1.0
Low risk

17e38c0210ad14e856996730bbd22717d9a8e84cdd797d418babb730cbffba06

17e38c0210ad14e856996730bbd22717d9a8e84cdd797d418babb730cbffba06.exe

Analysis duration

194s

Last analyzed

374 days ago

File size

84.9KB
Tags: Static detection  Dynamic detection  CVE  FAMILY  METATYPE  PLATFORM  TYPE  UNKNOWN  WIN32  TROJAN  DOWNLOADER  UPATRE
HawkEye engine (鹰眼引擎)
DACN 0.12
FACILE 1.00
IMCLNet 0.69
MFGraph 0.00
Static verdict
Anti-virus engines
Engine       Result                                   Scan date  Engine version
Alibaba      TrojanDownloader:Win32/Upatre.f5c61c5b   20190527   0.3.0.5
Avast        Win32:Kryptik-OZW [Trj]                  20200514   18.4.3895.0
Baidu        Win32.Trojan-Downloader.Waski.b          20190318   1.0.0.2
CrowdStrike  win/malicious_confidence_100% (W)        20190702   1.0
Kingsoft     None                                     20200514   2013.8.14.323
McAfee       Downloader-FSH!F3DD6C214B76              20200514   6.0.6.653
Tencent      Malware.Win32.Gencirc.10b079ea           20200514   1.0.0.1
Behavioral verdict
Dynamic indicators
Network communication
Communicates with hosts for which no DNS query was performed (2 events)
host 114.114.114.114
host 8.8.8.8
File identified as malicious by 63 anti-virus engines on VirusTotal (50 out of 63 events)
ALYac Trojan.GenericKD.1838094
APEX Malicious
AVG Win32:Kryptik-OZW [Trj]
Acronis suspicious
Ad-Aware Trojan.GenericKD.1838094
AhnLab-V3 Trojan/Win32.Zbot.R118957
Alibaba TrojanDownloader:Win32/Upatre.f5c61c5b
Antiy-AVL Trojan/Win32.Fsysna
Arcabit Trojan.Generic.D1C0C0E
Avast Win32:Kryptik-OZW [Trj]
Avira TR/Yarwi.A.475
Baidu Win32.Trojan-Downloader.Waski.b
BitDefender Trojan.GenericKD.1838094
BitDefenderTheta Gen:NN.ZexaF.34108.fqZ@aGEvYRc
CMC Trojan.Win32.Cutwail!O
ClamAV Win.Trojan.Upatre-6140
Comodo TrojWare.Win32.Crypt.C@7vajd0
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.14b76a
Cylance Unsafe
Cyren W32/Trojan.RZDO-5377
DrWeb Trojan.DownLoad3.33795
ESET-NOD32 Win32/TrojanDownloader.Waski.F
Emsisoft Trojan.GenericKD.1838094 (B)
Endgame malicious (high confidence)
F-Prot W32/Trojan3.KNO
FireEye Generic.mg.f3dd6c214b76ac7a
Fortinet W32/Upatre.FT!tr
GData Trojan.GenericKD.1838094
Ikarus Trojan-Downloader.Win32.Upatre
Invincea heuristic
Jiangmin TrojanDownloader.Upatre.aw
K7AntiVirus Trojan ( 0001140e1 )
K7GW Trojan-Downloader ( 0049d22b1 )
Kaspersky Trojan-Downloader.Win32.Upatre.dfv
Lionic Trojan.Win32.Cutwail.tn30
MAX malware (ai score=86)
Malwarebytes Trojan.Upatre
McAfee Downloader-FSH!F3DD6C214B76
McAfee-GW-Edition BehavesLike.Win32.Downloader.mt
MicroWorld-eScan Trojan.GenericKD.1838094
Microsoft TrojanDownloader:Win32/Upatre
NANO-Antivirus Trojan.Win32.Cutwail.denqqa
Panda Trj/Genetic.gen
Qihoo-360 Win32/Trojan.Downloader.Upatre.A
Rising Trojan.Waski!1.A489 (CLOUD)
SUPERAntiSpyware Trojan.Agent/Gen-Cutwail
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Troj/Agent-AIRG
Visual analysis
Binary image (data import image rendered at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32)
Runtime screenshots
No runtime screenshots: the sample did not generate any screenshots during execution.


