3.8
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.74
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200404 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Urelas.b | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_80% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200405 | 2013.8.14.323 |
| McAfee | GenericRXAA-AA!E2BEBAFB833C | 20200405 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0c58e | 20200405 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545336.765625 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545339.406875 IsDebuggerPresent |
failed | 0 | 0 |
观察到命令行控制台输出
(11 个事件)
动态指标
在 PE 资源中识别到外语
(4 个事件)
| name | RT_MENU | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00024c38 | size | 0x0000003e | ||||||||||||||||||
| name | RT_DIALOG | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00024e68 | size | 0x00000246 | ||||||||||||||||||
| name | RT_DIALOG | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00024e68 | size | 0x00000246 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00031158 | size | 0x000002b0 | ||||||||||||||||||
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
投放一个二进制文件并执行它
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
检查适配器地址以检测虚拟网络接口
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545341.437875 GetAdaptersAddresses |
family:
2
flags: 16 |
success | 0 | 0 |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x0001f000', 'virtual_size': '0x0000c000', 'size_of_data': '0x0000b200', 'entropy': 7.87451667840455} | entropy | 7.87451667840455 | description | 发现高熵的节 | |||||||||
| entropy | 0.6312056737588653 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(4 个事件)
| host | 114.114.114.114 | |||
| host | 218.54.47.76 | |||
| host | 218.54.47.74 | |||
| host | 194.54.47.77 | |||
从磁盘删除已执行的文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | Gen:Variant.Zusy.299256 |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Zusy.299256 |
| AhnLab-V3 | Trojan/Win32.Urelas.R145797 |
| Antiy-AVL | Trojan[Backdoor]/Win32.AGeneric |
| Arcabit | Trojan.Zusy.D490F8 |
| Avast | Win32:Trojan-gen |
| Avira | BDS/Backdoor.Gen7 |
| Baidu | Win32.Trojan.Urelas.b |
| BitDefender | Gen:Variant.Zusy.299256 |
| BitDefenderTheta | AI:Packer.3E287B791F |
| CAT-QuickHeal | Trojan.GenericRI.S8512941 |
| ClamAV | Win.Trojan.Urelas-149 |
| Comodo | TrojWare.Win32.Urelas.SH@5674sp |
| CrowdStrike | win/malicious_confidence_80% (D) |
| Cybereason | malicious.b833c2 |
| Cylance | Unsafe |
| Cyren | W32/Urelas.T.gen!Eldorado |
| DrWeb | Trojan.DownLoader13.4595 |
| ESET-NOD32 | Win32/Urelas.AE |
| Emsisoft | Gen:Variant.Zusy.299256 (B) |
| Endgame | malicious (moderate confidence) |
| F-Prot | W32/Urelas.T.gen!Eldorado |
| F-Secure | Backdoor.BDS/Backdoor.Gen7 |
| FireEye | Generic.mg.e2bebafb833c2c23 |
| Fortinet | W32/Urelas.U!tr |
| GData | Gen:Variant.Zusy.299256 |
| Ikarus | Trojan.Win32.Urelas |
| Invincea | heuristic |
| Jiangmin | Backdoor.Generic.ably |
| K7AntiVirus | Trojan ( 004952aa1 ) |
| K7GW | Trojan ( 004952aa1 ) |
| Kaspersky | Backdoor.Win32.Plite.bhuv |
| MAX | malware (ai score=83) |
| Malwarebytes | Trojan.Urelas |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXAA-AA!E2BEBAFB833C |
