0.9
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.61
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Vilsel-CT [Trj] | 20200123 | 18.4.3895.0 |
| Baidu | Win32.Trojan.VB.x | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200123 | 2013.8.14.323 |
| McAfee | Generic VB.z | 20200123 | 6.0.6.653 |
| Tencent | Trojan.Win32.VB.ctb | 20200123 | 1.0.0.1 |
静态指标
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 65 个反病毒引擎识别为恶意
(50 out of 65 个事件)
| ALYac | Trojan.Generic.7592665 |
| APEX | Malicious |
| AVG | Win32:Vilsel-CT [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.Generic.7592665 |
| AhnLab-V3 | Trojan/Win32.Vilsel.R1968 |
| Arcabit | Trojan.Generic.D73DAD9 |
| Avast | Win32:Vilsel-CT [Trj] |
| Avira | TR/ATRAPS.Gen2 |
| Baidu | Win32.Trojan.VB.x |
| BitDefender | Trojan.Generic.7592665 |
| BitDefenderTheta | AI:Packer.CCA612A91C |
| Bkav | W32.BaragoneC.Worm |
| CAT-QuickHeal | Trojan.VilselMF.S8128215 |
| CMC | Trojan.Win32.Vilsel!O |
| ClamAV | Win.Trojan.Vilsel-4621 |
| Comodo | TrojWare.Win32.Trojan.Vilsel.loy0@1qq4nk |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.179b93 |
| Cylance | Unsafe |
| Cyren | W32/VB.DS.gen!Eldorado |
| DrWeb | Trojan.Copyself.102 |
| ESET-NOD32 | Win32/VB.OZA |
| Emsisoft | Trojan.Generic.7592665 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/VB.DS.gen!Eldorado |
| F-Secure | Trojan.TR/ATRAPS.Gen2 |
| FireEye | Generic.mg.c566ecb179b93e34 |
| Fortinet | W32/Agent.OZA!worm |
| GData | Win32.Trojan.Vilsel.A |
| Ikarus | Trojan.Win32.Vilsel |
| Invincea | heuristic |
| Jiangmin | Trojan/Vilsel.adtk |
| K7AntiVirus | Trojan ( 00013e901 ) |
| K7GW | P2PWorm ( 000fc32e1 ) |
| Kaspersky | Trojan.Win32.Vilsel.loy |
| MAX | malware (ai score=80) |
| Malwarebytes | Worm.VBAgent |
| MaxSecure | Trojan.W32.Vilsel.loy |
| McAfee | Generic VB.z |
| McAfee-GW-Edition | BehavesLike.Win32.Vilsel.lt |
| MicroWorld-eScan | Trojan.Generic.7592665 |
| Microsoft | TrojanDropper:Win32/VB.IL |
| NANO-Antivirus | Trojan.Win32.Vilsel.fwrjnb |
| Panda | Trj/Vilsel.V |
| Qihoo-360 | Worm.Win32.Mau.A |
| Rising | Trojan.VB!1.BAD4 (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-VBInject |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2009-01-06 12:02:14
PE Imphash
bfbf457d52153d2191e67bb6c9212334
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000a2c0 | 0x0000b000 | 4.452522369133977 |
| .data | 0x0000c000 | 0x00000fb8 | 0x00000000 | 0.0 |
| .rsrc | 0x0000d000 | 0x00005bd0 | 0x00006000 | 4.080855996589235 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000d460 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000d460 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000d460 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000d460 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000d460 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x0000d460 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x0000d404 | 0x0000005c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_VERSION | 0x0000d1e0 | 0x00000224 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library MSVBVM60.DLL:
• 0x401000 MethCallEngine
• 0x401004 None
• 0x401008 None
• 0x40100c None
• 0x401010 None
• 0x401014 None
• 0x401018 None
• 0x40101c EVENT_SINK_AddRef
• 0x401020 None
• 0x401024 DllFunctionCall
• 0x401028 None
• 0x40102c EVENT_SINK_Release
• 0x401030 None
• 0x401034 None
• 0x401038 EVENT_SINK_QueryInterface
• 0x40103c __vbaExceptHandler
• 0x401040 None
• 0x401044 None
• 0x401048 None
• 0x40104c None
• 0x401050 ProcCallEngine
• 0x401054 None
• 0x401058 None
• 0x40105c None
• 0x401060 None
• 0x401064 None
• 0x401068 None
• 0x40106c None
• 0x401070 None
• 0x401074 None
• 0x401078 None
• 0x40107c None
L!This program cannot be run in DOS mode.