PE Compile Time

2014-04-23 15:37:18

PE Imphash

ec37f725b2689e4932373eab7c062bfb

Sections

Name   Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text  0x00001000       0x00007200    0x00001400        1.734577852755738
DATA   0x00009000       0x00004200    0x00001c00        4.560203405470213
rsrc   0x0000e000       0x00006000    0x00005c00        4.078976975346756
uinC   0x00014000       0x000001f0    0x00000200        0.0

Resources

Name           Offset      Size        Language      Sub-language     File type
RT_MENU        0x0000e1d2  0x00000137  LANG_NEUTRAL  SUBLANG_NEUTRAL  None
RT_MENU        0x0000e1d2  0x00000137  LANG_NEUTRAL  SUBLANG_NEUTRAL  None
RT_BITMAP      0x0000e309  0x00003244  LANG_NEUTRAL  SUBLANG_NEUTRAL  None
RT_ICON        0x0001154d  0x000025a8  LANG_NEUTRAL  SUBLANG_NEUTRAL  None
RT_GROUP_ICON  0x00013af5  0x00000014  LANG_NEUTRAL  SUBLANG_NEUTRAL  None

Imports

Library dbghelp.dll:
Library GLU32.dll:
0x409008 gluBeginCurve
0x40900c gluBeginPolygon
0x409010 gluBeginSurface
0x409014 gluBeginTrim
0x409018 gluBuild1DMipmaps
0x40901c gluBuild2DMipmaps
0x409020 gluCylinder
0x409028 gluDeleteQuadric
0x40902c gluDeleteTess
0x409030 gluDisk
0x409034 gluEndCurve
0x409038 gluEndPolygon
0x40903c gluEndSurface
0x409040 gluEndTrim
0x409044 gluErrorString
0x40904c gluGetNurbsProperty
0x409050 gluGetString
0x409054 gluGetTessProperty
0x40905c gluLookAt
0x409060 gluNewNurbsRenderer
0x409064 gluNewQuadric
0x409068 gluNewTess
0x40906c gluNextContour
0x409070 gluNurbsCallback
0x409074 gluNurbsCurve
0x409078 gluNurbsProperty
0x40907c gluNurbsSurface
0x409080 gluOrtho2D
Library kernel32.dll:
0x409088 MapViewOfFileEx
0x40908c GetACP
0x409090 GetSystemDirectoryA
0x409094 LocalFree
0x409098 SetConsoleTitleW
0x40909c EnumCalendarInfoW
0x4090a0 GetFileSize
0x4090a4 ReadFile
0x4090a8 CreateFileA
Library adsldpc.dll:
0x4090b0 ADSIGetColumn
0x4090b4 ADSIFreeColumn
0x4090b8 ADSIModifyRdn
Library adsldpc.dll:
0x4090c0 ADSIFreeColumn
0x4090c4 ADSIGetColumn
0x4090c8 ADSIGetFirstRow
0x4090d0 ADSIGetNextRow
0x4090d8 ADSIGetPreviousRow
0x4090dc ADSIModifyRdn
Library msrating.dll:
0x4090e4 RatingCustomInit
Library MTXCLU.DLL:
Library SAMLIB.dll:
0x4090f4 SamAddMemberToAlias

