分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64 | 2016-11-20 16:35:44 | 2016-11-20 16:38:00 | 136 秒 |
魔盾分数
4.6
可疑的
文件详细信息
| 文件名 | ShellLocker.vir |
|---|---|
| 文件大小 | 1028608 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 2be6385e5159210716681f59b64aef1e |
| SHA1 | 8eb8b6e773a7954b7091e241dafebf0a74573b60 |
| SHA256 | 5e27ab7ef30ea964c8c2c72c3af1de46899c83cb8756a5be12dc6a3d6d34d913 |
| SHA512 | 8a699dce5b845774f036c979e8230bca09cd1a9c1d4b68558fde5e8f4a4d826562e7606cac1c9c15ff2ee5967a43c81802a4d3bcc05de5f9e07170bb81acf497 |
| CRC32 | 08A3E3AD |
| Ssdeep | 24576:srKVlPNj0JbApI0qcVGAro+uQQ9kbowhC:KslF6bj0qcVps+M9kbdhC |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x004ecbde |
| 声明校验值 | 0x9585e283 |
| 实际校验值 | 0x00105fd9 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2016-11-08 02:54:43 |
| 图标 |  |
| 图标精确哈希值 | 3e02527e67af010d267e693e882cb3da |
| 图标相似性哈希值 | a0355d3e8cef586bb6e00314ed096af5 |
版本信息
| Translation | |
|---|---|
| LegalCopyright | |
| Assembly Version | |
| InternalName | |
| FileVersion | |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00002000 | 0x000eabe4 | 0x000eac00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.43 |
| .rsrc | 0x000ee000 | 0x00002600 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.46 |
| .reloc | 0x000f2000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.10 |
| wrdedgHL | 0x000f4000 | 0x0000d9a8 | 0x0000da00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.63 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x000eeb08 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.69 | data |
| RT_ICON | 0x000eeb08 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.69 | data |
| RT_ICON | 0x000eeb08 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.69 | data |
| RT_ICON | 0x000eeb08 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.69 | data |
| RT_GROUP_ICON | 0x000ef3c0 | 0x0000003e | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.65 | MS Windows icon resource - 4 icons, 16x16, 16-colors |
| RT_VERSION | 0x000ef410 | 0x00000360 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.30 | data |
| RT_MANIFEST | 0x000ef780 | 0x00000d22 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.07 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
导入
库: mscoree.dll:
• 0x402000 _CorExeMain
.text
`.rsrc
@.reloc
!iRhV[
Db;z(
lbVzH$
RRC*r
`6Ks"b
RZ:QK
J%pD<
D2JB;(2B62
ObJf:p
r@"tQ
?V(2n2
j"ZB+
sb\bJ
$RVB>
H2SB0z
jDQZM
db?Wk
zRh*Z
*4K"@RZSDB*R
BdRJR9
R2Nf;
Xrhb8Q
v4.0.30319
#Strings
#GUID
#Blob
Thread
System.Threading
.ctor
ThreadStart
ArgumentException
System
Timer
System.Windows.Forms
IContainer
System.ComponentModel
RSACryptoServiceProvider
System.Security.Cryptography
Point
System.Drawing
WebClient
System.Net
RijndaelManaged
Hashtable
System.Collections
FontStyle
Label
PictureBox
Container
DirectoryInfo
System.IO
FileInfo
SizeF
GroupBox
ComponentResourceManager
InvalidOperationException
Exception
Random
Object
ResourceManager
System.Resources
Assembly
System.Reflection
RichTextBox
SettingsBase
System.Configuration
Synchronized
ProjectData
Microsoft.VisualBasic.CompilerServices
ClearProjectError
Control
set_Name
ContainerControl
set_AutoScaleDimensions
get_Name
GetTypeFromHandle
RuntimeTypeHandle
Sleep
set_Text
get_Controls
ControlCollection
remove_Tick
EventHandler
String
get_Chars
set_Size
CreateParams
set_ClassStyle
Process
System.Diagnostics
GetProcessesByName
SuspendLayout
op_Explicit
set_Font
set_ForeColor
Color
SetProjectError
WriteAllBytes
Conversions
ToDouble
get_Text
Concat
