Analysis Task

Analysis type | VM tag | Start time | End time | Duration
File (Windows) | win7-sp1-x64-hpdapp01-1 | 2019-11-18 23:19:25 | 2019-11-18 23:21:40 | 135 seconds

Maldun Score

10.0

Androm virus

File Details

File name a4e806cfc72c4388c0a9d109546ff7c8.txt
File size 149637 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 a4e806cfc72c4388c0a9d109546ff7c8
SHA1 1f9f47b91b155e3b945ead6781e6dd274626d0e6
SHA256 56ed8ac2e96bd5af86174f02cc5d011f2595898b66f69728cafbd56ff9fe71a3
SHA512 8a26c787ecd4fbdc754a930fa9fd99d63f7580f6a9709fdb5f1ce4963bf5587875f6fab9186b48e7e864315b22ad35c43a746361dc3cf0469df07f4308fce459
CRC32 428F9735
Ssdeep 3072:UO8K7OIHKMDsk0EtgboHVZPk7VwOZyVGXOxGNQcfmWo68UF:SK7OIqAtg0HrPEqGGAD/F
Hosts Contacted

No host records.

Domain Resolution

Domain | Rating | Response
api.wipmania.net | Unknown | A 84.38.129.47
api.wipmania.com | | A 212.83.168.196
a.baerr666.ru | | A 109.236.89.60

PE Information

Image base 0x00400000
Entry point 0x00409ad0
Declared checksum 0x00000000
Actual checksum 0x00030208
Minimum OS version 4.0
Compile time 2013-07-08 08:01:06
Import hash (imphash) 2fd1a822e9e7315260ab4b1446e9ff9f

Version Information

ProductName
CompanyName

PE Sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
UPX0 0x00001000 0x00007000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00008000 0x00002000 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.64
.rsrc 0x0000a000 0x00001000 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.89

Overlay

Offset 0x0000ac3c
Size 0x00019c49

Imports

Library: KERNEL32.DLL:
0x40ab7c LoadLibraryA
0x40ab80 GetProcAddress
0x40ab84 VirtualProtect
0x40ab88 VirtualAlloc
0x40ab8c VirtualFree
0x40ab90 ExitProcess
Library: MSVCRT.dll:
0x40ab98 memset
Library: WSOCK32.DLL:
0x40aba0 WSACleanup

Strings

.rsrc
ytttttttttttt
KERNEL32.DLL
MSVCRT.dll
WSOCK32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
memset
WSACleanup
VS_VERSION_INFO
StringFileInfo
3c0104b0
CompanyName
ioilyujyjrffzzegrtghuyjyj
ProductName
zrfhyukliopmomlyhrrgh
VarFileInfo
Translation

Antivirus Scan Results

Engine/vendor | Detection name/rule match | Signature date
Bkav W32.AppdataOfomoaM.Trojan 20180706
MicroWorld-eScan Trojan.Encpk.Gen.4 20180709
CMC Not detected 20180709
CAT-QuickHeal Not detected 20180709
McAfee Artemis!A4E806CFC72C 20180709
Cylance Unsafe 20180709
Zillya Not detected 20180709
SUPERAntiSpyware Not detected 20180709
TheHacker Trojan/Injector.ajdl 20180709
K7GW Trojan ( 00403a7a1 ) 20180709
K7AntiVirus Trojan ( 00403a7a1 ) 20180709
TrendMicro WORM_DORKBOT.TJ 20180709
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20180709
Babable Not detected 20180406
F-Prot W32/Androm.G 20180709
Symantec ML.Attribute.HighConfidence 20180709
TotalDefense Not detected 20180709
TrendMicro-HouseCall TROJ_SPNR.03GT13 20180709
Avast Win32:Fareit-HS [Trj] 20180709
ClamAV Win.Trojan.Androm-210 20180709
GData Trojan.Encpk.Gen.4 20180709
Kaspersky Backdoor.Win32.Androm.abkx 20180709
BitDefender Trojan.Encpk.Gen.4 20180709
NANO-Antivirus Trojan.Win32.Androm.cqmxrh 20180709
Paloalto generic.ml 20180709
AegisLab Backdoor.W32.Androm.abkx!c 20180709
Rising Not detected 20180709
Ad-Aware Trojan.Encpk.Gen.4 20180709
Sophos Troj/Zbot-FTB 20180709
Comodo Not detected 20180709
F-Secure Trojan.Encpk.Gen.4 20180709
DrWeb Trojan.DownLoad3.8872 20180709
VIPRE TrojanPWS.Win32.Fareit.aa (v) 20180709
Invincea heuristic 20180601
McAfee-GW-Edition BehavesLike.Win32.Generic.cc 20180709
Emsisoft Trojan.Encpk.Gen.4 (B) 20180709
SentinelOne static engine - malicious 20180701
Cyren W32/Androm.HNVO-8431 20180709
Jiangmin Backdoor/Androm.wp 20180709
Webroot Trojan.Dropper.Gen 20180709
Avira TR/Crypt.ULPM.Gen2 20180709
Antiy-AVL Trojan[Backdoor]/Win32.Androm 20180709
Kingsoft Not detected 20180709
Endgame malicious (moderate confidence) 20180612
Arcabit Trojan.Encpk.Gen.4 20180709
ViRobot Not detected 20180709
ZoneAlarm HEUR:Trojan.Win32.Generic 20180709
Avast-Mobile Not detected 20180709
Microsoft Worm:Win32/Dorkbot 20180709
TACHYON Backdoor/W32.Androm.149637 20180709
AhnLab-V3 Trojan/Win32.Tepfer.R73632 20180709
ALYac Trojan.Encpk.Gen.4 20180709
AVware TrojanPWS.Win32.Fareit.aa (v) 20180709
MAX malware (ai score=100) 20180709
VBA32 BScope.Malware-Cryptor.Dubdabud 20180709
Malwarebytes Spyware.ZeuS 20180709
Zoner Not detected 20180709
ESET-NOD32 a variant of Win32/Injector.AJDL 20180709
Tencent Win32.Trojan.Inject.Auto 20180709
Yandex Backdoor.Androm!mO38siR6t9Y 20180709
Ikarus Trojan.Win32.Bamital 20180709
eGambit Not detected 20180709
Fortinet Not detected 20180709
AVG Win32:Fareit-HS [Trj] 20180709
Cybereason malicious.fc72c4 20180225
Panda Trj/Dtcontx.F 20180709
CrowdStrike malicious_confidence_100% (D) 20180530
Qihoo-360 Win32/Trojan.e6d 20180709

Process Tree

a4e806cfc72c4388c0a9d109546ff7c8.txt, PID: 2480, parent PID: 2332
a4e806cfc72c4388c0a9d109546ff7c8.txt, PID: 2536, parent PID: 2480
svchost.exe, PID: 2776, parent PID: 2536
mspaint.exe, PID: 2960, parent PID: 2776
a4e806cfc72c4388c0a9d109546ff7c8.txt, PID: 2912, parent PID: 2536
iexplore.exe, PID: 2624, parent PID: 2912
iexplore.exe, PID: 2720, parent PID: 2624
iexplore.exe, PID: 2040, parent PID: 2028
WINWORD.EXE, PID: 988, parent PID: 1032
AcroRd32.exe, PID: 816, parent PID: 1120
EXCEL.EXE, PID: 1160, parent PID: 1128
POWERPNT.EXE, PID: 968, parent PID: 1200
iexplore.exe, PID: 1848, parent PID: 2040
Reader_sl.exe, PID: 1120, parent PID: 1904
IMECMNT.EXE, PID: 2232, parent PID: 540

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 | 49203 | 212.83.168.196 (api.wipmania.com) | 80
192.168.122.201 | 49204 | 212.83.168.196 (api.wipmania.com) | 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 49310 192.168.122.1 53
192.168.122.201 49608 192.168.122.1 53
192.168.122.201 51856 192.168.122.1 53
192.168.122.201 58897 192.168.122.1 53
192.168.122.201 64912 192.168.122.1 53

HTTP Requests

URI | HTTP data
http://api.wipmania.com/
GET / HTTP/1.1
User-Agent: Mozilla/4.0
Host: api.wipmania.com

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

Source address | Destination address | ICMP type | Data
109.236.95.227 192.168.122.201 3
109.236.95.227 192.168.122.201 3
109.236.95.227 192.168.122.201 3
194.85.16.129 192.168.122.201 3

CIF Report

No CIF results.

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2019-11-18 23:20:16.196186+0800 192.168.122.201 49203 212.83.168.196 80 TCP 2014304 ET POLICY External IP Lookup Attempt To Wipmania Potential Corporate Privacy Violation
2019-11-18 23:20:16.196186+0800 192.168.122.201 49203 212.83.168.196 80 TCP 2015800 ET TROJAN Dorkbot GeoIP Lookup to wipmania A Network Trojan was detected
2019-11-18 23:20:17.303811+0800 192.168.122.201 49204 212.83.168.196 80 TCP 2014304 ET POLICY External IP Lookup Attempt To Wipmania Potential Corporate Privacy Violation
2019-11-18 23:20:17.303811+0800 192.168.122.201 49204 212.83.168.196 80 TCP 2015800 ET TROJAN Dorkbot GeoIP Lookup to wipmania A Network Trojan was detected

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files were dropped.
No similar analyses found.

Processing ( 52.476 seconds )

  • 20.238 BehaviorAnalysis
  • 16.484 Suricata
  • 10.67 NetworkAnalysis
  • 3.095 VirusTotal
  • 0.985 Static
  • 0.567 peid
  • 0.367 TargetInfo
  • 0.052 AnalysisInfo
  • 0.015 Strings
  • 0.003 Memory

Signatures ( 14.114 seconds )

  • 2.99 antiav_detectreg
  • 1.937 md_url_bl
  • 1.02 infostealer_ftp
  • 0.815 api_spamming
  • 0.739 stealth_decoy_document
  • 0.647 stealth_timeout
  • 0.619 antianalysis_detectreg
  • 0.567 infostealer_im
  • 0.363 infostealer_mail
  • 0.271 antivm_generic_scsi
  • 0.195 mimics_filetime
  • 0.168 kibex_behavior
  • 0.162 reads_self
  • 0.162 darkcomet_regkeys
  • 0.159 virus
  • 0.159 antivm_xen_keys
  • 0.158 stealth_file
  • 0.157 antivm_parallels_keys
  • 0.147 recon_fingerprint
  • 0.146 antivm_generic_disk
  • 0.13 bootkit
  • 0.122 betabot_behavior
  • 0.115 geodo_banking_trojan
  • 0.106 antivm_generic_diskreg
  • 0.099 antisandbox_productid
  • 0.097 antivm_generic_services
  • 0.097 hancitor_behavior
  • 0.091 anormaly_invoke_kills
  • 0.072 kovter_behavior
  • 0.062 maldun_anomaly_massive_file_ops
  • 0.056 antivm_vbox_keys
  • 0.055 infostealer_browser_password
  • 0.055 bypass_firewall
  • 0.055 antivm_vmware_keys
  • 0.054 antiemu_wine_func
  • 0.053 antivm_hyperv_keys
  • 0.053 antivm_vpc_keys
  • 0.053 packer_armadillo_regkey
  • 0.052 antivm_xen_keys
  • 0.052 antivm_vbox_acpi
  • 0.052 maldun_anormaly_invoke_vb_vba
  • 0.049 antivm_generic_system
  • 0.049 recon_programs
  • 0.048 antivm_generic_bios
  • 0.048 antivm_generic_cpu
  • 0.041 dyre_behavior
  • 0.037 injection_explorer
  • 0.033 encrypted_ioc
  • 0.033 antiav_detectfile
  • 0.029 antisandbox_sunbelt_libs
  • 0.027 antiav_avast_libs
  • 0.027 rat_luminosity
  • 0.027 md_domain_bl
  • 0.023 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.023 antisandbox_sboxie_libs
  • 0.023 h1n1_behavior
  • 0.023 infostealer_bitcoin
  • 0.022 antiav_bitdefender_libs
  • 0.021 antivm_vbox_libs
  • 0.021 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.02 shifu_behavior
  • 0.019 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.019 antidbg_windows
  • 0.018 Locky_behavior
  • 0.013 antivm_vbox_files
  • 0.012 hawkeye_behavior
  • 0.012 ispy_behavior
  • 0.012 cryptowall_behavior
  • 0.011 dridex_behavior
  • 0.011 anomaly_persistence_autorun
  • 0.01 chimera_behavior
  • 0.01 exec_crash
  • 0.009 infostealer_browser
  • 0.009 vawtrak_behavior
  • 0.008 andromeda_behavior
  • 0.008 antiemu_wine_reg
  • 0.007 tinba_behavior
  • 0.007 ransomware_extensions
  • 0.007 ransomware_files
  • 0.006 rat_nanocore
  • 0.006 ipc_namedpipe
  • 0.006 antivm_vmware_events
  • 0.006 network_http
  • 0.005 antisandbox_unhook
  • 0.005 antivm_vmware_libs
  • 0.005 antidbg_devices
  • 0.005 disables_browser_warn
  • 0.004 network_tor
  • 0.004 injection_createremotethread
  • 0.004 antivm_vbox_window
  • 0.003 sets_autoconfig_url
  • 0.003 browser_security
  • 0.003 modify_proxy
  • 0.003 network_torgateway
  • 0.003 rat_pcclient
  • 0.002 ransomware_message
  • 0.002 antisandbox_sleep
  • 0.002 spoofs_procname
  • 0.002 kazybot_behavior
  • 0.002 ransomeware_modifies_desktop_wallpaper
  • 0.002 cerber_behavior
  • 0.002 antisandbox_script_timer
  • 0.002 antisandbox_cuckoo
  • 0.002 securityxploded_modules
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vmware_files
  • 0.002 codelux_behavior
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.001 antisandbox_cuckoocrash
  • 0.001 disables_spdy
  • 0.001 office_dl_write_exe
  • 0.001 office_write_exe
  • 0.001 anomaly_persistence_bootexecute
  • 0.001 anomaly_reset_winsock
  • 0.001 ursnif_behavior
  • 0.001 disables_wfp
  • 0.001 process_needed
  • 0.001 sniffer_winpcap
  • 0.001 antivm_vpc_files
  • 0.001 banker_cridex
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 malicous_targeted_flame
  • 0.001 network_tor_service
  • 0.001 office_security
  • 0.001 rat_spynet
  • 0.001 stealth_hiddenreg
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_modify_security_center_warnings

Reporting ( 1.65 seconds )

  • 1.144 ReportHTMLSummary
  • 0.506 Malheur
Task ID 460750
Mongo ID 5dd2b7c72f8f2e08f660aed7
Cuckoo release 1.4-Maldun