25dcf292817088e20672a38f185e3160068ae9a7dc83c1af0a3ebd2a4232f164
25dcf292817088e20672a38f185e3160068ae9a7dc83c1af0a3ebd2a4232f164.exe
Static detection
Dynamic detection
CVE
FAMILY
METATYPE
PLATFORM
TYPE
UNKNOWN
WIN32
TROJAN
DROPPER
RAZY
DACN
0.12
FACILE
1.00
IMCLNet
0.67
MFGraph
0.00
| Engine | Description | Features used | Threat score | Likely family | Detection time |
|---|---|---|---|---|---|
| DACN | Visual malware detection based on dynamic analysis and capsule networks | API calls, DLLs and registry modifications | 0.12 | Unknown | 0.07s |
| FACILE | Recognises and classifies binary malware images with an improved hierarchical capsule network | Grayscale image mapped from the binary | 1.00 | Unknown | 0.04s |
| IMCLNet | Lightweight deep convolutional network model for malware family detection | Visual image mapped from the raw binary | 0.67 | Unknown | 0.24s |
| MFGraph | Builds a graph network from static features to detect malware | Static-feature nodes of the raw PE file | 0.00 | Unknown | 0.00s |
| Scan engine | Result | Scan date | Engine version |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:DropperX-gen [Drp] | 20191021 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191021 | 2013.8.14.323 |
| McAfee | GenericRXIQ-VS!DDCAAD94DAFC | 20191021 | 6.0.6.653 |
| Tencent | None | 20191021 | 1.0.0.1 |
The binary may contain encrypted or compressed data, indicating the use of a packer
(2 events)
| section | {'name': '.text', 'virtual_address': '0x00002000', 'virtual_size': '0x0001cb54', 'size_of_data': '0x0001cc00', 'entropy': 7.271134226705969} |
| entropy | 7.271134226705969 |
| description | High-entropy section found |

| entropy | 0.9956709956709957 |
| description | The overall entropy of this PE file is high |
Communicates with a host for which no DNS query was performed
(1 event)
The file was identified as malicious by 37 antivirus engines on VirusTotal
(37 events)
| Engine | Detection |
|---|---|
| ALYac | Gen:Variant.Razy.531330 |
| APEX | Malicious |
| AVG | Win32:DropperX-gen [Drp] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Razy.531330 |
| AhnLab-V3 | Malware/Win32.RL_Generic.C3480943 |
| Arcabit | Trojan.Razy.D81B82 |
| Avast | Win32:DropperX-gen [Drp] |
| Avira | TR/Dropper.MSIL.Gen |
| BitDefender | Gen:Variant.Razy.531330 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.145d59 |
| Cylance | Unsafe |
| DrWeb | Trojan.MulDrop11.15850 |
| ESET-NOD32 | a variant of MSIL/Kryptik.SVQ |
| Emsisoft | Gen:Variant.Razy.531330 (B) |
| Endgame | malicious (high confidence) |
| F-Secure | Trojan.TR/Dropper.MSIL.Gen |
| FireEye | Generic.mg.ddcaad94dafce632 |
| Fortinet | MSIL/Kryptik.SVQ!tr |
| GData | Gen:Variant.Razy.531330 |
| Invincea | heuristic |
| Kaspersky | HEUR:Trojan.MSIL.Crypt.gen |
| MAX | malware (ai score=86) |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXIQ-VS!DDCAAD94DAFC |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.cc |
| MicroWorld-eScan | Gen:Variant.Razy.531330 |
| Microsoft | Trojan:Win32/Phoetel.ST!MTB |
| Panda | Trj/GdSda.A |
| Qihoo-360 | HEUR/QVM03.0.B2BF.Malware.Gen |
| SentinelOne | DFI - Malicious PE |
| Symantec | ML.Attribute.HighConfidence |
| TrendMicro | Trojan.MSIL.PHOETEL.SMTH |
| TrendMicro-HouseCall | Trojan.MSIL.PHOETEL.SMTH |
| ZoneAlarm | HEUR:Trojan.MSIL.Crypt.gen |
| eGambit | Unsafe.AI_Score_99% |
PE Compile Time
2019-10-21 16:16:57
PE Imphash
f34d5f2d4577ed6d9ceec516c1f5a744
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x0001cb54 | 0x0001cc00 | 7.271134226705969 |
| .reloc | 0x00020000 | 0x0000000c | 0x00000200 | 0.10191042566270775 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped buffers.