1.3
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.67
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Sytro-AD [Wrm] | 20191121 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Agent.aaw | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_60% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191121 | 2013.8.14.323 |
| McAfee | W32/Sytro.worm.gen!p2p | 20191121 | 6.0.6.653 |
| Tencent | None | 20191121 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00012000', 'virtual_size': '0x00008000', 'size_of_data': '0x00007800', 'entropy': 7.898074659634051} | entropy | 7.898074659634051 | description | 发现高熵的节 | |||||||||
| entropy | 0.967741935483871 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 56 个反病毒引擎识别为恶意
(50 out of 56 个事件)
| ALYac | Generic.Malware.SN!.F1C645B9 |
| APEX | Malicious |
| AVG | Win32:Sytro-AD [Wrm] |
| Acronis | suspicious |
| Ad-Aware | Generic.Malware.SN!.F1C645B9 |
| AhnLab-V3 | Worm/Win32.Sytro.C314843 |
| Antiy-AVL | Worm[P2P]/Win32.Sytro |
| Arcabit | Generic.Malware.SN!.F1C645B9 |
| Avast | Win32:Sytro-AD [Wrm] |
| Avira | WORM/Systro.I |
| Baidu | Win32.Trojan.Agent.aaw |
| BitDefender | Generic.Malware.SN!.F1C645B9 |
| BitDefenderTheta | AI:Packer.0036B3E021 |
| CAT-QuickHeal | W32.Desfiro.MUE.A8 |
| CMC | P2P-Worm.Win32.Sytro!O |
| ClamAV | Win.Worm.Sytro-6840421-0 |
| Comodo | Worm.Win32.Soltern.N@3uzl |
| CrowdStrike | win/malicious_confidence_60% (D) |
| Cybereason | malicious.23bba3 |
| Cylance | Unsafe |
| Cyren | W32/Sytro.KUUM-5074 |
| DrWeb | Win32.HLLW.Sytro.31 |
| ESET-NOD32 | Win32/Soltern.N |
| Emsisoft | Generic.Malware.SN!.F1C645B9 (B) |
| Endgame | malicious (moderate confidence) |
| F-Prot | W32/Sytro.L@p2p |
| F-Secure | Worm.WORM/Systro.I |
| FireEye | Generic.mg.efd684b23bba3173 |
| GData | Generic.Malware.SN!.F1C645B9 |
| Ikarus | Virus.Win32.Sytro |
| Invincea | heuristic |
| Jiangmin | Worm/P2P.Sytro.l |
| K7AntiVirus | Trojan ( 00540e8a1 ) |
| K7GW | Trojan ( 00540e8a1 ) |
| Kaspersky | P2P-Worm.Win32.Sytro.l |
| MAX | malware (ai score=80) |
| Malwarebytes | Worm.Sytro |
| McAfee | W32/Sytro.worm.gen!p2p |
| McAfee-GW-Edition | BehavesLike.Win32.Sytro.nc |
| MicroWorld-eScan | Generic.Malware.SN!.F1C645B9 |
| Microsoft | Worm:Win32/Soltern.N |
| NANO-Antivirus | Trojan.Win32.Sytro.fybz |
| Qihoo-360 | HEUR/QVM11.1.5E4D.Malware.Gen |
| Rising | Worm.P2p.Sytro.l (CLASSIC) |
| SentinelOne | DFI - Suspicious PE |
| Sophos | W32/Systro-L |
| Symantec | W32.HLLW.Electron |
| TotalDefense | Win32/Detox.C |
| TrendMicro | WORM_SYTRO.L |
| TrendMicro-HouseCall | WORM_SYTRO.L |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
d7b2934b89bc50c5c343ad84032de88e
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00011000 | 0x00000000 | 0.0 |
| UPX1 | 0x00012000 | 0x00008000 | 0x00007800 | 7.898074659634051 |
| .rsrc | 0x0001a000 | 0x00001000 | 0x00000400 | 2.6866361080342207 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_STRING | 0x00016d14 | 0x000002a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00016d14 | 0x000002a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00016d14 | 0x000002a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00016d14 | 0x000002a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00016d14 | 0x000002a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00016d14 | 0x000002a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x00016fc4 | 0x00000094 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x00016fc4 | 0x00000094 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library advapi32.dll:
• 0x41a25c RegCloseKey
Library oleaut32.dll:
• 0x41a264 VariantClear
Library user32.dll:
• 0x41a26c CharNextA
L!This program must be run under Win32
StringX
TObjectd
System
IUnknownn'9;
2 D@<2 840
zTpD$,
\$0`|o
2?2 SVL
$i-G;CO
s^o2O;rl
w;;t4san
s]kJyH+
+=vE5<^
6J O+I
?n]Ay]i3;
,vKITR
FHF>5]M
>G3m+U]|
fJHkW8
^<H 8S(&Ex @N
Jd2d"h0CT=
.}-]S%
A&l[S;
ha-J<x/Idc]8
4pM&Km7~Kc
KPZ,><|
Gi' k~{
g5L=]Rk
%L!1!J
S!l6**]EhxQ|,
V@;=zP6pu,U`
l4;vc0
](.U!$
RsSA!?
