1.1
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Unruy-AA [Trj] | 20200412 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Clicker.Cycler.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200413 | 2013.8.14.323 |
| McAfee | Downloader-BPA.j.b | 20200413 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b3b6fc | 20200413 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.data', 'virtual_address': '0x00005000', 'virtual_size': '0x000154fc', 'size_of_data': '0x00006800', 'entropy': 6.859074562988492} | entropy | 6.859074562988492 | description | 发现高熵的节 | |||||||||
| entropy | 0.6933333333333334 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Trojan.GenericKD.30875256 |
| APEX | Malicious |
| AVG | Win32:Unruy-AA [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.30875256 |
| AhnLab-V3 | Trojan/Win32.Cycler.R37162 |
| Antiy-AVL | Trojan/Win32.Unknown |
| Arcabit | Trojan.Generic.D1D71E78 |
| Avast | Win32:Unruy-AA [Trj] |
| Avira | TR/Click.Cycler.AB |
| Baidu | Win32.Trojan-Clicker.Cycler.a |
| BitDefender | Trojan.GenericKD.30875256 |
| BitDefenderTheta | AI:Packer.D20B6CB61E |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Downloader.Unruy-6912807-0 |
| Comodo | TrojWare.Win32.TrojanClicker.Cycler.A@1es5wl |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.412372 |
| Cylance | Unsafe |
| Cyren | W32/Unruy.B.gen!Eldorado |
| DrWeb | Trojan.Siggen8.10551 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Unruy.AY |
| Emsisoft | Trojan.GenericKD.30875256 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Unruy.B.gen!Eldorado |
| F-Secure | Trojan.TR/Click.Cycler.AB |
| FireEye | Generic.mg.cdd89a34123724b5 |
| Fortinet | W32/Unruy.BK!tr.dldr |
| GData | Trojan.GenericKD.30875256 |
| Ikarus | Trojan-Downloader.Win32.Unruy |
| Invincea | heuristic |
| Jiangmin | TrojanClicker.Cycler.no |
| K7AntiVirus | Trojan-Downloader ( 0055e7951 ) |
| K7GW | Trojan-Downloader ( 0055e7951 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=82) |
| Malwarebytes | Trojan.Unruy |
| McAfee | Downloader-BPA.j.b |
| McAfee-GW-Edition | BehavesLike.Win32.Downloader.tt |
| MicroWorld-eScan | Trojan.GenericKD.30875256 |
| Microsoft | TrojanDownloader:Win32/Unruy.C |
| NANO-Antivirus | Trojan.Win32.Cycler.byvara |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM07.1.8849.Malware.Gen |
| Rising | Downloader.Unruy!8.D8 (TFE:dGZlOgWseQMxk69k4g) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Unruy-Gen |
| Tencent | Malware.Win32.Gencirc.10b3b6fc |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2009-11-21 02:49:19
PE Imphash
b144870e3a37e200b228432e9ff61d95
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000283b | 0x00002a00 | 5.7131319507269875 |
| .rdata | 0x00004000 | 0x00000294 | 0x00000400 | 3.4755064667549775 |
| .data | 0x00005000 | 0x000154fc | 0x00006800 | 6.859074562988492 |
Imports
Library KERNEL32.dll:
• 0x404000 GetFileAttributesExA
• 0x404004 HeapDestroy
• 0x404008 HeapFree
• 0x40400c HeapCreate
• 0x404010 HeapAlloc
• 0x404014 GetProcessHeap
• 0x404018 CloseHandle
• 0x40401c QueryPerformanceCounter
• 0x404020 ReadFile
• 0x404024 SetFilePointer
• 0x404028 CreateFileA
• 0x40402c ExitProcess
• 0x404030 GetModuleFileNameA
• 0x404034 Sleep
• 0x404038 GetProcAddress
• 0x40403c LoadLibraryA
• 0x404040 VirtualAlloc
• 0x404044 VirtualFree
• 0x404048 IsBadReadPtr
• 0x40404c lstrcmpiA
• 0x404050 FreeLibrary
• 0x404054 HeapReAlloc
• 0x404058 GetModuleHandleA
• 0x40405c GetStartupInfoA
• 0x404060 GetCommandLineA
L!This program cannot be run in DOS mode.
