2.5
中危
67 个模型检测该样本为恶意!
重新分析
更多

d65a7c05e60a965d1737970d9c6c65819792db006a0406854305156a1a07220a

d65a7c05e60a965d1737970d9c6c65819792db006a0406854305156a1a07220a.exe

分析耗时

71s

最近分析

391天前

文件大小

34.3KB
静态报毒 动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN WORM MYDOOM
鹰眼引擎
DACN 0.14
FACILE 1.00
IMCLNet 0.66
MFGraph 0.00
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/runner.ali1000044 20190527 0.3.0.5
Avast Win32:Mydoom-EG [Trj] 20200726 18.4.3895.0
Baidu Win32.Worm-Email.Mydoom.a 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Kingsoft None 20200727 2013.8.14.323
McAfee GenericRXAA-AA!8C38A1616707 20200726 6.0.6.653
Tencent Worm.Win32.Mydoom.l 20200727 1.0.0.1
静态指标
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机 (1 个事件)
Time & API Arguments Status Return Repeated
1727110794.749875
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具 (2 个事件)
section {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00005000', 'size_of_data': '0x00004600', 'entropy': 7.897902341253568} entropy 7.897902341253568 description 发现高熵的节
entropy 0.8974358974358975 description 此PE文件的整体熵值较高
可执行文件使用UPX压缩 (2 个事件)
section UPX0 description 节名称指示UPX
section UPX1 description 节名称指示UPX
网络通信
与未执行 DNS 查询的主机进行通信 (4 个事件)
host 148.243.84.14
host 114.114.114.114
host 8.8.8.8
host 160.205.20.18
在 Windows 启动时自我安装以实现自动运行 (1 个事件)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar reg_value C:\Windows\lsass.exe
文件已被 VirusTotal 上 67 个反病毒引擎识别为恶意 (50 out of 67 个事件)
ALYac Worm.Mydoom
APEX Malicious
AVG Win32:Mydoom-EG [Trj]
Acronis suspicious
Ad-Aware Worm.Generic.23834
AhnLab-V3 Win32/Mydoom.worm.22020.H
Alibaba Trojan:Win32/runner.ali1000044
Antiy-AVL Worm[Email]/Win32.Mydoom
Arcabit Worm.Generic.D5D1A
Avast Win32:Mydoom-EG [Trj]
Avira TR/BAS.Samca.zictf
Baidu Win32.Worm-Email.Mydoom.a
BitDefender Worm.Generic.23834
BitDefenderTheta AI:Packer.DFC754A81F
Bkav W32.MyDoomLB.Worm
CAT-QuickHeal Worm.Mydoom
ClamAV Win.Worm.Mydoom-5
Comodo Worm.Win32.Mydoom.Q@308v
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.16707a
Cylance Unsafe
Cynet Malicious (score: 100)
Cyren W32/Mydoom.CJDZ-5239
DrWeb Win32.HLLM.MyDoom.33808
ESET-NOD32 Win32/Mydoom.Q
Emsisoft Worm.Generic.23834 (B)
Endgame malicious (high confidence)
F-Prot W32/Mydoom.M
F-Secure Email-Worm:W32/Mydoom.gen!A
FireEye Generic.mg.8c38a1616707aa25
Fortinet W32/MyDoom.M@mm
GData Worm.Generic.23834
Ikarus Email-Worm.Win32.Mydoom
Invincea heuristic
Jiangmin I-Worm/Zhelatin.sq
K7AntiVirus EmailWorm ( 0000439f1 )
K7GW EmailWorm ( 0000439f1 )
Kaspersky Email-Worm.Win32.Mydoom.l
MAX malware (ai score=84)
Malwarebytes Worm.Agent
McAfee GenericRXAA-AA!8C38A1616707
MicroWorld-eScan Worm.Generic.23834
Microsoft Worm:Win32/Mydoom.L@mm
NANO-Antivirus Trojan.Win32.Mydoom.cuyllc
Paloalto generic.ml
Panda W32/Mydoom.DN.worm
Qihoo-360 Worm.Win32.Mydoom.A
Rising Worm.Mail.Win32.Mydoom.l (CLOUD)
SUPERAntiSpyware Worm.MyDoom
Sangfor Malware
连接到不再响应请求的 IP 地址(合法服务通常会保持运行) (3 个事件)
dead_host 148.243.84.14:1042
dead_host 10.136.124.136:1042
dead_host 160.205.20.18:1042
可视化分析
二进制图像
数据导入图像 288x288
数据导入图像 224x224
数据导入图像 192x192
数据导入图像 160x160
数据导入图像 128x128
数据导入图像 96x96
数据导入图像 64x64
数据导入图像 32x32
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1970-01-01 08:00:00