7W;alA=}
WPRQ-d5X1cP]"cK
mH[j|x
< v;"u
7uaN0/
)~O hD
LkePvk4
+tf$xZtaXt\0
]OOJZ
\%\{F83
PvP4BhXh5
JtMbyn1*0 livT/P3
fpf%Vf?f
OFTWARE\Borland\Delphi\RTL
FPUMaskValue
-9_`Ap1
!+H[uL,'6
fYc>ukaX)'\G|v_{*
mMP:XX}{[
`c9,aA
R Z:7a
(Ph?.4R@$4(
/t JKO`MB
;ZTUWVS+
^RJS0O3/
?Zd$,?]"Q
b$v/O`
r6t0R=)
/'=t&*w-&"i
/?tp(1
.#l{/S|
<l_P0,
Zv0p!Rjh
r<DA8=w%
_&K0/<
7b[+e
=F1RD%-I 68k
RC8, <usS(
PUons Copyrigt (c) 19839 t
Nuk'$!fCA
"g>7)b},E
[RlJ+k
Z).#/-Rf]
BIW[](\
CaAXKl;
%ScqOEpk"PSRPRAj
jYPwDx
~X$SaJ
~h@kWW
9uXJt
="+8A@
8'.#`v
9} )@|
qXw0YN|*,}&`_2~")9~
:~w~R?)
]@;1wOWrJxQ
0C)_2[1LH
uV#x^u
v9|o?4u
s)LKBY[ BH
[<']PI
<O'/41
y1FXb{f2
+t4+HlV:B
,h"Z;|
5t7P?M
2<CRa}
.o; *Xz=
e;|bK0
;g<ua%C2&W_r$t/aWL
&>B].x
PpP!l6=(S
f8?*-f8
G [D/:
EA3L@fsA
Z'7Dv"
fI|'V`
_^eAXe
<_;Ybff Hd
DSDvib"
UM+~"iU
{[**BM3
,BXM)M
HO6|"G,
tIuY&TB7WA3"
zC^0(^j
xhG_wW
b+u\gXH|c]8J|
j0sgS (R
Akernel327.dllKGeVongPathNam
|j>EVo
nuA{c2
tmC<8gt
tware!
calesM
-H@{c!;$k"tm
/0X?e+
KU!Fd:0
m2 t={
t*3+l[P
8#pk}mt
fh?OHu
..=}xC<vF
'6#@!}6-
`R ZHoAlP66L>
!.t;:=0
wl,$YHU
uH(FW"|ocm
v"$ ^X
?_]PV3
HXYu Vss
["Xf2}
+j6=QA$t;xu
C!,%6b/9;
xwtAj+
=t,jawx
7F\(@aw~!@W@%&
K-vF+;QQy'k
ZK,~xXI
c%*V6|6E=
E4VG}9BC
4.7@v:k
&Dn2xH/W
@aQY_oR
b@"E@|oe@p+
BkU'9p|B0<R
B~QC/j\
Cv)/&D
dEJzEb
]Z T7aZ7
P%uYnb
"Ux2\$
#/+%,[
zLI3]Y
G3/RB
Qy!'{]gpZ-3
Vnl4u
3:|7Fquw.J
2 @<82 40,
r0 9`\@`
ExcepKdA
gL`~C~EHeapZ\[\
EOutOfPMemory
EIn]Err
cW_%O^ c|b
ED!CivByZeroxxl
RangeW
sInverflow,dc
idOpWf8
Ee4eW4e1k`kWW P
UzndXW
[Casto
C%i[x
EAcssVla
"+XgXg.xPrxle
hotjxllCkdW
and i_ 6+i
r|[|;5
f8[,^(9 dG
Win320jK@^0jSt
afecal
hreadArray
P5(TMul}Rylus
W~Sync(6Diz/oj
[!.MYCSDtDw
R9vb9t*^
Y;h.Jul[Tzo
L(?jQu
&[jv"BGM
fXZZ+(
__LQ,b"u<
)6DBt?
t+{[.Y
QmK[^_O3
eW )GT
!#V@G1
_?^SECE v
p!J?<
4BPy96
0(ZM(klbl
g@7#`.
