1.3
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.61
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20191217 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191217 | 2013.8.14.323 |
| McAfee | GenericRXGP-KT!DD70D100B5A2 | 20191217 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0cc14 | 20191217 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x0000f000', 'virtual_size': '0x00007000', 'size_of_data': '0x00006200', 'entropy': 7.8382833206000795} | entropy | 7.8382833206000795 | description | 发现高熵的节 | |||||||||
| entropy | 0.98 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(3 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
| section | UPX2 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| ALYac | Trojan.Agent.DNSR |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.DNSR |
| AhnLab-V3 | Malware/RL.Generic.R246075 |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Arcabit | Trojan.Agent.DNSR |
| Avast | Win32:Malware-gen |
| Avira | HEUR/AGEN.1004962 |
| BitDefender | Trojan.Agent.DNSR |
| BitDefenderTheta | AI:Packer.0C979D2F1E |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Malware.Cmifao2i9nl-6825052-0 |
| Comodo | Virus.Win32.Agent.VP@8ek9ga |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.4d7806 |
| Cylance | Unsafe |
| Cyren | W32/Trojan.ECUA-4313 |
| DrWeb | Trojan.DownLoader23.51365 |
| ESET-NOD32 | a variant of Win32/Agent.NCK |
| Emsisoft | Trojan.Agent.DNSR (B) |
| Endgame | malicious (moderate confidence) |
| F-Prot | W32/Trojan2.PZDI |
| F-Secure | Heuristic.HEUR/AGEN.1004962 |
| FireEye | Generic.mg.cebe2f14d78063df |
| Fortinet | W32/Agent.NCK!tr |
| GData | Trojan.Agent.DNSR |
| Ikarus | Virus.Win32.Agent |
| Invincea | heuristic |
| Jiangmin | Trojan.Agent.brls |
| K7AntiVirus | Trojan ( 0000e1321 ) |
| K7GW | Trojan ( 0000e1321 ) |
| Kaspersky | Trojan.Win32.Agent.neyndy |
| MAX | malware (ai score=80) |
| Malwarebytes | Trojan.Agent |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXGP-KT!DD70D100B5A2 |
| McAfee-GW-Edition | BehavesLike.Win32.Ransom.mc |
| MicroWorld-eScan | Trojan.Agent.DNSR |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Trojan.Win32.RP.fkilpx |
| Qihoo-360 | HEUR/QVM11.1.F0A1.Malware.Gen |
| Rising | Trojan.Agent!1.B5F1 (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Downloader |
| Sangfor | Malware |
| SentinelOne | DFI - Suspicious PE |
| Sophos | W32/CTSInf-B |
| Symantec | ML.Attribute.HighConfidence |
| TACHYON | Trojan/W32.Agent.60440.C |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2015-05-05 21:45:31
PE Imphash
f1a539a5b71ad53ac586f053145f08ec
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x0000e000 | 0x00000000 | 0.0 |
| UPX1 | 0x0000f000 | 0x00007000 | 0x00006200 | 7.8382833206000795 |
| UPX2 | 0x00016000 | 0x00001000 | 0x00000200 | 2.9046664760200502 |
Imports
Library ADVAPI32.dll:
• 0x416064 RegCloseKey
Library KERNEL32.DLL:
• 0x41606c LoadLibraryA
• 0x416070 ExitProcess
• 0x416074 GetProcAddress
• 0x416078 VirtualProtect
Library ntdll.dll:
• 0x416080 NtClose
Library USER32.dll:
• 0x416088 wsprintfW
L!This program cannot be run in DOS mode.
F.'}'}'}>>}'}><}'}>?}'}_b}'}'}'}
=}'}Rich'}
&2>{<L`6|
"2yBXj4y
<2Hb|<
*>Vnyyzy
MBkIgv
CorExitProcesD
r:uVfsB
a *es"c`
?Jha C.
a"a?7vknVxeRekmxm.l
i&oJk5=
9ltZ=
?eG2*2
#;5>;prnu
1yA^tmt#pwem33p
}'ak?<8\
*f3m_3_[$sM
LzmWd mW
gsby00X
ss Sk cv/r
%WfKLO-i
c /*l)4
sD'Mvi!
i? {xDXg[-Ca5v<TcO
8gS3G7TnOBS;G
n/mO ?
0w|\]f
l]cKgd!
aB:Ek<+
<uOMs_
k r'l-
7FlsAlloc
GetValu
S|AIniti
izeCrc
|k4c"onEx
maphof
"WpTh.dStackGuamranFeW5poolTimehO>_)WaF/
Clbsvsn
sh;WeBuffs
wpILibryWhenp!
