2.7
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.59
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200727 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Downloader.Tiny.c | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200727 | 2013.8.14.323 |
| McAfee | VTFlooder!C76AA4C35AAF | 20200727 | 6.0.6.653 |
| Tencent | Trojan.Win32.VtFlooder.a | 20200727 | 1.0.0.1 |
静态指标
动态指标
提取了一个或多个潜在有趣的缓冲区,这些缓冲区通常包含注入的代码、配置数据等。
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000e00', 'entropy': 7.205364847460314} | entropy | 7.205364847460314 | description | 发现高熵的节 | |||||||||
可执行文件使用UPX压缩
(3 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
| section | UPX2 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 62 个反病毒引擎识别为恶意
(50 out of 62 个事件)
| ALYac | Gen:Variant.Razy.711653 |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Razy.711653 |
| AhnLab-V3 | Trojan/Win32.Vflooder.C1453219 |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Trojan.Razy.DADBE5 |
| Avast | Win32:Trojan-gen |
| Avira | TR/Crypt.XPACK.Gen |
| Baidu | Win32.Trojan-Downloader.Tiny.c |
| BitDefender | Gen:Variant.Razy.711653 |
| BitDefenderTheta | Gen:NN.ZexaF.34138.bqW@aeSmpTm |
| Bkav | W32.FamVT.VtfodsVM.Trojan |
| CAT-QuickHeal | Trojan.Vflooder.E3 |
| ClamAV | Win.Malware.Vtflooder-6723768-0 |
| Comodo | Packed.Win32.MUPX.Gen@24tbus |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.35aafa |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/S-bd9a8e13!Eldorado |
| DrWeb | Trojan.Flood.22062 |
| ESET-NOD32 | Win32/TrojanClicker.Tiny.NAM |
| Emsisoft | Gen:Variant.Razy.711653 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-bd9a8e13!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.c76aa4c35aafac33 |
| Fortinet | W32/Vflooder.A!tr |
| GData | Gen:Variant.Razy.711653 |
| Ikarus | Trojan.Win32.TrojanClicker |
| Invincea | heuristic |
| Jiangmin | Trojan/Badur.cky |
| K7AntiVirus | Spyware ( 0049c3e41 ) |
| K7GW | Spyware ( 0049c3e41 ) |
| Kaspersky | Trojan.Win32.Vtflooder.cft |
| MAX | malware (ai score=89) |
| Malwarebytes | Trojan.Flooder.UPX |
| McAfee | VTFlooder!C76AA4C35AAF |
| MicroWorld-eScan | Gen:Variant.Razy.711653 |
| Microsoft | Trojan:Win32/Vflooder.B |
| NANO-Antivirus | Trojan.Win32.Crypted.dbpklq |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM19.1.D7D4.Malware.Gen |
| Rising | Trojan.Vflooder!1.A171 (CLASSIC) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-AHNL |
| Symantec | Downloader.Upatre |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(3 个事件)
| dead_host | 74.125.34.46:80 |
| dead_host | 104.244.42.193:80 |
| dead_host | 104.244.42.129:80 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-08-07 15:06:08
PE Imphash
3d8c26f4cb1782a87c3bb42796fb6b85
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00005400 | 1.9601880330287247 |
| UPX1 | 0x00007000 | 0x00001000 | 0x00000e00 | 7.205364847460314 |
| UPX2 | 0x00008000 | 0x00001000 | 0x00000200 | 3.417706440053802 |
| .imports | 0x00009000 | 0x00001000 | 0x00000400 | 3.212395201352827 |
Imports
Library KERNEL32.DLL:
• 0x402000 Sleep
• 0x402004 lstrlenA
• 0x402008 CreateThread
• 0x40200c VirtualFree
• 0x402010 GetModuleFileNameW
• 0x402014 GetTickCount
• 0x402018 ExitProcess
• 0x40201c GetFileSize
• 0x402020 VirtualAlloc
• 0x402024 ReadFile
• 0x402028 CloseHandle
• 0x40202c CreateFileW
• 0x402030 lstrlenW
• 0x402034 MultiByteToWideChar
Library ole32.dll:
• 0x402088 CreateStreamOnHGlobal
Library SHLWAPI.dll:
• 0x40203c StrStrA
Library WINHTTP.dll:
• 0x402050 WinHttpCrackUrl
• 0x402054 WinHttpOpen
• 0x402058 WinHttpConnect
• 0x40205c WinHttpOpenRequest
• 0x402060 WinHttpSendRequest
• 0x402064 WinHttpQueryHeaders
• 0x402068 WinHttpReadData
• 0x40206c WinHttpCloseHandle
• 0x402070 WinHttpReceiveResponse
L!This program cannot be run in DOS mode.
wy3*3*3*3*6*:4*8*3*(*(:
*0*(::*2*Rich3*
.imports
EEEEMQj
27UREPh
E3EEEEEMQj
UREPMQ
RPQRh"@
EEPMQUREP
Qjhx#@
EMQUREPMQ
QjU REP
EUREPMQUR
9U}$EMT
--------%015d
Content-Disposition: form-data; name="apikey"
Content-Type: text/plain
a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088
Content-Disposition: form-data; name="file"; filename="1.exe"
Content-Type: application/x-msdownload
Content-Transfer-Encoding: binary
--------%015d--
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
lstrlenA
CreateThread
VirtualFree
GetModuleFileNameW
GetTickCount
ExitProcess
GetFileSize
VirtualAlloc
ReadFile
CloseHandle
CreateFileW
lstrlenW
MultiByteToWideChar
memset
memcpy
CreateStreamOnHGlobal
StrStrA
wsprintfA
wsprintfW
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReadData
WinHttpCloseHandle
WinHttpReceiveResponse
`.rdata
@.data
UR+Eo2
WQF*,Cx
mNL.|LZ
PUR!n%j<EZds7s<
0P#aKR
d>7,Y0
*`0Wj%3
x @ah4t!