L!This program cannot be run in DOS mode.
vsRich
Rhr.dlhduse\
uX[YZa`
YD94D9
DbgHelpCreateUserDump
dbghelp.dll
gluBeginCurve
gluBeginPolygon
gluBeginSurface
gluBeginTrim
gluBuild1DMipmaps
gluBuild2DMipmaps
gluCylinder
gluDeleteNurbsRenderer
gluDeleteQuadric
gluDeleteTess
gluDisk
gluEndCurve
gluEndPolygon
gluEndSurface
gluEndTrim
gluErrorString
gluErrorUnicodeStringEXT
gluGetNurbsProperty
gluGetString
gluGetTessProperty
gluLoadSamplingMatrices
gluLookAt
gluNewNurbsRenderer
gluNewQuadric
gluNewTess
gluNextContour
gluNurbsCallback
gluNurbsCurve
gluNurbsProperty
gluNurbsSurface
gluOrtho2D
GLU32.dll
MapViewOfFileEx
GetACP
GetSystemDirectoryA
LocalFree
SetConsoleTitleW
EnumCalendarInfoW
GetFileSize
ReadFile
CreateFileA
kernel32.dll
ADSIGetColumn
ADSIFreeColumn
ADSIModifyRdn
adsldpc.dll
ADSIFreeColumn
ADSIGetColumn
ADSIGetFirstRow
ADSIGetNextColumnName
ADSIGetNextRow
ADSIGetObjectAttributes
ADSIGetPreviousRow
ADSIModifyRdn
adsldpc.dll
RatingCustomInit
msrating.dll
MtxCluIsClusterPresent
MTXCLU.DLL
SamAddMemberToAlias
SAMLIB.dll
=h$F2w7
d.gzi
5`2?QB
fHee@62W7
V~V:%\
0Dq-${&*g
FFF2EFF02FFFFju&x*:
OFFt^FFFjf@f@jJ|DFzJ~Hr13&
rk)02EFF
BV02EFF
r9s{02EFF
r202FF(rL:B02FF.r[6b02FF$rb02FF&r~[02FF
T0fX02fn4sfrFNFF4sF
62FFFFj&r
EFF*n2zEFF*2bnsf40
sfrFNFFrDFFsF
*rDFF0(sFr
FFFssFsrFFF
sfrFNFFrd_FFsF
,sfrFNFFsfsF
sfrFNFFsfsF
sfrFNFFsfsF
sFsFrFF
$sF2bnsf
&sF2bnrd_FF,
2#GFFsFsf
2GFFnsf
,D,nrd_FF,
,fX,"fEu "l2bnsf0
0,2<FF"
f@0n62GFF
&@F"|z0sFsFn
20FFFn
F"|&G0FFF
fN04J4&D4
p"&FFF|Q0@
FFFdTD
FFsF|T&sFn
T~OFFdTDj
J|EF0&NnomhTV
FF/>FF*FF*%LFF*FFF
FFFlTH
ikj'BFom=
[9ueu9Fik'DFomu
FF`TT/&
$_4xTH:
F_4xTJ:
F_4xTJ:
ik'NFom=&`TTxTJ:G
9&T_4e|TVik'NFnol2bnsf|TT|TT
|TT|TH|TR2
FFFhkj'LFo
t^FFF@@
JkhTB&&_
F'DFomhTLXhTLzhTLVhTL=lTLo2DedTJ&2aThTL\HlTLDdTLik'BFno`THlTJhTL|C
7=kj'@Fv?}Xm\/
n$nonsDrFNFF2DnsDrFNFFDTFNFF
k""D&uuF^|B
FFL71dTDon^rFNFF2Dn^rFNFFDTFNFF
kjj`T@hTD
g70'@F
 !"#$%&'()*+,-./0123456789:;<=>?@Ah
B)a10pm>GYuy9\oys
1+Lmx4W
Wtwo.e"hsIF^
& 6'/Q{m65aHXm
<6+^tN1
PHKx93
152C!X'#
!gIe^tYd(>
O}Q[r$
E-d<)B0A->I3K6F1t\B
C<rOh]
]D<O;7\y{
f*!W|Vn
pB+NZrM9~
hM03kt
13\x54
.\HuxVkG{\Bi3
MT8s|#( Cy
:5D^[M8
