1.2
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20191019 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_90% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191019 | 2013.8.14.323 |
| McAfee | None | 20191019 | 6.0.6.653 |
| Tencent | None | 20191019 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '', 'virtual_address': '0x0000e000', 'virtual_size': '0x0000a000', 'size_of_data': '0x00009200', 'entropy': 7.884582428438031} | entropy | 7.884582428438031 | description | 发现高熵的节 | |||||||||
| entropy | 0.9864864864864865 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 50 个反病毒引擎识别为恶意
(50 个事件)
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Trojan.Heur.D.cmHfbatUMJf |
| AhnLab-V3 | Trojan/Win32.Downloader.R6541 |
| Antiy-AVL | Trojan[Downloader]/Win32.Small |
| Arcabit | Trojan.Heur.D.cmHfbatUMJf |
| Avast | Win32:Trojan-gen |
| Avira | DIAL/Dialer.Gen |
| BitDefender | Gen:Trojan.Heur.D.cmHfbatUMJf |
| CAT-QuickHeal | Trojan.GenericPMF.S4595280 |
| CMC | Trojan-Downloader.Win32.Small!O |
| ClamAV | Win.Downloader.19186-1 |
| Comodo | TrojWare.Win32.Downloader.Small.ai32@1ozpjf |
| CrowdStrike | win/malicious_confidence_90% (D) |
| Cybereason | malicious.8e8662 |
| Cylance | Unsafe |
| Cyren | W32/new-malware!Maximus |
| DrWeb | Trojan.DownLoader.44864 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Agent.KW |
| Emsisoft | Gen:Trojan.Heur.D.cmHfbatUMJf (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/new-malware!Maximus |
| F-Secure | Dialer.DIAL/Dialer.Gen |
| FireEye | Generic.mg.99a6e6f8e866267d |
| Fortinet | W32/Small.CCA!tr |
| GData | Gen:Trojan.Heur.D.cmHfbatUMJf |
| Ikarus | Trojan-Downloader.Win32.Agent |
| Invincea | heuristic |
| Jiangmin | TrojanDownloader.Small.gxh |
| K7AntiVirus | Trojan-Downloader ( 004d0fb21 ) |
| K7GW | Trojan-Downloader ( 004d0fb21 ) |
| Kaspersky | Trojan-Downloader.Win32.Small.cca |
| MAX | malware (ai score=89) |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee-GW-Edition | BehavesLike.Win32.PWSGamania.nc |
| MicroWorld-eScan | Gen:Trojan.Heur.D.cmHfbatUMJf |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Trojan.Win32.Small.bdqeci |
| Panda | Trj/Downloader.LMS |
| Qihoo-360 | HEUR/QVM11.1.A789.Malware.Gen |
| Rising | Downloader.Agent!8.B23 (TFE:5:iuPqZxx1MPT) |
| SentinelOne | DFI - Suspicious PE |
| Symantec | ML.Attribute.HighConfidence |
| Trapmine | malicious.high.ml.score |
| VBA32 | BScope.TrojanDownloader.Agent |
| Yandex | Trojan.DL.Small!KfFO1B3DDSk |
| Zillya | Downloader.Agent.Win32.4237 |
| ZoneAlarm | Trojan-Downloader.Win32.Small.cca |
| eGambit | Unsafe.AI_Score_94% |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2006-10-03 10:22:57
PE Imphash
fe47084b4e0d85226f5873197afddbf6
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| 0x00001000 | 0x0000d000 | 0x00000000 | 0.0 | |
| 0x0000e000 | 0x0000a000 | 0x00009200 | 7.884582428438031 | |
| 0x00018000 | 0x00001000 | 0x00000200 | 3.201999115087285 |
Imports
Library KERNEL32.DLL:
• 0x418078 LoadLibraryA
• 0x41807c GetProcAddress
• 0x418080 VirtualProtect
• 0x418084 ExitProcess
Library ADVAPI32.dll:
• 0x41808c RegCloseKey
Library RASAPI32.dll:
• 0x418094 RasEnumDevicesA
Library SHELL32.dll:
• 0x41809c ShellExecuteA
Library WININET.dll:
• 0x4180a4 InternetOpenA
L!This program cannot be run in DOS mode.