UUUwUJ
URichU
`.rdata
@.data
YYEhx@
E@EE;E}
E@EEUQ}
E@EE;E
E@EE;E
E@EE;E}
uYYEU<
;u^;Ms
EEMM?}
;ujM+M;Us
UE;Es{j
EpPEp4
MH4hx@
EM+H4Mj
E@EE(EE
@8Ehx@
E@EE(EE
E@EE@@EE@
EE@@EEM;H
E@EEM;H
GetFileAttributesExA
HeapDestroy
HeapFree
HeapCreate
HeapAlloc
GetProcessHeap
CloseHandle
QueryPerformanceCounter
ReadFile
SetFilePointer
CreateFileA
ExitProcess
GetModuleFileNameA
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadReadPtr
lstrcmpiA
FreeLibrary
KERNEL32.dll
HeapReAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
JJJ;;J
YyY*Y1Y%Y
JJnj(1
SJt#JYFJ
JJ+JJ+
6J:JJ;:
J+<J:J@:fJnJnnJJJJs
dCZZCZZ:S
ZzJ0#JwCZZZ*N
]UdCZZ
<*J+KJ
%SSJ+?ZzJ
WCZZnJJ+J(Z
* Z*JQ
fZzCZZ
J;0cJ0
<ZJKJFJ+K&
Z*ZbJ+\wG
J\J+dZ*
JJ+J:]
UdbJ+wJJQ?J+
dTJjnJ
:J;<*J+J+j0JZzJ J!J`J
hJ+zWZZ]S!J
qJJ@ J
J.WZZJ
ZZZzJ+*J+
uJ+ZZ]
UWCZZZ
*ZzJw'CZZ]J+ZJsJ{<J{J{J{G[6
?ZZZTJtJJ.
JJdtZZZ8J
S!J*tSJJd
UJ+Q?J+
JJJ.J+JWZ*W<
J+?J*0J+dJ+
*J.4Jaq
]Z*WJA
JwZG2
dJEEE
WZ@Z*qs
ElG! J
]JxQS!JJ
JjJ+Z*n
J+Z*(ZzJ{Jn
HJi>CZZ
Z*ZZZ]dW
J%JKJQ`[J[
]dYpJJ+
Z*WZzJJ%
-J!ZzJ
wJ:J+fJjJ
JesSJe8J
*S!nJj
d2ZZ?J+S
J J[ZUJ+JQE
Z* ZJ+;JJ
QJ\;nJ
J+h+5:J58J+Y53DJ5J
J\ZZQ9JJ.JJ+,(G~
J\=JcJQJqJ+sJ0
dqWd2
nJ+jfJ
rbCZZTJ+0Z:J OJs
:Z#J+J+J
ZzJ-$CZZJ+VJ+.J+s#
gJ\)yo
ZZ] J\J+
ZZ8J+^GY4J^JbJ
JjuGJG
J[(J[(J+
GJ;JJ+JQ G
ZZzJ(ZJ
FJ-gJ-gZZk+
GUiJJJ
WZ*qZJ+
*JFJ\sUJ+OJO\J
]GGJOJ+J+
J+Oi$S
J+YJ+QYJ
5J+J(J@(J(JcJ+bJE
nZ*&ZZJJ\UJ\
]GJ{JE*Z
Js7Jj%JN
*ZJU7Jh*J
5qJ+OJ
JOpJOpJ\OpJ\OJ:
J+wjJ+
ZZZZ*Jd{j
0}t}t1
d2Q}tJ\@=oSJ+dWJ2
dZZ?J+
J+JZJQJ+
2J!Z*GJs J+
WqJ+SJ
FJ+Jt?J
GJJ+6uJ+}
J;*ZzJ(J>J5(J5(J5(J{J5(J{
J@aJnJ
ZJYJJ+G
5J[J+5{J
j]J.[J
J+WJ+J
JJ+(2ZZ]]J`GJ`
dJ+_zJ+JS
J3pZZJ\
J+0bJF
JwJ+mJn
2JVmJ+
ZzJ.Z*Gb
JsJQJJ6J\!JUJUJUJ+Q?J+
J]]GJ\J.JcJ
I7WJ#J+Z
J2J+jJ+!J
ZJ[5JGJJJ8Jd%WJ
JIlJI^
1JQfJf
J WdJ0Z*JmJQ:dJ:rH
JJ\[GYJJa]*
d JbyJ+qCZZ?J+
GeJxJ<J-
#xJ#J+GtJ#J#J#J# J#J
SJ+\J\JJ+G!JS
JJJQkJDJ
QsMJ+D}
J+JJ@CZZW
x*J+m J%J\Y
GJ(J*WJ\
>ZZ]JEJzc JWJ
xJ; xQJ
WCZZ Y
JzZ*CJbKZZ`
J[%JJFJ
JJFZ*=JjJQ
uJ+FJj
@J;@*8WbJJcJ;
pZZ]JW
ZZJ\JqQ
x@J+\^8Y
JJJJxJ+\i^QJ\\d
J+HdWJ+J+
WJ+}Js
JJ;J\s
JjYJs@
JQsJjy
TCZZ]]
ZJ(qJ+Y
LJ}J+ J
AJ+(JJ
%7J+0(GJdJ+
JJ\J+ JzJ+Z
JzG!J)JJ\9J
(7J(J.7J\J.
