0.9
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.52
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:PWSX-gen [Trj] | 20200728 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_70% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200728 | 2013.8.14.323 |
| McAfee | GenericRXKN-ME!C793FDAD6896 | 20200728 | 6.0.6.653 |
| Tencent | None | 20200728 | 1.0.0.1 |
静态指标
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 47 个反病毒引擎识别为恶意
(47 个事件)
| ALYac | Gen:Variant.Razy.686197 |
| APEX | Malicious |
| AVG | Win32:PWSX-gen [Trj] |
| Ad-Aware | Gen:Variant.Razy.686197 |
| AhnLab-V3 | Trojan/Win32.Stealer.C4089074 |
| Antiy-AVL | Trojan[PSW]/MSIL.Stealer |
| Arcabit | Trojan.Razy.DA7875 |
| Avast | Win32:PWSX-gen [Trj] |
| Avira | HEUR/AGEN.1134262 |
| BitDefender | Gen:Variant.Razy.686197 |
| BitDefenderTheta | Gen:NN.ZemsilF.34138.bm0@au7Gtfc |
| CAT-QuickHeal | Trojan.MsilFC.S14876647 |
| Comodo | TrojWare.MSIL.PSW.Agent.DSA@8rmdbs |
| CrowdStrike | win/malicious_confidence_70% (D) |
| Cybereason | malicious.01281b |
| Cynet | Malicious (score: 85) |
| Cyren | W32/MSIL_Agent.BIL.gen!Eldorado |
| DrWeb | Trojan.PWS.DiscordNET.24 |
| ESET-NOD32 | MSIL/PSW.Discord.FE |
| Emsisoft | Gen:Variant.Razy.686197 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/MSIL_Agent.BIL.gen!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1134262 |
| FireEye | Generic.mg.c793fdad689656ce |
| Fortinet | MSIL/Agent.RMF!tr |
| GData | Gen:Variant.Razy.686197 |
| Ikarus | Trojan.MSIL.PSW |
| Invincea | heuristic |
| Jiangmin | Trojan.PSW.MSIL.yeg |
| K7AntiVirus | Password-Stealer ( 00566a2e1 ) |
| K7GW | Password-Stealer ( 00566a2e1 ) |
| Kaspersky | HEUR:Trojan-PSW.MSIL.Agent.gen |
| MAX | malware (ai score=86) |
| Malwarebytes | Spyware.PasswordStealer |
| McAfee | GenericRXKN-ME!C793FDAD6896 |
| MicroWorld-eScan | Gen:Variant.Razy.686197 |
| Microsoft | PWS:MSIL/Dcstl.GA!MTB |
| Qihoo-360 | HEUR/QVM03.0.E04E.Malware.Gen |
| Rising | Stealer.Agent!8.C2 (TFE:dGZlOgwjcBlMk9FZ0w) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Disteal-K |
| Symantec | ML.Attribute.HighConfidence |
| VBA32 | TScope.Trojan.MSIL |
| Yandex | Trojan.PWS.Agent!8j7JHcZBd/c |
| Zillya | Trojan.Agent.Win32.1328637 |
| ZoneAlarm | HEUR:Trojan-PSW.MSIL.Agent.gen |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2020-07-29 04:39:17
PE Imphash
f34d5f2d4577ed6d9ceec516c1f5a744
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x00003ca4 | 0x00003e00 | 5.593624778672833 |
| .rsrc | 0x00006000 | 0x00000600 | 0x00000600 | 4.076916304110733 |
| .reloc | 0x00008000 | 0x0000000c | 0x00000200 | 0.08153941234324169 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x00006090 | 0x0000032c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_MANIFEST | 0x000063cc | 0x000001ea | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library mscoree.dll:
• 0x402000 _CorExeMain
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
v4.0.30319
#Strings
StealerBin.exe
StealerBin
mscorlib
System
System.Net.Http
System.Management
System.Web.Extensions
System.Core
StealerBin.Properties.Resources.resources
<Module>
DigitalProductIdVersion
WinProdKeyFind
value__
UpToWindows7
Windows8AndUp
KeyDecoder
Object
RegistryKey
Microsoft.Win32
