恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-2	2020-01-19 00:15:29	2020-01-19 00:18:12	163 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	CF上号器1.2.exe
文件大小	633344 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	b0daf59310e165e3d7c6cb6c056c14f7
SHA1	2a640a78cdc758448332e8e01317e42b5ea588ca
SHA256	117f2c431392f64bd3b6842fb0efa2aad0efb1a845a6ab4e3d943be9aa61054f
SHA512	0d3c02e9d4bc5e5036b27abe5e25d7e28046f56207072aa6e78d1546126901103293f0f53e9cdf2ebe13be30b991a02175a2a129b5d3cdbf620e2a53a6d07e94
CRC32	E754BC22
Ssdeep	12288:Put56fMdwXlRtG9uAa+CzzBZhJ8nlCYIIhB9oSM:Pm56UwXlRo9hCzzD38rIg
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
fanyi.baidu.com	CNAME fanyi.baidu.com.cname1084.yjs-cdn.com A 117.27.149.202 CNAME fanyi-sflow.n.shifen.com

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x0054f2e0
声明校验值	0x00000000
实际校验值	0x0009b1d5
最低操作系统版本要求	4.0
编译时间	2020-01-19 00:14:14
载入哈希	778d48b5ac969754728346a0c96431e7

版本信息

LegalCopyright
FileVersion
Comments
ProductName
ProductVersion
FileDescription
Translation

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
UPX0	0x00001000	0x000ec000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
UPX1	0x000ed000	0x00063000	0x00063000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.rsrc	0x00150000	0x00038000	0x00037600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.68

导入

库: ADVAPI32.dll:

• 0x58725c RegCloseKey

库: COMCTL32.dll:

• 0x587264 None

库: comdlg32.dll:

• 0x58726c ChooseColorA

库: GDI32.dll:

• 0x587274 PatBlt

库: KERNEL32.DLL:

• 0x58727c LoadLibraryA

• 0x587280 ExitProcess

• 0x587284 GetProcAddress

• 0x587288 VirtualProtect

库: ole32.dll:

• 0x587290 OleInitialize

库: OLEAUT32.dll:

• 0x587298 LoadTypeLib

库: RASAPI32.dll:

• 0x5872a0 RasHangUpA

库: SHELL32.dll:

• 0x5872a8 ShellExecuteA

库: USER32.dll:

• 0x5872b0 GetDC

库: WININET.dll:

• 0x5872b8 InternetCloseHandle

库: WINMM.dll:

• 0x5872c0 waveOutOpen

库: WINSPOOL.DRV:

• 0x5872c8 OpenPrinterA

库: WS2_32.dll:

• 0x5872d0 getpeername

.rsrc
v[D8&p

没有防病毒引擎扫描信息!

进程树

CF_________1.2.exe id: 2604

搜索
CF_________1.2.exe (2604)

CF_________1.2.exe, PID: 2604, 上一级进程 PID: 2332

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.202	49161	117.27.149.202 fanyi.baidu.com	80
192.168.122.202	49162	117.27.149.202 fanyi.baidu.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.202	55264	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
fanyi.baidu.com	CNAME fanyi.baidu.com.cname1084.yjs-cdn.com A 117.27.149.202 CNAME fanyi-sflow.n.shifen.com

TCP

源地址	源端口	目标地址	目标端口
192.168.122.202	49161	117.27.149.202 fanyi.baidu.com	80
192.168.122.202	49162	117.27.149.202 fanyi.baidu.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.202	55264	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://fanyi.baidu.com/gettts?lan=zh&text=%E6%AC%A2%E8%BF%8E%E4%BD%BF%E7%94%A8%E6%9C%AC%E7%A8%8B%E5%BA%8F%EF%BC%81&spd=5&source=web.mp3	GET /gettts?lan=zh&text=%E6%AC%A2%E8%BF%8E%E4%BD%BF%E7%94%A8%E6%9C%AC%E7%A8%8B%E5%BA%8F%EF%BC%81&spd=5&source=web.mp3 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: fanyi.baidu.com Connection: Keep-Alive

