1.2
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.77
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200115 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200115 | 2013.8.14.323 |
| McAfee | Artemis!BA1AEE30EFAB | 20200115 | 6.0.6.653 |
| Tencent | Win32.Trojan.Crypt.Pepm | 20200115 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | kkrunchy |
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'kkrunchy', 'virtual_address': '0x00001000', 'virtual_size': '0x005fd0c7', 'size_of_data': '0x0000d000', 'entropy': 7.316037555942182} | entropy | 7.316037555942182 | description | 发现高熵的节 | |||||||||
| entropy | 1.0 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 44 个反病毒引擎识别为恶意
(44 个事件)
| ALYac | Gen:Packer.Krucky.B.ceW@a8Qja3k |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Packer.Krucky.B.ceW@a8Qja3k |
| AhnLab-V3 | Trojan/Win32.Occamy.R266782 |
| Antiy-AVL | Trojan/Win32.Fuerboos |
| Arcabit | Gen:Packer.Krucky.B.ED199DD |
| Avast | Win32:Malware-gen |
| BitDefender | Gen:Packer.Krucky.B.ceW@a8Qja3k |
| BitDefenderTheta | AI:Packer.15E710FC1F |
| ClamAV | Win.Packed.kkrunchy-7049457-1 |
| Comodo | TrojWare.Win32.Pakes.~d7@1m1x6k |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.0efab3 |
| Cylance | Unsafe |
| Cyren | W32/Trojan.WPAV-0125 |
| Emsisoft | Gen:Packer.Krucky.B.ceW@a8Qja3k (B) |
| Endgame | malicious (high confidence) |
| F-Secure | Heuristic.HEUR/Crypted |
| FireEye | Generic.mg.ba1aee30efab3d01 |
| Fortinet | W32/Krucky.630E!tr |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.dblgn |
| K7AntiVirus | Trojan ( 00547edb1 ) |
| K7GW | Trojan ( 00547edb1 ) |
| Lionic | Trojan.Multi.Generic.moSu |
| MAX | malware (ai score=86) |
| McAfee | Artemis!BA1AEE30EFAB |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.pc |
| MicroWorld-eScan | Gen:Packer.Krucky.B.ceW@a8Qja3k |
| Microsoft | Trojan:Win32/Wacatac.D!ml |
| NANO-Antivirus | Trojan.Win32.CFI.fojgcb |
| Rising | Worm.VBInjectEx!1.99E6 (C64:YzY0OtdLk4hIyxwV) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/NeerDam-A |
| Tencent | Win32.Trojan.Crypt.Pepm |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_GEN.R002C0RAD20 |
| TrendMicro-HouseCall | TROJ_GEN.R002C0RAD20 |
| VIPRE | Packed.Win32.Krunchy (v) |
| Yandex | Packed/FRBR |
| eGambit | Unsafe.AI_Score_100% |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| kkrunchy | 0x00001000 | 0x005fd0c7 | 0x0000d000 | 7.316037555942182 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000b970 | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000b970 | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000b970 | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000b970 | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000b970 | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000b970 | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x0000df18 | 0x0000005c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_VERSION | 0x000529c4 | 0x000002e0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
MZfarbrauschPE
kkrunchy_
<lW`RB
@si.|9
cCN;[uNy
1-rWKD
6~s<%|bC8I
" co^?DlX:d
aP\tdhg|
#Hj+-5c
B|u6`>C
#d+F3ntASNJ
X6HA^z'[1Y
\{H`,3~ {SQ}:
OHQ1g]lSO8geB
wy|CZL
^BO(( 5Gt
h&|:gRQ)?9U
cq<g{9L
\}d_0b<F
9)<LL.]
$],m?f;Z?P
m*yYhs9TD
)9aW{)x
xI5pHU
PV*TyS6
^9<9E(
cqALW.
