SmartHawk

1.1

低危

56 个模型检测该样本为恶意！

重新分析

下载样本

05dcc91647facc64f928e5264afba7c7ddabd0b90edb7992834f9a36e9af33a2

05dcc91647facc64f928e5264afba7c7ddabd0b90edb7992834f9a36e9af33a2.exe

分析耗时

132s

最近分析

390天前

文件大小

6.0KB

静态报毒动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN BACKDOOR ODOR

DACN 0.12

FACILE 1.00

IMCLNet 0.54

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.12	Unknown	0.15s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.54	Unknown	0.17s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:Kraton-A [Trj]	20191024	18.4.3895.0
Baidu	Win32.Backdoor.Padodor.a	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20191024	2013.8.14.323
McAfee	BackDoor-AXJ.dll.gen	20191024	6.0.6.653
Tencent	None	20191024	1.0.0.1

分配可读-可写-可执行内存（通常用于自解压） (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545301.45275 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x6c241000 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 1848	success	0	0

与未执行 DNS 查询的主机进行通信 (2 个事件)

host	114.114.114.114
host	8.8.8.8

文件已被 VirusTotal 上 56 个反病毒引擎识别为恶意 (50 out of 56 个事件)

ALYac	Gen:Variant.Ulise.939
APEX	Malicious
AVG	Win32:Kraton-A [Trj]
Acronis	suspicious
Ad-Aware	Gen:Variant.Ulise.939
AhnLab-V3	Trojan/Win32.Padodor.R37539
Antiy-AVL	Trojan[Backdoor]/Win32.Padodor
Arcabit	Trojan.Ulise.939
Avast	Win32:Kraton-A [Trj]
Avira	TR/ATRAPS.Gen
Baidu	Win32.Backdoor.Padodor.a
BitDefender	Gen:Variant.Ulise.939
CAT-QuickHeal	Backdoor.Berbew.G6
CMC	Backdoor.Win32.Padodor!O
Comodo	Backdoor.Win32.Padodor.gen0@1c5gkz
CrowdStrike	win/malicious_confidence_100% (D)
Cylance	Unsafe
Cyren	W32/Padodor.A.gen!Eldorado
DrWeb	BackDoor.HangUp.43952
ESET-NOD32	a variant of Win32/Padodor.gen
Emsisoft	Gen:Variant.Ulise.939 (B)
Endgame	malicious (high confidence)
F-Prot	W32/Backdoor.PXB
F-Secure	Trojan.TR/ATRAPS.Gen
FireEye	Generic.mg.bd0b5f4be28bd36b
Fortinet	W32/Qukart.K!tr
GData	Gen:Variant.Ulise.939
Ikarus	Backdoor.Win32.Berbew
Invincea	heuristic
Jiangmin	Backdoor/Padodor.d
K7AntiVirus	Spyware ( 000021441 )
K7GW	Spyware ( 000021441 )
Kaspersky	Backdoor.Win32.Padodor.gen
MAX	malware (ai score=89)
Malwarebytes	Backdoor.Padodor
MaxSecure	Trojan.Proxy.Qukart.gen
McAfee	BackDoor-AXJ.dll.gen
McAfee-GW-Edition	BehavesLike.Win32.BackdoorAXJdll.xz
MicroWorld-eScan	Gen:Variant.Ulise.939
Microsoft	Backdoor:Win32/Berbew.dll
NANO-Antivirus	Trojan.Win32.Padodor.dklrza
Panda	Bck/Webber.gen
Qihoo-360	HEUR/QVM39.1.C36F.Malware.Gen
Rising	Backdoor.Berbew!1.AE6C (CLASSIC)
SentinelOne	DFI - Malicious PE
Sophos	Mal/Padodor-A
Symantec	Backdoor.Berbew.F
TACHYON	Backdoor/W32.Padodor.6145.W
TotalDefense	Win32/Webber.W
Trapmine	malicious.high.ml.score

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2004-05-28 04:07:43

PE Imphash

0ed11c14a2759c69bfa93dd64e1f1654

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x000005e8	0x000005e8	5.779821035395537
.rdata	0x00002000	0x00000054	0x00000054	0.1623261801753929
.data	0x00003000	0x000000ac	0x000000ac	1.3636259990393553
.idata	0x00004000	0x0000026c	0x0000026c	3.914742821790486
.reloc	0x00005000	0x00000098	0x00000098	4.600576551509637
.edata	0x00006000	0x00000040	0x00000040	2.751727600473842

Imports

Library KERNEL32.DLL:

• 0x100040c4 ExitProcess

• 0x100040c8 GetEnvironmentStringsA

• 0x100040cc CloseHandle

• 0x100040d0 GetSystemDirectoryA

• 0x100040d4 OpenMutexA

• 0x100040d8 RtlUnwind

• 0x100040dc WinExec

Library CRTDLL.DLL:

• 0x100040e8 _fdopen

• 0x100040ec _open_osfhandle

• 0x100040f0 fclose

• 0x100040f4 _cexit

• 0x100040f8 malloc

• 0x100040fc printf

• 0x10004100 raise

• 0x10004104 setbuf

• 0x10004108 sprintf

• 0x1000410c strcpy

Exports

Ordinal	Address	Name
1	0x10001348	_kk

L!This program cannot be run in DOS mode.
`.rdata
@.data
.idata
.reloc
.edata
t ;t$$t
_^[USVWUj
]_^[]U
]_^[]USVW}
P<$XP<$
Iohgjmka
jklmno
ExitProcess
GetEnvironmentStringsA
CloseHandle
GetSystemDirectoryA
OpenMutexA
RtlUnwind
WinExec
_fdopen
_open_osfhandle
fclose
_cexit
malloc
printf
setbuf
sprintf
strcpy
KERNEL32.DLL
CRTDLL.DLL
+00000
1!1111
2$2*2?223
5*565B5N5Z5f5r5~555555555
2 2$2(2,20242D2H2L2P2T2X2\2`2d2h2
dll.dll

Process Tree

rundll32.exe (1848) "C:\Windows\System32\rundll32.exe" C:\Users\ADMINI~1\AppData\Local\Temp\05dcc91647facc64f928e5264afba7c7ddabd0b90edb7992834f9a36e9af33a2.exe.dll,DllMain

Search
rundll32.exe (1848)

rundll32.exe, PID: 1848, Parent PID: 844

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
8.8.8.8

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255 A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	61714	8.8.8.8	53
192.168.56.101	56933	8.8.8.8	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53
192.168.56.101	57665	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.