| McAfee-GW-Edition | Trojan-FFDV!7477695B31AB |
| MicroWorld-eScan | Gen:Variant.Zusy.299256 |
| Microsoft | Trojan:Win32/Wacatac.D!ml |
| NANO-Antivirus | Trojan.Win32.Dwn.drcuqv |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM11.1.5B47.Malware.Gen |
| Rising | Backdoor.Plite!8.2D6 (RDMK:cmRtazpi+AdaV6isVA0Hf7H3bxG2) |
| Sangfor | Malware |
| Sophos | Troj/Urelas-Q |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Malware.Win32.Gencirc.10b0c58e |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(4 个事件)
| dead_host | 218.54.47.76:11120 |
| dead_host | 218.54.47.74:11150 |
| dead_host | 218.54.47.76:11170 |
| dead_host | 194.54.47.77:11150 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2015-04-24 14:44:03
PE Imphash
305cec34f2f99597792558ebd2184530
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x0001e000 | 0x00000000 | 0.0 |
| UPX1 | 0x0001f000 | 0x0000c000 | 0x0000b200 | 7.87451667840455 |
| .rsrc | 0x0002b000 | 0x00007000 | 0x00006800 | 4.387964525103116 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000247d0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MENU | 0x00024c38 | 0x0000003e | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_DIALOG | 0x00024e68 | 0x00000246 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_DIALOG | 0x00024e68 | 0x00000246 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_STRING | 0x000250b0 | 0x00000096 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x000251c0 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x000251c0 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_VERSION | 0x00031158 | 0x000002b0 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_MANIFEST | 0x0003140c | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.DLL:
• 0x4315f4 LoadLibraryA
• 0x4315f8 GetProcAddress
• 0x4315fc VirtualProtect
• 0x431600 VirtualAlloc
• 0x431604 VirtualFree
• 0x431608 ExitProcess
Library ADVAPI32.dll:
• 0x431610 RegCloseKey
Library IPHLPAPI.DLL:
• 0x431618 GetAdaptersAddresses
Library SHELL32.dll:
• 0x431620 ShellExecuteA
Library USER32.dll:
• 0x431628 EndPaint
Library WS2_32.dll:
• 0x431630 WSAGetLastError
L!This program cannot be run in DOS mode.
4.pOpOpOkUWOk``OkT
Oy7m}OpO
OkQuOkdqOkcqORichpO
9~(;c~
!PSPmcoO
$L_^[33
$gHw;v!f9
h<#DV5h
VTpDBsW&j>
/paj(?j@/l6
'i&jQXi
W|;*`a?E
rkl'Sl
&#<f8'
y}*W+j
uIWl&O
j^r$}f
_%PaB9
ItB3$xo
\yP]w9
x(YY=u IN
A;dh|?
F_GahB
6+[Z8c}AX:R
P]E-uE
RvQgNDl
?t _wV
D=gxqn%[g
@;rMSMP9=uJ
]W%&,O
\8^c!t)
FVvcS ;F
PP!@XjS*lU
&U RW=Ha!L>
F1n`?_Pp,&e
f|luZ$
Ap%L; WHpx
f=6CAby
0=h3%P}
.;plu:
)dWSKu
Bh6"0=O:!0
">p:^7`
;^~b[H83
6{5NVAB
48MWl[`"#
xxt#}Sl
uSq!$l
oYX A<m*#v.
2 V~la-h?1^
CP"[x2
5l^n 8
6}Dy,aWW'8Su
8BomtIWV]3M10+V(
_^KZ@,
BzVvlp
~K _9U<
fB!ebD1
[nmQR=Y
QnRW]'
P EJ_F
D\Rs@w,
X_ d^t
(f_"!x
iS.[LL
!'l j(vF
|GnWy#
? !1CZ0
6J#xAFG[{z
dHF87[
WlSKZlnJ
B<X{pF
uz(!ES_F
HVOV8Q
M_cB$6?UV
+gu VjV[VT.
k_r[J~
vH|/zEEEh .E
qApuB{b1r
n_"FB>bb
0nRRO{
Co'[fjm
@Q~^6_?.
sHi"'Cj
+y'ZrS,@-"eVsevVC
4?~=+w
$' b?W;
=>Ev}8i0\/|
hx' \-
^-!E(M'dA
9hqlPKh6q`Z1
^>P:lK
6{%P\l
]#uptg;
2x+9*c
05Wz%.Gy
};Br^%Y:g
3jtx!<
me(zX+8
a/}"YtE(WK
;0&\BuW
,BMx{
P5YY""
PRvNw@Y
UacO_))
k!ts9>
9-"b]I
W%;u Nj
&>_9Y8{$hq
/"V>&!