&{C7}9=Nfz
rzB#vK
p+v*M``.
Vza?~q{<
5HBK@{<
'\.fEN^
6e7&(=
2Y0{v6HR
YtxmNi
&NvV~1"
m;22=j'od+cco
z2kxlc#x
wWeR-3@i
^dK Q|f9
FPOMqK:uZT
kbA3Zl
)aq7\4jpgt
j /1A^h
$i*:PG];+-
4EC**P
zl?WP!#
S&?B]kWYd
T^GME}_E
Lec zk
3fR@j?ylE
sX`wfA
g@:_Z?.q%Di
%o=/eyI)aRXc
{Xv iY
~ItQJUE
"{*;R,"
T.;zi}
8Z]&j@(f#9f
Dal|.%v
lrOPYf$y(
RY99cGqeHRW%=
14UH]FYlP
g]q\}a9xM
c\9\&&r=8+
/YRZ7`-z--D~
uL1Exyr
w#|ysdX
uu*.?4d
Ih4_wFjaV
Cc0wR%
$F)<:!=-bJ
*c9?S<|%T
6x$#XBu
|p/a!cwN?zJXtx
</,#S[D
sCI+u:R3K
V~bm||2pV.3
zuMEsZ
~Ya*%;<MGXd81MQ
eCf'nY B:h
P~Boxav`
}n8F~b }
vrt|v&B
ky=DripsJ
&xlv(gQ
n\kW'^
|H3Xa<5Y5
':]j%}^
Wk@N?["w
|l{{2#AzF<dM
AP^0#;hE$ja
D:K;Q^O7E)
6t0iX7f
+HD}H3$
*ur$$$
1]u$$$
0Tf$$$
!Nv$$$
BfhBf$$$
+!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5!5
1!3!3!3!3!3!3!3!3 4!3!3!3!3 4 4 4!5!3!3 4!3!3!3!3!3!3!3!3!3!3
3"7"7"7"7"7"7"7"7"7"7"7"7ny"7"7"7"7"7"7"7"7"7"7"7"73$$$
3#9#9#9#9#9#9#9#9"7"7#5#9s{#9#9#9#9#9#9#9#9#9#9#9#93$$$
3*>*>*>*>*>*>*>*>*>*>t}*>*>#5#5'<*>*>*>*>*>*>*>!3$$$
#8/@/@/@/@/@/@/@/@LW/@/@.B/@/@/@/@/@/@/@/@/@#8$$$
*>5I5I5I5I5I5I5I5I5Ift5I5Ix
5I5I5I5I5I5I5I5I5I5I5I5I*>$$$
1E:M:M:M:M:M:M:M:Mgw:Mgw:M:M1E1E:M:M:M:M:M:M:M:M1E$$$
:M?O?O?O?O?O?O?O?O?O~?O?O?O?O?O?O?O?O?O:M$$$
?OFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFUFU?O$$$
HZJYFUFUFUJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYFUFUFUFUFUFUJYJYJYHZ$$$
HZHZovovovovovovovovovovovovovovovovovovovovovovovovovovovovHZO`$$$
L!This program cannot be run in DOS mode.
`.reloc
B.rsrc
8g&%\r
S^ =Z(U
S^ +Z(U
8gjX_r
S^ /Z(U
S^ 'Z(U
S^ /Z(U
S^ 'Z(U
S^ !Z(U
S^ ?Z(U
S^ /Z(U
S^ 'Z(U
S^ /Z(U
S^ 'Z(U
S^ 'Z(U
S^ +Z(U
* Y73P
S^ #Z(U
fZ`Z[[
i\Z\X8
S^ +Z(U
S^ +Z(U
S^ /Z(U
S^ /Z(U
_&`iXX
S^ ?Z(U
8`&Z[\
8&&`[\%r
8hXjZfffghhrG
KZ&F
S^ %Z(U
S^ 'Z(U
8ZZ%&h
8hhg\jfgi
S^ aZ(U
88Z`hgf*
fZ&Z[8
88XZ&%_h
8[&\%`8%`_gjrG
`LR [
A r2(M
A r2(M
A r2(M
A r2(M
A r2(M
A r2(M
A r2(M
A r2(M
8&f`r-
&hih__
8hgY*A4
p[`%`8^*
8fi_Z~
8`h\j%8
h`\g`f
jj`j[X*
8_j`8*
8iZj%Y
8fXZX_g%
&Y_i[8
`Y8@&j
88iYrU
8[\Z\Zhj*
hgj&\r
j\&%g8
X%\j_&
\_[Y%g8iY
pij`iXh`
8%[`&*
p`8ej\`\r
8gf[j`Y8YZi*
pXZ[Zj
8&[Zj*
88`Y_*
8Yhj[*
s !C y
ML' gC y
pXXij%i
__iYY\8
p8gg[r
8%h[_ri
&_YYXiff[8~
`i\ Z.^[ 0
8 !~O x
iXZg%Yi
K B-(C
K B-(C
8YX[f8
i&X\r-
X_jggf
h&ZhX%[&%
'{Zt
K B-(C
K l-(C
K l-(C
8YiY&Y
8[8_[*
jjZh8Z\
[[[XZj
8\ffY\
pZf\Y`
&[f\jg
pj&%_rK
4, .(%
p\gi_`g
Zf`f\%
p`&jr#
8X`g&g`%
88[&%\
8%f&ZYYh
X&hgXg
8g%gfi
8P $L}] R4,
pXji&8
8_&[%\\8
hiXf&8j_h
#g uZ
a2"^ Z
f%fhf\Y8h
8f` p| Z
fj%\[%8
i&Y\[%
8_`[\Xf&
p[\&hj8
8j[`%\
8jf_j*
_b`}
Yj_i*8
8e\_\g
g[f8fjX
8Zii_rG
__d}
8_[`g`h
(h'D
V; {!. w
8Xjg\XYX`
Xi`&__[8`
8\_f8*
8[`Xjf
88Xgi*
Xgj\%g
YgXf8!
8Z%`g&*
pg_ZY%g
8fjh[hfri
(k[ S >=^(A
_I S P=^(A
g`Z_&frG
8&j%&_`*
%f`_%f
pf_j8h
8\\Xgr
8gh&&Z*
h`ihX[
8&%jhj
jf[f\X
8Yg8`X_*
8&j_Zgg&\r
8%X_Yh8
`jgji%gZ
[i[%Y`fY
8$`%iY*
\Yh[[8
8YYYYY
8_`g%Y*
Y_bX
Y_bX"
[g&h%g
8X__ZYiXg
C:\Users\administrator\AppData\Local\Temp\wzd2aa\Statement.scr
C:\jsbv6YZz.exe
C:\JS8Hfo2Z.exe
C:\dbUQk0jC.exe
C:\BtdIGfs0.exe
C:\ViESf_o3.exe
C:\qKfmfOC1.exe
C:\tts_iQ2t.exe
C:\YsC0Ffo1.exe
C:\ZuZSKO4m.exe
C:\8o8WwhCw.exe
C:\AohZbZbQ.exe
C:\6EwTnFvH.exe
C:\iVz1kcWA.exe
C:\6EeCP6Y3.exe
C:\ripQConG.exe
C:\MsEpTZ35.exe
C:\eFpVZYZa.exe
C:\iaXUo8W_.exe
C:\FOU3Xfzt.exe
C:\Pl8VWJ9T.exe
C:\tkrvxzya.exe
C:\9ez3dX__.exe
C:\94eKrbaf.exe
C:\xELeQE6n.exe
C:\EECpn6U8.exe
C:\UZIUYYXr.exe
C:\QE8a7nN3.exe
C:\3nBRDKlX.exe
C:\aUf1yFbb.exe
C:\qPbqSwM9.exe
C:\w0R4wbvI.exe
C:\KxIi5KXD.exe
C:\prXzX3_E.exe
C:\EpGu6Frg.exe
C:\bWyDMzH4.exe
C:\9u2CQ0Gl.exe
C:\xB6G5frA.exe
C:\GNkquDNd.exe
C:\e4c8ef82c1bc6099f9c7b2f0df12c03dd6ce5f0a4348e6f17d75afd78c53e483
C:\Users\Petra\AppData\Local\Temp\mpjnr.pe32

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination      Destination Port
192.168.56.101  53179        224.0.0.252      5355
192.168.56.101  49642        224.0.0.252      5355
192.168.56.101  137          192.168.56.255   137
192.168.56.101  61714        114.114.114.114  53
192.168.56.101  61714        8.8.8.8          53
192.168.56.101  56933        8.8.8.8          53
192.168.56.101  138          192.168.56.255   138
192.168.56.101  58485        114.114.114.114  53
192.168.56.101  58485        8.8.8.8          53
192.168.56.101  57665        114.114.114.114  53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.