ResumeLayout
WindowsFormsApplicationBase
Microsoft.VisualBasic.ApplicationServices
set_IsSingleInstance
Monitor
Start
ToString
set_Location
ReadAllBytes
Environment
GetFolderPath
SpecialFolder
ServerComputer
Microsoft.VisualBasic.Devices
get_FileSystem
FileSystemProxy
Microsoft.VisualBasic.MyServices
get_ClassStyle
set_MaximizeBox
ToBoolean
get_InnerException
add_Load
Focus
set_BackColor
set_FlatStyle
FlatStyle
Encoding
System.Text
GetString
Remove
set_FormBorderStyle
FormBorderStyle
Utils
GetResourceString
get_White
SpecialDirectoriesProxy
get_Temp
set_AutoScaleMode
AutoScaleMode
GenerateKey
Marshal
System.Runtime.InteropServices
PtrToStructure
IntPtr
set_ShowIcon
FileSystemInfo
get_Extension
set_ControlBox
set_StartPosition
FormStartPosition
get_Transparent
get_Red
set_BackgroundImage
Image
set_TextAlign
ContentAlignment
Enter
set_Opacity
GetHashCode
Dispose
set_TabIndex
CreateEncryptor
ICryptoTransform
op_Addition
get_UTF8
FromFile
Array
ConstrainedCopy
add_FormClosing
FormClosingEventHandler
get_DirectoryName
get_UserName
BringToFront
get_Length
set_Anchor
AnchorStyles
set_Interval
op_Equality
Contains
set_TabStop
RuntimeHelpers
System.Runtime.CompilerServices
GetObjectValue
set_EnableVisualStyles
GetHINSTANCE
Module
GetFiles
ContainsKey
GetExecutingAssembly
SymmetricAlgorithm
set_KeySize
add_Tick
ProcessModule
get_ModuleName
get_Assembly
set_ShowInTaskbar
get_Black
add_Shutdown
ShutdownEventHandler
set_Enabled
set_SaveMySettingsOnExit
Application
get_ExecutablePath
Delete
DownloadFile
GetBytes
GetCurrentProcess
GetModules
set_WindowState
FormWindowState
add_LostFocus
get_SaveMySettingsOnExit
CreateDecryptor
get_CreateParams
set_BackgroundImageLayout
ImageLayout
TrimEnd
set_ClientSize
Operators
CompareString
set_MinimizeBox
set_TopMost
SetCompatibleTextRenderingDefault
Interlocked
Decrement
ReferenceEquals
get_SpecialDirectories
CancelEventArgs
set_Cancel
FormClosingEventArgs
get_CloseReason
CloseReason
get_FullName
GetObject
GetDirectories
Equals
Component
get_Message
ApplicationSettingsBase
Split
ToLower
get_Key
get_MainModule
Screen
get_AllScreens
set_ShutdownStyle
ShutdownMode
get_UseCompatibleTextRendering
Interaction
Microsoft.VisualBasic
Shell
AppWinStyle
get_Bounds
Rectangle
ObjectFlowControl
CheckForSyncLockOnValueType
set_MainForm
Document.exe
Document
mscorlib
user32.dll
user32
User32
kernel32.dll
ntdll.dll
<Module>
Dictionary`2
System.Collections.Generic
MethodBase
Stream
MemoryStream
DeflateStream
System.IO.Compression
AppDomain
get_CurrentDomain
ResolveEventHandler
add_ResourceResolve
Write
ToArray
Create
HashAlgorithm
ComputeHash
CryptoStream
CryptoStreamMode
CompressionMode
BitConverter
GetManifestResourceStream
GetCurrentMethod
MemberInfo
get_Module
get_MetadataToken
ResolveSignature
ToUInt32
.cctor
ConstructorInfo
ParameterInfo
FieldInfo
DynamicMethod
System.Reflection.Emit
ILGenerator
GetFieldFromHandle
RuntimeFieldHandle
get_ParameterType
get_FieldType
CreateDelegate
Delegate
SetValue
GetParameters
get_DeclaringType
get_IsInterface
get_IsArray
GetILGenerator
OpCodes
Ldarg_S
OpCode
Newobj
ResolveMethod
MethodInfo
get_IsStatic
Castclass
get_ReturnType
Ldarg
Callvirt
BinaryReader
ReadInt32
ReadBytes
Buffer
BlockCopy
IDisposable
GetManifestResourceNames
ResolveEventArgs
IndexOf
sender
STAThreadAttribute
DebuggerHiddenAttribute
EditorBrowsableAttribute
EditorBrowsableState
AuthenticationMode
DebuggerStepThroughAttribute
OnCreateMainForm
GeneratedCodeAttribute
System.CodeDom.Compiler
Computer
StandardModuleAttribute
HideModuleNameAttribute
MyForms
