Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-1  2019-11-18 23:50:19  2019-11-18 23:52:30  131 seconds

Maldun score

10.0

Ramnit virus

File details

File name  BaoPo.exe
File size  81920 bytes
File type  PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5 2f2d67ed91f08ebe2245b30dbfeaa4a7
SHA1 e62965dc5f843e79cc3fc53a0d0dafa40e7f93b8
SHA256 7c7c424d0db834d741e37a6057b41909f5df51a3a6fbd4c68caf2d71f088c14c
SHA512 e703d83a578ea448d5fbcbb2ea58eb2649b4d76ed489feb48b6735e636428cb6beedcecba3a521fd7fe0c30bc101141c67ac76fc9dacc2becbef238cf6bb2593
CRC32 DFB941E8
Ssdeep 1536:CEjjsbesQtgF3OPnfdBfD30m8/jaobbZFsO+ZPYjeUh:C4jfsQc3OPn/D30ljVtsZPYj

Hosts contacted

No host records.

DNS resolution

Domain  Security rating  Response
fget-career.com A 72.26.218.76
google.com A 216.58.220.206
bing.com A 204.79.197.200
A 13.107.21.200

PE information

Image base  0x00400000
Entry point  0x00421000
Declared checksum  0x0001a59c
Actual checksum  0x0001a59c
Minimum OS version  4.0
Compile time  2014-01-04 18:15:59
Import hash  3766ef1a6dcce38c47f1055128537389

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
UPX0 0x00001000 0x00019000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x0001a000 0x00006000 0x00005800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.86
UPX2 0x00020000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.36
.rmnet 0x00021000 0x0000f000 0x0000e200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.97

Imports

Library: KERNEL32.DLL:
0x42008c LoadLibraryA
0x420090 GetProcAddress
0x420094 VirtualProtect
0x420098 VirtualAlloc
0x42009c VirtualFree
0x4200a0 ExitProcess
Library: MSVCRT.dll:
0x4200a8 modf
Library: ole32.dll:
0x4200b0 OleRun
Library: OLEAUT32.dll:
0x4200b8 SafeArrayGetDim
Library: SHLWAPI.dll:
0x4200c0 PathFileExistsA
Library: USER32.dll:
0x4200c8 wsprintfA

.rmnet
tiveIP:8q@
""9@%
Trojans
'%datadir%';
5x2DROP0
ce("\
F0123456789.$[?*?]$
mGL-ve
PfNCommKL
KERNEL32.DLL
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
USER32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
OleRun
PathFileExistsA
wsprintfA
KyUffThOkYwRRtgPP
Srv.exe
FreeLibrary
CreateMutexA
CloseHandle
ReleaseMutex
GetLastError
CreateFileA
WriteFile
GetModuleFileNameA
CreateProcessA
kernel32.dll
YvH}c{x
$xptJ
No antivirus engine scan information!

Process tree


BaoPo.exe, PID: 2480, parent PID: 2336
BaoPoSrv.exe, PID: 2556, parent PID: 2480
DesktopLayer.exe, PID: 2632, parent PID: 2556
chrome.exe, PID: 2708, parent PID: 2632

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49166 72.26.218.76 fget-career.com 443
192.168.122.201 49167 72.26.218.76 fget-career.com 443

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 49310 192.168.122.1 53
192.168.122.201 49608 192.168.122.1 53
192.168.122.201 64912 192.168.122.1 53

HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2019-11-18 23:50:45.260683+0800 192.168.122.201 49166 72.26.218.76 443 TCP 2018558 ET TROJAN Win32/Ramnit Checkin A Network Trojan was detected
2019-11-18 23:50:45.928550+0800 192.168.122.201 49167 72.26.218.76 443 TCP 2018558 ET TROJAN Win32/Ramnit Checkin A Network Trojan was detected

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 25.568 seconds )

  • 17.224 Suricata
  • 2.909 VirusTotal
  • 2.242 BehaviorAnalysis
  • 1.599 NetworkAnalysis
  • 0.73 Static
  • 0.432 peid
  • 0.351 TargetInfo
  • 0.068 AnalysisInfo
  • 0.01 Strings
  • 0.003 Memory

Signatures ( 1.888 seconds )

  • 0.185 antiav_detectfile
  • 0.128 infostealer_bitcoin
  • 0.124 api_spamming
  • 0.12 ransomware_extensions
  • 0.1 stealth_timeout
  • 0.092 stealth_decoy_document
  • 0.073 antivm_vbox_files
  • 0.071 ransomware_files
  • 0.07 infostealer_ftp
  • 0.062 mimics_filetime
  • 0.05 infostealer_im
  • 0.047 reads_self
  • 0.046 virus
  • 0.043 stealth_file
  • 0.043 antivm_generic_disk
  • 0.038 bootkit
  • 0.034 antidbg_devices
  • 0.031 infostealer_mail
  • 0.027 md_domain_bl
  • 0.026 network_tor
  • 0.025 hancitor_behavior
  • 0.023 maldun_anomaly_massive_file_ops
  • 0.022 rat_pcclient
  • 0.02 md_url_bl
  • 0.017 anomaly_persistence_autorun
  • 0.017 antiav_detectreg
  • 0.016 hawkeye_behavior
  • 0.016 betabot_behavior
  • 0.016 kovter_behavior
  • 0.015 kazybot_behavior
  • 0.014 antivm_vmware_files
  • 0.014 codelux_behavior
  • 0.013 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.012 rat_nanocore
  • 0.012 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.012 kibex_behavior
  • 0.011 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.01 antiemu_wine_func
  • 0.01 injection_createremotethread
  • 0.01 sniffer_winpcap
  • 0.009 rat_luminosity
  • 0.009 infostealer_browser_password
  • 0.009 geodo_banking_trojan
  • 0.009 network_tor_service
  • 0.008 injection_explorer
  • 0.008 h1n1_behavior
  • 0.007 tinba_behavior
  • 0.007 antivm_vpc_files
  • 0.007 malicous_targeted_flame
  • 0.006 antisandbox_sleep
  • 0.006 injection_runpe
  • 0.006 antianalysis_detectfile
  • 0.006 banker_cridex
  • 0.005 shifu_behavior
  • 0.005 network_torgateway
  • 0.004 dridex_behavior
  • 0.004 cerber_behavior
  • 0.004 antianalysis_detectreg
  • 0.004 antisandbox_sunbelt_files
  • 0.003 spreading_autoruninf
  • 0.003 bitcoin_opencl
  • 0.003 disables_browser_warn
  • 0.003 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.002 antivm_generic_scsi
  • 0.002 modifies_hostfile
  • 0.002 antisandbox_fortinet_files
  • 0.002 antisandbox_threattrack_files
  • 0.002 antivm_vbox_devices
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 md_bad_drop
  • 0.002 ransomware_radamant
  • 0.001 antivm_vbox_libs
  • 0.001 sets_autoconfig_url
  • 0.001 ursnif_behavior
  • 0.001 exec_crash
  • 0.001 anomaly_persistence_ads
  • 0.001 antisandbox_cuckoo_files
  • 0.001 antisandbox_joe_anubis_files
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_devices
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_network_blacklist
  • 0.001 office_security
  • 0.001 rat_spynet
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.334 seconds )

  • 1.065 ReportHTMLSummary
  • 0.269 Malheur
Task ID 460756
Mongo ID 5dd2be682f8f2e08f960a93d
Cuckoo release 1.4-Maldun