v!%001N Q
}+F)#o
:&]r\t;]
YPqm{d
Ei)&HBp"f
&^84*96-
+A'g|
t*4Pu-]
66j@Ik:ZW]
D>t8Gp+
UxecY
u<<VV1py98t
">$uPu/
0<Dc%>
hI~(@mX
YQuh\o
l*B>DB.\]ft;]E]B
9{8A/vt
4[]_Kw
U5Y.T&K~^
<-?dPu
EBesf- Y6Y'qn#
kP:'yF
u;Y6JAe#
!D-ZUK9_
CB;r3/u
u0M@4y&^;UG
n_S/ri
}@1"`4?8pwO
5%s2j4h
/%&y8 .H6
IzEMj@}y+E(AV
MUX OL=u,
wGKL;I4 G
Fs{ZRtf
:u)jAXfewZ 6v
XI/5S{s;FMr
mNw;RrDT9B
03$xQ6
u'buTn~
>ue79z-\
GQ]'A]<t {a
j-Yf+CN
['x=;r
$k@vH;`}(P 7UX*
\5X=Tf
7K4L%H-Dg
To=RtPI
90-8[7
@va(UE7hctYH5t
<d/3GWn9}h
L'k%A*@.
rME{C/
M~5e?j
4+t$+tb
L1nqaK+
Qvi`tQ
,[xdF{
i=2o4u+,#x"X
lgI'"af
nK>_QP
xT7tB0Vv
g[Gkqwtn
3*q=guW[|rK~
p@7~7]
'lcUlY"W
8S/atQC
$`6es{(1sc
W^M8;It
FtQ4`K
WS0@By9O
H|FFlub^o"
l**F+w?0t
dl~ h^;
^[]o4kZF
H2]Dkc
.MC}1u
D@|j^!B
WL)ld=p
kQ1>B<B0|`
n]urqR
;r;"3D w
p$x ^#b
Tw =p
H >;mC
3.CTPY]\IPJ
8at0rt#t}m
V`tRHtC
*'DeutW nuT-o(
/G8;eGl
&lz/,+}jOT _9>tj
1XV2+m#Q
Kxg{YY&
X@HvuAF
E;/cj[
:M{<a_l
g9[h-
{~1M3Pe \4d7J
4WmmV=
M[b@_~L+v
}$g\V:0
H}n;`9csmu)oJ h
"+6XVTd
;v.4v\
VL.xLV
#'v@z3
RF-itg[8
mcuQm/)0
_ie$<Ib
n`X)tN
<h\@UwNZ;B
9t5D0j$
rnj?ln
ML6%;u
!86L5c/
1%CT1Q
u:X>&C+-
hhpgQT<4%Z'uP
[U(f3V
,, c:D
60#lmWZe
FShp.
n1$8VYs
i7j8PnNn!b
;D[5*`3
'$!TY{
LI-0TChQX1
.4{@B9_n
>+~,WP-*$Eh
,q/CcXhl !ZP
,YYYP=^
Eu)r9F3<}v_
z8<$2S?
V^[W8B
-m6W$-`;"8bf
{$,$n2
PO4UM`
`zYZ(s+
lX+DS)]vh}6
E#@WQo=
E;0]iu<*@[
<O!a)Bi
y(;#vR
Yf;$qsIT
54{,\9ocx
ih:[Mt+-
;s&\gCS
g&i2+/
GwIm),u*2`
Vj+WQSEmlREP5<[
?90J9!V8
D;_M8ulVDj
J+( "z:
9rzzCQjc)Ge@
*^!ba{;v
$^BTw#oag
zl`oG[
+t1g|9
w}\CpGi}
ii (08@iS
}J8*6(q$S
FfO(J Wcw
[4j^5Z
-p`YLs
YbR"N@.`
=T7;YT
pVST:GG
QcY71kvwH
wnEO|+
Su,`@.S
@=r&F}`P
O`2YN\
X^`N`[O
$x~\d91
N=>=s!.=y~
MJ3tO"l w
P-PW\(
gK57W;nV`cx""20KV
I4~.x#
,#WcR%
2>ti;~Jt
N,P1aY+1%
B\t8P |
|XV*-Z1&;
[.ir]fL
l ~;6<k"po
XSl)lD;(p
|j@^VOjMM^
Ps6xHf@
-:{@!