RurnBxC
~Numbaw16Logw7
JnkWg~Defaul
Dir`ieZ
EnZsdm[
omp6tHngw
DF YpC n?U rUNa@Is
id)LCMh
We&ui.
s[7{Nn
jv('J.eA
c_&ygrzgsz
sC~?88s01
PMM/dd/yd
(,HH:mm:=pW
TeW3 hyp"
nnk s#B'r#
l?eR9X>vNv
Vmr#Zh=l/~
#J{SH
gD)pBoA_W
Wdowas'
kPopuxwObjJ
H ( *9 H
_[A #B
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`?!T
ABCDEFGHIJKLMNOPHQRSTUVWXYZ?
[./'*p*x*
#G !"9r#$%&=
6 7(89r098>@?H@#G
PAXC`Dhr
FpGxIJG
#VWZ^~9re
#G,%8&D'
9rP)\*h+t,#G-/29r
4567/G
94A@CLDdE
#pF|GI
9rJKLN
e k0l@A
&|yB 3qgrl
9r@LXCd
$09r<HT`#G
l& \8r
Lv.?,s
9rDP\Mh9
Gtg> 6%
9rN8/t
#gGoZ(
P+_~878
r#GH1(x:G&4
/?@#gg
PS/P2\y6'7&
hgg$?9qvtf
#G>;@0v
T9q6r9
(V#gGh
#Ho`x8;r
]73 z@
|W #G_$b
4<OT{'
ut+aOijN.k
onn pvp_r/rh|9k
h%0ruF! o
o\p;ell_f_
Vw{*zoum.fn
ooiOs?vk
6a nolk;?ySv/
E2'GZ/
E?-rR'
[.r/h_;>
?-UGu/S
bO.pPxXNgRW
uUr`RoKwtiKA.vE&ttT
rRqyKOdDw9iUeYl]
vvBNOM7
NM>6Zxv
oEwokO
7NtKTe//s*YkZ
h$wb=mO&
4iK/t
ekW7gl
rwwsm_Mcg
GrilcS
mSEg_g/
:8VnC[1yNe
GLnBTHmC
OI2bCo*
SM_;6EP/fG
SqgY6'B_\vOgn
GTsR+OBW
CGK/nH?
WqLGA U7kf/B_P/Q
O7{3q-
wKgyz1;
c/WXl/b
/_ioadf
er!y/ypduvwt7e4Vbruo
w.qA<W
qpw[*e
.nnrm/
1KGns ;G
hmB?S
lioc Bnok?jj.n sEql
p/_yWv
g uGpwGup"
fu`-$/B
jRTIK#
5MKPRrhD%^T^VVXZ
Zj>l{MX
_q!tpv&xRz
@c2527
^.6 ?w
%p6Wg=<(RFzCxke&yZI
PF{xT2wro2Ds
jr478^H
l6/0tP
+&= QTI
Q`ME><x@,
9]vWF_G'm
;}r_^[D
XX_[]XPSGw
KW#DY?
xA@#@28
jD 4vlZP,
#ISp>G
0{hSP
`FEQ`d$/
p,-:&jvFb
C/|2iaQ
'Xwa?x
^f|$<.tJ&<3
$`8G<i
}56LqF,uh
!3W0 %T
>|O HcH
H|(o\h_` <
xH = I
W4QQJ/
Ju{fm>S
V'0|:c
8+F:^|u
<!POEj
EQO`YY
euZ0r}
Ska]Wa%
e4)C=dD7
o}Genuu_
ineIuV
luM\@_WE%?
N8csmu%x
S^`F`y
_F\pjd
9J~dFd
,*A&u di*4S
?x<vdj
~$jv$eK0g
r@DDHn\H~H
q&zvl#QjY;'s
i&Va{}p
L`fYNGh
g$&t3V
pjCXfh{
4\p0(l6_;
bl:hYc0x#
5W6\uah
]md$'x
uP"_wY_}8h
;HghrR^h
pnp-;}
{3jXh~
7"Sf*I=#Z
@VAy}pXu)@*<v5}!