PE Imphash

5d02f6de12eb07fb22fe87e05e50d6a0

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
UPX0 0x00001000 0x00006000 0x00000000 0.0
UPX1 0x00007000 0x00005000 0x00004600 7.897902341253568
.rsrc 0x0000c000 0x00001000 0x00000800 2.6495694551935207

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x0000c3c4 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x0000c3c4 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x0000c4f0 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library KERNEL32.DLL:
0x80c58c LoadLibraryA
0x80c590 GetProcAddress
0x80c594 ExitProcess
Library ADVAPI32.dll:
0x80c59c RegCloseKey
Library MSVCRT.dll:
0x80c5a4 time
Library USER32.dll:
0x80c5ac wsprintfA
Library WS2_32.dll:
0x80c5b4 gethostname
L!This program cannot be run in DOS mode.
iiiiM,
hPD4e4(
M4M4M4|tld\4MTLD803M(
`XPD;@
IEFrame
ATH_Note
rctrl_renwn
c:\sDec
nSep3ug
/%s, %u
.2u:um
nkmrnetG
{Staiex
Kazaa Lk
ry P6I
W0RAR.v.3Z.od.key#
p 5.0 () C
lcomhdeRe$tvor.
dnsapi%{.dllphlp
w@kPa_9le
{cabu'mass
vGubm{l
crosoftd
the.bgold-Uk;s}ca
"Z+cre
iWKQg^
foG+lc-
zcWxrrsf.)OW
+rr ,ar+
og3gnu
.m{6Ov
;WRdN`do8a0;oa
lekk5bnda
ymav_-!'5b_
8o@d0(
@e*.*KAdtpRN
USERPROFILE
:\yaha0
`v.;D
7e ig;`
lud A
nvQl\+n
:gb puw2D
k3Srb\2aqFqh
5'%i~Ba.=x|
\c$Yf/j
n*ikyQA9
"p3f,FoeSA
\k,Nv EXZrr
naht%w.^
aF:H$Wh'i|s W-1MTc
Ei+!d/.s
Z@vU<$t>?Pl,e%p>0|Bcts@$F
amsQaeA
(`r[a<b
1w-f6}
!b []=-
G_n!CZ]y
lbAs9Y2
Z Lkn,$T.
F:$f]
,YS5dG
;hjX>\lmpt
[STkMdbMHK66-3
L82:tt
+Djg9!?]:Fm1f
Ve-DAE
"MONWz
$<("P"C"8
N&!Vo<SDj=
tQ"K O4"a
x14c;<#n
ABCDEFGHIJK
6LMNOPQRSTUVWXYZ cfgt
jklmFpq
!_vwxyz23456789+/qsX-P
zExp 6.00.26
3IMEO,4P
uTBy@Mfid;
V9Jw,t6-Ty@m-PDt/xP
9Zr="R"s
q-V51O
48X.5sNPs+a^vI?Gp}appmI/%Gk
[mnOf&4nfn-EdAbMv64"DDi{QHL
\HC=u'%Zu>i7bk\2,
'-$uhjp
>a{QUIT
>'PTZ5
-xYIHEL
LO87`+
nTPS&)\\*
|2~^]H+
:.] KlhJ
of.twa
rer\\MicM/s7n5'O'ndYO+CkfCu_+5
/eu]G?;P_6OIX]
8*P7Sh
C_^w7[
_'F$3^D
|lfk=Pj
pxeDSE
c|pLh$;x
