Analysis Task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-hpdapp01-1 2019-11-18 17:20:44 2019-11-18 17:23:01 137 seconds

Maldun Score

10.0

Dangerous

File Details

File name dragon.exe
File size 4046654 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d556b343ffb45a8c1ac53da54303895d
SHA1 032821c210fcee7dcc7d7567a85b457eb4e840c3
SHA256 06aa1501aca895658d9a0d654af162a00b6b9df3488c82803145487c4aeb79bb
SHA512 9d8c64f7e7782833434d11fe3afc2fa0c6231f9499ad0c1c21adc4f5d7014861d766c644e945645409f6394cc33ab74a7bb1a52b9fb2f2dc0573727af4efa955
CRC32 E44663FA
Ssdeep 98304:p5YZt2C1zSKFpJl/Oy68MgcAGcZAGCJbch5o:p031TZlGyQKK1beK

Hosts Contacted

No host records.

DNS Resolution

No domain information.


Summary

PE Information

Image base 0x00400000
Entry point 0x0041d759
Claimed checksum 0x00000000
Actual checksum 0x003e656b
Minimum OS version required 5.1
PDB path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Compile time 2019-04-28 04:03:27
Import hash 00be6e6c4f9e287672c8301b72bdabf3

PE Sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0002e854 0x0002ea00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.69
.rdata 0x00030000 0x00009a9c 0x00009c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.13
.data 0x0003a000 0x000213d0 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.25
.gfids 0x0005c000 0x000000e8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.11
.rsrc 0x0005d000 0x0000d478 0x0000d600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.85
.reloc 0x0006b000 0x00001fcc 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.65

Overlay

Offset 0x0006cfcc
Size 0x0036ef72

Imports

Library: KERNEL32.dll:
0x430000 GetLastError
0x430004 SetLastError
0x430008 GetCurrentProcess
0x43000c DeviceIoControl
0x430010 SetFileTime
0x430014 CloseHandle
0x430018 CreateDirectoryW
0x43001c RemoveDirectoryW
0x430020 CreateFileW
0x430024 DeleteFileW
0x430028 CreateHardLinkW
0x43002c GetShortPathNameW
0x430030 GetLongPathNameW
0x430034 MoveFileW
0x430038 GetFileType
0x43003c GetStdHandle
0x430040 WriteFile
0x430044 ReadFile
0x430048 FlushFileBuffers
0x43004c SetEndOfFile
0x430050 SetFilePointer
0x430054 SetFileAttributesW
0x430058 GetFileAttributesW
0x43005c FindClose
0x430060 FindFirstFileW
0x430064 FindNextFileW
0x430068 GetVersionExW
0x430070 GetFullPathNameW
0x430074 FoldStringW
0x430078 GetModuleFileNameW
0x43007c GetModuleHandleW
0x430080 FindResourceW
0x430084 FreeLibrary
0x430088 GetProcAddress
0x43008c GetCurrentProcessId
0x430090 ExitProcess
0x430098 Sleep
0x43009c LoadLibraryW
0x4300a0 GetSystemDirectoryW
0x4300a4 CompareStringW
0x4300a8 AllocConsole
0x4300ac FreeConsole
0x4300b0 AttachConsole
0x4300b4 WriteConsoleW
0x4300bc CreateThread
0x4300c0 SetThreadPriority
0x4300d4 SetEvent
0x4300d8 ResetEvent
0x4300dc ReleaseSemaphore
0x4300e0 WaitForSingleObject
0x4300e4 CreateEventW
0x4300e8 CreateSemaphoreW
0x4300ec GetSystemTime
0x430108 GetCPInfo
0x43010c IsDBCSLeadByte
0x430110 MultiByteToWideChar
0x430114 WideCharToMultiByte
0x430118 GlobalAlloc
0x43011c GetTickCount
0x430120 LockResource
0x430124 GlobalLock
0x430128 GlobalUnlock
0x43012c GlobalFree
0x430130 LoadResource
0x430134 SizeofResource
0x43013c GetExitCodeProcess
0x430140 GetLocalTime
0x430144 MapViewOfFile
0x430148 UnmapViewOfFile
0x43014c CreateFileMappingW
0x430150 OpenFileMappingW
0x430154 GetCommandLineW
0x430160 GetTempPathW
0x430164 MoveFileExW
0x430168 GetLocaleInfoW
0x43016c GetTimeFormatW
0x430170 GetDateFormatW
0x430174 GetNumberFormatW
0x430178 SetFilePointerEx
0x43017c GetConsoleMode
0x430180 GetConsoleCP
0x430184 HeapSize
0x430188 SetStdHandle
0x43018c GetProcessHeap
0x430190 RaiseException
0x430194 GetSystemInfo
0x430198 VirtualProtect
0x43019c VirtualQuery
0x4301a0 LoadLibraryExA
0x4301a8 IsDebuggerPresent
0x4301b4 GetStartupInfoW
0x4301bc GetCurrentThreadId
0x4301c4 InitializeSListHead
0x4301c8 TerminateProcess
0x4301cc RtlUnwind
0x4301d0 EncodePointer
0x4301d8 TlsAlloc
0x4301dc TlsGetValue
0x4301e0 TlsSetValue
0x4301e4 TlsFree
0x4301e8 LoadLibraryExW
0x4301f0 GetModuleHandleExW
0x4301f4 GetModuleFileNameA
0x4301f8 GetACP
0x4301fc HeapFree
0x430200 HeapAlloc
0x430204 HeapReAlloc
0x430208 GetStringTypeW
0x43020c LCMapStringW
0x430210 FindFirstFileExA
0x430214 FindNextFileA
0x430218 IsValidCodePage
0x43021c GetOEMCP
0x430220 GetCommandLineA
0x43022c DecodePointer
Library: gdiplus.dll:
0x430234 GdiplusShutdown
0x430238 GdiplusStartup
0x430248 GdipDisposeImage
0x43024c GdipCloneImage
0x430250 GdipFree
0x430254 GdipAlloc

No antivirus engine scan information.

Process Tree

dragon.exe, PID: 2476, parent PID: 2336
dragon.exe, PID: 2736, parent PID: 2476
dragonUpdate.exe, PID: 2840, parent PID: 2736
dragon.exe, PID: 2932, parent PID: 2840
xck.exe, PID: 2684, parent PID: 2932
csrss.exe, PID: 2568, parent PID: 2932
bar.exe, PID: 2728, parent PID: 2932
svchost.exe, PID: 2712, parent PID: 2728
cmd.exe, PID: 1964, parent PID: 2568
timeout.exe, PID: 1872, parent PID: 1964

TCP

No TCP connection records.

UDP

No UDP connection records.

HTTP Requests

No HTTP requests found.

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2019-11-18 17:21:20.450011+0800 47.244.180.173 80 192.168.122.201 49163 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:21:58.086507+0800 47.244.180.173 80 192.168.122.201 49174 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:21:58.398020+0800 47.244.180.173 80 192.168.122.201 49175 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:21:58.741520+0800 47.244.180.173 80 192.168.122.201 49176 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:21:59.179719+0800 47.244.180.173 80 192.168.122.201 49177 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:21:59.518509+0800 47.244.180.173 80 192.168.122.201 49178 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:22:03.356629+0800 192.168.122.201 49192 61.147.112.198 80 TCP 2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0 Potential Corporate Privacy Violation
2019-11-18 17:22:05.083398+0800 192.168.122.201 49194 103.39.210.144 808 TCP 2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0 Potential Corporate Privacy Violation
2019-11-18 17:22:05.083398+0800 192.168.122.201 49194 103.39.210.144 808 TCP 2018752 ET TROJAN Generic .bin download from Dotted Quad A Network Trojan was detected
2019-11-18 17:22:05.237977+0800 103.39.210.144 808 192.168.122.201 49194 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2019-11-18 17:22:36.551202+0800 192.168.122.201 65401 180.76.76.76 53 UDP 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2019-11-18 17:22:40.319674+0800 192.168.122.201 49235 180.101.49.12 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com d1:f6:32:3d:b6:f2:ec:81:e7:02:36:90:f4:9b:2d:91:e0:c3:99:3a

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No dropped files.
No similar analyses found.