S?wk99/p
3;8|%z7;FK1
4w02J"0:9
"_#ExViG%
:D5juC]
^>u(z@2 ABQn,
Mw.V_}i
7'1^nEqqh%
{t} K
]M|JE@xLs
Yl S7}
ff*2L:Y6x$Yj
z"W64
\kg@*|V$4J
t~NSV4
*IaX H
ksaJcZ
Z8Vf]y
! rth(2@
+ V)`8B@[
W|H&VV
PHy3oAh{1S<1y"u\s'
hMEw4>x
j^4#{6<7x
d4jZ`9
}:J/Ux=%8
I2?tQDq
S uLT#:
KQ;_b@-
kHzSf5.y>\-
cHX17{
3i-trr
kdB.`Zy32>B\
$*me|{
>f>T4":b>S!}0
Q:kyYPW
t8m|[:"
E!)G_]u
J/M;~U<OC
8MZ${]S
pwnK8X
411F6Yfw
<4{=sO
S2%[6P?u5P:y~p
v>$$u}NefL
"&zBe(~^D^<
|&E^\f
D3Y*o4fl7`
^T3wP5U
Iy@D.YZWFF
EUp=Ayy
?Vzm;rv
`(@!*:
mfNtKJ0HF`
"&N {TrB
C!8vym?&VM
V/1 1h,0S
n3!iF_
j9a\H<YI >p Bd[3"jVyn
F"r~aJ
t3<x?Z;
r\0*p9;@!O*BG-*b[P
Ww^!>$Xi_]
?i ":P*fB6
0r}^bWMyL
9)=t~T
~#!_Q=
\4XoL3
Vc;yktnhW
yB]rB\
R.)BJQ
)Pr5N]
9C;=ov}
UIYC6n
FES!J,m'5
8I/nJU6iD\< ;LQH*Vo
F`O\d^F9#i1J-vg
ueI"fEl
J5Zb^Oh
`2xsDj
lTcMz]ag
]Es}e[
:PPS2P
MybU&<
M2rq/*29Z{
iu$?nZ
)R'G),xVyh%Q@
>QK=*j
ZA:[{-`V|@v
tcQ,}0HD2
J(~V:N
,.KS<9
r/r/bse
2)*" #,
XURDN\'fjHS
^nJV0sU6
?duqz/1($
" f;U+{6_(
g;D3f*s"0l#Z&9pAn}?F)}
e]eY=V}]G#
vti.lBk
0zaI;6}`
^v\D5WH0LQbb
np<a5'kc7
%C0Cd(X
>Nsvu9wUI
e7dAp3~-}V&j
$s,Fq5M8
lZ/]9rQ35
duo00e:uo /S
nw.e8<=
CL-8MX
f@'C%`s:
ualetc
>2'oF;qN<u8dY#
VXp+2A
5CfIw?z6
vP@8P;M(
*ke-M-CD
Qj.ZZX|)
slJY{t~Fe&{
d[-yZ s%e
!FyM9?
1\FELy_f
^/R<q#F2N
mtBx,c
vbPgk/ f{,QL
Tj!ThKl
v`$\6,v^Z
NDPDNWbV
5)*uE-PznDJMrUL}S
F'B'i1r
VB\M\n?
d]4*NC
RidBs0(.
2}0[@Z8Rz"{
(.bL0xA L
A{_4B_9
@5>v<pZ
{9'HA87:
<'lQ M?<PI1j8
HHroG.J}
QRk?X,S
iJO0X4!7
C4,`K7
Us~=(8]N
a8vD/gU_4f
'R-j4b
+hR=@o|xM<W-*4U"
{^[D)!A8
gd>Vcv
|zB>u_
&(X5c=
gZhl7Z]W~qv
g/d%G+f~
ovEI_s$DB
M tgr"Lq'
/>"^.n
;_?WpP"
!3h^{k]
X{-5;4'c
!-1P|K"
*&$q'[hv
U idVe
1o{+2@X.(
A_y <U
=6Vn!MM{")2
/vsi(I$;
(CH\~h~U5
}"(.D"elm
k=aX6_$1dv#_QZ+
ezd} uyalP
aeO &v
`R#0r|yc
#O@gCs
YW1mf[T9}g
!"[uq&
0&mveEZai6
kIu,;t`_
qJwB9v(M
95kW/mOQ
w5p]lR0)
PA8LT0
Iu+f-R
!3l|_%}
Ix4aWOv
;Y$=?z
jy:kQ [Gj
jd=Xx1=
"jJpC&
JVWRPn
B%zJzy\
7>%<s-aF.