O9_.j_.j_.j$2j^.j2jN.j_.jW.j=1jV.j_.j
.j1j:.j1jM.jRich_.j
SUlQQM
koK|fE
mX{+3=:
u9SWVM
}t 9y~
8+QTUl7ukH
Qp u[[r
g}t+]'.~
caQB)^46
P.vJYP
5YVYAhm>"G%</-PC
t]~NW4 e|P|J;|F|$
ggA#AQP
GWS+Jd
G<k.3^#3e+cYax
|;f \*P
,W'sNZ
$][&.%<mRt
9V~6)=
n'h;AG
^/&U[9m"tfJ
YJH539Mp
o+u.A;Mu
Hn8E|>
mv>Si'?RK|D9
{ZZ ~V
d9P)>[3
,>Q''|{
a P1f2V
{a.zTt0C|A
~)wzu~
]pgb#t`pYNOL;|EAZ
vfE ~(+x![aaQ
wHyKyt
X|S7-~})eX[`Y#|
~xlI8QVj
k#^VC.
QKk$:p]
V<~}p7^h1L`
tn6MpQ
r=:/en=
P`_B#v
nf_ke1dm|
Z*^Y;>|
("M`X`nS[
!eXPp-QbVB
`Rtj9,?P{Y
d<1s[e
Wv<Y=4C&
AS #V`
(Cxh}H/e
;~,-ZQ
guktS<}Kl/l;
8B@3"|M1
82\0(&W|;5+2>
8$kVYP
>^dYQQSWxru@d'
ws6erk1R
?+S^"9C
l)L^+9s
@mKD6(V)5t7(-V
6#FrF~ri
R+DVu&c
Zo;t A:
uLRABm
8Tt+1AoR
|-z)[`a+Zr
0Eee.Knm
u;A}<v.
gj[{2Vn\>
}`Ys~fW
q:gP'.C
mvP2@th$'
h"d-.2
r>dbCv9Sl3
3{.v6P
h\OnJhpSN,h`2
lX0\bg?
<l;_^h
x|Wznd7(
__f0+]
1,$h9?
&S:oS,cS[
tOIj|h"|
*X_`[P.VLz[W+. ^
w,$h"9
%F'e\'I.
'[p8]u
g_sLQ`*
Bs<tsLm
P!bEYa
08W!E0YB[
$OV7KzK>4*q
kCUU3 O$
V8YShi,"
l#lvXF
!_-k"Oz,m
JJ\u_'$}
\,# ,p
"x$G,yVU2U
1+5'6\
@0HB0(Pjd?
L_oW&f
s|DWHSP
,J%9Pa
dLrXKF.adPdp?|.
06K#F46[
xaIk@2c
T$$(9B
G;3|WjDu
X@K#|P6
[4SP\4`.l
&:cQljC
iM3jiG
r:GD(Ej
,h0%mvC
U<F}Y^ux
&P.of`+St*M9}3
`W?!@%
hp<L^ 6
tZHt(Hua
{QhhoBhd
;h`49$g
Zu"h\
Q`3VMTQ
Q2G,I`
J rXC>
A&HHargx
+.st)4`!
ShSw@;'
7&Z#hM+-[Rt{!v
(u7`H0
$`HI*&
PC.@,&
W:3H!h$"V
SRW,IL4x
}HN OTG5h
dp'6l3
]%\ #2
@X#9aV%*
k=baEhtM`F5W
>3b\C5Cg25
K'`2pE$?
^D'>U[
lB&q"%
`6|63~
@6`13MJV
9BKDp@'c!c
@Q*HMd?
$,k<di
HGVP:X
$/cer#
-uJ yc+V
*\]2%Hh_v0-1(_^&U3[
LA^/D%
\slUkTKh'M=="
(<I/u}"
;5"s^h,$%
-zyd_d;s
WAm}uQ
jwY9Yu!
0 B)|Wy{
r)$f@}
#F!G?;
wPhe$+X~g,h
)'eK[$-
tZw7kA+2
aAL$VC
8VD^mUV
~4)wDVSU
>VCHYP^
5sYXxF.AEA ?S~@tu
E{+aB9
y"8lPkk
m0mm`Gm[Mt
uRFGHt
u8Zo&%7t+NuwW%
SS_|L^
#J>_e_
2(YRW^d
hA @06{
x4xxz^r
0x3$\M}t
%;_E{fKuT
NB9Lwb3I.
