1.3
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | TrojanClicker:Win32/Vtflooder.e23e8fff | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200526 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.hd | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200526 | 2013.8.14.323 |
| McAfee | Artemis!BA7106B693AC | 20200526 | 6.0.6.653 |
| Tencent | Trojan.Win32.VtFlooder.a | 20200526 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000e00', 'entropy': 7.205364847460314} | entropy | 7.205364847460314 | description | 发现高熵的节 | |||||||||
| entropy | 0.875 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(3 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
| section | UPX2 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 64 个反病毒引擎识别为恶意
(50 out of 64 个事件)
| ALYac | Win32.Hematite.C |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Win32.Hematite.C |
| AhnLab-V3 | Trojan/Win32.Agent.R110400 |
| Alibaba | TrojanClicker:Win32/Vtflooder.e23e8fff |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Win32.Hematite.C |
| Avast | Win32:Trojan-gen |
| Avira | TR/Crypt.XPACK.Gen |
| Baidu | Win32.Trojan.Kryptik.hd |
| BitDefender | Win32.Hematite.C |
| BitDefenderTheta | Gen:NN.ZexaF.34122.cmJfaWLAUjd |
| Bkav | W32.FamVT.Badur.C.Trojan |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Trojan.Downloader-63174 |
| Comodo | TrojWare.Win32.VTFlooder.A@5c5lsj |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.693ac5 |
| Cylance | Unsafe |
| Cyren | W32/Flooder.C.gen!Eldorado |
| DrWeb | Trojan.Flood.22062 |
| ESET-NOD32 | Win32/TrojanClicker.Tiny.NAM |
| Emsisoft | Win32.Hematite.C (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Flooder.C.gen!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.ba7106b693ac52a8 |
| Fortinet | W32/Hematite.C!tr |
| GData | Win32.Hematite.C |
| Ikarus | Trojan.Win32.TrojanClicker |
| Invincea | heuristic |
| Jiangmin | Trojan.Badur.az |
| K7AntiVirus | Trojan ( 0040f8bb1 ) |
| K7GW | Trojan ( 0040f8bb1 ) |
| Kaspersky | Trojan.Win32.Vtflooder.cft |
| Lionic | Trojan.Win32.Generic.m4vu |
| MAX | malware (ai score=100) |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | Artemis!BA7106B693AC |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.nt |
| MicroWorld-eScan | Win32.Hematite.C |
| Microsoft | Trojan:Win32/Occamy.AA |
| NANO-Antivirus | Trojan.Win32.Crypted.dlnpqg |
| Paloalto | generic.ml |
| Panda | Generic Suspicious |
| Qihoo-360 | Win32/Trojan.Flooder.8e7 |
| Rising | Trojan.Vflooder!1.A171 (RDMK:cmRtazpbBMLKdeyh/C193Oyh/mx1) |
| Sangfor | Malware |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-08-05 22:51:54
PE Imphash
8c9bb9d690553503983713582e1e58f7
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00000000 | 0.0 |
| UPX1 | 0x00007000 | 0x00001000 | 0x00000e00 | 7.205364847460314 |
| UPX2 | 0x00008000 | 0x00001000 | 0x00000200 | 3.417706440053802 |
Imports
Library KERNEL32.DLL:
• 0x40808c LoadLibraryA
• 0x408090 GetProcAddress
• 0x408094 VirtualProtect
• 0x408098 VirtualAlloc
• 0x40809c VirtualFree
• 0x4080a0 ExitProcess
Library ntdll.dll:
• 0x4080a8 _wtoi
Library ole32.dll:
• 0x4080b0 CreateStreamOnHGlobal
Library SHLWAPI.dll:
• 0x4080b8 StrStrA
Library USER32.dll:
• 0x4080c0 wsprintfA
Library WINHTTP.dll:
• 0x4080c8 WinHttpOpen
L!This program cannot be run in DOS mode.
wy3*3*3*3*6*:4*8*3*(*(:
*0*(::*2*Rich3*
UR+Eo2
WQF*,Cx
mNL.|LZ
PUR!n%j<EZds7s<
0P#aKR
d>7,Y0
*`0Wj%3
x @ah4t!
EPQh(%TH
QUvlVOI(#>
$F{A._
,_|#PCi
T(]5"7f
hl#@2t!
DUR`oYFn@p#
PhxsP!!<
ef%eaPJl
"1d,0t
jchl%p/E
&^B_Y9
P5%~JkuX
Me:}~k
77Gt"6$u
VjYL%F6
-?A%015d
-Dispositi
: form-data; name=
k"apikey"3.Type'
xt[lain
a0283a2c3d557
00d064874239b5346fb991317e8449fe43c9279d758088
icaD/x-msdownload
ransfer-Encodg4b
S{ary3--"4|
atnfm)d
2SigeF
s]u%toElI]xg
8F~s{(
N[ m. )
XA8VUsE//
/Opit Kx'-_X7u
}rstuvwxyz{$>?@ABCDEFGHIJKLMNOPQRSTUVW XY
Z[\]^_`abcdefghijklmnopq
lstrnACreateTh
VirtualFe
GetModul
TickCount
ExitProcess
_(SizeHAll
seHand
Mr}tiByoWideCharxwm;mA{_wtoi
=;cpy TStm
mOnHGpb <:w
D]vwsprifA
m{kgPEttpWaU
ma]5$^Hvive
,/T,$`
<eB`.ro
0'v+LI
XPTPSWXaD$j
KERNEL32.DLL
ntdll.dll
ole32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
CreateStreamOnHGlobal
StrStrA
wsprintfA
WinHttpOpen
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
R�E�S�O�U�R�C�E�_�F�A�T�O�K�E�N�I�Z�E�R�
K�E�R�N�E�L�3�2�.�D�L�L�
s�m�s�c�o�r�e�e�.�d�l�l�
n�r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.