J7{JJJJ@%J
J;(JJ5:
2J2ZJKJ
3J03ZYJ
J JxZ*WJ+%
J\eexZ*GJj
>J+7J+
GJ0]]GNJJjQ
GJZZ!F
xYQ[lJ
NZZGJ!J+
JJ\JO SQJ1XJJ|%cGJ(FGJ(FGJ(FmJ\@OJ
d6TZZJ
*JGJ6J
GWJJDJQdJ
Y*J\@Y
[J+JjJ+KJ
qJ>8J+
J&J+dJKJ++J
Z3JJ<?Jy
J+{Z#J
J+dJ)J+
ZzJZJ=Y
JY>J+L%GYJ0
^J+J^JQ
JS!JQJ+z/CZZJ58q(
?SJ+M.
J+&u-J+JZ.J
J>J+l.J+
3J3&JYKJ
ZSJ@J+mJ+3J{ Jy4JyiJy
&J9aW:D
Z*W QJ
J0HQJ_lJ+\3
tNJ+^}Jf J
JJVJJsJuJ
J+J+WJ+
Q[JX*J\dRb
?ZZJzJJ+
NJ+Z#GtJ
JI8nQOH
FJ!JEJ
d6ZZZzJ+
J+j]YJJV+Z*2,"J
Z*J+>YGJ+s4JhQQ
qJ4qJbZZJ
dZzJ(YJ_
J+>y*JJ\J+5
J(GJj-J+j-J7J
J+JJ\J+
uZZJ+OWdJ
dUJ+NG
}J+7J+
J+7(nM
J{HjFJ7(J\N4Ju
*YJ+(bJ.
J+;joCJ
J^lJ;JhJdwrJdwJdwZZ
J+dwJ#
?lJdwJJdwJ
/\J(dwZJmXZZSJ;2J
J0duJduJ
J[\JduJ
YJ^\J\d|J
J.d!J+jnM
J$M*\Z*W_ZZ]J
;qJ+(8J+6ZNJYdJ
XJ+vwgJ
J+A\J J
J+9@G{J\
JkZZJ;0SSTJfS
JQJQJJ+NJbgZZ
7gZZJ+QjJN5t
*iJaGJNKJJ
JF.qZZJ{(
EkZZS~
H'ZZ]]JjJQ
ZZHJ;J+
ECZZJ-
J+JG6J
J+{[J{8J.{J.{+J+{J{"eJ@{PJ+(J{XJ(J{lJ.{
J(J+EJ
ZZ!JjJJ
QsSJ\SJJ
:ZZ]dJ>
NJ+J+eJ
J[mJjZZ#JjEJ+`
ZZJ.5I?J
ZzJJ5_Jd:SJ
J+JQJ+iJQJ+JQNJH
8J@J+hJQ2
J@0J8JJqJQKd WJQjJ
&XXXXJJ
qEdWWEZ#
>WdJ,\
J+6JJ,E
J+ISd2JGZ
wJYWJYJ
d J+ dJ+]JV EZxJ+IJ+J\J+iJ+;JYJ+s;.Z*WGJ~
J+W\\ZEJ+J
J+vJ\m
@WHSJ: J\
@J+:>J@EJ
dSJ{J@1J+
JjJ\fJ
J;aUEJ
JRJ+4fJ+JEdJ
JfJ+'Lq
2J+j!J]2d@\J+dW
WJUJ\d
JtJ+J+
d\J+dWE
E J+J+ =@J+WdUJ{
JWdfWJ
J+J+j%SJ
Z^JjJ+g
JZZJ+gedZZJgJ+/J
J/nZlJ
ZZZ]J+hqeJb
Z*J\PwZ*WJYZ*
FJ^J0J
XJ\l>J+J
J}Jw[GY
J\J\?LJ+yGJ
ZZZ]]J|
jJLXZNJodWJ.