sisisi
ldsiRichsi
`.data
MSVBVM60.DLL
h;RsQOsOs~OsQNs{Ps?|Ps
Ns[OsBsNOsNsNs
:RsNs$FPs}Ps
PsDROs\TPsOs5BskPs
Project1
frm_main
jjjjjjjjjjjjjjjjjjjjjjjjjj]
jjjjjjjjjjjjjjjjjjjjjjjjjj
dddddddddddddddddddddddddd
dddddddddddddddddddddddddd
__________________________r
stun$%12V44)
zzzzzzzzzzzzzzz{
Tikumn
/Z [qr
bcdddddddddef/YggggggggggggggYh
(YZZ[a((
(YYZZZ]
NEFGHK
deEFGHIyKL
12344* z
$P&'(Z
|bbbbbbbbbbbbbbb
UUUUUUUUUUUUUUUC
qrst!w@gylz///////
q`cDefE!gYjjiiijj2mnop
UUCCCDVWX
YZZ[\2^
CDEFvwJgL
23456789:<#$>
"#$%&'()*+,
bcdefghi
WXYZ[\]^_`a
LMNOPQRSTUV
CDEFGGGHIJK
9:;<=>>?@AB
345678
$%&'()*+,-.
-kkeJ/
.nnnnnnnS8
/qqqqqqqqqqq\@$
tttttttttttttttfI3
wwwwwwwwwwwwwwwwwwwpS<
zzzzzzzzzzzzzzzzzzzzzzzz\E&
}}}}}}}}}}}}}}}}}}}}}}}}}}M
H((wf,
I33lfZ
}KUUmfh
}]WWnf
urpg\B(
qkruvwyq]J4
gpwvvvvw{}tkW=!
kt{{{{{{{z{|
s#Keq |
fvhQC7Q
~Yn_YNA^
u]O7 q
w~~xkZD'~
+j!{tp
YZ~jLwd
Timer1
VB5! *
musicvn
Microsoft Windows
Project1
Project1
frm_main
class_main
module_main
module_bind
module_rnd
module_registry
module_until
module_path
module_check
Module1
module_funny
F;M"- KZO3f
+3qC:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
Timer1
kernel32
CreateMutexA
ReleaseMutex
CloseHandle
+3q"=h
VBA6.DLL
+3qZ|4%H[x8!=h
+3qClass
C:\WINDOWS\system32\msvbvm60.dll\3
advapi32.dll
RegSetValueExA
FindWindowA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
RegSaveKeyA
RegRestoreKeyA
RegEnumKeyExA
RegEnumValueA
RegCreateKeyA
AdjustTokenPrivileges
user32
LookupPrivilegeValueA
OpenProcessToken
GetCurrentProcess
FindWindowExA
SendMessageA
PostMessageA
GetFileAttributesA
ExitWindowsEx
GetWindowTextA
GetWindowTextLengthA
t4ltlx
qd<ldqt2
d>P#plx*#l
pxlhdP
qh<lll
Xlhqp/l
qh<lhqp
qh<lhqp
qh<lll
Xlhqp/l
qh<lhqp
l4lllt^
qh<lll
Xlhqp/l
qh<lhqp
qh<lll
Xlhqp/l
qh<lhqp
l4lllt^
qh<lll
Xlhqp/l
qh<lhqp
q<<l<qt
q@<l4l
Xl@qt/4
qh<lll
Xlhqp/l
qh<lhqp
l4lllt^
qh<lll
Xlhqp/l
qh<lhqp
ql<lliL\/p
ql<lliL\/p
<,ltJlt
1t/plt
*1xltJ
hd`\5L
>@#`lh*#\
tXl\qp/`
hXl0qp2
tXl0qp/`
qX<l\l
XlXqp/\
qX<lXqp
H`1h5H
\4l\lllt^
hXlXqp/\
lxlh*#\
%lxlhlt
qX<lXqp
qL<lPl
XlLqp/P
qL<lLqp
<`1h5<
<`1`5<
P4lPlllt^
`XlLqp2
lxlh*#P
qL<lLqp
qT<l\l
XlTq`2
qT<lTq`
\4l\lt^
qT<l\l
XlTq`2
\4l\lt^
qL<l\l
XlLq`/\
\4l\lt^
qT<l\l
XlTq`/\
qT<lTq`
0>,#<l@*#8
<@840,
x>0#<l@*#8
q<lq/@
MSVBVM60.DLL
MethCallEngine
EVENT_SINK_AddRef
DllFunctionCall
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ProcCallEngine
u]O7 q
w~~xkZD'~
+j!{tp
YZ~jLwd
urpg\B(
qkruvwyq]J4
gpwvvvvw{}tkW=!
