0ec48d0341f9b5737e4b1e67749ab1e07a30c1031ca2df0e161526ca455908ee
0ec48d0341f9b5737e4b1e67749ab1e07a30c1031ca2df0e161526ca455908ee.exe
Static analysis: malicious
Dynamic analysis: malicious
CVE
FAMILY
METATYPE
PLATFORM
TYPE
UNKNOWN
WIN32
TROJAN
DOWNLOADER
UNRUY
DACN: 0.12
FACILE: 1.00
IMCLNet: 0.71
MFGraph: 0.00
| Engine | Description | Features | Threat score | Possible family | Detection time |
|---|---|---|---|---|---|
| DACN | Visual malware detection based on dynamic analysis and capsule networks | API calls, DLLs and registry modifications | 0.12 | Unknown | 0.06s |
| FACILE | Recognises and classifies binary malware images with an improved hierarchical capsule network | Greyscale image mapped from the binary | 1.00 | Unknown | 0.03s |
| IMCLNet | Lightweight deep convolutional network model for malware family detection | Visual image mapped from the raw binary | 0.71 | Unknown | 0.22s |
| MFGraph | Builds a graph network from static features to detect malware | Static-feature nodes from the raw PE file | 0.00 | Unknown | 0.00s |
| Scan engine | Result | Scan date | Engine version |
|---|---|---|---|
| Alibaba | TrojanDownloader:Win32/Unruy.351a38fb | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20191025 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Clicker.Cycler.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20191025 | 2013.8.14.323 |
| McAfee | Artemis!D3F85C0C66DE | 20191025 | 6.0.6.653 |
| Tencent | None | 20191025 | 1.0.0.1 |
The binary may contain encrypted or compressed data, indicating that a packer was used (5 events)

| Section | Virtual address | Virtual size | Size of data | Entropy | Description |
|---|---|---|---|---|---|
| 1988202 | 0x00001000 | 0x00003000 | 0x00001200 | 7.963189341479896 | High-entropy section found |
| 0734900 | 0x00004000 | 0x00001000 | 0x00000200 | 7.597444948590449 | High-entropy section found |
| 9145017 | 0x00005000 | 0x00016000 | 0x00005600 | 7.990936313877149 | High-entropy section found |
| 5947579 | 0x0001b000 | 0x00003000 | 0x00002200 | 7.6227882290000775 | High-entropy section found |

Overall entropy: 1.0 (the overall entropy of this PE file is high)
Communicates with a host for which no DNS query was performed (1 event)
The file has been identified as malicious by 60 antivirus engines on VirusTotal (50 out of 60 events)
| Engine | Result |
|---|---|
| ALYac | Gen:Variant.Graftor.649665 |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Graftor.649665 |
| AhnLab-V3 | Trojan/Win32.RL_Unruy.R278605 |
| Alibaba | TrojanDownloader:Win32/Unruy.351a38fb |
| Antiy-AVL | Trojan[Downloader]/Win32.Unruy |
| Arcabit | Trojan.Graftor.D9E9C1 |
| Avast | Win32:Malware-gen |
| Avira | TR/Click.Cycler.AE |
| Baidu | Win32.Trojan-Clicker.Cycler.a |
| BitDefender | Gen:Variant.Graftor.649665 |
| CAT-QuickHeal | TrojanDownloader.Unruy |
| Comodo | TrojWare.Win32.TrojanClicker.Cycler.A@1es5wl |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.c66de1 |
| Cylance | Unsafe |
| Cyren | W32/S-18e3407a!Eldorado |
| DrWeb | Trojan.Siggen.22001 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Unruy.AY |
| Emsisoft | Gen:Variant.Graftor.649665 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-18e3407a!Eldorado |
| F-Secure | Trojan.TR/Click.Cycler.AE |
| FireEye | Generic.mg.d3f85c0c66de1f88 |
| Fortinet | W32/Unruy.BK!tr.dldr |
| GData | Gen:Variant.Graftor.649665 |
| Ikarus | Trojan-Downloader.Win32.Unruy |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.czegc |
| K7AntiVirus | Trojan-Downloader ( 001156081 ) |
| K7GW | Trojan-Downloader ( 001156081 ) |
| Kaspersky | Trojan-Downloader.Win32.Unruy.b |
| Lionic | Trojan.Win32.Unruy.a!c |
| MAX | malware (ai score=88) |
| Malwarebytes | Trojan.Unruy |
| MaxSecure | Trojan.Malware.74181594.susgen |
| McAfee | Artemis!D3F85C0C66DE |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.tt |
| MicroWorld-eScan | Gen:Variant.Graftor.649665 |
| Microsoft | TrojanDownloader:Win32/Unruy.C |
| NANO-Antivirus | Trojan.Win32.Unruy.gatjii |
| Paloalto | generic.ml |
| Panda | Generic Malware |
| Qihoo-360 | Win32/Trojan.Downloader.7bd |
| Rising | Downloader.Unruy!8.D8 (TFE:1:ao5vm6eje9M) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Unruy-Gen |
| Symantec | Trojan.Gen.MBT |
PE Compile Time: 2009-11-14 06:31:06
PE Imphash: 3c0e70bfa5f73f1f1cef484e2bcb5bf8
Sections

| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| 1988202 | 0x00001000 | 0x00003000 | 0x00001200 | 7.963189341479896 |
| 0734900 | 0x00004000 | 0x00001000 | 0x00000200 | 7.597444948590449 |
| 9145017 | 0x00005000 | 0x00016000 | 0x00005600 | 7.990936313877149 |
| 5947579 | 0x0001b000 | 0x00003000 | 0x00002200 | 7.6227882290000775 |
Strings
L!This program cannot be run in DOS mode.
nynynyLrnyqjnynxny)qonyRichny
1988202
0734900
9145017
5947579
kernel32.dll
user32.dll
GetModuleHandleA
MessageBoxA
(the remaining extracted strings are random high-entropy byte sequences from the packed sections and carry no readable content)
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped buffers.