"Om[,AC
Z4#T4>
x7#':
r3?$;"
u62j@68\34
B+pN};nf
>`Ec__a
bGs'\r:
|Z\hvYK'c<
x2y4zl*R~En@
[j5MH>DaoV%
R0Ng!=,7S
-AHli(C;cN
) t]Z@
H4(X~_@L
;-,{M;
d) hH"
pe({g[)vv
6rv:Q"0Co~W%62$]
OAAZVzO5YJ@R5}8
kB@>50:'H
h4*&4iQ7>"
4'Pq&#~s2F
5v,&Sm
Pr8xKZ
r@Oyn
@3'ebkJv-Jue
5KYdR>5\B2E
Fg,N65
q[Y_jr<R
G'{-\TM
Z(__|F
vT"EfFc
itYp=Lz,gj]lj
5Jn$'?6gO
GebA7I6HIn
*XF7Qy
\QX8[atDR
WP)"/0jQGljR
Dz8*P:w5&
lF8&D'
$d^c{[=PqPi
0-jwVSR
PrZ;mlr
^%`iraLx
^MW]wp
tCE%C>6o4
7WiNR*
K,_2V-jg5)
2v2ZsE+fj
\r3P!pD
92]/X"3L
LIeX@I
ZD8qfK/q
nA`&QT
)UTqC!;
Snrv{pZ0?e
5|s%|w5
!m(zn!O4d%Ww
nn#Jb,B
L^{'3dent
+QkfH~5
zHUB~\
hYepwwd
`<Q],J
C;4Tv3
1*vIjm~?V3w<n
"sYB|Z
6#%bX)
:/#c519l
+.;p|0r"
N{~ ZQ
,Y=QI^oS
~>z#Y-
P v:b^S;
\(o@D6q.m
B60@eG?75a;J$
5`4ioH
0X~s<nl&
oP>;iiD5Q=mul
wAoAeN
4WpG;PG5XZ
BZ(W4;
$b4~Gg+/
U;RS;Q
a$]#[~
Dr*SR{m
Sb6qHgY!
Wd1%uW;
nUh;U37w9[j
]fIi;I):
vpfc6ct`1
\G{nB""@W
yuFzG{B,xLnfZ{bq
X-mAz<(v
$0gMyA8bdsH
&pF9tdq6#}(
qkI)Mp+
<IJWs i}%W:bHH
*+`6k]v
S:$]E'`1$Q
ro".p^l~J}
X=p!%D
ED/U407
$ZFJCc:sE7s5
480C?TDKw4pb
I$IC7M.
+*^Zs!9r-4i
V[7NF7GT`G:
6aUbl`iF
h/I`:-_
-xe?Bi"-rApCNdg
^|b/gWK
%Y'}n}
BWn1D_|UpC
xG_][r-
_t`h@*
.|<Qn]0e
Ak Vdv
e92,Or
:|ufUS
*3V 9&r
0a9&-w)d@
bY!a.v]Z8u(^OIG
Uq$]4}P.
~]3K1 ,
'x[2Ot'
<$'5#D-M
/(?#F9r
QTirNX1J=K-
aVPHZ}
Hq$b^v/lvLY>,
7[I|DWZaoL
dS}0w;
wv;#O`\3~2
Mk3ssup>BdEG
dCCf#S!+
D+?A3$g}?
ZhxgVm
'GPEeS
<U]"!"x
0zcjA1b,E^
yj!p,D(vG?v
;d[ZfOl
C0@Y?pvx%4+rG
<,Le>DK
|qsi Nd<x~\4wPUSL
w;9jz]
Y` ]t0}
r9EP+g
iOP2vD}O
L W8@<ztC[
2,q=q5O3O
/L8x!]