3H/KV[
P@=SWM>
p);|o9
e1nf7}`
u!S$QmtB
vf<q7'F~xE@nu
DFTE9}
WFl~`wk
BY13f4}v^#&Y 3
.Nhw/W84:V)a
FT=$G$!E
,EWhK3|6
#hhzAR_
<a ([@FN@
4=Ln3u3
kL>M^[
DA"vz W 9
<aW<r@<h
-NHF>!D
6Z(Vs5
@G.MGUV|DOhG
B[]T6c
3@5e%R
Td7{{-%
$T^}sH
>t/NR4
!'!@hH
D8=f3uq,
QA;r8 q!xGpcUG
"nT"R;5l
s(:8\1Dap<"u
y&0=FEt
Au?3}RBu
!%F1Fk0n
G;vo@e-&#
Vv^~90#;
@IuB.C
:qYYW TKS
h,wE^hS
gLs+1nE
0n%2 5S
*"Z5)A
WYk0MP
%:Wo[K
O85'A]D@
t4X0;t(W&b
-<^ud@],8
A_o/R3f0
PSPCN6=@
sT@E$N
%~U)L$!
u/l!Dw
"vg^Ay
8 ON^!@u^
`#E %W[@$q
.Kl\QcC;
<3!2`&s!e#b"E<
o5u-<x%
,P>\>YN
)+Vg9H
+zbnrUhD
tcG%iH
' gCAt j
,D$<5-!{-
nHxB4*
&<ktl`
8i`~bJ@gpM'
<&#b2D
Qb2id2
YG1 "1;
8*Dl* -t [
@&gXGG
RgG1,Hc
0@hC@I
z3mmu#iVF0`e-&
!?"^-*a
XIbN`D,
.(2"E/@
ext]+j
}~0uPp
U"G;/|o
~P](r%h"
O'Y@0v V
Kd!I3Es,9yM-d
D`A:ja!QGN
tR92F@)
WZ(#eI&+w
>| ns!
pT/-c;i
;2r 8^
l`VT0e
3ZiPZj
UWq%\/)X
|('8|dE
N|)_\P_)u x[2hB,p
<U!{C,
Fu-nmT
>5;876 -
HE6:YF
@d9:=V
8%=zAn
5X\H5u
I$L~xK^
6J:%aVD
Y]A$@WA
_@z]bmF
@+;_9z{Ar
J}f?f8V/D
@X^Y]T=&
^f7F[j"
H1VmwA
NOj`,>
UV'x]#?
^aUP(#+C3c
WYsQ`+b
r<u5ja
,o[][Sj
m;|[;
m60t0uW
@H`jm%1p
;4TV]#z
E ,8W',
A T[XM
AJ,WX3
KZuG(|)qx
OW_of@
nPv`y:6~p;gow
#WEhK$}
w.++Q~
BHU|~A
-`w@xP
cmbC~~%D
v2dt!H
wea>y~
~oD\G9
+t? !4
u{ 3~X;t)H "m|@;
d;-E*n
Xjht;7U&
n9( >~
uGtGrX%
t{xG$FFF6vHHHH@NFFHH
Q[?W>}
S#I+_d
$X+2\0UrC8t=
d:Jk8{F
@Wj$\/
UH}%-*
vX#r7?
