1.2
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.97
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:SillyP2P-X [Wrm] | 20190920 | 18.4.3895.0 |
| Baidu | Win32.Worm.Agent.bf | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_80% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190920 | 2013.8.14.323 |
| McAfee | W32/Xiquitir.ow!p2p | 20190920 | 6.0.6.653 |
| Tencent | Trojan.Win32.Small.p | 20190920 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | zCOudfzz |
| section | waecTbTU |
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'waecTbTU', 'virtual_address': '0x0000a000', 'virtual_size': '0x00005000', 'size_of_data': '0x00004a00', 'entropy': 7.842925069359726} | entropy | 7.842925069359726 | description | 发现高熵的节 | |||||||||
| entropy | 0.8604651162790697 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Generic.Malware.SN!hidprn.96E41361 |
| APEX | Malicious |
| AVG | Win32:SillyP2P-X [Wrm] |
| Acronis | suspicious |
| Ad-Aware | Generic.Malware.SN!hidprn.96E41361 |
| AhnLab-V3 | Worm/Win32.Agent.R287264 |
| Antiy-AVL | Worm[P2P]/Win32.Small.p |
| Arcabit | Generic.Malware.SN!hidprn.96E41361 |
| Avast | Win32:SillyP2P-X [Wrm] |
| Avira | TR/Crypt.FKM.Gen |
| Baidu | Win32.Worm.Agent.bf |
| BitDefender | Generic.Malware.SN!hidprn.96E41361 |
| CAT-QuickHeal | Trojan.GenericRI.S7237852 |
| CMC | P2P-Worm.Win32.Small!O |
| Comodo | P2PWorm.Win32.Small.P@32rtt9 |
| CrowdStrike | win/malicious_confidence_80% (D) |
| Cybereason | malicious.4a9536 |
| Cylance | Unsafe |
| Cyren | W32/FakeMS.AQ.gen!Eldorado |
| DrWeb | Win32.HLLW.Xiquit |
| ESET-NOD32 | Win32/Agent.NIQ |
| Emsisoft | Generic.Malware.SN!hidprn.96E41361 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/FakeMS.AQ.gen!Eldorado |
| F-Secure | Trojan.TR/Crypt.FKM.Gen |
| FireEye | Generic.mg.b440a384a9536d6c |
| Fortinet | W32/Agent.NIQ!worm |
| GData | Generic.Malware.SN!hidprn.96E41361 |
| Ikarus | Worm.Win32.Agent |
| Invincea | heuristic |
| Jiangmin | Worm/Small.cr |
| K7AntiVirus | Trojan ( 0051918e1 ) |
| K7GW | Trojan ( 0051918e1 ) |
| Kaspersky | P2P-Worm.Win32.Small.p |
| MAX | malware (ai score=87) |
| Malwarebytes | Trojan.Agent |
| MaxSecure | Trojan.Malware.143695.susgen |
| McAfee | W32/Xiquitir.ow!p2p |
| McAfee-GW-Edition | W32/AutoRun.worm.aasu |
| MicroWorld-eScan | Generic.Malware.SN!hidprn.96E41361 |
| Microsoft | Trojan:Win32/Fuerboos.C!cl |
| NANO-Antivirus | Trojan.Win32.Small.femmss |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM11.1.049B.Malware.Gen |
| Rising | Worm.Soltern!1.A328 (TFE:1:BldfT3eYE1) |
| SUPERAntiSpyware | Trojan.Agent/Gen-MSFake[All] |
| SentinelOne | DFI - Suspicious PE |
| Sophos | W32/VB-FFH |
| Symantec | W32.SillyP2P |
| TACHYON | Worm/W32.Gusanillo.Zen |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2004-05-07 07:02:15
PE Imphash
365b1d12b684a96b167a74679ec9e4e3
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| zCOudfzz | 0x00001000 | 0x00009000 | 0x00000000 | 0.0 |
| waecTbTU | 0x0000a000 | 0x00005000 | 0x00004a00 | 7.842925069359726 |
| .rsrc | 0x0000f000 | 0x00001000 | 0x00000c00 | 3.494614321630595 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000f408 | 0x00000128 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | None |
| RT_ICON | 0x0000f408 | 0x00000128 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | None |
| RT_GROUP_ICON | 0x0000f534 | 0x00000022 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | None |
| RT_VERSION | 0x0000f55c | 0x000003fc | LANG_SPANISH | SUBLANG_SPANISH_MODERN | None |
Imports
Library ADVAPI32.dll:
• 0x40f9a8 RegCloseKey
Library KERNEL32.DLL:
• 0x40f9b0 LoadLibraryA
• 0x40f9b4 ExitProcess
• 0x40f9b8 GetProcAddress
• 0x40f9bc VirtualProtect
Library USER32.dll:
• 0x40f9c4 MessageBoxA
L!This program cannot be run in DOS mode.