IJJIJ.
JWJ=JJ=QjJlJ
F dWQ9
Z*WZ* Z*G
J+J+.JJJ\}x
.JJ-J+=JqcJ+Z
ZzJ\J=(J
J*Z>J+
tJJJUJ.J
k]GJe7J
J\\(J\Z*J+
JJ\@WZXJ7J
#J{J+Jk\J
;J\ZzJtJj^
*J+J+:tJ+duJ-J:*JYS!JdEJ@
wJ"J+~YJ
>"J8YJ
J.2J~*Jp
nJYd"ZZ?J+J(7m
-JgQJj\sJHI3TZZoJt
Z`3J9!GJ]J+s%J]:LJQ[J-OJ(J
8JQcJ_J9
ZZYJ~JYJ
ZzJZzJJhJ@sJ+
0JF Jd3G
GJ\.#J(
J\(J+(J;
J$t Z*
Z*J\d2Z*2Je
J@(J+)D
J+gJDJJ
Jd2ZzJ(J\KW
Je3J-J0J+^J+d`
SJ++J\+Z
J+UdJV@J;JJ+
JJ+[;CJ9K
JZ*0ZzJ\J
J[wJ@5J:hY
J5.\JJ}%#J
\J;5J\Y
:J+(J3
]JJF}J}GJ
JeJenJ+eZ*
JdJwJ@
J-JJ+J\Gx
J;J;J;bJ;J;VJ;6J;
J+;GJ;J+;G7J;J;lJ;J;J;J;XJ;fJ;J;J+;GJ;J+;YGqJ;J;J;
GWJ;WJ;JG
@J@J+@
J@VJ@J%J@J
@UJ@J@
@GJ@-J
@#J@;J
}J+@J@qJ
@lJ@*J
@qJ@QJ
@ J@CJkJ+@
@UJ@J@
@<J@LJ
@xJ@ZpJ
@jJ@J@
@J@)J@Y
@XJ@RJ
@2J@nJ@
G J@wJ
@J@oJ@
SGYJ@AJ
@:J@J\@G
@eJ@J\@G%J@J
@GJ@ J\@G#J@J
@bJ@SJ
@7J@2 J
@NJ@|J
@J@?J\@GJ@7J
J@(J\@YG
@J@OJ@gZZJ+EJ?J
\%d JmEEZ*D
]J*u+J
_J@C<
!J".J+\^\J\YJ
vZZZ]J+J
J{J\90J%\J~J\JaeJ9J
EZ*$J1W^.J+iJ+\
. JfJfPJ\Jo`JJ+
Z*J+FJFJ.IJ
WYJvGZ*J+hJ"_FJ
J+DJ+TxJvJ+
U22nM@n8h
2Jl2 I^
QJ9_2nnMJHJ+.USnJ(
WJlYW dS J9
QJ+lnHo
ZJYS*KJs
nM@J:WJtJ\
J+vQJy
J\%USQJ
]QHJ\EJ}p+
@WSJlJ\IJ
JCIW=J+k
@JoKJ
Kd JQmJJ
Z* [pZZJ
=S<J\dJ
cJ+Cr=
* J+j;J
JvF%SWJoJ
J+QjJWQ9
XJN<J\
J`J JJdJJ+S
Qj*JQj
J+QjJ\
G[7J+3@JjJQ
J+dJ+J[WJ+Q
J(J+&L
SJWdWGJ
dJuJ+ZQjJz#J
tJJ+J+DJ+
J+*J9<J
J+YRJQJ
pZZ](J
$JrJ+VGJ
GJJZ*2JQR
oZZ]J]JJ]p JF]
JsJ;sJ\sJ
J+[`OJ
cJQj[TJwjJ:QlJFpZZJvcZJ+GJ
WH~ZJ+7
?W2ZJ\G
2YlkJ.