ThreadStaticAttribute
TargetInvocationException
get_IsDisposed
Activator
CreateInstance
Boolean
Int32
MyGroupCollectionAttribute
MyWebServices
CompilerGeneratedAttribute
ComVisibleAttribute
Resources
ShellLocker.My.Resources
CultureInfo
System.Globalization
DebuggerNonUserCodeAttribute
EventArgs
TransformFinalBlock
Resize
FindWindowA
ShowWindow
Form1
ShellLocker
List`1
WeakReference
AccessedThroughPropertyAttribute
FindWindow
SetWindowPos
keybd_event
SystemParametersInfoA
GetAsyncKeyState
get_Location
disposing
ISupportInitialize
EndInit
BeginInit
DesignerGeneratedAttribute
Form2
UnhookWindowsHookEx
SetWindowsHookExA
GetAsyncKeyState2
CallNextHookEx
ToInt32
ValueType
MulticastDelegate
TargetObject
TargetMethod
BeginInvoke
IAsyncResult
AsyncCallback
wParam
lParam
DelegateCallback
DelegateAsyncState
EndInvoke
DelegateAsyncResult
Invoke
SetWindowsHookEx
GetModuleHandle
KBDLLHOOKSTRUCT
nCode
TryGetValue
SizeOf
set_Item
ProcessHandle
ProcessInformationClass
ProcessInformation
ProcessInformationLength
ReturnLength
NtQueryInformationProcess
NtSetInformationProcess
hObject
CloseHandle
IsDebuggerPresent
OutputDebugString
GetEnvironmentVariable
ParameterizedThreadStart
set_IsBackground
FailFast
Debugger
IsLogging
get_IsAlive
get_IsAttached
get_CurrentThread
thread
lpAddress
dwSize
flNewProtect
lpflOldProtect
VirtualProtect
get_FullyQualifiedName
op_Inequality
ToPointer
UnmanagedMemoryStream
FileAccess
SeekOrigin
ReadUInt32
ReadUInt16
get_Position
ReadByte
set_Position
ReadUInt64
ToUInt64
SHA512
SHA256
UInt32
ConfusedByAttribute
Attribute
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
DebuggableAttribute
DebuggingModes
AssemblyTitleAttribute
AssemblyDescriptionAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
SuppressIldasmAttribute
11.0.0.0
My.MyProject.Forms
Dispose__Instance__
4.0.0.0
14.0.0.0
Timer1
PictureBox1
Timer2
Label8
Label10
Label11
Label13
Label12
GroupBox1
Document
2016 Microsoft
$d7ee7b43-59cb-4d32-8b00-fcc3bbfa8739
2.0.4.0
Confuser v1.9.0.0
_CorExeMain
mscoree.dll
ssssssss{7;;
rrrrrrr
rrrrrrr
rrrrrrr
rrrrrmm
rrrrr
rrrrrr
rrrrrrr
rrrrrrrr
gDt\s
Broken file
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Document
CompanyName
Document
FileDescription
Document
FileVersion
2.0.4.0
InternalName
Document.exe
LegalCopyright
2016 Microsoft
LegalTrademarks
Document
OriginalFilename
Document.exe
ProductName
Document
ProductVersion
2.0.4.0
Assembly Version
2.0.4.0
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 4.235 seconds )
- 2.353 Static
- 1.05 static_dotnet
- 0.263 TargetInfo
- 0.25 peid
- 0.111 Strings
- 0.071 BehaviorAnalysis
- 0.052 config_decoder
- 0.045 NetworkAnalysis
- 0.025 AnalysisInfo
- 0.009 Debug
- 0.003 Dropped
- 0.002 Memory
- 0.001 ProcessMemory
Signatures ( 0.073 seconds )
- 0.013 antiav_detectreg
- 0.007 ransomware_files
- 0.006 infostealer_ftp
- 0.005 persistence_autorun
- 0.005 antiav_detectfile
- 0.004 infostealer_im
- 0.004 md_bad_drop
- 0.003 antianalysis_detectreg
- 0.003 infostealer_bitcoin
- 0.003 infostealer_mail
- 0.003 rat_pcclient
- 0.002 tinba_behavior
- 0.002 antivm_vbox_files
- 0.002 geodo_banking_trojan
- 0.002 disables_browser_warn
- 0.001 betabot_behavior
- 0.001 kibex_behavior
- 0.001 stealth_timeout
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 modify_proxy
- 0.001 browser_security
- 0.001 modify_uac_prompt
Reporting ( 1.331 seconds )
- 0.752 ReportPDF
- 0.569 ReportHTMLSummary
- 0.01 Malheur
| Task ID | 49781 |
|---|---|
| Mongo ID | 583161364d3bd06eed993362 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号