.%VuQR
N`\D*t"
0r<9w7k
*sM"^sr
)/(".]{
[b#-AN
%'v8wvp
d+fS\A4
k"gO`)
NtyM`l=
/f`8PLg
+I+;}$
vQGI1tu
BGSwZ*!l
|9 pCD
u`pqf.
$-`1p$
Zw NUlkq
t J<m@
xu{Yvwv(
jbm;gxoU
V/Phd%
`6^wT21
r%%5:D
s}z&\C;~jk
15\:(g
XIz6@gg
0-D3^X
Itb+9Y1`
}Xa}p;W
@H7sb|nS
?(olMY,D
2XYSU?<HtHU3t7Gfgd5(
=}H`x`F
VcdV~C
l$;GfZ>'#cg[,#'#
$s^Ivs
ef`)>,
T.lQ[ <L
ErmMFkmaJf<`
PLm@Ns
x=FAOJ`<
&jJ/TM8MF
@UjI3%
O'&'hI%uS
v\,r
m/d/7W m
d, c }am
jr#hh AMP
:<@hl+
DiskFreeSpaVAF60
X5,B37
-ECWX{4'2P#,
KbQ25CM
4M,4, $4]
H3H3d\`H3H3\dX
d3TPH fL
i84sl,0, ($x6g /
INFNANU
zSC=}:S
&>$@}7
5`7[r+a
!P`(90[
QS<$7bk
8"?[YCf
nw{$*@
<'t$<"t kv
O#t&<7
0t%<.t,<Z3_51<E}wt:<S6JtFD@Bo@-K
A+9]`$?Cbt[].
i$ S OO
:o/&+~
<MuEmXA(C
E.M,?i
@za-Ww-
T}8wm+ )+x4
CD5Gcsw
q{P7zI00x3$
dA@.9U
FalseTru&{
88@Stm/u
@vE/FCd(;reate[;e
OpenYHW>
"Hiler
`PGCW WS
zlW b@
Ti4C{lcl$
\qPsn>c
ClassW
IpsAdap
xuO^d`p
[c_\KlY
c*{,lcL
TH0+PikP2P;
7Dn;uu
DDL&wchV0XMa
9G<NBuCy{
J/Y@7W
O2MGuw
zUS$QVeQQ8&
&]+;A8{
'AWAVu
-j6f;5K
T&wIU#q
yQs-F3
C =(`%
eI>E[<
\ $st\/!`$
KEKX<E
(_& HL2S!1hH:+
6}E&Dc.
Vc7\|#C3'
_-r7['+wFKu)Zv`%
4\uhr2q;
DW>@rw5R_o7
G:>8`tr6
ug1 $i;
w+9Zw
CBK kaG
v_DK* m
p#(Q/P
i![$0s2e
gC%p[l
U,XuPrK@
qjHWbt
(JO;|4
KC*JMD
9tL1!%~#
eTYVV8
p~U6O}
Rnah'_
*X$^tko{%G)
x!7B@5
'!A,A(ul
u[{\Sk{8
P/!/lI|n
qWJ~?bB~
n'4bS>
)WGGOf
&6` /
si,@bj{[
O1 D@Bq
BN$ORe.`gistry_
!@04M"O9
@QDOp,ao
3g0eJm
683iEK*b
Lmq@efe
K$TmOS
8d@hV.C
u0\"5PlT
T!+scdk
IJ 1p8[DZc
dextor32
s Epo"
2 - At@ Of Th
Clpe Full DmU
a'r.Me
G.Jenna Jam(,`
kABuilt2n Speed7mL,[DiVX] L(#o
nRm%%g7?H6vk Po"nd@SL\sc
t=7ChiH}D-/!1-|o!}c+wo+nla
o+W;ebot#"
AIMccount5eav3
mdoc#
W dwpj/XP[(w(K`a'
oT25.0'8
/UncappS'
9#tmpup
&ZPA|rm FirLaewa"G 6 Kee&GcGNh+tk
Kj/AikaQusH
`[i.w[+z9ls
e-.OWJ"WP%\
(nu B-+4/
ETAokB
]s!i*'`K
Xx.+fo
{l (WORKS!
