恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-2	2020-01-05 17:16:24	2020-01-05 17:18:47	143 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	LOL清风换肤盒子v9.24.4.exe
文件大小	2761900 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	94187e59e481f95ab687b7b7a815e4d9
SHA1	3ec6ffd3f77b5d128d7effd07e36ae1c52073604
SHA256	2d0067adad90cfcc437fe98063fba96b807dbb56223df0f52ebf6ae4333e419c
SHA512	b7ecae3bd008f39bc585c927795b84a9291fdca48bbef9d07cfcf61e815245af7c3c83982928cb214bc38f95d595caa60a477c96e2f65be0cce0e74e79155c34
CRC32	51DEC53B
Ssdeep	49152:h7TyuADFWciuthZCUsPcGlcimllL4u85+2UqYNT0fWLY:klWsthEb/MValUqYNo1
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
box.cclolcc.com	A 103.121.95.145

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x00771682
声明校验值	0x002a8b68
实际校验值	0x002a8b68
最低操作系统版本要求	4.0
编译时间	2020-01-05 15:59:28
载入哈希	4312d67f7f59f5497da701a19cd42c14

版本信息

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PEiD 规则

[u'NsPack 2.9 -> North Star']

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.nsp0	0x00001000	0x0036e000	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.nsp1	0x0036f000	0x002a3000	0x002a20ac	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.nsp2	0x00612000	0x00001124	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00

导入

库: KERNEL32.DLL:

• 0x771364 LoadLibraryA

• 0x771368 GetProcAddress

• 0x77136c VirtualProtect

• 0x771370 VirtualAlloc

• 0x771374 VirtualFree

• 0x771378 ExitProcess

库: USER32.DLL:

• 0x771380 RegisterClassA

库: GDI32.DLL:

• 0x771388 CreateDIBitmap

库: WINMM.DLL:

• 0x771390 midiStreamRestart

库: WINSPOOL.DRV:

• 0x771398 ClosePrinter

库: ADVAPI32.DLL:

• 0x7713a0 RegCloseKey

库: SHELL32.DLL:

• 0x7713a8 ShellExecuteA

库: OLE32.DLL:

• 0x7713b0 CLSIDFromProgID

库: OLEAUT32.DLL:

• 0x7713b8 VariantClear

库: COMCTL32.DLL:

• 0x7713c0 ImageList_Destroy

库: WS2_32.DLL:

• 0x7713c8 recvfrom

库: COMDLG32.DLL:

• 0x7713d0 GetFileTitleA

=Rich/
.nsp0
.nsp1
.nsp2
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
KERNEL32.DLL
USER32.DLL
GDI32.DLL
WINMM.DLL
WINSPOOL.DRV
ADVAPI32.DLL
SHELL32.DLL
OLE32.DLL
OLEAUT32.DLL
COMCTL32.DLL
WS2_32.DLL
COMDLG32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegisterClassA
CreateDIBitmap
midiStreamRestart
ClosePrinter
RegCloseKey
ShellExecuteA
CLSIDFromProgID
ImageList_Destroy
GetFileTitleA
U.X-.]_
9a@8O3
DEFAULT_ICON
VS_VERSION_INFO
StringFileInfo
080404B0
FileVersion
1.0.0.0
FileDescription
ProductName
ProductVersion
1.0.0.0
CompanyName
LegalCopyright
Comments
VarFileInfo
Translation

没有防病毒引擎扫描信息!