%pX+>u
wu&q<GG5Wqoh
Pi6twaire\Miicrosofiit\Winidows\iCurren
itVrsiion\RuH
p$Trl6y
I2\CSW|$
ldcC-o^S
jZY-i`;WR
6-F.;_
$j<_RP3
jh`OJ?b4q
fdg4u|`
YCppcM;u
u?IH+Sn
#<Kf#F
B0 ;xv+PV;tQ
3 @F;|/
wiiniGniet.dll[-
5PEKef9ut_
3$tv3Wj(-
B;POi8/x
6~W"B;}
8@le(7loC
WbPV$v5
\;C}0
>F@JuD.F'
V)$Y;t0Y|
b1?mp ,
K?GOGSU~m3f
ne,<};u<)Zt
Q0^]8PU
{;_t$@SDIC1\
U~R/('Rf4;
}e%Y-b$I0
nGUqtv
!cs_0?b
A$]~% {
pzw{ok
jd7FF6|=~
tVe;?Vd;t$hFBn
*gu;r_ipWl
JS:S>}tG
QSZxOO+N!
W*Xp0,
\<<@t?(T
+CY<Jo=B@9zO
Kyd+7h%
-0vYC1-NO/&<
'xqf,wOy/UH]
tb0UE,
0"8d5^7-S;1YU2vHf
x 0|8<
2+SJNr
F}.RU8
cbf0d_
x5FG['@
hv$~,\l\t3D
Qm{+8
.5a>3K
HyFQ~
J6f2/Xp
?GLa`;
bx3*oo
+KICY`D
h^ddk3T
o';Wto*9
vt\kQS
'UY3SQg
g%vAa+qYDW\&^
]G7F(O
=khY(QR
h~8ZnQ;t
GWSYf;
j2.`h
r2Ojx26hR<P
f+eqkNdw"Z
?I7\d;
@ZA{+[
H_tu(n
}8h+|-;O
;}e;}a;WZ
;~C;~?+b
M-JSQaH
P=/sSu
V|Ehmd
[GdlcO`1vUMp6l:p
jQ4Mhp
>Fzr?0
1EpDMlu[4EP`
djk7&s
04Sof,
,\Micro
,sof\W,
,AB\WAP
,ab bF
,ile NaP,m
#*u=9kY1d
8F,ZF>h=
<U<puY6ql_
buG:uCR<hu
sup>Y<s
btN<db7x
75<w_u
Kfuc['{8
\P#NYsYZ
Pu%8.@+u
#<8P>|f
&P2 jKk
\.ocal 6rSeti\.Qngs-V=TemFp5fr
yJ5fI:F/Wu]
]4Mbk$b
=#Lf$a
LLa7PP1d[
CYRtg-
+0S6-h
.5PfO5
guj,(,
g*<u?m
0<Q'Fzd|s0K
zV5Xme
P9d{Vj.
$Pt7lK
Y`f[5g;Pl
^:#CYx
bD^:3rS
@PA`Wz
/h(ht!h`
JbG!=!!++
~$k/&;t
}d4H1A|(}.
3*HWS.
Y]G2~
_`EPF0
|$3FP;
[mx#(|
pe\#kkV^S&Y
hXPkWPQ
,>kA&5
54oE'J
Z(MrSPPY
lJS^8
#[=9"E@
K8!PxC
Q"FhWQ"Yz72G
^$cG|$l
xo?~E< r8<=t4<+t0<,<
t(<v aULv7GR<Y
Od3GX%dy
,l_HHt
"}5vBR
+D5uUtm1Oh\9
VRG-'(
vm-!+_|
D#NQPWNy
KDDBS}g^Y
1@&o4,;[;
@5~)XZP;
7l[fW!c
bFO><:t9.5
$8&4E?ao8:ua
0}9-G^u
abM*^&
/dV!IV'LYs
-SRg@C
'Y1Hh<
=+(~.*%8g
,X3+(J-
;t..u
|#eXrk}
p&hh.`
9\X]$l
U3B@$`W
JIJHp`m
W{WP'O
RKhc4
ebKtW66
k|v*(\/#Rh
FAS5Cp"Y$
^xW0vvP
Je&"TnQra
+;rMSK%nv
J-TmtQ
$pPrYH;\y
.noj8f
wnYE;r
sm@f=AB
hh6Gfpn|#
|&^bBA+ZS
}^WB_X@
_(5^*'_
tSEFtP7
, aNM~XX
nl9YJ.u+YtV[i
X.Abvl7(d
_xFZ h
WN_KMe
CS;~S[`+{
Qr(`T,oYt>)
lOPuDHL%db
>q70}:
;?| 4l
w__;}a
YP"z'GC
lRtSMpW?xp5
hncaH0
