3y333333
4/4B4L4z4444
5M5j5555555
6$606A6O6l6s66666666
727I7X7j7p77777777
8(858C8N8c8u888888888
9 9*9C9K9b9s999999999
:':4:>:]:n:
::::::::
;+;;;I;c;i;};;;;;;;;
< <*<<<X<b<s<<<<<<<<<
=!=8=C=R=j={========
>*>5>H>^>s>
>>>>>>>>
?1?@?O?V?\?b?e?h?n?o?t?z?????????????
161=1C1I1W1k111111
2,262L2]2k22222222
3'373U3_3q3|3333333
4#4:4P4Z4w444444444
5?5H5_5e555555555555
6&6:6C6L6R6a6k6v6|6666666666
7#707;7K7Q7\7c7j7p7x7~7777777
b}6uD'
#MN>x4rGy3s4
RTPk8,(~<
!IKTVr%_35
"HmRMgfH=H1.
^^B=aA
2f.u;
M-KUVcJ
$E,-;? N
)1|uK,
gcmp1<
ILTap!Z=z
m?5KU
<Gp/`e
{yRxI'dq4
P~FV78
/:7#fD{X"v
)duQ{o
#QK7)%r$
AFzPU]x)[M/aG
^A$o(fb7
H$JXT@
nbJqs!o"
Vt`}Sp
r9986z
WQ$haj?
P.]N5Pue2m`
2<L[ >5
[jfIpi
u3TPf~8)fz
^m2eJzaG
'KDj:j5r
5,1s C
}k<Sp&"SK3EM]r
i$BL2'
RcaD}yt
,!yzpGS<
7E:RPo
RUM4Z 9
&M.mXWS}
+Py4/=
-kMVKU
IK`_Y|z
EcWKzQFQ+F(]2
Z]lU=U_l<
$#CIt/`Q{
fnbv9g
T#i3;?PYy
Xw*9}2fW%
bdiF9-_
2;E"rNx
z!G&+/
z@test
yX;.U6Q
,X=w'KRz>Xfm&
am}G)p
<wEYOACN_V}
{3PN T7-
�B�D� �c�R�o�w�x� �L�t�k�I�E�N�o�K�f�J�B�J�z�l�c�l�I�J�h�W�M�X�e�k�A�i�q�c�w�H�v�u�b�F�e�x�I� �r�r�L�T� �Y� �I�t� �K�W�B�Y�J�A�I�q�R�V�G�R�D�H�K�l�S�K� � �B� �s�C�i�
M�S� �S�a�n�s� �S�e�r�i�f�
n�t�U�a�M�X�O�L�A� �z�O�d�l�E�c�m�S� �g� �d�u�o�p� �P�s�G�U�a�S�
D�D�z�m�s�W�S�X�Y�a�T� � �b�t�w�B�T�B� �d�C�C�A�S�a�A�J�J�y�k�V� �M� �U�s�w�G�W�Q�V�P�Q�Q�Q�B�K�d�U�m�k�F�O�Q� �I�u�k�s�N�F�k�e�c�C�d�q� � � �g�C�L�u�m�a�O�a�H�k�J� �k�e�Y�P�N�E�E�Q�y� � �I�C�E�m�c�s�Q�b�n�L�
M�S� �S�a�n�s� �S�e�r�i�f�
M� �N�n�R�I� �y�Y�M�E�M�b� �U� � �Q�V�W�j�W�j�D� � �O�G� �A�Y�v�H�W�B�U�d�f�x�Q�E�l� �Y�k�v�
b�s� �N�t�N�d�M�y�g�M�c�P�
c�f� �H�Y� �k�i� �G�J� �l�M�
�d�J�b� � �t�z�G�n�n�r�T�u�Y�w�f�r�b�f�S�E�R�B�E�T�n� �D�W�v�L�t�
S�y�s�L�i�s�t�V�i�e�w�3�2�
S� �T�K�z�B� �k�r� �S�n�p�l�n�p�s�l� �E�g�v�T�F�M� �K�s�n�B�L�f� �M�W�W�Y�R�h�c�F�f�y�A�s�O�O�R�i�x�J�C�l� �f�B�B�K�R� �F�t�n�Q�L�K�
M�S� �S�a�n�s� �S�e�r�i�f�
�E�T� �C� �M� � �U�H�R�T�I�N�Q�I�u�A�R�B�V�C�K�U�C�V�i� �q�t�l�W�g�J�F�v�H�
p�K�Z� �D� �x�P�p�l�V�F�O�s� �f�j�g�R�p�O�K�i�F�q�V�I�i�j�Q�G�f�L�D�x�w� �
D�b�t�w�E�r�v�I�A�F� �y�v�m�g�a�W�h�t�M�P�M�S�S�c�E�C�Z�z�i� �i�
Z�M�W�u�s� �f�j�
F� �b�D�H� �D�j�
o�u�b�s�z�Z�q�H� �s�W�r�w� �i�X�P�L�u�A�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.