M4G}/o-
vGCrwAUa
8^=hp@dQ
t.R$t(4v
hB-}dRT
;pPOPlm
fiX3[y
07`)G5#keY
<A+@C w5
SbUL*m*6
C*t)3";iWQW6n
Zo-+;r>)p3h
x^|.EKY
@G<)g B
6SdZ!g
R[6V7)
Fm[+>B
D!t7Y3!5Y$!"t
Q 9Hl()
T"p2YX
M4.!O<
BA]Cih
nvf+tD9
<8csmt
t 2aTY
1RSqTSjf
?3JRA8
)$Y%5C
Z/%w`El
Q"+D!@
M/l@o0U
eYZCuOH t;s-
*uU#:v&s
myht lw
6zl2^`
R-wtQ:&Y*0b-G
Z#@=t3,6s
rGE$h6
oKM@0Y
$D&sw]
<B#DV-:hp
]'&'<+G
bm&$=5
i_m:~K
3?A=t!
R|WRPW"
vJ5XWv-
ru6S3P
#5d@0+A
HS~2+3{;
wtg }i]
^f#X4@mR
~!XVl+>
kK81&<
v95c}Rf XL~8
3[7@~FI6M
ZQ/GEv
?+;|<4uM
xXH\PpXd7
P:u+dAx"
n0[%W(
))~D~(VF
F;C|vz\S
81X>+6[2WP;r
h&{Dh
]34Xh@
lUUlo58A+q
k=yM4UQ
O?{_/3mB+
zIZm{sdv
ULR6VJ
K)%b$O
h7 2aA
uY$;F{
/TmWm{
a*\X`-CLWf[Q]d_O
+Gg TC
\6,es"
P@Og<=
E0Dd[h3x
W|Nv)$
bd*G-AQO
OCl}h7iZ0G
w<GwH~
A n/dDBFC
qOI;\+\9
4e>__;|$& S>!\q"
,KNKYKYY ,\
oG`QmT
)Yk[K6\3
vy]Fwqwq
up{XjKY
=M?8Vt'k
E^~aA&<
9d^Bm+
0`[Bh0
G4}qR(9
S,0\`V
J)9&-n
<H:..,
H%Fs*&
s{3W-&qu
U``@.X
t_#1vY
p)-()
T9>t6v
pft to
P,9v7U[H
2?a,]`V9
&7Q:9,
TzS4pn
)Be(Cn
5!41adYh
-y&j[R4Pn(Z
JxD*EBtAc
vsQ64Z
bk'! J*
]6XWoo/2d
k~7E}?'
f`D,bQ
u:Wt~S=3~P_f
9tV5H'
PF"1`1
RtQ&|UFm
!zA_j$
ko&/4t'i
jcj8Nf
VXYdFY
/Unt Z%L
j*ZxffI
m0KW!Z
`2Ej@|
dEro1*
?Et_j.R
XuLMUM
0z%r d
\485M<
<aJ<r<&i"
q-Kebt.
cu._2W
'=lA3}
;Nh[Fn
;\gjek
?i0nBO
-MNj:YXF
!7hV@&H
:n,B0u*6
YU'LT0$l
d4$/unhk
T'VC20
av|EVUk
m3x<]%cLd
P$Y%N,pQ
Hl?(dr
`+hj]$
Ju#5t=_
3 ?]=J=3 ?
Dt&w9<"u%F
M&zR|nF>!
I[Z*:jo'
=A8 t9U(d
k/'$PV5
/)t%7GK
fLYjD+
5\FKuJ
6_|?t:a.(
'I~EU5
u-z'\u
V&hSa.
6v)nu*
)8!hG4
-AgEL8onx-j
*lEP7p
U``cgI
_&'0M6
Gs [h
|s=prf
rIj3w#
hUW.5j
[aY;Vz
^EZ{O$
T;^}%9"~
5X#neji
lQG7$D=Nx
2EMj!7n
w+Z(!C}
C*V[k)
H-+1s/"#
e*xK0]y
D)ZP\k^
?+SXw6
@#%]{x; |(R05ZCMr&w
j]1kpQ"
$a&\'K
KA,@0~ ]V@K
E<mA0Z
-N},54
"yWQoB
,C%,zg
17VU^s
RG YU%^fC5VPa36
O 'NWsR <1
7;.Pt2 UYAByIIP!PP
03H2Z>
^Qma-F!
:`n$G7Kt
7Cjp@
uxtU,QnIR
mOtM?6
chH z;.
PFhEt@
-#@GF_VE0
F0:uNF-X0C&
\6*#'Z *
W WV WW
7KXimCW/PV
u8mTU`
+ f$=T(w
E(l*&P
V3V-FX`
h6 A9P3@<
VtcZD
&Kf)IV_
UR\`e~
piIVh5P
F":~fA
>r0B=X0
R_2-H4Rq[
F}Wx;t,Q
=HrV9l
<hx!U K
ra#<%Tj
{l) ;w
BBB&_[jf5z
p6o}gl#
V+f4#RN]h'^j_\rf9
u7 LJ^
K#"$*&
8gYutfla!W0.M
]T}tVdgR
E6k( qG
H7wlSm
_5hRV-PR.
