Score: 2.5
Risk level: Medium

SHA256: 03957b5c1cc8d2e2f81245ddf3dbb7af9e04dfad9b6f14b1b54e0312178a27bc

File name: 03957b5c1cc8d2e2f81245ddf3dbb7af9e04dfad9b6f14b1b54e0312178a27bc.exe

Analysis time: 73s

Last analysed: 392 days ago

File size: 48.6KB
Classification fields: Static detection, Dynamic detection, CVE, Family, Metatype, Platform, Type
Tags as displayed: UNKNOWN WIN32 TROJAN DOWNLOADER BUBLIK
Hawkeye engine (ML model scores)
DACN 0.14
FACILE 1.00
IMCLNet 0.73
MFGraph 0.00
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba None 20190527 0.3.0.5
Avast Win32:Crypt-QDX [Trj] 20200217 18.4.3895.0
Baidu Win32.Trojan-Downloader.Small.aw 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20200218 2013.8.14.323
McAfee Downloader-FWH!BA11B6A6EDD5 20200217 6.0.6.653
Tencent Trojan.Win32.Bublik.bkis 20200218 1.0.0.1
Static indicators
Checks whether the process is being debugged (2 events)
Time & API Arguments Status Return Repeated
1727545289.328375
IsDebuggerPresent
failed 0 0
1727545289.764875
IsDebuggerPresent
failed 0 0
Note: "failed" here is the sandbox's label for a zero return value. IsDebuggerPresent returned 0 (no debugger attached) in both calls; the check itself executed normally.
Behaviour verdict
Dynamic indicators
Sets memory to read-write-execute (reported as "allocates RWX memory, usually used for self-unpacking") (2 events)
Time & API Arguments Status Return Repeated
1727545289.422375
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00401000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1856
success 0 0
1727545289.827875
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00401000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2060
success 0 0
Note: this is NtProtectVirtualMemory, not an allocation. The handle 0xffffffff is the current-process pseudo-handle, and 0x00401000 is the first page of .text (RVA 0x1000 in the Sections table, with the image base 0x400000 implied by the 0x4020xx import addresses that line up with .rdata at RVA 0x2000). Each process makes one page of its own code section writable and executable, which is what an in-place decryption stub does. Both the sample (PID 1856) and the dropped wefi.exe (PID 2060) show the same pattern.
Creates an executable file on the file system (1 event)
file C:\Users\Administrator\AppData\Local\Temp\wefi.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator\AppData\Local\Temp\wefi.exe
Drops an executable into the user's AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\wefi.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1727545289.593375
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\wefi.exe
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\wefi.exe
parameters:
show_type: 0
success 1 0
Note: show_type 0 is SW_HIDE, so the dropped file is launched with no visible window. The three file indicators above are one event seen by three rules.
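The behaviours listed above (an RWX re-protection of the code page, an executable dropped under the user's Temp folder, and its hidden-window launch) can be pulled out of a Cuckoo-style API trace automatically. The Python below is an added example written for this page, not code from the sandbox. The API records are constructed to mirror the events above, the section table is copied from the Sections section of this report, and the 0x400000 image base is an assumption taken from the import addresses (0x402000 for the first import matches .rdata at RVA 0x2000).

```python
"""Triage a Cuckoo-style API trace for the behaviours this report flags.
Added example for this page; the records below are constructed, not a
real sandbox export."""
import re

PAGE_EXECUTE_READWRITE = 0x40     # Win32 protection constant (64 decimal in the report)
SW_HIDE = 0                       # ShellExecuteExW nShow value that hides the window
CURRENT_PROCESS = 0xFFFFFFFF      # GetCurrentProcess() pseudo-handle on 32-bit Windows
IMAGE_BASE = 0x400000             # assumption, derived from the 0x4020xx import addresses

# Section table copied from the report: (name, RVA, virtual size).
REPORT_SECTIONS = [(".text", 0x1000, 0xE68), (".rdata", 0x2000, 0x40C),
                   (".data", 0x3000, 0x100), (".rsrc", 0x4000, 0x1F10)]

# Executables dropped here are what the report's "AppData folder" rule reacts to.
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed records mirroring the report's events for PID 1856 and its child 2060.
SAMPLE_CALLS = [
    {"pid": 1856, "api": "IsDebuggerPresent", "args": {}, "return": 0},
    {"pid": 1856, "api": "NtProtectVirtualMemory",
     "args": {"process_handle": 0xFFFFFFFF, "base_address": 0x00401000,
              "length": 4096, "protection": 64}, "return": 0},
    {"pid": 1856, "api": "ShellExecuteExW",
     "args": {"filepath": r"C:\Users\Administrator\AppData\Local\Temp\wefi.exe",
              "parameters": "", "show_type": 0}, "return": 1},
    {"pid": 2060, "api": "NtProtectVirtualMemory",
     "args": {"process_handle": 0xFFFFFFFF, "base_address": 0x00401000,
              "length": 4096, "protection": 64}, "return": 0},
]


def section_for(address, sections=REPORT_SECTIONS, image_base=IMAGE_BASE):
    """Name of the section containing a virtual address, or None if unmapped."""
    rva = address - image_base
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None


def rwx_self_protect(calls):
    """(pid, base, length) for every RWX re-protection a process applies to itself."""
    hits = []
    for c in calls:
        if c["api"] != "NtProtectVirtualMemory":
            continue
        a = c["args"]
        if a["protection"] == PAGE_EXECUTE_READWRITE and a["process_handle"] == CURRENT_PROCESS:
            hits.append((c["pid"], a["base_address"], a["length"]))
    return hits


def hidden_exec_from_temp(calls):
    """(pid, path) for every hidden-window launch of a file under the user's Temp folder."""
    return [(c["pid"], c["args"]["filepath"]) for c in calls
            if c["api"] == "ShellExecuteExW"
            and c["args"].get("show_type") == SW_HIDE
            and USER_TEMP.match(c["args"]["filepath"])]


def triage(calls):
    """Human-readable findings, one per matched behaviour."""
    findings = []
    for pid, base, length in rwx_self_protect(calls):
        sec = section_for(base) or "unmapped"
        findings.append(f"pid {pid}: RWX on 0x{base:08x} ({length} bytes, in {sec}): "
                        "in-place code modification, typical of a decryption stub")
    for pid, path in hidden_exec_from_temp(calls):
        findings.append(f"pid {pid}: hidden-window launch of dropped file {path}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_CALLS):
        print(line)
```

Mapping the protected address back to a section is the step worth keeping: an RWX page inside .text points at self-modifying code, whereas an RWX page in a fresh heap or VirtualAlloc region points at a separately written payload, and the two call for different follow-up (dump .text after the stub runs versus hook the allocation).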
Network communication
Communicates with hosts for which no DNS query was made (2 events)
host 114.114.114.114
host 8.8.8.8
Note: both hosts are public DNS resolvers, and the UDP table below shows the guest talking to them only on port 53. This indicator is therefore the sandbox's own name lookups, not a resolved destination of the sample.
Connects to an IP address that no longer responds (legitimate services usually stay up) (1 event)
dead_host 82.98.135.44:443
Note: this is the one external endpoint the sample tried to reach. The sandbox marks it dead because the connection attempt got no reply, which is also why the TCP table below is empty.
File flagged as malicious by 65 antivirus engines on VirusTotal (50 of 65 events shown)
ALYac Trojan.GenericKDV.1397311
APEX Malicious
AVG Win32:Crypt-QDX [Trj]
Acronis suspicious
Ad-Aware Trojan.GenericKDV.1397311
AhnLab-V3 Trojan/Win32.Zbot.C216253
Antiy-AVL Trojan/Win32.Tgenic
Arcabit Trojan.GenericV.D15523F
Avast Win32:Crypt-QDX [Trj]
Avira TR/AD.Yarwi.yepnd
Baidu Win32.Trojan-Downloader.Small.aw
BitDefender Trojan.GenericKDV.1397311
BitDefenderTheta Gen:NN.ZexaF.34090.dqZ@aGsVHtpi
Bkav W32.AIDetectVM.malware
CAT-QuickHeal TrojanDownloader.Upatre.A4
CMC Trojan.Win32.Bublik!O
ClamAV Win.Downloader.Upatre-5744092-0
Comodo TrojWare.Win32.TrojanDownloader.Upatre.MAUA@5rueuc
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.6edd59
Cylance Unsafe
Cyren W32/Trojan.ASJU-5483
DrWeb Trojan.DownLoad.64694
ESET-NOD32 Win32/TrojanDownloader.Small.ABH
Emsisoft Trojan.GenericKDV.1397311 (B)
Endgame malicious (high confidence)
F-Prot W32/Trojan2.OABQ
F-Secure Trojan:W32/Agent.DUPG
FireEye Generic.mg.ba11b6a6edd59430
Fortinet W32/Bublik.AEOV!tr
GData Trojan.GenericKDV.1397311
Ikarus Trojan-Spy.Zbot
Invincea heuristic
Jiangmin Trojan/Bublik.gfu
K7AntiVirus Trojan-Downloader ( 0040f6c11 )
K7GW Trojan-Downloader ( 0040f6c11 )
Kaspersky Trojan.Win32.Bublik.bkis
Lionic Trojan.Win32.Generic.lNlt
MAX malware (ai score=83)
Malwarebytes Trojan.Email.FA
MaxSecure Trojan.Upatre.Gen
McAfee Downloader-FWH!BA11B6A6EDD5
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.pt
MicroWorld-eScan Trojan.GenericKDV.1397311
Microsoft TrojanDownloader:Win32/Upatre.E
NANO-Antivirus Trojan.Win32.Bublik.cqjjgp
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM20.1.5301.Malware.Gen
Rising Trojan.Crypto!1.9F10 (RDMK:cmRtazr/Jeyjmjb/C3k23+FUwucF)
Sangfor Malware
Visual analysis
Binary image: data-import images rendered at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32 (images not reproduced here)
Runtime screenshots
No runtime screenshots: none were generated while the sample ran.


PE Compile Time: 2013-11-13 03:57:55

PE Imphash: 77bc4c94329925fab055077cd2ff036a

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00000e68 0x00001000 6.5499043031925845
.rdata 0x00002000 0x0000040c 0x00000600 3.899640358956631
.data 0x00003000 0x00000100 0x00000200 3.4479910817237003
.rsrc 0x00004000 0x00001f10 0x00002000 5.211126083410176
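Entropy is the column that matters most for a suspected packed downloader: plain compiled x86 code usually lands around 5.5 to 6.5 bits per byte, compressed or encrypted data close to 8, and .text here sits at 6.55 with its first page later re-protected RWX. The Python below is an added example for this page (not the sandbox's code) that computes Shannon entropy, bands the report's own section table with rule-of-thumb thresholds, and locates high-entropy windows inside a section image so the encrypted region can be found without a full disassembly. The 4 KiB buffer it scans is constructed (NOPs followed by a byte permutation); the thresholds are assumptions.

```python
"""Section-entropy triage. Added example for this page; the section
table is copied from the report, the byte buffer is constructed."""
import math
from collections import Counter

# (name, virtual address, virtual size, raw size, entropy) as printed in the report
REPORT_SECTIONS = [
    (".text",  0x1000, 0x0E68, 0x1000, 6.5499),
    (".rdata", 0x2000, 0x040C, 0x0600, 3.8996),
    (".data",  0x3000, 0x0100, 0x0200, 3.4480),
    (".rsrc",  0x4000, 0x1F10, 0x2000, 5.2111),
]

# Rule-of-thumb thresholds (assumptions, not taken from the report)
LOW_MAX = 4.5     # below: text, tables, sparse data
MID_MAX = 6.9     # below: compiled code or lightly encoded data; at or above: packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the buffer: 0.0 for empty or constant input, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((k / n) * math.log2(k / n) for k in Counter(data).values())


def entropy_band(entropy: float) -> str:
    if entropy < LOW_MAX:
        return "low"
    if entropy < MID_MAX:
        return "mid"
    return "high"


def section_findings(sections):
    """Band every section and flag layouts that suggest runtime unpacking."""
    out = {}
    for name, _va, vsize, rawsize, ent in sections:
        notes = [entropy_band(ent)]
        if rawsize == 0 and vsize > 0:
            notes.append("no raw data (runtime-only section)")
        elif vsize > 2 * rawsize:
            notes.append("virtual size far exceeds raw size (unpacking target)")
        out[name] = notes
    return out


def high_entropy_windows(data: bytes, window: int = 256, threshold: float = 7.0):
    """Offsets of fixed-size windows whose entropy reaches the threshold."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) >= threshold]


# Constructed 4 KiB page: 2 KiB of NOPs, then a byte permutation (167 is odd, so
# every 256 consecutive values are distinct and each window has entropy 8.0).
SAMPLE_PAGE = b"\x90" * 2048 + bytes((i * 167) % 256 for i in range(2048))

if __name__ == "__main__":
    for name, notes in section_findings(REPORT_SECTIONS).items():
        print(name, ", ".join(notes))
    print("high-entropy windows:", [hex(o) for o in high_entropy_windows(SAMPLE_PAGE)])
```

On this sample none of the sections crosses the "high" band and every raw size covers its virtual size, so whatever gets decrypted at run time is small enough to hide inside ordinary-looking code; the windowed scan is the tool for locating it once .text is dumped after the RWX stub has run.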

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x00004250 0x00001ca8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x00005ef8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x000040f0 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library USER32.dll:
0x402038 GetMessageA
0x40203c DispatchMessageA
0x402040 ShowWindow
0x402044 LoadCursorW
0x402048 TranslateMessage
0x40204c LoadBitmapA
0x402050 CreateWindowExA
0x402054 RegisterClassExA
0x402058 DefWindowProcA
0x40205c MessageBoxA
0x402060 SendMessageA
0x402064 LoadIconA
0x402068 PostMessageA
0x40206c SetWindowTextA
0x402070 GetKeyboardState
0x402074 PostQuitMessage
0x402078 GetClassLongA
Library KERNEL32.dll:
0x402008 HeapAlloc
0x40200c GetProcessHeap
0x402010 GetModuleHandleA
0x402014 HeapCreate
0x402018 DeleteFileA
0x40201c HeapFree
0x402020 HeapReAlloc
0x402024 SetFilePointer
0x402028 WriteFile
0x40202c ReadFile
0x402030 CreateFileA
Library GDI32.dll:
0x402000 GetStockObject

Strings

L!This program cannot be run in DOS mode.
R:)RSR
RRichR
`.rdata
@.data
@@@uhh
0jhu0j@ ujuEh0jjuhh
h @uhEE0
u 0j@j EujEhj
j0u 0@@ULV5d @
WWPWWh
t*=H @
u[_^]jjj jE h@
Euj j00E@E@@@uhuu0u
0j@@ Ehuh
@uE0huj h
h0@j@huh@hhj0Ejh u@j@j j juu0E jjhjjj@@h@
VWAAf9
uE@ME;ve
E;EsN$
E 0jh
Euuhjuh @@ 0u0E
hjjh0j@u@EjE0jUVW}
FG3@_^]
@jE@h0
h 0j0uu@ jE0h
u Eh@0hj@uj@
jj00j
0 @uEhEuE0hhE
u@h @ hju
h hjuu
E@j@u@0@
C!{<UdR!l
`0^L
=-Rm2 H}
[728zd
-Kf6+ej
YOx2!ei
D!2-jm
[ET5;`
zZ(}$0M}/r>EA
V]M.vz
v~/,4l
!N%79#
ntZ7 E
`]vjPp7
QXH"Yb6Py
8bh/mYbAut
;$}E'M$YB.&~
}fUU|fC
ivYQba-
5YB6"u
mYbY;4m
8~Y}f$J%Yb
8Z/cu# 8zwm
0_3#avzYQ
u7M~/l
gE! :zYQ
u7M~/l
#_}wz{
IZ;Y7u*0ng
A0f>EA:
'E%(f{
VN"Yb/
0Im-rrKwY
f/mYbAut;$)#EM
-31A3}p|U+_Fvz[Q`a
FfgK39*
>8{Y}f$J#4ve
UUpb/*
Q4PJ N7v's]
Y^|N$pt
7^|N)a|
wUga5cw
5Z{Nt/(B@
U;Z e E
@juE0E@
juu u@E 0j u@
jj0j
jh@Ej0Ej@hE0h E
jjj u u
jEEhh@
Iu[[_[+S@uju E0
uhuh@ uh
0@h00@EEj00
0 uu h
uE@h@ u@hj
jEuu@huhu 0uh@juu0 jhhuEEEuu @@ hjE0@ Eu
grounding
static
button
displayed
W]2+8R
3$ISA8
DJ"LN
&>@,".O[GP<4;G
GetClassLongA
SetWindowTextA
GetKeyboardState
PostMessageA
LoadIconA
SendMessageA
MessageBoxA
DefWindowProcA
RegisterClassExA
CreateWindowExA
LoadBitmapA
TranslateMessage
LoadCursorW
DispatchMessageA
GetMessageA
PostQuitMessage
ShowWindow
USER32.dll
ReadFile
WriteFile
SetFilePointer
HeapReAlloc
HeapFree
DeleteFileA
HeapCreate
GetModuleHandleA
GetProcessHeap
HeapAlloc
CreateFileA
KERNEL32.dll
GetStockObject
GDI32.dll
construct
"@R.5Wcb
[2c<_6%
\RU(@I<
Y<PATOQ7W%=
[1\<V)
c4j-`
5F:7X"
6P<D$A
4XOFRS=H1L
YI TW7
@uE0huj h
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
F;,{s
LB/#PD
;1TLxr
C9$!lc
F=_We]
-#<50-
kVPVOUOUNUOUOUNUOVOUOVOVOUOVOVP\U_XXQUOVP[UD@
I?qj.#
kbB6h`
G<4(kb
xxxtttttt
ODj_j_[P
MCVK/!,
------#
j_WLB6
.,--,
-/ / / / / / %
PCbW`TI<
0!/ / .3%
/ 1"1"1"1"1"1"0 4%K>REF91!6(K>PC>0/ / 9+M@THH:2#0!1"1"1"0!5'
1"1!1!1!1!1!1!4$2"+
3#4$0 +
3#3#3#3#3#2#7(!
4$F8F8F8F8F8F8>.@1A2B3B3A2A2B3B3B3A3A2B3B3B3B3A2A2A2A2A2@1H9!
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
c:\40ab8b0050e496fb00f499212b600ddb.exe
C:\lj8gSflS.exe
C:\3aOg71iG.exe
C:\b4f3dOIB.exe
C:\4NZm6hVI.exe
C:\7smC8u8P.exe
C:\f6KwSvXW.exe
C:\K5ezXnf3.exe
C:\EWhtVbbh.exe
C:\db85b8f4640c6cc9b99619103f70208e8b7f452f4980147f51fd8614691efd0c
C:\Cmoal9dM.exe
C:\CTmSAJOe.exe
C:\BbbkT0Ah.exe
C:\j4tex8ag.exe
C:\5Bno1E8k.exe
C:\_cGbfD2R.exe
C:\APJnpj3j.exe
C:\FpXqC0i2.exe
C:\W3XUQbJ0.exe
C:\u364wzWs.exe
C:\OF9areus.exe
C:\T28Jp9JK.exe
C:\DM2roxig.exe
C:\OorEOseg.exe
C:\oihP_I1t.exe
C:\8EdqVSZU.exe
C:\d5p7jEU8.exe
C:\Kr5XOG0e.exe
C:\dMtAxSAw.exe
C:\oxwNKMje.exe
C:\1XljcYnn.exe
C:\fgbYwrti.exe
C:\RvL89ATr.exe
C:\ffd003cea658f9a333910a986e907208f38ed2c81b65f645c4c1dd00f6bde78f
C:\ab6f4fe27db3efbeb81e8f2e8ef65e4da8c81bc8f90a002a52d4b3ad0a2e0d88
C:\bUH4Zmsc.exe
C:\vdAKnh1h.exe
C:\i16MxrmH.exe
C:\Opeg9PuJ.exe
C:\PVzRdoNb.exe
C:\EuNHrhzp.exe
C:\AOOAdrJH.exe
C:\UuTSD9Fi.exe
C:\YASpT4jD.exe
C:\60f5fde079a385e1ed84d701bed661e872ee370842f0be5e421fc64bbc4e3ad1
RESOURCE_FATOKENIZER
KERNEL32.DLL
smscoree.dll
nruntime error
TLOSS error
SING error
DOMAIN error
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
- abort() has been called
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
WUSER32.DLL
((((( H
CONOUT$
C:\Users\admin\Downloads\25e92fb434cab5da9e4e59400367f94bf1f4de760d45f2774120c517b3bf78b7.exe
C:\68a765d1ecb41dc3fc8e010a967da6f0056ce3a6fb61c629705bbea9ddff21a4
C:\c423b8bc1371fcac08e941a6a4caceee7a0d2a244c3f1a61fe377cddec68c7fc
C:\8f7d7cb4ecf0c8afd909d537d50b9c8773e6a65f20b7e1daedc01edd18c20c15
C:\c807c6b54e369ed3b0c41d40fba3ce6ce79c1495f87058a3a05d70d20247e0da
C:\f6ca89623b83ff5c8df741b35acd0199b18c1274dd1bfb4c23954bd08124226f
C:\cbf83d27f2f29d57f34c6b80fa3fd89096fbc42af166906344e9a6817d4ff1d9
C:\06556693271afff162afc8383a1f4af7c1a4a5d1fa46dc435cc2b316c350a191
C:\Users\admin\Downloads\wefi.exe
C:\8f5319b6e262b348053fc7bfd9cf088045973fbacc745090c686c30fa20ea21c
C:\Users\admin\Downloads\wefi.exe
C:\2508c0fca62d0b6d2542657e03fdec66c21e0fe04335288710b20cef0293b73a
C:\Users\admin\Downloads\wefi.exe
C:\1725745e904bcdcda2cbbdbdf546487a23c1f50578f103eb89b31e563bb074be
C:\Users\admin\Downloads\wefi.exe
C:\571d84c42a6e71de41c844c5504ff9169f0da0269add72e23578f39a432eb7b9
C:\2022aec24efba34906eff820c0404d99f8b1897f9f3d41cc18ec5d6cd9873858
C:\ba085d9238232f94be467b5f1a3c5a7e8d176eff2ab27b19c01801d7cc50f71a
C:\Users\admin\Downloads\wefi.exe
C:\134fcd7d50ef20ac28dde95c33ee863d007374ebee7deb989ef3e99cb773fb6a

Process Tree

03957b5c1cc8d2e2f81245ddf3dbb7af9e04dfad9b6f14b1b54e0312178a27bc.exe, PID: 1856, Parent PID: 1784

wefi.exe, PID: 2060, Parent PID: 1856

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53
192.168.56.101 57665 114.114.114.114 53
192.168.56.101 51758 114.114.114.114 53
192.168.56.101 51758 8.8.8.8 53
192.168.56.101 52215 8.8.8.8 53
192.168.56.101 52215 114.114.114.114 53
192.168.56.101 62361 8.8.8.8 53
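Every row in this UDP table is background noise of a Windows guest: LLMNR multicast to 224.0.0.252:5355, NetBIOS broadcasts on 137/138, and DNS to the two public resolvers. The Python below is an added example for this page, not sandbox code, that classifies such flows and checks whether a host the "no DNS query" indicator reported was only ever reached on UDP/53 (in which case it is the resolver, not a contact of the sample). The flow list is copied from the table above; the guest network 192.168.56.0/24 is inferred from it.

```python
"""Classify a sandbox UDP table into guest background noise and flows worth
a second look. Added example for this page; flows copied from the report."""
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.56.0/24")          # guest network (inferred from the table)
LLMNR = (ipaddress.ip_address("224.0.0.252"), 5355)    # link-local multicast name resolution

# (src, sport, dst, dport) rows as printed in the report
UDP_FLOWS = [
    ("192.168.56.101", 53179, "224.0.0.252", 5355),
    ("192.168.56.101", 49642, "224.0.0.252", 5355),
    ("192.168.56.101", 137, "192.168.56.255", 137),
    ("192.168.56.101", 61714, "114.114.114.114", 53),
    ("192.168.56.101", 61714, "8.8.8.8", 53),
    ("192.168.56.101", 56933, "8.8.8.8", 53),
    ("192.168.56.101", 138, "192.168.56.255", 138),
    ("192.168.56.101", 58485, "114.114.114.114", 53),
    ("192.168.56.101", 58485, "8.8.8.8", 53),
    ("192.168.56.101", 57665, "114.114.114.114", 53),
    ("192.168.56.101", 51758, "114.114.114.114", 53),
    ("192.168.56.101", 51758, "8.8.8.8", 53),
    ("192.168.56.101", 52215, "8.8.8.8", 53),
    ("192.168.56.101", 52215, "114.114.114.114", 53),
    ("192.168.56.101", 62361, "8.8.8.8", 53),
]
NO_DNS_HOSTS = ["114.114.114.114", "8.8.8.8"]   # hosts named by the report's indicator


def classify(flow):
    """One label per flow: llmnr, netbios, dns, or review."""
    _src, _sport, dst, dport = flow
    d = ipaddress.ip_address(dst)
    if (d, dport) == LLMNR:
        return "llmnr"
    if d == LAN.broadcast_address and dport in (137, 138):
        return "netbios"
    if dport == 53 and d.is_global:
        return "dns"            # the guest's stub resolver talking to a public resolver
    return "review"             # anything else is sample-driven until proven otherwise


def summarize(flows):
    """Count of flows per label."""
    return dict(Counter(classify(f) for f in flows))


def explain_no_dns_hosts(hosts, flows):
    """Is a 'contacted without DNS query' host simply the resolver itself?"""
    verdicts = {}
    for h in hosts:
        ports = {dport for _s, _sp, dst, dport in flows if dst == h}
        verdicts[h] = ("resolver (UDP/53 only)" if ports == {53}
                       else f"review, ports {sorted(ports)}")
    return verdicts


if __name__ == "__main__":
    print(summarize(UDP_FLOWS))
    print(explain_no_dns_hosts(NO_DNS_HOSTS, UDP_FLOWS))
```

Run against this table the summary contains only llmnr, netbios and dns, and both indicator hosts come back as resolvers; the only sample-driven endpoint in the whole report is the dead 82.98.135.44:443 from the network indicators, which never produced a completed connection and so never reached this table.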

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped file

Name 167f2beac9d06310_wefi.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\wefi.exe
Size 48.8KB
Processes 1856 (03957b5c1cc8d2e2f81245ddf3dbb7af9e04dfad9b6f14b1b54e0312178a27bc.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a22bafd6529c075819cd5ed39b7444a0
SHA1 0666ea669d27e20a7d2b32aacd2889a010991c9e
SHA256 167f2beac9d063104eb2cfb82aece74b97910913cfaee4a7a145111a2715cb6c
CRC32 DDDD56C1
ssdeep None
Yara None matched
VirusTotal (search link not reproduced)

Dropped buffers: none.