Environment
get_Is64BitOperatingSystem
OpenBaseKey
RegistryHive
RegistryView
OpenSubKey
GetValue
get_OSVersion
OperatingSystem
get_Version
Version
get_Major
get_Minor
GetWindowsProductKeyFromRegistry
GetWindowsProductKeyFromDigitalProductId
digitalProductId
digitalProductIdVersion
ArrayList
System.Collections
RuntimeHelpers
System.Runtime.CompilerServices
InitializeArray
RuntimeFieldHandle
get_Item
set_Item
String
DecodeProductKey
get_Chars
ToString
Concat
Substring
get_Length
Insert
DecodeProductKeyWin8AndUp
_savedTokens
WebClient
System.Net
CompleteOs
Chrome
StealFound
OperaGX
List`1
System.Collections.Generic
IndexOf
AddRange
IEnumerable`1
RemoveAt
ToArray
FileInfo
System.IO
Directory
Exists
DirectoryInfo
GetFiles
FileSystemInfo
get_Name
EndsWith
FindTokenfile
ReadAllBytes
Encoding
System.Text
get_UTF8
GetString
Contains
_FilePath
NameValueCollection
System.Collections.Specialized
WebException
get_Headers
WebHeaderCollection
UploadValues
get_Response
WebResponse
GetResponseStream
Stream
StreamReader
TextReader
ReadToEnd
IDisposable
Dispose
TokenCheckAcces
Exception
Convert
op_Equality
ReadAllText
Delete
StartSteal
HttpClient
Dictionary`2
TaskAwaiter`1
HttpResponseMessage
JavaScriptSerializer
System.Web.Script.Serialization
DownloadString
Deserialize
get_UserName
FormUrlEncodedContent
KeyValuePair`2
PostAsync
Task`1
System.Threading.Tasks
HttpContent
GetAwaiter
GetResult
tokenReport
ManagementObjectSearcher
ManagementObjectCollection
Enumerable
System.Linq
IEnumerable
ManagementObject
Func`2
Select
FirstOrDefault
get_NewLine
AppendAllText
SaveTokens
StringReader
StreamWriter
Enumerator
ReadLine
FileStream
FileMode
GetEnumerator
get_Current
TextWriter
WriteLine
MoveNext
RemoveDuplicatedLines
GetFolderPath
SpecialFolder
Thread
System.Threading
get_Count
StealTokenFromDiscordApp
StealTokenFromChrome
IEnumerator
System.Text.RegularExpressions
OpenText
Matches
MatchCollection
Capture
get_Value
Distinct
ToList
TokenStealer
Folder
checkLogs
StealTokenFromOpera
StealTokenFromOperaGX
.cctor
<YourFuckingLocation>k__BackingField
CompilerGeneratedAttribute
DebuggerBrowsableAttribute
System.Diagnostics
DebuggerBrowsableState
<YourFuckingCountryCode>k__BackingField
<YourFuckingISP>k__BackingField
get_YourFuckingLocation
set_YourFuckingLocation
get_YourFuckingCountryCode
set_YourFuckingCountryCode
get_YourFuckingISP
set_YourFuckingISP
YourFuckingLocation
YourFuckingCountryCode
YourFuckingISP
<>9__10_0
ManagementBaseObject
GetPropertyValue
<OperatingSystem>b__10_0
Program
STAThreadAttribute
Resources
StealerBin.Properties
resourceMan
ResourceManager
System.Resources
resourceCulture
CultureInfo
System.Globalization
GetTypeFromHandle
RuntimeTypeHandle
get_Assembly
Assembly
System.Reflection
get_ResourceManager
get_Culture
set_Culture
EditorBrowsableAttribute
System.ComponentModel
EditorBrowsableState
Culture
GeneratedCodeAttribute
System.CodeDom.Compiler
DebuggerNonUserCodeAttribute
Settings
ApplicationSettingsBase
System.Configuration
defaultInstance
get_Default
SettingsBase
Synchronized
Default
<PrivateImplementationDetails>
F28AE27DD8812234DDF5415F8A106C988C96F8937B0F08B8B22893837E8816F6
__StaticArrayInitTypeSize=48
ValueType
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
DebuggableAttribute
DebuggingModes