*R0Y`9Wt;m
\L1k X5
NDs&S
k(IWP|$,
BQQ+91b(
mtX?Pxa
S,dy%$&
\r%r%\K.\vd
r%%\%\rK&y
\r%$(,r%048e\<@De
rHLDP%\rTX\@z`
0AKFv4;5J
22 $826 #<2 #
]sI uthX)
GUR:QuMP
<u7,&u!
u4A[V+r
Wr'@D5;*
1$lg9to5&w u" g5
kJV_`Dh
&22"NU
cf:MW0V
#jfv j
q|vsHHkSF\K7D
A)j(~O)0!`^+
KgYt,
'v>Jdt
9Qv!7*
YA.A8+E3RP
0E]E`vD~3
\l?QMGsT#n
I?U'RQT
AZ ew&
NLvOM(
$r( }|Bk
/bad allocationO`
CorExitPrQes@m~sEIo
60uqL[S
+teukp
t/ sciKSLd
fuccSm+hs
nsXsEby
n!v}K i
lz/Y' nT_'Fd cesebX=_ wou
ay'-Ku
c7p Oa)nx95+
9&DM;.$S2n1e
= ap;c
n6]Ooe,,
mQWP21e
d?m8?B
wg@ro6d#do5]EpWv/rCu[J:9;
/!CcW8,qxI
G7s_mhCU&d
/idoeoaGW=8wS7(
)s)a8a
uQspdKW2f
+RYLt9bme
g%m{=Ke
>6aac4E
L+FlsFree
SetV.u
GAB+cc
S_UTF-/
.{UNICODE
_UnknoRKown ex+p~ .
t3JcwJ=z&{/
gy{wsO
gGyd`1#
{og[4l
DF:mm:
d[57, M
mbeNov
Augus|
nApri>#arcebru
g_WS{{KGC7yC?;3#aturd
Wed|X`
"#$%&'()*+,-./0123456789:;<=>?@ABC
/FGHIJKLMNOPQRST/
XYZ[\]^_`abcdefghijklm
vpqvwxyz{|}~
Eg50, 8PX00WP
-[fQP-c'W#
Y` a_(
VWiStl7
UsIObj
tInform
W3La"A
QageBox1Ud
Xa, uQ
CoYmplPe ~ L
lz s Hiy
mtsc7p
Be[`$Ar#y'
. R eTypeD?tC
vDJncy
itH`#vb {
)+Omdy{m
eMVZ S%f
Go[e#!iize6
`eh +K
a+[&'OxZHaen
RTTI{sEH
udy$jX`nnd`
FBJo'l> ?X]{irdis"
-+*#|&Yvs
(),k)2<C
0Et oBK!=#
'__ung
xi.MpdX
@<i840$
M4M4M44MM4M4M4|dXD$i
M4M4M4xhL,
jz.+}6
doyF=T
t#QIt;wc\
gSrUV7Is+3
)3rkK)ya;f!li
%'Ew`_TKP+18.54.47.76
gmUOEUuN
hU*-GeOm
AC!M|a@E)gbE/d
AAzQL\3
aWEy=AEYW
aeUgUS
4j kU#
;CDyI/Ek
fdr.Ht5s
?Xvnd.
:\PMS\_ANUpdl
_2010\n
.Zt v.7
8;@E"<=>
ocH^a npfM
8GzD@N o
?sHxy"y_{o+
E?AV_%
AC6`P3R
4M7m p
@B4B B
)b&2V@
F~~@~/
844M0,($
|thi`THD@n4
iit`XPiH@80(i
L0>.4G3
g'0`BF
soe\_[
{ywva{
+ _~!/
@-x%/$
d[$".Ua](#/*+;d_+(/
&?F K/?<&/=9
;7A63[4]5mmk
5ed:{cOXY/P.Z0.
QR00/ZPP0
0ZR.BI@/DE0V
C?WkV21TSav^8{
}>qoog
1`_fhsnHK{JLp
Gl-Fjy>Nw~ytMUbbrx7
uzt*,Ua
xH0'LwG
IYk\TPuR;K
C'/pZS#hlA
zkBikV
r+b_]GgmF
loK[TO
qmU}}
l .WA #%3|Y-0
$>8"=7;
F]7u M
I3')+*
,6J!54 CB jYPQTV
lFIkll+TT
UiHceWda/i u`_<bmt^}zy|yx~
wsqpon
_bosf@
;7*n +
0w4o67]nI
POKMNOLO
O% FFB
O(@>=77A
9?<8;$O'
)O6530./21i
z-,4#4P
,U#V L"
l[DSy _
0FP`Q@
dh @`
<?_%jo[
zfnj'v
*V?g'-U5#7
*CkTcO5c
0(2Ir(
8f@9:Bi2
*l[kC6
f{OO&F#C!"