GU"MY"N
+D3{Vsy]B:
&fo<Ujm7
l[ S_B
4VZY9v
E}zrew9VF
Belf|H
s~o*8JI
o/sg%]$
R!X Z@xM
szgFj`
9G;}jvV4
/\VoE*^flXV
D9<lw8
./nlGB7H
Pyo*ce5y
#/iYOuIb0gZSUN&
5q_gz/h
;4ZK<E:
e@x~W&
p/qI>]
h->,fo`?p$M
5~`bc{
oLMmq)P
1Pm#bd~P
[$L4vk
}]%z/z ]
5zG{N[
UpX}~H_hc
cjW6Ae-FU"j[_
9[>r4N
z5`jf&SyDh/w
,1QjTSz
p b:[
T?8n'9RuQ^
rR$sf%L?
JkWn!i
wL\MNH^^78 G`{]
WxKv<m(Sy
%n#B:\
qU__/zC rJ
?=0l~M
_<|#Mo
PuQ/1P=2J
aWs1tOM_aiwe
mQ/fm-'Z
u&~&yWo1LK2GW3|
_0ibNP
2WcUcC
[`Zk5c
xa2WGW
;Ebq+b
+L ]x<{Z
;{h!pjw
8/VH]}U2)z{r^pxYm.
\l3Ab/
Quvdioq`9NKY
kpd3/M^s
wE"9b%Pv
J9iJ2F=&
7i^`BRJ
B0 #e'
qCJXZ(
9L`hs]
jm^X\/X
cK[lX`%n
NNFOrIo==lzH{t>)wP
|rqf&sb
R9>tcE
HB'/K;=]`gy
ROlq:J*x
/!Q p1
}%jeQwhB20de<A
kX7,]g8
f%5<~GKezO
nI8CE8zahj
[R;1VnM
K-0%%,
ItM1{.
&j7Fit
|ECB/|0[
K3;WCZ
iA0L,&cz+*Z
TpyBtaW
~@_iPWAE
dN;Un4LUlJ?
=P|x9J
w|!Hb5r
|kZ~SO%vV
3|MxF$Yn#M
% \FZ;
~MOrqq
'2%dIW+t0
i*Xf"_
#2J#I`
c#E~`@r
r!F\s)Ts
D$>RJ#.[
NEuV;3l;5BL2Z
UNb<G%
u'YlLp>j
uNB;wR
uDdL[r
'8[]M%Rt>,Q1Kt
m-Si{0P
Z00<t [a.Q{\?
?Q'-W{zf
Q(Hho}X
n2oQs Fu
Y~qhi['2{dam
I?~=MULI%
9zbd-}
*[l &y
q U5"(jm^>
HPn^T(
-%^F`y
G(tb,5
h,@zmn2
S:&^;e]
x{IP3
1%mCca'
u}j"MWJ
b]W({}+U)(*n
yC0z^a
U),`f.Q
\zn5 MM.q
&~*s_@
z[4L<q=Y`O
jSC^-tB
m;88^zx^k
=W^Wtt
Rs?~_}Ha
M =;N!:
]'~O62
J[mm>X|L rAVoj~R"-z`*
h6==GDL5
Q]eNd-.
vJJ'Fhym{wa
F7$*4K|n)
S</q?f=^
4-_o!9u6
f[( EU.
T9x0Ry[1$
LN[?W5Vz0
[^"8{[:
,L#@S
2'$GfD
(>RK2\EZ
z3=EnJ
:w7~K$
Rfgd_p.g
$Y` E
<Dq!N?
jl-s^\-_fJ}
Cw"nR[N
iANOBdP[
nYS"7M
]=j0R1
h$p@s'I
s\N<kn{Vl
Oy J6n.Y6lvCY_Oxd
uHO#`RGc
<>rp[%
9cRHDmD4<@<
$tn*n&
m_DaJL
W-:-Ih
bG_*ed R
}8J0fz P+t:
QB&b!&
`3GEnr}:Q;js63
&#~3%!P
0I^dmBS7p6
hX>N|vY XW
\l|{{$Srs!