/<kRkRkR
^iRYjR\gRXWR
AlRkS\RDiRTjRRichkR
zCOudfzz
waecTbTU
20|ojBh@FToo
m^pQePh
xh0]}'
^6{$4TE'
@#04r6;
mnsOIU
63)o (a
Z"{e1G2
bHv$=|
SkDr3Ot8"kD
Q# 2Vw
c~l!h,@
aMvQLc[}
KI.\ ]A
0aYW,)G_
B,^ 661
G`,l\ g
58vk[^w
]Xe'=M6
[Bl_2C
^qd_EH,+
.W/nM%uA
<]l`.-
>H!I-?^
hRABWf
3-`UiL
+*9}wd
a1~@B8
b/##g"R
O!)b'nJ
O%ah\l
9(@N$'4<9
5[{5p*04^.W7P[XF
:wt4>"+
tA+gv2S
n7n#fB
rWu;m{6e')~c>
[44YuyUt
l3+B5r
+;r>)V]
P Yt.EKxY
Cc;e+t
.+PSS#=+t67)
W<:on.
fX35_[
xY `4-u
3;5~xww
Vi85|<!OQ=
Qr(4/&-
@/kvzouB
dPd%DX_eD
=M@#;t
ungVVxEG 6
AihOr]`$Y%HuQX
~]lPjl!
lu+u!9$
jO?{_smu
b-a!LRWl
H6_W<Jv
:o3qLo$
*fY+/hW<at
p2jIUw4}
C8>X a
:J-]D7
t3`X\X
N?~^_M
|8[#\D
hAWE6043F
ic uW|R[kN$
3OCc%n?iZ0(T
Bw<GwHywG~
p{dDBFC
8(ph~jj
SU=62M=@
D0<timX
dXYdnY
neQ%H[QD
QJ]V]0[$T!
9~&WP$|
ud pKmc#95 g~M
=j+T2>0@
F;L|81
Q5ix.o[
<w-%"\
T#Aeb7~{tHHt.
cy.E-qd
7_@;|?4-O
(nun{n!
M\L~Yy
~PS"=FR
3X_e e
7KYm5-
+#W!}b+
Q[1'2El t
q40Ph=
j9!uLWwg
\hhr`;;
T^4M\dlt
A5"LAx=
0`[ M,P
kl:Z`JY
bP%b0A
B]B0<l
3Ub4H%
"3vo96E4I-Tk[
V_zv 2?6
4bGG'w
vq^9^N](
105l`w.3
2?n>B)Zt2
cR3Y:+*G
H_jt,E
\PmlKo
caW,,>Y
#psM']<+
\9g~]tu@
-?mQ>k
iCGPCY~2
d4vc?)>
?kS\$K81&<
P6#v&?'6
,&_uR<<uSW
Cu SyP
[_[^67
Vt"<c[[
f'Y^"!@
TA%.hs;
L>o$q;r
3 7=3 ?$=
R<"u%kF
FNArF>!
Z3':V[<=t
GV*D)6
=A8 t,[
{EI"U4 .k;
+;A#VS)
7PSS:-
PV5WHZ"d`
xAKw7\5b_h
[EHJf`ZJ
I{6(X0;
4KjB;|2bj
EKDrAvh
l5 )s
95c}RDL
D|R9I|D
~FDh6M
LR7/GEq
DTUh|O
Ejh@de
~B A$t(v
dd_Gz]d&
Y[gVC20XC
]f>!s{
ak-|vItEVUk
#Bw]^A
3x<%Xw?
)_!hu}
j,#@<v)
hs'RcY,_&4Pl
jPC$#{^
UPUT],
UUuB[T
+yK,EO! T]j
@V;=WsR*
<16gB_
H~HOSJ
2V Uye+
yIIPPV
03KAar
<=+ >A&
^#+t-%m
{nG{{7
q>'V<h
?u ;V`
jU!gou
=M<tM?6
IO3Swuss=
kond=!DEr
nEC[ o
_xHTzP
t@Gp.$
RH4R_j
o}pIPn
U@yHwg
@=orV%b9,Tek
klo%!UK
Ivp-[t"K
7U@}n`
PBBB5t
4u_[j5@-zPV3zR#
LJk!^!
.h>g5.|^l
Vs Fuo!