kt{{{{{{{z{|
s#Keq |
fvhQC7Q
~Yn_YNA^
-kkeJ/
.nnnnnnnS8
/qqqqqqqqqqq\@$
tttttttttttttttfI3
wwwwwwwwwwwwwwwwwwwpS<
zzzzzzzzzzzzzzzzzzzzzzzz\E&
}}}}}}}}}}}}}}}}}}}}}}}}}}M
H((wf,
I33lfZ
}KUUmfh
}]WWnf
bcdefghi
WXYZ[\]^_`a
LMNOPQRSTUV
CDEFGGGHIJK
9:;<=>>?@AB
345678
$%&'()*+,-.
|bbbbbbbbbbbbbbb
UUUUUUUUUUUUUUUC
qrst!w@gylz///////
q`cDefE!gYjjiiijj2mnop
UUCCCDVWX
YZZ[\2^
CDEFvwJgL
23456789:<#$>
"#$%&'()*+,
jjjjjjjjjjjjjjjjjjjjjjjjjj]
jjjjjjjjjjjjjjjjjjjjjjjjjj
dddddddddddddddddddddddddd
dddddddddddddddddddddddddd
__________________________r
stun$%12V44)
zzzzzzzzzzzzzzz{
Tikumn
/Z [qr
bcdddddddddef/YggggggggggggggYh
(YZZ[a((
(YYZZZ]
NEFGHK
deEFGHIyKL
12344* z
$P&'(Z
h�d�H�,� �d�
l�\�X�L�@�\�
~�x�k�Z�F�+�
R�:�u�]�O�:�&�
@�C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�D�u�c�D�u�n�
*�\�A�D�:�\�L�a�p� �T�r�i�n�h�\�V�i�r�u�s� �M�a�u�\�P�r�o� �3�\�P�r�o�3�.�v�b�p�
S�e�R�e�s�t�o�r�e�P�r�i�v�i�l�e�g�e�
S�e�B�a�c�k�u�p�P�r�i�v�i�l�e�g�e�
A�c�c�e�s�s� �i�s� �d�e�n�i�e�d�
S�y�s�t�e�m�
H�i�d�e�F�i�l�e�E�x�t�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�E�x�p�l�o�r�e�r�
L�o�g�o�n� �U�s�e�r� �N�a�m�e�
H�i�d�d�e�n�
S�O�F�T�W�A�R�E�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�E�x�p�l�o�r�e�r�\�C�a�b�i�n�e�t�S�t�a�t�e�
F�u�l�l�P�a�t�h�
S�O�F�T�W�A�R�E�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�E�x�p�l�o�r�e�r�\�A�d�v�a�n�c�e�d�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�P�o�l�i�c�i�e�s�\�E�x�p�l�o�r�e�r�
N�o�F�o�l�d�e�r�O�p�t�i�o�n�s�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�E�x�p�l�o�r�e�r�\�S�t�r�e�a�m�s�
S�e�t�t�i�n�g�s�
S�c�r�i�p�t�i�n�g�.�F�i�l�e�S�y�s�t�e�m�O�b�j�e�c�t�
C�r�e�a�t�e�T�e�x�t�F�i�l�e�
t�e�m�p�.�z�i�p�
S�h�e�l�l�.�A�p�p�l�i�c�a�t�i�o�n�
N�a�m�e�s�p�a�c�e�
C�o�p�y�H�e�r�e�
b�a�c�k�u�p�
S�y�s�t�e�m� �R�e�s�t�o�r�e�
u�p�d�a�t�e�
C�a�b�i�n�e�t�W�C�l�a�s�s�
E�x�p�l�o�r�e�W�C�l�a�s�s�
H�a�p�p�y� �B�i�r�t�h�D�a�y� �m�y�'�s� �B�o�s�s�
M�e�r�r�y� �C�h�r�i�s�t�m�a�s�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �W�i�n�d�o�w�s�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�0�.�0�0�5�7�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�0�.�0�0�5�7�
I�n�t�e�r�n�a�l�N�a�m�e�
m�u�s�i�c�v�n�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�u�s�i�c�v�n�.�e�x�e�
~�x�k�Z�F�+�
R�:�u�]�O�:�&�
l�\�X�L�@�\�
h�d�H�,� �d�
(�5�%�&�'�3�7�
3�4�4�5�6�:�
&�*�/�3�3�3�3�!�!�"�)�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.