K0ne9XC"fN1`z
H0)2DB
m6 E~iv6
R)5^0#I._Zi>8t
NICUbXM
0:*s|B:63Y*"
?`(;y/vrE
U@2 e%0 i#FuuS0I
$;=olLl
9`8(5*iG
YP|oD{
LguY25+:
OjF2aB
X_)y%W9
'tSJ_6
EGYtZG`
-0NhXR`yHB_/`3t
YAX@EtKaU
I@ofz$D_
.G:icp
QM[?VFj
E|QTr.he
cN|pf)
_ T=W^x<+(`_& _$v&
ZF=OO*S
@|"0vzx
5Y$eZEoz(M
aM]_M$
.nIU6eX~
yhj[ML
!4@SQ>2
88X*nyD
]z96_Ck6_
Qm_uK6
7{$;a~
f<|0r~\
2SbJP}
7a5T\c-
?W{bH)7
2ic}]Zj;R
IO*E_OV
i%F9uJ:!yk
b5#Yp~
caO}wXWI/
)_J4[Dgh=q
\A(CIq
<`pLEt8?2
>A$l%J
s'Mf8%L}=w
F3e>*c7#a\''
{?_GB)b7
="@#S`
&qJ=\1D)v'
!iKL&=~~@
/L0NgM~H
\kyoD[r$8l
e2D%jhS
w-qR+r"x&e-P
/"d-ul:bjXc
3=Sy~pfW79
LS7g0\gW$Pu;Hb0L
"uXm`v=
phH}n0b9Fk
!M~W{|u
1C1;E\u,EXEX@
`ULfE\
u@[[F1fP]SML
|@k@=0
}$+MTM t
Xf1;E(t
E(fE(=
ddddddddddddd
IIIIIIIIIIIIIId7I
ttttttttj
<<<<<<<T
1111111(o
Id7(1IIIIIIIIIIII
IIIII`
kkkkkkkk9
{{{{{{{{B
[fPFMlllll
[sTtpk_glllll
[wwwwnhGFlllll
[i>wTTTTTTTTwpNIMlll
[i)<<<<<<<<<<<<<<:nK_l
[i}<<<<<<<<<<<<<<<<<wl
[c*(((((((((((((((((wl
[>6cj0
"' 6Hx
.LjR=W
.Jbjx=l
[[[[[Y
[[[[[[
[[[[[[[
[~lR7#
Rqqqqq\G+
0uuuuuuuuugQ4
1zzzzzzzzzzzzzz\>
2}}}}}}}}}}}}}}}}}r
w)dgu6
Hg3&;wG
D9#?^}
!u}M9&
[q~b[Fllll
[c}ha[]dlll
[f}nKB\`lll
[f}ttttttttttnKG[llll
[@SStha[llll
[XwwwwwwwwwwwwwwSSSTTpNJBllll
[SSSSSSSSSSSSSSTTTTTTTTT:kK^l
[<<<<<<<<<<<<<<<<<<<<<<<<<<u9l
[A><<<<<<<<<<<<<<<<<<<<<<<<<<l
[V211111111111111111111111111l
[2(((((((((((((((((((((((((([l
[|%##########################Kl
[*'5[Dj{
"'/5H[DPY
! 6J[[Lj=
U:??Xyx
g=&P/a
j4/ @9Z5w
$>|WeK"3]dnrY Uf
59qZ{a
)�1�1�R�Z�c�k�{�{�
!�)�)�!�9�1�J�R�Z�s�{�
y�!�)�!�1�1�9�B�
y�B�J�J�Z�R�
}�Z�k�k�c�s�k�s�{�
!�)�B�R�R�c�Z�c�s�k�{�
)�1�1�R�Z�c�k�{�{�
!�)�)�!�9�1�J�R�Z�s�{�
y�!�)�!�1�1�9�B�
y�B�J�J�Z�R�
}�Z�k�k�c�s�k�s�{�
!�)�B�R�R�c�Z�c�s�k�{�
)�1�1�R�Z�c�k�{�{�
!�)�)�!�9�1�J�R�Z�s�{�
y�!�)�!�1�1�9�B�
y�B�J�J�Z�R�
}�Z�k�k�c�s�k�s�{�
!�)�B�R�R�c�Z�c�s�k�{�
Process Tree
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.