Fu,@q%
:CwvXp
F!z`^KND/
A,>oB{E2ZXZ.
MY`.I@}
uFWP[Sh0Wy
w< s.UUH$<
ogtfSLaj
Sm!eE,\M
}tVdgEkt
B/u>C1
VI`40 I
3P3<PcY4
d4S,A b
nVtc<kaB|Vj
g:)IV_j
sZ?ML}T
Fnav0p`S
L 8WKC
[t*,WPB
,:iiHVftiM,
x"8Pj4M4|4M
.>Tdw4
P, (8PX
)ww?(null
runtime error
- Kabloto iniValiz
|'7not=
spac#f{lowi8)a
on76std5pur+viokrtu!3c# c
b('4__*kex\/X
_N19opeX1s
desc+8!
#7mvmtha
4dpkma.
p@gram Jm6-
A*+0.}
+8argu(s
_`+fnng
VisC++ RLib
<%,klwlwn>
GetLa2A
Wd&essageBoxA3s%32.d*"g&
vXKKb}IO
Y@#EXE
COMI+RyAR
ISORRG,v1CD
MTDI5@RL
SUmWkm
TGTJm{TnW|3
OG6An|
ASN@VOOAU@
6AI"RMI
KSTJ}?k+
9vVdXVKDOTXTcD"naRT
jamp 5.0 (f
vers).exe
L4C3AAv
l|n&Dpde Photo
9.16_Its Work!]A
Ace8)wB[5 S
(A#:&& IJl>!
Pluu(DAP)$
RaA6}1
cckcM%~
CtaH 200
2 freeweL Z
3DTtuqR8
xh=SbDub8
.4OBjM mengx
Hharofe
azkaiQLHFfDdh[? KqI'
NOKIAX
lnapFe[;3MDLYnBaC-pZ jpa
jK9^mPk
T/;y LoV
okhcaON
o5_0Z$r
sGvr9/MovB
c i[.H
7".\Emu<
H,2MPoA
Ce Il3
l!H5^7b2D<"
]d!Ehl"
JqJc 6[H80,
CG`a6t
Zjmoi^
mrotoE
m[LCi< 6
SPhPx~N?a
f87SoQMn
$ADDQXGeB
8]hum=T
(/htixO&perVQ
CSh]:s-ee
roZ'84Ags-4(
xim0pk7
_MI#838
rb[:\Gu
NQ^B4h@Cts!3H?
B!Fo g9
FivoE*L0
-m-nSM5qc oE[t9a
_d7{abO
eO~eSOFT
8$\ys\#AZ1V
:R+ 6mb(2[t
6Suyoig
Oolrnk
ahphs-ld
EMULE.
QXg/;d?DSdaG+012345:J
Kazaa\\P
[y?yv!
w#?@~/
^__j2/``
U%QdTUU2"
StTypeW
*1ANam
soryAj
Ayce*)upInfoR
n<mLinc
Pr7OEDee
~n&Re{
Wrh0[h
UnhCnnmd
pt<te`d
ToMBy!les,
6h'Buff
}r/Load&JdOfp
exHP[`e
.r0%!V
XPTPSWXaD$j
33333330
{{{{{{{3
{{{{{{{33
{{{{{{{330
{{{{{{{330
{{{{{{{330
3333333
33?030
33333333
wwwwwwwwwww
DDDDDD@
DDDDDDGpw
DDDDDDGpw
DDDDDDDDDDD
wwwwwwwwwww
DDDpp@
ADVAPI32.dll
KERNEL32.DLL
USER32.dll
RegCloseKey
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
MessageBoxA
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�c�0�a�0�4�b�0�
C�o�m�m�e�n�t�s�
M�i�c�r�o�s�o�f�t�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
M�i�c�r�o�s�o�f�t�
F�i�l�e�V�e�r�s�i�o�n�
1�,� �0�,� �0�,� �1�
I�n�t�e�r�n�a�l�N�a�m�e�
M�i�c�r�o�s�o�f�t�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
D�e�b�i�d�o� �a� �q�u�e� �e�s� �u�n� �G�u�s�a�n�o�,� �n�o� �c�r�e�o� �o�p�o�r�t�u�n�o� �r�e�l�l�e�n�a�r� �e�s�t�e� �c�u�a�d�r�o�.� �j�e�j�e�j�e�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
M�i�c�r�o�s�o�f�t�
P�r�i�v�a�t�e�B�u�i�l�d�
M�i�c�r�o�s�o�f�t�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�,� �0�,� �0�,� �1�
S�p�e�c�i�a�l�B�u�i�l�d�
M�i�c�r�o�s�o�f�t�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.