EPQh(%TH
QUvlVOI(#>
$F{A._
,_|#PCi
T(]5"7f
hl#@2t!
DUR`oYFn@p#
PhxsP!!<
ef%eaPJl
"1d,0t
jchl%p/E
&^B_Y9
P5%~JkuX
Me:}~k
77Gt"6$u
VjYL%F6
-?A%015d
-Dispositi
: form-data; name=
k"apikey"3.Type'
xt[lain
a0283a2c3d557
00d064874239b5346fb991317e8449fe43c9279d758088
icaD/x-msdownload
ransfer-Encodg4b
S{ary3--"4|
atnfm)d
2SigeF
s]u%toElI]xg
8F~s{(
N[ m. )
XA8VUsE//
/Opit Kx'-_X7u
}rstuvwxyz{$>?@ABCDEFGHIJKLMNOPQRSTUVW XY
Z[\]^_`abcdefghijklmnopq
lstrnACreateTh
VirtualFe
GetModul
TickCount
ExitProcess
_(SizeHAll
seHand
Mr}tiByoWideCharxwm;mA{_wtoi
=;cpy TStm
mOnHGpb <:w
D]vwsprifA
m{kgPEttpWaU
ma]5$^Hvive
,/T,$`
<eB`.ro
0'v+LI
XPTPSWXaD$j
KERNEL32.DLL
ntdll.dll
ole32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
CreateStreamOnHGlobal
StrStrA
wsprintfA
WinHttpOpen
KERNEL32.DLL
lstrlenA
CreateThread
VirtualFree
GetModuleFileNameW
GetTickCount
ExitProcess
GetFileSize
VirtualAlloc
ReadFile
CloseHandle
CreateFileW
lstrlenW
MultiByteToWideChar
ntdll.dll
memset
memcpy
ole32.dll
CreateStreamOnHGlobal
SHLWAPI.dll
StrStrA
USER32.dll
wsprintfA
wsprintfW
WINHTTP.dll
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReadData
WinHttpCloseHandle
WinHttpReceiveResponse
j�j�j�j�j�j�
j�j�j�j�j�j�
j�j�j�j�j�j�
t�w�i�t�t�e�r�.�c�o�m�
/�p�i�d�o�r�a�s�6�
C�o�n�t�e�n�t�-�T�y�p�e�:� �m�u�l�t�i�p�a�r�t�/�f�o�r�m�-�d�a�t�a�;� �b�o�u�n�d�a�r�y�=�-�-�-�-�-�-�%�0�1�5�d�
/�v�t�a�p�i�/�v�2�/�f�i�l�e�/�s�c�a�n�
w�w�w�.�v�i�r�u�s�t�o�t�a�l�.�c�o�m�
O�p�e�r�a�/�9�.�8�0� �(�W�i�n�d�o�w�s� �N�T� �6�.�0�)� �P�r�e�s�t�o�/�2�.�1�2�.�3�8�8� �V�e�r�s�i�o�n�/�1�2�.�1�4�
C�o�n�t�e�n�t�-�T�y�p�e�:� �a�p�p�l�i�c�a�t�i�o�n�/�x�-�w�w�w�-�f�o�r�m�-�u�r�l�e�n�c�o�d�e�d�
Process Tree
- d9f5f90ab7487b0a24adda7117aa9b9f666f5d8ebf32787ca0e920e4fb9c3799.exe (2264) "C:\Users\Administrator\AppData\Local\Temp\d9f5f90ab7487b0a24adda7117aa9b9f666f5d8ebf32787ca0e920e4fb9c3799.exe"
DNS
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49166 | 74.125.34.46 www.virustotal.com | 80 |
| 192.168.56.101 | 49167 | 104.244.42.65 twitter.com | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 65473 | 114.114.114.114 | 53 |
| 192.168.56.101 | 49642 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 114.114.114.114 | 53 |
| 192.168.56.101 | 52215 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
| Name | 730d7ea516e77bc1e32c6bdbff9cb0e9d3e2e0b0 |
|---|---|
| Size | 27.3KB |
| Type | data |
| MD5 | 990913299a712a2cea963cdd69581d75 |
| SHA1 | 730d7ea516e77bc1e32c6bdbff9cb0e9d3e2e0b0 |
| SHA256 | f82df281d99f16bffe5803317fea5e618e19512f829a3488e04f2a4944bd6dc6 |
| CRC32 | 72CC4246 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |