恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-1	2020-06-06 16:48:39	2020-06-06 16:51:07	148 秒

魔盾分数

8.7125

危险的

文件详细信息

文件名	zombie.exe
文件大小	1285120 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	484fbe7079c2a215dd7a0efe77a0d1d4
SHA1	e0eeb51b336f29527e9af9aa9930dd76a21852d7
SHA256	dc1b34834edc438ae9139a103696b49c12eaf6903128f2b8910f07315f9ead91
SHA512	ffc195b6a89295177a3ca4c889135783bd49b0e7fdea0573c0b08239836f088aeac9311e851192ebfb15960c5188ddebb839a608afda3bcfed84d96535c0f79e
CRC32	17D6B857
Ssdeep	24576:C+0dE0nEGEeRink5J/LvW/4qT86MfzzLp2NJWEUWALbtt0:CHNn1Een5Nvq8TfX+uWALbtC
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x00401000
声明校验值	0x00000000
实际校验值	0x00147f2b
最低操作系统版本要求	4.0
编译时间	2020-06-06 16:46:45
载入哈希	d16f20d5224b729ea5f67da7132210a9

版本信息

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000165f2	0x00016600	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.35
.rdata	0x00018000	0x000018da	0x00001a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.06
.data	0x0001a000	0x00137a2c	0x00121400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.99
.rsrc	0x00152000	0x00000278	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.80

导入

库: WINMM.dll:

• 0x4181c4 timeGetTime

库: KERNEL32.dll:

• 0x418040 GetModuleFileNameA

• 0x418044 LCMapStringA

• 0x418048 WriteFile

• 0x41804c CreateFileA

• 0x418050 DeleteFileA

• 0x418054 GetCommandLineA

• 0x418058 GetTickCount

• 0x41805c GetProcAddress

• 0x418060 LoadLibraryA

• 0x418064 IsBadReadPtr

• 0x418068 HeapFree

• 0x41806c HeapReAlloc

• 0x418070 HeapAlloc

• 0x418074 ExitProcess

• 0x418078 GetModuleHandleA

• 0x41807c GetProcessHeap

• 0x418080 MultiByteToWideChar

• 0x418084 Wow64RevertWow64FsRedirection

• 0x418088 Wow64DisableWow64FsRedirection

• 0x41808c RtlMoveMemory

• 0x418090 MapViewOfFile

• 0x418094 OpenFileMappingA

• 0x418098 Sleep

• 0x41809c Module32First

• 0x4180a0 CloseHandle

• 0x4180a4 Process32Next

• 0x4180a8 Process32First

• 0x4180ac CreateToolhelp32Snapshot

• 0x4180b0 FreeLibrary

• 0x4180b4 lstrcpyA

• 0x4180b8 lstrcatA

• 0x4180bc MulDiv

• 0x4180c0 GetTempPathA

• 0x4180c4 GetSystemDirectoryA

• 0x4180c8 GetWindowsDirectoryA

库: USER32.dll:

• 0x418138 LoadBitmapA

• 0x41813c RegisterHotKey

• 0x418140 ReleaseCapture

• 0x418144 ScreenToClient

• 0x418148 SendMessageA

• 0x41814c SetCapture

• 0x418150 SetWindowLongA

• 0x418154 GetCursorPos

• 0x418158 GetSysColor

• 0x41815c CreateWindowExA

• 0x418160 IsWindowVisible

• 0x418164 CallWindowProcA

• 0x418168 TranslateMessage

• 0x41816c GetMessageA

• 0x418170 PeekMessageA

• 0x418174 GetDC

• 0x418178 GetWindow

• 0x41817c UnregisterHotKey

• 0x418180 DispatchMessageA

• 0x418184 wsprintfA

• 0x418188 MessageBoxA

• 0x41818c GetAsyncKeyState

• 0x418190 BringWindowToTop

• 0x418194 UpdateWindow

• 0x418198 MoveWindow

• 0x41819c GetWindowTextLengthA

• 0x4181a0 FindWindowExA

• 0x4181a4 GetClientRect

• 0x4181a8 ClientToScreen

• 0x4181ac FindWindowA

• 0x4181b0 GetWindowThreadProcessId

• 0x4181b4 GetClassNameA

• 0x4181b8 GetWindowTextA

• 0x4181bc GetDesktopWindow

库: GDI32.dll:

• 0x41802c GetDeviceCaps

• 0x418030 TranslateCharsetInfo

• 0x418034 DeleteObject

• 0x418038 CreateFontA

库: MSVCRT.dll:

• 0x4180d0 atoi

• 0x4180d4 free

• 0x4180d8 malloc

• 0x4180dc __CxxFrameHandler

• 0x4180e0 ??3@YAXPAX@Z

• 0x4180e4 strrchr

• 0x4180e8 strchr

• 0x4180ec realloc

• 0x4180f0 memmove

• 0x4180f4 strncmp

• 0x4180f8 calloc

• 0x4180fc _ftol

• 0x418100 floor

• 0x418104 modf

• 0x418108 _CIfmod

• 0x41810c rand

• 0x418110 srand

• 0x418114 sprintf

库: SHLWAPI.dll:

• 0x418130 PathFileExistsA

库: SHELL32.dll:

• 0x41811c DragFinish

• 0x418120 SHGetSpecialFolderPathA

• 0x418124 DragQueryFileA

• 0x418128 DragAcceptFiles

库: COMCTL32.dll:

• 0x418000 ImageList_Add

• 0x418004 ImageList_Create

• 0x418008 ImageList_Destroy

• 0x41800c ImageList_DragEnter

• 0x418010 ImageList_DragLeave

• 0x418014 ImageList_DragMove

• 0x418018 ImageList_DragShowNolock

• 0x41801c ImageList_EndDrag

• 0x418020 None

• 0x418024 ImageList_BeginDrag

.text
`.rdata
@.data
.rsrc
L$$PQh
8`}<j
L$$PQh
F `8A
L$ RUPj
timeGetTime
WINMM.dll
CreateToolhelp32Snapshot
Process32First
Process32Next
CloseHandle
Module32First
Sleep
OpenFileMappingA
MapViewOfFile
RtlMoveMemory
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
MultiByteToWideChar
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
GetModuleFileNameA
LCMapStringA
WriteFile
CreateFileA
DeleteFileA
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
KERNEL32.dll
GetDesktopWindow
GetWindow
IsWindowVisible
GetWindowTextA
GetClassNameA
GetWindowThreadProcessId
FindWindowA
ClientToScreen
GetClientRect
FindWindowExA
GetWindowTextLengthA
MoveWindow
UpdateWindow
BringWindowToTop
GetAsyncKeyState
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
USER32.dll
GDI32.dll
sprintf
srand
_CIfmod
floor
_ftol
malloc
__CxxFrameHandler
??3@YAXPAX@Z
strrchr
strchr
realloc
memmove
strncmp
calloc
MSVCRT.dll
PathFileExistsA
SHLWAPI.dll
MulDiv
lstrcatA
lstrcpyA
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
CallWindowProcA
CreateWindowExA
GetCursorPos
GetDC
GetSysColor
LoadBitmapA
RegisterHotKey
ReleaseCapture
ScreenToClient
SendMessageA
SetCapture
SetWindowLongA
UnregisterHotKey
DragAcceptFiles
DragFinish
DragQueryFileA
SHGetSpecialFolderPathA
SHELL32.dll
ImageList_Add
ImageList_BeginDrag
ImageList_Create
ImageList_Destroy
ImageList_DragEnter
ImageList_DragLeave
ImageList_DragMove
ImageList_DragShowNolock
ImageList_EndDrag
COMCTL32.dll
CreateFontA
DeleteObject
GetDeviceCaps
TranslateCharsetInfo
ADVAPI32.dll
ole32.dll
UnityWndClass
hallclient.exe
?Home  Menu  on/off      FPS: 

没有防病毒引擎扫描信息!

进程树

zombie.exe id: 2704
services.exe id: 428
- svchost.exe id: 2972
  - WerFault.exe id: 2212
- mscorsvw.exe id: 2396
- mscorsvw.exe id: 424

zombie.exe, PID: 2704, 上一级进程 PID: 2356

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

services.exe, PID: 428, 上一级进程 PID: 332

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

svchost.exe, PID: 2972, 上一级进程 PID: 428

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

WerFault.exe, PID: 2212, 上一级进程 PID: 2972

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

mscorsvw.exe, PID: 2396, 上一级进程 PID: 428

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

mscorsvw.exe, PID: 424, 上一级进程 PID: 428

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 26.028 seconds )

16.353 Suricata
4.301 Static
2.532 VirusTotal
1.246 BehaviorAnalysis
0.661 TargetInfo
0.511 peid
0.336 NetworkAnalysis
0.062 AnalysisInfo
0.018 Strings
0.005 config_decoder
0.003 Memory

Signatures ( 0.612 seconds )

0.073 antiav_detectreg
0.068 api_spamming
0.052 stealth_timeout
0.048 stealth_decoy_document
0.029 infostealer_ftp
0.017 injection_createremotethread
0.017 infostealer_im
0.015 antianalysis_detectreg
0.014 antiav_detectfile
0.014 md_url_bl
0.012 md_domain_bl
0.011 mimics_filetime
0.011 injection_runpe
0.01 reads_self
0.01 antivm_generic_disk
0.01 virus
0.01 infostealer_mail
0.009 stealth_file
0.009 shifu_behavior
0.009 infostealer_bitcoin
0.008 bootkit
0.008 anomaly_persistence_autorun
0.007 injection_explorer
0.006 antivm_generic_scsi
0.006 kovter_behavior
0.006 hancitor_behavior
0.006 antivm_vbox_files
0.006 ransomware_extensions
0.006 ransomware_files
0.005 antiemu_wine_func
0.005 infostealer_browser_password
0.005 geodo_banking_trojan
0.004 betabot_behavior
0.004 kibex_behavior
0.004 antivm_xen_keys
0.003 tinba_behavior
0.003 antivm_vbox_libs
0.003 antivm_generic_services
0.003 antidbg_windows
0.003 anormaly_invoke_kills
0.003 antivm_generic_diskreg
0.003 antivm_parallels_keys
0.003 disables_browser_warn
0.003 darkcomet_regkeys
0.003 recon_fingerprint
0.002 rat_nanocore
0.002 maldun_anomaly_massive_file_ops
0.002 antisandbox_sleep
0.002 cerber_behavior
0.002 antidbg_devices
0.002 antisandbox_productid
0.002 browser_security
0.002 modify_proxy
0.002 md_bad_drop
0.001 hawkeye_behavior
0.001 network_tor
0.001 antiav_avast_libs
0.001 ursnif_behavior
0.001 kazybot_behavior
0.001 antisandbox_sunbelt_libs
0.001 bypass_firewall
0.001 antianalysis_detectfile
0.001 antivm_generic_bios
0.001 antivm_generic_system
0.001 antivm_xen_keys
0.001 antivm_hyperv_keys
0.001 antivm_vbox_acpi
0.001 antivm_vbox_keys
0.001 antivm_vmware_files
0.001 antivm_vmware_keys
0.001 antivm_vpc_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 codelux_behavior
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 maldun_anomaly_invoke_vb_vba
0.001 packer_armadillo_regkey
0.001 rat_pcclient
0.001 recon_programs
0.001 stealth_modify_uac_prompt

Reporting ( 1.601 seconds )

1.023 ReportHTMLSummary
0.578 Malheur


Task ID	550926
Mongo ID	5edb59242f8f2e6b6107f46e
Cuckoo release	1.4-Maldun