* , "f33cC
^p5+i SP-fnRv
uc_9UmC@.\CL~G
gsmv:=,
Q~J}yyD1
-t,0tRC
c{ecOr
%VW.`sY
Dt6z4d
0Dmnt*Yl\lt
IW57O(<=[m-
wM4$nM
0l9fDp
^ml!u.h
a9f}<l
+Vdexi
@aG[]5T|0r
|jgvYw
3Ip3pteK
GQ=UGr
#jMR~I
_BDgS`0
tc}0fj1
!AXh8T
,cv-H c>ur
TBn8/z
lE%N1h
9t>b[m/
1LX_u@WP#NWR~L=L#
s{\QKD
:v@^2w
vcx4~b$V00#
S/Fm;J[
8WZ5yq
qaf}+F3BYc-
<Z!x6n*
Uj=iXYVF#
x+2V='JG
fY|Co_24<
VvY+cY
c1,^yd-W
BdXP,Y
6@P9oo%
>!WBHU
CNn`{0
~G^_[dB8t68
+qDh,L
Z+;Ps:R
l) PP-=b
F"s"@1K
3SX+K
unknown exception}
yOtz@/
P, (8P
)w(null)?7
PAkoGAIsProssorFeature
{ent KERNEL32
e+!0S]~;y
'!\U7^a;y-
osruimoerr
- Gabl
to iniRaliz
pf7'7t=
ugh spac#fwl
std5kp vir!3boc# c
_*\/Xv^
m2`desc+8F@pk$ed
W1$#7mj0otha/lockn
4da.[k
p@grPam Jm6/fh)09O
9m.+8=
argu(s_02fm
VisC++ Ra=Libry'
<%u6Ym>
MTueW~ouThuFriSaJanbM
SONovDOK{TZO"?c&
GetLaAZv
ageBox
.dGs-1
rton]w
,vI:Y7si(A=,a
@.mG#A#
>lS@'hd@
+6sx7`]X
p's_'/R+
#+2 3;C
'O^!ph
l,7LD/
ncpy() is
, bmid
ABCDEIJ
KLMNOPQRSTXYZabcdefghijklmHpqr5uvwxyz0123Wz456789+/
UCBSmEW@f
::Fail
U sa[M`
uctC+b
X(char)('d_X&
`-[=($
zmNUSLLSmpa
lSremove
a3mdxut
&{CNxY
flitfT[
gic_@t
<T>ul:c`
" GOTO Lo
sIF EXI "
Z8 \Rux
4Ma)7209.73.18m6.x84
V61.1044m'
3.5195
Id/~:\
gf&myID=
NAwhttp://tzpcf0G8b.
eFl#"q
yCmdURLRe_U}Up
r us%n@
type_in
W_YM7`{l
4`)2 o`
i8z(G
i(F5O@Lu
xQvPD?L..%'
[;ZxN40
3:w6Mt
?y/@~GHo
^__j2691~
I x@oGAkU'9p|B
~QCv)/&D(
uuvHMXB
9;5SM]=];Z] T7aZ%]g']
?Zd;On
7?3=Bz
;1az?aUY~So|
*?}d|FU>c{
zc%C1<!8G
u7.:3q
#2IZ9W
,%I-64OSk%Y
?length
WX(hCbupN
Te Path
MeleFi
0SPr.n
tyClass
\"u$I|rm{@
EY*h'Va
LCMap+
ARc>OEMCP
9^v*$HeyF
RaiseBn
c96"u=d
Q7OFAddr0
xToMByu!le,
.%shBuffq
%8aASN
;m%WUre
;%OKey
k AWZq6
$a]Sh1lJeczA
ln`(0IX
=zHBl*Url
.Y|PE!E!@q
ltextCc
k.@.&8)6%'
XPTPSWXaD$j
KERNEL32.DLL
ADVAPI32.dll
RASAPI32.dll
SHELL32.dll
WININET.dll
LoadLibraryA
GetProcAddress
VirtualProtect
ExitProcess
RegCloseKey
RasEnumDevicesA
ShellExecuteA
InternetOpenA
W7H|ag
q3VV'y
2bmy00
h?O+<|
{?O<||||?O<?O)x<?O
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.