Processing ( 33.332 seconds )

  • 15.755 Suricata
  • 10.972 Static
  • 4.418 BehaviorAnalysis
  • 1.097 TargetInfo
  • 0.537 peid
  • 0.39 VirusTotal
  • 0.136 AnalysisInfo
  • 0.015 Strings
  • 0.009 config_decoder
  • 0.003 Memory

Signatures ( 1.399 seconds )

  • 0.228 api_spamming
  • 0.166 stealth_decoy_document
  • 0.105 stealth_timeout
  • 0.068 process_interest
  • 0.054 vawtrak_behavior
  • 0.043 antiav_detectreg
  • 0.033 stealth_file
  • 0.031 process_needed
  • 0.03 dridex_behavior
  • 0.026 mimics_filetime
  • 0.026 stealth_network
  • 0.025 reads_self
  • 0.022 bootkit
  • 0.022 virus
  • 0.022 antiav_detectfile
  • 0.022 infostealer_ftp
  • 0.02 antisandbox_sleep
  • 0.017 antivm_generic_disk
  • 0.017 md_domain_bl
  • 0.016 dead_connect
  • 0.016 infostealer_bitcoin
  • 0.015 infostealer_browser_password
  • 0.015 kovter_behavior
  • 0.015 md_url_bl
  • 0.014 infostealer_im
  • 0.013 antiemu_wine_func
  • 0.013 dyre_behavior
  • 0.011 hancitor_behavior
  • 0.01 antivm_generic_scsi
  • 0.009 webmail_phish
  • 0.009 infostealer_browser
  • 0.009 antivm_generic_services
  • 0.009 antianalysis_detectreg
  • 0.009 antivm_vbox_files
  • 0.009 ransomware_extensions
  • 0.009 ransomware_files
  • 0.008 encrypted_ioc
  • 0.008 anormaly_invoke_kills
  • 0.008 securityxploded_modules
  • 0.008 infostealer_mail
  • 0.007 Locky_behavior
  • 0.007 ipc_namedpipe
  • 0.007 anomaly_persistence_autorun
  • 0.006 antivm_vbox_libs
  • 0.006 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.006 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.006 maldun_anomaly_massive_file_ops
  • 0.006 sets_autoconfig_url
  • 0.005 office_dl_write_exe
  • 0.005 ransomware_message
  • 0.005 secure_login_phish
  • 0.004 betabot_behavior
  • 0.004 network_execute_http
  • 0.004 generic_phish
  • 0.004 injection_runpe
  • 0.004 geodo_banking_trojan
  • 0.003 tinba_behavior
  • 0.003 hawkeye_behavior
  • 0.003 network_tor
  • 0.003 rat_nanocore
  • 0.003 disables_spdy
  • 0.003 wscript_downloader_http
  • 0.003 network_document_http
  • 0.003 injection_createremotethread
  • 0.003 antisandbox_sunbelt_libs
  • 0.003 kibex_behavior
  • 0.003 exec_crash
  • 0.003 antidbg_windows
  • 0.003 disables_wfp
  • 0.003 cerber_behavior
  • 0.003 antidbg_devices
  • 0.003 disables_browser_warn
  • 0.003 rat_pcclient
  • 0.002 antiav_avast_libs
  • 0.002 office_write_exe
  • 0.002 kazybot_behavior
  • 0.002 antisandbox_sboxie_libs
  • 0.002 antiav_bitdefender_libs
  • 0.002 shifu_behavior
  • 0.002 cryptowall_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 md_bad_drop
  • 0.001 network_anomaly
  • 0.001 rat_luminosity
  • 0.001 antivm_vmware_libs
  • 0.001 ursnif_behavior
  • 0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.001 bypass_firewall
  • 0.001 sniffer_winpcap
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vmware_files
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 codelux_behavior
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 malicous_targeted_flame
  • 0.001 maldun_anomaly_commands
  • 0.001 network_tor_service
  • 0.001 office_security
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_modify_security_center_warnings

Reporting ( 1.256 seconds )

  • 0.988 ReportHTMLSummary
  • 0.268 Malheur

Task ID 460638
Mongo ID 5dd263572f8f2e08f460aafc
Cuckoo release 1.4-Maldun