Analysis type | VM tag | Start time | End time | Duration |
---|---|---|---|---|
File (Windows) | win7-sp1-x64-hpdapp01-1 | 2020-03-12 10:38:37 | 2020-03-12 10:41:45 | 188 seconds |
File name | trixware.zip ==> DLL注入器.exe |
---|---|
File size | 13251444 bytes |
File type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 5d663b8c910c7a4fd574151c51273861 |
SHA1 | d43fae27369ea6aed82d72dd54a9fcef81b437f6 |
SHA256 | f70177275d9728fb51c3a64866e95215d0445d85b19436c91992f48733e69596 |
SHA512 | 348067984f865accfa08c0b5565d95c4ad39e09ee718a5fb0f514663716fa1c5cce6c13c150bde60f0014c4aefdb4a434b19b4461a0446855edd09a19c683114 |
CRC32 | 4D522B53 |
Ssdeep | 393216:Vzuzpvn+N9PHLjCcAbI35N3pdED6HLNuGFhO:VWAn1AbIn3vED6rNuGrO |
No host records.
Domain | Safety rating | Response |
---|---|---|
www.securityxploded.com | | A 69.64.94.55, CNAME securityxploded.com |
note.youdao.com | | A 59.111.179.138, A 59.111.179.137, A 59.111.179.136, A 123.58.182.252, A 59.111.179.135, A 123.58.182.251 |
No host records.
Source IP | Source port | Destination IP | Destination port |
---|---|---|---|
192.168.122.201 | 49166 | 39.100.119.17 | 80 |
192.168.122.201 | 49172 | 39.100.119.17 | 8000 |
192.168.122.201 | 49167 | 59.111.179.136 note.youdao.com | 80 |
192.168.122.201 | 49164 | 69.64.94.55 www.securityxploded.com | 80 |
192.168.122.201 | 49165 | 69.64.94.55 www.securityxploded.com | 443 |
Source IP | Source port | Destination IP | Destination port |
---|---|---|---|
192.168.122.201 | 49608 | 192.168.122.1 | 53 |
192.168.122.201 | 64912 | 192.168.122.1 | 53 |
URI | HTTP data |
---|---|
http://www.securityxploded.com/product_versions.xml | GET /product_versions.xml HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Software Verion Checker Host: www.securityxploded.com |
http://39.100.119.17/rj.txt | GET /rj.txt HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: */* Host: 39.100.119.17 Cache-Control: no-cache |
http://note.youdao.com/yws/public/resource/aef3dea83bd0d0f7c1d1b0aaa18bffc7/xmlnote/9E782B06A29E4A5C80F8305FEEE92DAF/549 | GET /yws/public/resource/aef3dea83bd0d0f7c1d1b0aaa18bffc7/xmlnote/9E782B06A29E4A5C80F8305FEEE92DAF/549 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: note.youdao.com Connection: Keep-Alive |
No SMTP traffic.
No IRC requests.
No ICMP traffic.
No CIF results.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Signature | Category |
---|---|---|---|---|---|---|---|---|
2020-03-12 10:40:04.570216+0800 | 192.168.122.201 | 49166 | 39.100.119.17 | 80 | TCP | 2016879 | ET POLICY Unsupported/Fake Windows NT Version 5.0 | Potential Corporate Privacy Violation |
2020-03-12 10:40:04.490379+0800 | 59.111.179.136 | 80 | 192.168.122.201 | 49167 | TCP | 2020201 | ET TROJAN Filename server.exe Download - Common Hostile Filename | A Network Trojan was detected |
2020-03-12 10:40:14.486950+0800 | 59.111.179.136 | 80 | 192.168.122.201 | 49167 | TCP | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Version | Issuer | Subject | Fingerprint |
---|---|---|---|---|---|---|---|---|
2020-03-12 10:40:02.944328+0800 | 192.168.122.201 | 49165 | 69.64.94.55 | 443 | TLSv1 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=securityxploded.com | f6:f2:7e:0b:3d:d8:bc:39:ec:bd:19:b7:6d:0f:c8:e9:88:41:6c:98 |
No Suricata HTTP
File name | DLL注入器.exe |
---|---|
Related files | C:\Users\test\AppData\Local\Temp\zip-tmp\DLL注入器.exe |
File size | 13251444 bytes |
File type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 5d663b8c910c7a4fd574151c51273861 |
SHA1 | d43fae27369ea6aed82d72dd54a9fcef81b437f6 |
SHA256 | f70177275d9728fb51c3a64866e95215d0445d85b19436c91992f48733e69596 |
CRC32 | 4D522B53 |
Ssdeep | 393216:Vzuzpvn+N9PHLjCcAbI35N3pdED6HLNuGFhO:VWAn1AbIn3vED6rNuGrO |
Task ID | 527364 |
---|---|
Mongo ID | 5e69a1da2f8f2e54c2dcb5bf |
Cuckoo release | 1.4-Maldun |