w!)/*Ef-$d
Mb:X6H
c"wedo
8l`M+~K
9rM+-K&f
wuv!P2EG
B#LINE
e*]$Gr
_CD1/$,+
Ts?'aZaA 4H7lsk.p29UNOFFICIAL`/?ci
-1LP&v
%z /|y cP
"j4& K
P8*b#dS3-
]Tcy;d{
Oj%<7|TAh<
a@0\PM
35^`QL
'~dj,?uh8
=8965Ypp 85\l
%!9/.\AC
=\R?Nv-+
* B>)3
H2HxW(
d0)d w
bG<gEZ*vXe
,N{?u}tH
G'figq%)i$G
S_cdqV]K=#
oxYVw[8
;15c@L
1 @2345:
HPba710CKL
8X5tI>a
xHmf`0X.;s
$!/Ptime ew
G6789ABCDEF
4M4$,4<D4MLT\dlM4Mt|4M4iM_
__=g__`
@fXg<y
<df4M
4i\(6M,T,3v'7cXl
_]/3g4n
k]#^53
t/{?@ W
iQmiid
ccyA`g
C+pa+i]'l
u-ls|c)
alispw'MYw6
-dNII+5fFG
k:5cMb
tm%g{V4uiC 5
x9nlu53c
FEsp5K
}k-iu?f
r)]pmKu.
2;WCfu/:
Ps)pc)
v{xoI+s
" A @"kYs!`R
a-TooH Ey1&
?1}/wz/
cgchskI
Utbk10
QTypInfo
eleC"i
iz0Virtu
Alloca
$h/?QueryWidT@
={A3{!PrX
P[!ze !
L{osomm@n.
s{iWes
UnhdYb
ER7Rtl:
aiAHkH
b9P@q6txA
2^&D(DM
0iumCM
#%F`w~Flush
LSsMeoXmY
sf\-boYH
:BoNexB>`
:]KVR"
#7 DATA4
IvBSSY
.Iwv_a
'sr& aZ%'
KERNEL32.DLL
advapi32.dll
oleaut32.dll
user32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
VariantClear
CharNextA
V5Ya:(
2"Aa4f\:/Y
?BBCiXV+Fj
r"XW 9m
ck'Y|\t>q
^$ktcc>G(yI~:Ey
7ZLn$
&U xX@%tG/R
(7P2_1:>Q
)$c'e(3
6;DB7[x2|{h\
>L&Z,U
( I_3%8
/* R:Gg_
PpT'PC13
|53/dUA1 P
/*H/k=
,GKFl(,
]k+({Ib
}`j%T*
X%5Ff
,D,SAHj
d"Txr4b/
) cK}Ve
zdZt8*
A("y7>+
Bz+4!5Vm
iV!>uHN5+4y}PT
)Z3+IfiA[`
y-Y~QzP
,Q#)pp|~
#CH14T
plh6UL;(n
70o!;5
%%-<|?c
Asg{ &
oh2X7=ECeRh
&C%*Q2p~RM
\C~tv)pP#
;y}*/$
v *c8O
i)aBe{
w13.-ca
WNT^<9X
77b9OpO
@sd[76J-
)q|=awqmu
Gz (B.[
Mw=N;%Hv
iO_.n*[Jy(lhsr
LJVHjEk=
J+KC>9n
_]2JEQ
GFzFM,d
{[I0s{M
~*Q!wN+W
HB4,j@V>v4KucZh.+<=\D\
{xxd|eh(?xExnIP
3`*tvu
}jIsIaC&
%o_qU"49
1)6V2yfZ83i\
ry58+EZ
V }oEIR
$}8c{zt"
qr]+rnUE
.9/>1}
CSf*>w}s55iYZN
`>--Jx<'G
Ewd);J0
5bn9b9 nW
Oj1i'#
Di/e7d81\
"T/HsUC
`:RJa_
yQRf5?0c
6G6lf*e
KSJ^9F0]K
X/^w`5hT
\:i8pdg+
+GZ]dvc$
}@: 1l
u*VxGm
#!R&+$
HLW.;UcxFTwKnD:*@
w_o/'J
!Bp"O(
3.pg7O
_uTFa4
"3%`t#j"-w
sYmrk8S
C:>Jyf]gZBk!s{Os4
bIej5E]T)$2
F#"Nej
&-_%`1-'a
x'&A<Erdg}
%#hq-b
N3"^5O6,_
r2"9l;h
j"s`oQO\tE2
0T0E0Zo)
q_N]5^G1
SXTmIG
rg}Z7$<00tT
Ju@ TJ
:oqhj@
@^0Gp',
SID2qTY-N
ZTCKGva?R
}xmXQk
s4k^QnJ]ZO?hb0J
5q61y>/
n/_lcX
K(y)@xtm\
I=/M8D#-<
8iS&PZ
Qf;Dn5
^1^vajI$
!9-7p_'liK5
acO@M3^
'Pt $li1
gK&72;qO]
Nk|{}P
j(@GyI(w0f
QuYmW"aR
fl1uS!/
A{fAIcMw'
G(E<nd}*aB&I#_N7
b9Ga@AN
k{Y!:&
]jstlPu$Z
=a)Pg*XF
MR^qe-
l5Y^}x
UW#a{V=j
`#V/\'t
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.