0.9
低危
57 个模型检测该样本为恶意!
重新分析
更多

1d440de272b203f233c52cb096d3381e1ec90554c8c5d4fb43caf1c3f9ad7a8d

1d440de272b203f233c52cb096d3381e1ec90554c8c5d4fb43caf1c3f9ad7a8d.exe

分析耗时

194s

最近分析

361天前

文件大小

7.4KB
静态报毒 动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER PPATRE
鹰眼引擎
DACN 0.12
FACILE 1.00
IMCLNet 0.52
MFGraph 0.00
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba None 20190527 0.3.0.5
Avast Win32:Waski-A [Trj] 20191214 18.4.3895.0
Baidu None 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20191214 2013.8.14.323
McAfee Downloader-FML!DF6DF5D64486 20191214 6.0.6.653
Tencent Malware.Win32.Gencirc.10b0cc86 20191214 1.0.0.1
静态指标
行为判定
动态指标
网络通信
与未执行 DNS 查询的主机进行通信 (1 个事件)
host 114.114.114.114
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意 (50 out of 57 个事件)
ALYac Trojan.Ppatre.Gen.1
APEX Malicious
AVG Win32:Waski-A [Trj]
Acronis suspicious
Ad-Aware Trojan.Ppatre.Gen.1
AhnLab-V3 Trojan/Win32.Upatre.R258184
Antiy-AVL Trojan[Dropper]/Win32.Injector
Arcabit Trojan.Ppatre.Gen.1
Avast Win32:Waski-A [Trj]
Avira HEUR/AGEN.1025965
BitDefender Trojan.Ppatre.Gen.1
BitDefenderTheta Gen:NN.ZexaF.33550.auX@aq1Kjmmi
CAT-QuickHeal Trojan.Mauvaise.SL1
ClamAV Win.Packed.Upatre-7168611-0
Comodo TrojWare.Win32.TrojanDownloader.Waski.AQ@7t0jau
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.64486e
Cylance Unsafe
Cyren W32/S-73c6c324!Eldorado
DrWeb Trojan.DownLoad3.28161
ESET-NOD32 a variant of Win32/TrojanDownloader.Waski.A
Emsisoft Trojan.Ppatre.Gen.1 (B)
Endgame malicious (high confidence)
F-Prot W32/S-73c6c324!Eldorado
F-Secure Heuristic.HEUR/AGEN.1025965
FireEye Generic.mg.df6df5d64486e3ee
Fortinet W32/Waski.A!tr
GData Trojan.Ppatre.Gen.1
Ikarus Trojan-Downloader.Win32.Upatre
Invincea heuristic
Jiangmin Trojan.Generic.dayyf
K7AntiVirus Trojan-Downloader ( 004b972f1 )
K7GW Trojan-Downloader ( 004b972f1 )
Kaspersky Trojan-Downloader.Win32.Small.fbbs
MAX malware (ai score=83)
MaxSecure Trojan.Upatre.Gen
McAfee Downloader-FML!DF6DF5D64486
McAfee-GW-Edition BehavesLike.Win32.Downloader.zt
MicroWorld-eScan Trojan.Ppatre.Gen.1
Microsoft TrojanDownloader:Win32/Upatre.A
NANO-Antivirus Trojan.Win32.DownLoad3.ctgctx
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM20.1.DFA9.Malware.Gen
Rising Downloader.Waski!8.184 (TFE:1:karNHTPd89N)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Mal/EncPk-ACO
Symantec ML.Attribute.HighConfidence
Tencent Malware.Win32.Gencirc.10b0cc86
Trapmine malicious.moderate.ml.score
可视化分析
二进制图像
数据导入图像 288x288
数据导入图像 224x224
数据导入图像 192x192
数据导入图像 160x160
数据导入图像 128x128
数据导入图像 96x96
数据导入图像 64x64
数据导入图像 32x32
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2014-01-22 17:46:55

PE Imphash

3bd1cf97537104404441a903e61f0f5f

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000004bf 0x00000600 5.151939272827407
.bss 0x00002000 0x00000008 0x00000000 0.0
.rdata 0x00003000 0x0000051c 0x00000600 3.922707419533366
.rsrc 0x00004000 0x000001c0 0x00000200 5.067991416548164
.reloc 0x00005000 0x000000ce 0x00000200 1.96839116308387