URI

HTTP数据

URL专业沙箱检测 -> http://fanyi.baidu.com/gettts?lan=zh&text=%E6%AC%A2%E8%BF%8E%E4%BD%BF%E7%94%A8%E6%9C%AC%E7%A8%8B%E5%BA%8F%EF%BC%81&spd=5&source=web.mp3

GET /gettts?lan=zh&text=%E6%AC%A2%E8%BF%8E%E4%BD%BF%E7%94%A8%E6%9C%AC%E7%A8%8B%E5%BA%8F%EF%BC%81&spd=5&source=web.mp3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: fanyi.baidu.com
Connection: Keep-Alive

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Version	Issuer	Subject	Fingerprint
2020-01-19 00:16:28.142226+0800	192.168.122.202	49162	117.27.149.202	443	TLS 1.2	C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA	CN=fanyi.baidu.com	96:37:aa:80:d1:ad:14:a8:d6:91:a8:01:f3:35:bd:fc:50:5f:fc:cd

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 23.621 seconds )

16.528 Suricata
2.508 NetworkAnalysis
2.423 Static
0.573 peid
0.572 TargetInfo
0.554 BehaviorAnalysis
0.343 VirusTotal
0.096 AnalysisInfo
0.017 Strings
0.005 Memory
0.002 config_decoder

Signatures ( 2.285 seconds )

1.888 md_url_bl
0.073 antiav_detectreg
0.028 infostealer_ftp
0.024 api_spamming
0.021 md_domain_bl
0.019 stealth_timeout
0.018 stealth_decoy_document
0.016 infostealer_im
0.015 antianalysis_detectreg
0.01 infostealer_mail
0.009 antiav_detectfile
0.008 anomaly_persistence_autorun
0.008 kovter_behavior
0.008 geodo_banking_trojan
0.007 antiemu_wine_func
0.007 antivm_generic_scsi
0.006 infostealer_browser_password
0.006 infostealer_bitcoin
0.006 network_http
0.006 ransomware_files
0.005 antivm_generic_services
0.005 ransomware_extensions
0.004 kibex_behavior
0.004 anormaly_invoke_kills
0.004 antivm_parallels_keys
0.004 antivm_vbox_files
0.004 antivm_xen_keys
0.003 tinba_behavior
0.003 betabot_behavior
0.003 disables_browser_warn
0.003 darkcomet_regkeys
0.003 network_torgateway
0.002 antivm_vbox_libs
0.002 rat_nanocore
0.002 dridex_behavior
0.002 cerber_behavior
0.002 antivm_generic_diskreg
0.002 browser_security
0.002 modify_proxy
0.002 md_bad_drop
0.002 network_cnc_http
0.002 recon_fingerprint
0.001 network_tor
0.001 bootkit
0.001 antiav_avast_libs
0.001 mimics_filetime
0.001 network_anomaly
0.001 stealth_file
0.001 reads_self
0.001 ursnif_behavior
0.001 kazybot_behavior
0.001 antisandbox_sunbelt_libs
0.001 shifu_behavior
0.001 exec_crash
0.001 antivm_generic_disk
0.001 antidbg_windows
0.001 virus
0.001 bypass_firewall
0.001 antianalysis_detectfile
0.001 antidbg_devices
0.001 antisandbox_productid
0.001 antivm_xen_keys
0.001 antivm_hyperv_keys
0.001 antivm_vbox_acpi
0.001 antivm_vbox_keys
0.001 antivm_vmware_keys
0.001 antivm_vpc_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 maldun_anormaly_invoke_vb_vba
0.001 packer_armadillo_regkey
0.001 rat_pcclient
0.001 rat_spynet
0.001 stealth_modify_uac_prompt

Reporting ( 1.215 seconds )

0.926 ReportHTMLSummary
0.289 Malheur


Task ID	488360
Mongo ID	5e232fe92f8f2e4be9637028
Cuckoo release	1.4-Maldun