AssemblyTitleAttribute
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
B)wCY1A)
18V6N5
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
WrapNonExceptionThrows
StealerBin
Copyright
2020
$89e097c7-84ab-46e1-ba25-3d9d5ed5d48e
1.0.0.0
.NETFramework,Version=v4.7.2
FrameworkDisplayName
.NET Framework 4.7.2
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
B�C�D�F�G�H�J�K�M�P�Q�R�T�V�W�X�Y�2�3�4�6�7�8�9�
S�O�F�T�W�A�R�E�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�
D�i�g�i�t�a�l�P�r�o�d�u�c�t�I�d�
F�a�i�l�e�d� �t�o� �g�e�t� �D�i�g�i�t�a�l�P�r�o�d�u�c�t�I�d� �f�r�o�m� �r�e�g�i�s�t�r�y�
B�C�D�F�G�H�J�K�M�P�Q�R�T�V�W�X�Y�2�3�4�6�7�8�9�
A�u�t�h�o�r�i�z�a�t�i�o�n�
h�t�t�p�s�:�/�/�d�i�s�c�o�r�d�a�p�p�.�c�o�m�/�a�p�i�/�v�6�/�i�n�v�i�t�e�/�j�j�P�s�x�g�
4�0�1�:� �U�n�a�u�t�h�o�r�i�z�e�d�
Y�o�u� �n�e�e�d� �t�o� �v�e�r�i�f�y� �y�o�u�r� �a�c�c�o�u�n�t� �i�n� �o�r�d�e�r� �t�o� �p�e�r�f�o�r�m� �t�h�i�s� �a�c�t�i�o�n�.�
S�O�F�T�W�A�R�E�\�M�i�c�r�o�s�o�f�t�\�C�r�y�p�t�o�g�r�a�p�h�y�
M�a�c�h�i�n�e�G�u�i�d�
9�0�0�5�9�c�3�7�-�1�3�2�0�-�4�1�a�4�-�b�5�8�d�-�2�b�7�5�a�9�8�5�0�d�2�f�
h�t�t�p�s�:�/�/�w�t�f�i�s�m�y�i�p�.�c�o�m�/�j�s�o�n�
h�t�t�p�s�:�/�/�a�p�i�.�i�p�i�f�y�.�o�r�g�/�
h�t�t�p�s�:�/�/�a�p�i�6�.�i�p�i�f�y�.�o�r�g�/�
c�o�n�t�e�n�t�
*�*�I�P� �I�n�f�o�r�m�a�t�i�o�n�*�*�
�I�P�v�4�:� �
�I�P�v�6�:� �
�L�o�c�a�t�i�o�n�:� �
�I�S�P�:� �
�C�o�u�n�t�r�y� �C�o�d�e�:� �
*�*�W�i�n�d�o�w�s� �I�n�f�o�r�m�a�t�i�o�n�*�*�
*�*�D�i�s�c�o�r�d� �T�o�k�e�n�s�*�*�
P�o�w�e�r�e�d� �b�y� �B�y�t�e�T�o�o�l�s�
u�s�e�r�n�a�m�e�
T�o�k�e�n� �S�t�e�a�l�e�r� �v�2�.�0�
a�v�a�t�a�r�_�u�r�l�
h�t�t�p�:�/�/�a�c�u�r�a�r�t�m�.�b�p�l�a�c�e�d�.�n�e�t�/�B�i�l�d�e�r�/�B�y�t�e�t�o�o�l�s�_�L�o�g�o�.�p�n�g�
S�E�L�E�C�T� �C�a�p�t�i�o�n� �F�R�O�M� �W�i�n�3�2�_�O�p�e�r�a�t�i�n�g�S�y�s�t�e�m�
U�n�k�n�o�w�n�
C�h�r�o�m�e�
D�i�s�c�o�r�d� �A�p�p�
O�p�e�r�a� �G�X�
�T�o�k�e�n�:� �
\�d�i�s�c�o�r�d�\�L�o�c�a�l� �S�t�o�r�a�g�e�\�l�e�v�e�l�d�b�\�
A�p�p� �T�o�k�e�n� �n�o�t� �f�o�u�n�d� �:�/�
\�G�o�o�g�l�e�\�C�h�r�o�m�e�\�U�s�e�r� �D�a�t�a�\�D�e�f�a�u�l�t�\�L�o�c�a�l� �S�t�o�r�a�g�e�\�l�e�v�e�l�d�b�\�
[�\�w�-�]�{�2�4�}�\�.�[�\�w�-�]�{�6�}�\�.�[�\�w�-�]�{�2�7�}�
m�f�a�\�.�[�\�w�-�]�{�8�4�}�
\�O�p�e�r�a� �S�o�f�t�w�a�r�e�\�O�p�e�r�a� �S�t�a�b�l�e�\�L�o�c�a�l� �S�t�o�r�a�g�e�\�l�e�v�e�l�d�b�\�
\�O�p�e�r�a� �S�o�f�t�w�a�r�e�\�O�p�e�r�a� �G�X� �S�t�a�b�l�e�\�L�o�c�a�l� �S�t�o�r�a�g�e�\�l�e�v�e�l�d�b�\�
h�t�t�p�s�:�/�/�d�i�s�c�o�r�d�a�p�p�.�c�o�m�/�a�p�i�/�w�e�b�h�o�o�k�s�/�7�3�7�7�7�1�0�7�4�5�1�0�3�8�9�2�7�8�/�k�K�d�R�O�R�t�f�x�Z�R�M�q�2�k�T�w�y�6�i�T�1�p�E�o�E�B�m�g�P�n�J�K�h�t�I�f�7�m�w�r�a�B�C�G�P�o�H�0�9�t�S�B�r�0�k�B�n�e�e�x�J�7�x�z�B�M�B�
\�u�p�d�a�t�e�l�o�g�s�s�.�t�x�t�
�W�i�n�d�o�w�s� �K�e�y�:� �
C�a�p�t�i�o�n�
S�t�e�a�l�e�r�B�i�n�.�P�r�o�p�e�r�t�i�e�s�.�R�e�s�o�u�r�c�e�s�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�o�m�p�a�n�y�N�a�m�e�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
S�t�e�a�l�e�r�B�i�n�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
S�t�e�a�l�e�r�B�i�n�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �
� �2�0�2�0�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�t�e�a�l�e�r�B�i�n�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
S�t�e�a�l�e�r�B�i�n�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.