进程树

LOL__________________v9.24.4.exe id: 2504

搜索
LOL__________________v9.24.4.exe (2504)

LOL__________________v9.24.4.exe, PID: 2504, 上一级进程 PID: 2352

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.202	49161	103.121.95.145 box.cclolcc.com	80
192.168.122.202	49162	103.121.95.145 box.cclolcc.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.202	55264	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
box.cclolcc.com	A 103.121.95.145

TCP

源地址	源端口	目标地址	目标端口
192.168.122.202	49161	103.121.95.145 box.cclolcc.com	80
192.168.122.202	49162	103.121.95.145 box.cclolcc.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.202	55264	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://box.cclolcc.com/config/config_box_qingfeng.ini	HEAD /config/config_box_qingfeng.ini HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: box.cclolcc.com Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://box.cclolcc.com/config/config_box_qingfeng.ini	GET /config/config_box_qingfeng.ini HTTP/1.1 Accept: / Referer: http://box.cclolcc.com/config/config_box_qingfeng.ini Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: box.cclolcc.com Cache-Control: no-cache

URI

HTTP数据

URL专业沙箱检测 -> http://box.cclolcc.com/config/config_box_qingfeng.ini

HEAD /config/config_box_qingfeng.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: box.cclolcc.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://box.cclolcc.com/config/config_box_qingfeng.ini

GET /config/config_box_qingfeng.ini HTTP/1.1
Accept: */*
Referer: http://box.cclolcc.com/config/config_box_qingfeng.ini
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: box.cclolcc.com
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 32.642 seconds )

15.551 Suricata
8.103 Static
4.733 NetworkAnalysis
2.071 VirusTotal
0.989 TargetInfo
0.604 BehaviorAnalysis
0.432 peid
0.13 AnalysisInfo
0.015 Strings
0.011 config_decoder
0.003 Memory

Signatures ( 2.347 seconds )

1.941 md_url_bl
0.058 antiav_detectreg
0.03 api_spamming
0.024 stealth_timeout
0.022 stealth_decoy_document
0.022 infostealer_ftp
0.021 md_domain_bl
0.013 infostealer_im
0.012 antianalysis_detectreg
0.009 kovter_behavior
0.009 antiav_detectfile
0.008 antiemu_wine_func
0.008 infostealer_mail
0.007 anomaly_persistence_autorun
0.007 infostealer_browser_password
0.007 geodo_banking_trojan
0.007 network_http
0.006 injection_createremotethread
0.006 process_interest
0.006 infostealer_bitcoin
0.006 ransomware_files
0.005 antivm_generic_scsi
0.005 ransomware_extensions
0.004 antivm_generic_services
0.004 vawtrak_behavior
0.004 injection_runpe
0.004 antivm_vbox_files
0.003 tinba_behavior
0.003 antivm_vbox_libs
0.003 betabot_behavior
0.003 kibex_behavior
0.003 antidbg_windows
0.003 anormaly_invoke_kills
0.003 antivm_parallels_keys
0.003 antivm_xen_keys
0.003 disables_browser_warn
0.003 network_torgateway
0.002 bootkit
0.002 rat_nanocore
0.002 mimics_filetime
0.002 stealth_file
0.002 reads_self
0.002 antivm_generic_disk
0.002 cerber_behavior
0.002 virus
0.002 process_needed
0.002 antivm_generic_diskreg
0.002 browser_security
0.002 modify_proxy
0.002 darkcomet_regkeys
0.002 md_bad_drop
0.002 network_cnc_http
0.001 network_tor
0.001 antiav_avast_libs
0.001 dridex_behavior
0.001 ursnif_behavior
0.001 kazybot_behavior
0.001 antisandbox_sunbelt_libs
0.001 dyre_behavior
0.001 shifu_behavior
0.001 exec_crash
0.001 hancitor_behavior
0.001 bypass_firewall
0.001 antianalysis_detectfile
0.001 antidbg_devices
0.001 antisandbox_productid
0.001 antivm_xen_keys
0.001 antivm_hyperv_keys
0.001 antivm_vbox_acpi
0.001 antivm_vbox_keys
0.001 antivm_vmware_keys
0.001 antivm_vpc_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 maldun_anormaly_invoke_vb_vba
0.001 maldun_network_blacklist
0.001 rat_spynet
0.001 recon_fingerprint
0.001 stealth_modify_uac_prompt

Reporting ( 1.378 seconds )

0.936 ReportHTMLSummary
0.442 Malheur


Task ID	484050
Mongo ID	5e11aa292f8f2e676e5f294a
Cuckoo release	1.4-Maldun