4J++J+
6JeJ+)
J+iJ;V
=SJ+qJ+
JLd2J(r]J+rn)
mJ{ J(2
22JyJ JJ)JJ-@
JrJ+EWJ
JmJ\-J\P
Z`JJ\A]J;J\A]J(8JA]J;J\A]J
J{A]J0hLJ@
EJ%hEJ
J J\J\JJ,
JdUgZZZ3ZZJ
>ZZJTiZZ2;
]]J;F\ZZJTFJ+TFJW1J`
ZzJJ0|J
QJ+tCJuJ+MGJ
JKWJJEJ
Q|ZZ`J~>JX
J+[J+.JJ+
UZzJ.kJ+hJJ
dJJ+%J.[
Jh1JJ;
J`JUdJZ7JmJj#J\j#ZZJ
1XJ\1?XJ1JJ
^J+|J(J+>mJHI
J&JuqJ+;2W
J^J\(J
\J;/@JYJ;*\JcQWJ3
J+:J+GJ+J+J+<J+
&XZJeJ
ZUJ4J+J+
J+]5Jn
J ]]*J
Jw cW2.;
C*w>J+\
ZZCSd**
'CZZgJa*JJ@*J
@J<J<d
ZZZ]&J[J+~f
+MJwJ=
J\9x2i
ZZ*JWjJ+
;Jd2GG
diJ4+b,
'Jk<g%
WZZ]J
JrJriJJ
J+&JJcJ
Jd%Jh:
8J+#~O
#JZZZZ6F
I`e{tJF
;Q@.(F0J+Y
nJ_JJmmfL%iaUr
)ZZZZJ,J;
JQJtJJFU J(U
S#JQWJ
JU1}L*
JJjJ+@
}*#J\(Jy
rJj J+jJi
J\JdcJ\F#
UJ#1f*J+jUJQ:%
!Lr4r4
]!!JHJtJ LJ+
LJ+d#r
<_Lie%nee
JJ.!R1
J:#J[4Y{Y*
#11Y#JI
%y*J\JU_i`nfL
<J@YJ.J
JYJ<JJcJ@J
ar4UraU
YLr4a4YJ
LrLL]LJ
L4%J+J
#{mmJ\jJJ
UJJ++Y
YaJ@:J%SPJ+B J+jiJDUJDej
JJs!J+#*
xJ+*Jst<
J+jxRRR
}U%U%%RRJ!
J}J+J+JJY
#R1Jt1
JRy#J!1J
JJJs8JJ\
GJ+d%##J
#JRyJJ+5JJ
JjyJYy
n}J%J+*1Jj
RyJ1J+
J\j1#JJY
``&`p`<
|]7 eeIeceee9eNeeY
{d{{${{>{M{{T{{
tmt`ttatt]t
tHttMtt"tot
I*II)I&I3I I
n\n]nnnn
```W`Qt<[&MJ
e;eeYete4eexeeeF uV6v'{Q{{{N{{{q{W{G
twttt*t_tt,tt5tCt
IITI I
`Q`-`8`
`a```5`
`N```P```p`pc_
e.e-e:e`e
eeeeeHe|eee2ee
{{g{Z{;8uO
"Stt-ttttt&t
II|IIJ+
nn!nnn#nn,nOnnn
=|(````5```
&M'gWSeeQee-eeUe eGe#ee^e)ee
eHeee'ege
{{{{{*{O{b{{l{?{&{|{{{
kZtdtt
ttt2tt
``k`{RO
efeeReje
eeXeeWe\
tttt$tttttPtTtCtw:{
I(IYIIEI
II9I|I/I
n]nnGn
n9nNnHn
eiy#u[9>/
``^````&```g`K{
HMeFeeeeree}exeee
eeeeTeU]
"{{{{a{!{1{{{O{{
nLn[B3`Y`````.K
e$eegee
tatt<tct
tNttttta4
ninEnnn
nvn=nXnn
.``L``
:6nbnn7nnn3nqn2n n
0>VXpD
{5Gq8BF/3I<~"|b:kU[L;
zd&E!9clj
*'_rxT
kernel32.dll
VirtualProtect
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.