-%iRp+
IBx@_{t'W7-u{h:
ho-|~tIU
_3^8~F|[S
v/j@j _
tDk[}
} wE }?Z^=[UU
vM`jG@z
6>r!0@
"Sxa/8
4Xu;`%p
&_y98j
~a"f;5\
tDwYdX
zukdg x0
lYP^Ge
N@-zILt
+WtGqER6
]}%;d6t
VHQVxzu
~~wYCg%
e@0pD
2 ,<=u\_
]6,K+C9*v
?Vj ^yw
vTG~hT-/Mi([
^21,"6!t
Mufd]D8\pd
Q@x8ug
WQeR0mh
pp|[>K;~N
6Q<P_)
hx?4+\VL
S\)H!k
d--*0z
@pPV1sP
W3dKT<'Y2
8N3sBh=7[
P?I/||j
j3N(Jg7
Nst6rxt
-|Du}~
Q4_[@a
/pl []
FlP\kFg?]k
t4J0;t(W8m
>v ;-(t&
WtA@I9,SG
'fO$fMc
V].!;VfIGh[lUe8
;aqnh {
po33S{qxt`
M,A3)}
VZfm.s_W~W
9$[/+rA0(=}b3
>4J{02#S%
FP-^r&
n9]vO}]t!PV
xvlUh$
[s^MUgFk0
t5ADt+
|C;vf9x
ROuk`]_^%[(
Rn8cchY
FWD__5
sGlmV"cS
/j(P3MP
) v$mT6i
%#HMra
5w<Cw6
/y&>t1
vYJHrp$0w
^{DluHPU
0 ~^w\VzQ
-EzIR=
G`pg`VM1uA
D(r@;}&kVdU
bA?9:C
tAa0r2"
J_Bild
9u&z3r
3v%O +*
_[ t.|
WK~?(m$
?)$9}t
;tO9=0G%iSJM0
ZUe(hu
|b#?nT$
;v.4v\
(QBJ(U1L
lRQ2tG
8"1w{H
$V5714
YO;r"D
Ufg*YH]@
>Z6B0s$[
"WtL)||$R
OVdgkL;=
0gh>(n00
en+o 0}l
<|DD<<<;(hB
Wt1|9Wp+
';;22+hCd
FqkOHgbNZ
,'wAWS3
nP}>v`~p0g&
FFJu8O
lZIu$t
!++Qc`/?
YkVX!#
(}^ZKu
FV4crCu^
% $$r88<<\r@@DD.\.HHLL
$(,0''''4
DHLP\prTX
\`dhlptx|K
L2$2$$L&`2e
dIdI&I&I&d
$dI&(,0I&48<@`@eDH$L2LPTL2X\`
|$9E8RNJX8
~KYAr?
&&QSc($
-,*SYE
t, H)U@
u`sop1z~B
0xu|!h
s=~AQiw9]=3
+]#LYD)
NjA[jZZ+U
t"ff5n
8x$;ag
<#6ic}Ou[Y/
!a0O`pY
r!}9%R
5C;0SGYD G
A$A$]6
5=fZg0
UQPX^Y[
^}SD\v
AuAApKu:7
@X fV+rZ/J<xifcZ
x?F}5$
ttW(J=N?<8(
nA_e!M5* ]+6ae
8cV7v_x
}?)LV DpY
d3FVv@D
<,!3~9U
.> !8K
RRP>m3TY
;Cg!$
Pe~,8n=?
vZh]@9H4W&
!]SZej%tVDxmQ
$QPcIM
j\B~<]
T@y=RtU$<
*B%H@1%
(S#_#!C
j<Cf>%;
vtL>T1%abWwu
/=+Hs;\.>$
Y^0k48|*
VVhU.12(
rbRlXq
i?18Q.$
L<.YCwP
5*o lRB$e
t7; t57
^^DVQpzA)qT
';_t|%
V(n1ci
8lh1'q
<0} U_!xV
lLY/7N2
Z2-(FS
'=aOV "x|?[ ev
o?qCNw
;QqOHpDc
djR'L&Bv
/?_U[mP?
X\<`dhlpx<<<
y ,4@LPyT`t
4<D<LT\dlyt|^<y
0DyLTh~
v{giv_
_j2r1~#
??cU1<
/!5 ACPgRvn/S
WYl/ymV p
?\pr )
XzxrTyp.-eW
1YkiiFile
<-{{+B
S;P[:;of
]Yv&dNexAW5Fm
xpaREnvinmeAfvC*sonm
roVaabg;[F[
dH6l}o
Mod CP
mmfK;{VLIsw;[<
I^kedkKk
cFm+De
FliiwF10I{h
E+7Addr/
M<tiBy oWivCha>"xq-
XuZ`tER`
ZYUn}9,
|V+1Unh
S9+*km$T.m-""P
,ASveV
CCUagA`
NbugNrG
Rtl`wi
g1Key9+S
tnRJX9/o_:W=Acqu
N+/tWI {
8afQq6
Wwspdtf
,&1/$-7(
,!*2v w
\K.reJf!;-N"Bw
XPTPSWXaD$j
ADVAPI32.dll
KERNEL32.DLL
ntdll.dll
USER32.dll
RegCloseKey
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
NtClose
wsprintfW
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.