I+rE+?
!kM!?}
#Cwc1N+uME<O+f%L
S]tgP#
t!9+DA
CyokMY1K
a7Bot)
M5seW|{E
6K~C.l0vA
t'osms
\KHY=D
[]00#
$SystemsDir8yW
TickCountnA
Vers1Ex{
o[mCRaGTv2eIo6{k43rolDwpP"b
F^dMoo3tiBygTodeChar
s6mLoL
soFlush2Bu
IsEFxZYu^
oftdHa
Ev(VC2(Op
!`c?vge OEMCP
+(iEcPoPr
srIQu=
*,yB=k'om]X@qee"
$1E`o=)<d\
Unh${d
~5Pvgg
ZcSVhgL
{mASpPRtl
rwiYJC
M=IkAdds%
&SdOf&
XIpgRZ6
L=OYw5
29ZMBn
) ..11K
CJv_k{
,1[U n#
+)(![!W@`
kF@'8Ht
/3}/\7
2 c/#"
&@oh*G
`B#F/)
LOHT.x
!"II.,
@#//.textn*
2H78'v
w@.&s?'H6MP
Otcsrc
GPGWHU
XPTPSWXaD$j
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PA
KERNEL32.DLL
ADVAPI32.dll
IPHLPAPI.DLL
SHELL32.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
GetAdaptersAddresses
ShellExecuteA
EndPaint
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�1�2�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
T�O�D�O�:� �<�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
T�O�D�O�:� �<�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�
I�n�t�e�r�n�a�l�N�a�m�e�
G�U�P�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�1�5�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
G�U�P�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
T�O�D�O�:� �<�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Process Tree
-
0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe (1856)
"C:\Users\Administrator\AppData\Local\Temp\0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe"
- cmd.exe (1760) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\sanfdr.bat" "
- huter.exe (2060) "C:\Users\ADMINI~1\AppData\Local\Temp\huter.exe"
0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe, PID: 1856, Parent PID: 1784
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 7f274158f4bcf419_huter.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| Size | 77.8KB |
| Processes | 1856 (0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | ca02d5a0218c785f99d878402e4c899d |
| SHA1 | 5b4a22bbc272f06890059db6e7e2c074c2b0a002 |
| SHA256 | 7f274158f4bcf41956fe914b3673f83ea8ac5685c26574660bc62d95da946411 |
| CRC32 | D36FF3D5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 95b6230e77bb2fa9_sanfdr.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
| Size | 365.0B |
| Processes | 1856 (0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe) 1760 (cmd.exe) |
| Type | ASCII text, with CRLF, CR line terminators |
| MD5 | 75d266c62ada93ab7e25cbaf03468546 |
| SHA1 | 34c5eda033aba3a76ea9dcbf39969ae6c6202004 |
| SHA256 | 95b6230e77bb2fa90cc514c0de5fa40cebe1da5fce8147ffa350fc4bd742027e |
| CRC32 | 50B8E9CD |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0ca9dcb8c8b15e8b_0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe |
| Size | 77.7KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | e2bebafb833c2c23b3de6681c60e43bd |
| SHA1 | a17174efe821a00eb052f885fda14bb774f8ef23 |
| SHA256 | 0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146 |
| CRC32 | 2B858AAE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 40afdaa0bdbd385e_golfinfo.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini |
| Size | 512.0B |
| Processes | 1856 (0ca9dcb8c8b15e8b5dc3b7963ec1683f91adfc435977eafd2377153690972146.exe) |
| Type | data |
| MD5 | bd60c62717a862c75bbe8c97f365be39 |
| SHA1 | bf0957b47d8a44f51f9e9680c4e06710edc91b1b |
| SHA256 | 40afdaa0bdbd385e5c0f0c0899eb8dc107877ab9d815d7b8885bd4c3f1e34873 |
| CRC32 | EF3134AC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.