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x00004058 0x00000165 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library WININET.dll:
0x403060 HttpSendRequestW
0x403064 InternetSetOptionW
0x40306c HttpOpenRequestA
0x403070 HttpQueryInfoW
0x403074 InternetReadFile
0x403078 InternetConnectA
0x40307c InternetOpenW
Library KERNEL32.dll:
0x403000 lstrlenW
0x403004 WriteFile
0x40300c HeapFree
0x403010 FreeLibrary
0x403014 GetProcAddress
0x403018 LoadLibraryW
0x40301c DeleteFileW
0x403020 GetModuleHandleW
0x403024 HeapCreate
0x403028 HeapAlloc
0x40302c GetModuleFileNameW
0x403030 GetTempPathW
0x403034 CreateFileW
0x403038 GetFileSize
0x40303c lstrcmpW
0x403040 ExitProcess
0x403044 ReadFile
0x403048 CloseHandle
Library USER32.dll:
0x403058 wsprintfW
Library SHELL32.dll:
0x403050 ShellExecuteW
L!This program cannot be run in DOS mode.
MV,8,8,8T,8,9,8Z,8Z,8Rich,8
.rdata
@.rsrc
@.reloc
_3^@[SP
SMQuPu
SWSuh1@
SLMA<u
tSSSSh1@
]3ESSj
0EPESS4d1@
^EPEPjWu
VEPjW
3SSSSW
]3SEPEPh
]]EPuV
SMQuEVP
agileprepcourse.com
/scripts/pdf.exe
gbcno.com
/images/emb/pdf.exe
text/*
application/*
RtlDecompressBuffer
InternetOpenW
InternetConnectA
HttpOpenRequestA
InternetQueryOptionW
InternetSetOptionW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
WININET.dll
GetModuleHandleW
HeapCreate
HeapAlloc
GetModuleFileNameW
GetTempPathW
CreateFileW
GetFileSize
lstrlenW
ExitProcess
ReadFile
lstrcmpW
WriteFile
CloseHandle
DeleteFileW
LoadLibraryW
GetProcAddress
FreeLibrary
HeapFree
GetCurrentDirectoryW
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHELL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
10?0L0Z0f0t0y000000000
1<1d1m11111111
2/282_2g22222
3H3333333
464N4U4h4q44444
\1`1d1h1
budha.exe
Updates downloader
ntdll.dll
rkilf.exe
C:\Users\admin\Downloads\sample.exe
C:\69216a4172412d0e8f83df8a891bdcea38443f3b3797ba723c5f67ac08e9630e
C:\rHcb7lgC.exe
C:\1f70aa93c9fb98241c0c7144d548215a18b8385f51279615455399a151e196c1
C:\Users\admin\Downloads\budha.exe
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\Users\admin\Downloads\d669398397060fb2_budha.exe
C:\c9c5d91e4eca9801ead736ddf6de687bd22cfbc5da8a826d07f9a2f9e91dcee4
C:\Users\admin\Downloads\budha.exe
C:\2cecab32f407dd878242b9c998ead12c60de221b68f1642a3a4e7cac83769263
C:\Users\admin\Downloads\budha.exe
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\Users\admin\Downloads\a3f03addc24538e4_budha.exe
C:\Users\Petra\AppData\Local\Temp\budha.pe32
C:\Users\admin\Downloads\52e13ae1f8092495_budha.exe
C:\25036c534a2c0f8801b51e895e5f17a0a54ae8a49a4bd4a78bb88138ff43555d
C:\16536a14fef0c211663da51f8416f1310ad41b83944e0499955534f2fd023d0e
C:\Users\admin\Downloads\budha.exe
C:\57d4715204e2ecb50e36fda3206c490e51a0b0692612469ebe85d5f367962a7a
C:\Users\admin\Downloads\budha.exe
C:\Users\Virtual\AppData\Local\Temp\9a338422b8e5a342560d3817b722ec177a7906d9194812007884ff29e36a149e.exe
C:\b7b4c5c55a55f3ccc5a62af4a0c61018bd7dd08a42eb98f2e6478c7d2ed8acff

DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.