wu)P/xAl
y@*-&@'_Z
!5&#cD
pBmu=i
fgT@EH5
[P71/}
&xE[f;
U`eb{[m&
&T#zW*
P]p=V^^Y[@~
n("F$A
l)>7`03V4i
G]%Djd
bNT!E"
~#6"azp
.l( G;(|
~k;~!,
rjv(kNhu
9t&ET`
lsc:qRH
PGtop&0=
At-^(Eehz{
GF?x\G
HYWWh>x=I
U,TempFNAU
ve;GMGlobalAl
Cas[M$g+
ZgViewOfUnm
vHtked
von)Vaab{
sCopyx
]ESl$lqAP/h
De;y-amc
%[audeChl4M]UByt"A[s
RnIPoi
;i6`H.
3l0Ao'Gg
g`VueE
_um{@0s
d#m{[1
,`BuffA
Low3lGwvr#w
#EAYMbp
GPGWHU
wwwwwww
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
wsprintfA
ARzDKM
pEB~4E
>BeBAA
CH?aC~e
B gw$Ba
%D92MH
dASZQ9
D'Cgo[
=+?"mLF
/Q#D}tS
OBA$@I!D
[E*\9t
/8.g e.P
f-ZkLQ mu.
SnBRb_
_cMgAo
%Ec;S$s
b>.n!1
sFD?(Cr
(p?s-C
#EiDWdm
WD\ ~O: AM
d1C@}H
CA|-{5C;
t/EBA)
s0D1HV
#LkVBT^
xDLdt50
Jz"ELS?s
D:M}Mp
E"s=>$
iNCARrB
PiA(z"
9Cu"AW
dC>D'JT
B _pE
RKT7v'
SJB}`n
RBzC#qC&
PzC:@CD2`
AHM4EB
,CWB}Qk
R)nu#<|
C7?+<jCA
DvHD-S
A0o?KA&"
[BrFYXDP
~xMDA/o
?kXSV@
CtYRA5}
MBCjbCqb
p-p=%E$
MD*6|@f!
y R?ii
'eqMCs
'pB+i@
[Z+D-E
!2C05+
_DgBB&
^;'9+|
*BH73C~>3Ex
>[*Br:
$=KK:8E
M#{e+w
v)P@!5qDm
AE6LAY
lQ~C@hD
8UBA1Bx
'd7ACjz
e#pBI'C
PhD-DHzD(}
dAjA{`
RCan|E
D iDz_d

Process Tree

d65a7c05e60a965d1737970d9c6c65819792db006a0406854305156a1a07220a.exe, PID: 2244, Parent PID: 1788

default registry file network process services synchronisation iexplore office pdf

DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 56933 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name e3b0c44298fc1c14_lsass.exe
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name c4cb2c7a0a964908_gpban1l3.txt
Filepath C:\Users\Administrator\AppData\Local\Temp\gpban1l3.txt
Size 13.8KB
Processes 2244 (d65a7c05e60a965d1737970d9c6c65819792db006a0406854305156a1a07220a.exe)
Type data
MD5 e0adcd8056bb383615c6e15fefedcddc
SHA1 d5ad22fd4c0c1ef9c431c6437b2ee1f7a0d96608
SHA256 c4cb2c7a0a96490850ce058884fef8dd95c676b425a3530523cf0d637efb18d7
CRC32 FA91BA12
ssdeep None
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.