分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp01-1 | 2020-04-08 19:09:40 | 2020-04-08 19:11:44 | 124 秒 |
魔盾分数
10.0
危险的
文件详细信息
| 文件名 | 网截辅助工具.exe |
|---|---|
| 文件大小 | 1504539 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | feb38106542fcabfd84f3c90bc4d6c47 |
| SHA1 | eed69ac9224940fa5386e9176ad06064198a8bbd |
| SHA256 | 1e57039ec8d4e21ec078c89d7fe843aa51fca7c6a4a9505d47fe2738a7711a84 |
| SHA512 | bf7fea6af32fcc3ca884f51e3b42e94703cadbcef4e63fddb36a258a8ac5cea0d7738ff47c9b18b5b7fadcda96af8bbde4a82685c15ba37f048f2244584d11f6 |
| CRC32 | 347D994D |
| Ssdeep | 24576:ih1bkkzkPVmYR1vY/IpH8QRdqxaYy6nVTGZYLECSnMKIAp5WgI+LyE/k5saIP:ih1jkbD78CdqxaCVT0zCSSHoyE/daIP |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00403861 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00178a8c |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1972-12-25 13:33:23 |
| 载入哈希 | 9165ea3e914e03bda3346f13edbd6ccd |
| 图标 |  |
| 图标精确哈希值 | f85c99d72116227242b7e64756ffed40 |
| 图标相似性哈希值 | 5c218606f7f0b6673743b9a8909d42b2 |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00004dcc | 0x00005000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.52 |
| .rdata | 0x00006000 | 0x00000a4a | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.56 |
| .data | 0x00007000 | 0x00001f58 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.86 |
| .data | 0x00009000 | 0x00049000 | 0x00049000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.49 |
| .rsrc | 0x00052000 | 0x0000161c | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.38 |
覆盖
| 偏移量 | 0x00054000 |
| 大小 | 0x0011b51b |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00052130 | 0x000010a8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.22 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 |
| RT_GROUP_ICON | 0x000531d8 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 1.78 | MS Windows icon resource - 1 icon, 32x32 |
| RT_VERSION | 0x000531ec | 0x00000260 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.71 | data |
| RT_MANIFEST | 0x0005344c | 0x000001cd | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库: KERNEL32.dll:
• 0x406000 GetProcAddress
• 0x406004 LoadLibraryA
• 0x406008 CloseHandle
• 0x40600c WriteFile
• 0x406010 CreateDirectoryA
• 0x406014 GetTempPathA
• 0x406018 ReadFile
• 0x40601c SetFilePointer
• 0x406020 CreateFileA
• 0x406024 GetModuleFileNameA
• 0x406028 GetStringTypeA
• 0x40602c LCMapStringW
• 0x406030 LCMapStringA
• 0x406034 HeapAlloc
• 0x406038 HeapFree
• 0x40603c GetModuleHandleA
• 0x406040 GetStartupInfoA
• 0x406044 GetCommandLineA
• 0x406048 GetVersion
• 0x40604c ExitProcess
• 0x406050 HeapDestroy
• 0x406054 HeapCreate
• 0x406058 VirtualFree
• 0x40605c VirtualAlloc
• 0x406060 HeapReAlloc
• 0x406064 TerminateProcess
• 0x406068 GetCurrentProcess
• 0x40606c UnhandledExceptionFilter
• 0x406070 FreeEnvironmentStringsA
• 0x406074 FreeEnvironmentStringsW
• 0x406078 WideCharToMultiByte
• 0x40607c GetEnvironmentStrings
• 0x406080 GetEnvironmentStringsW
• 0x406084 SetHandleCount
• 0x406088 GetStdHandle
• 0x40608c GetFileType
• 0x406090 RtlUnwind
• 0x406094 GetCPInfo
• 0x406098 GetACP
• 0x40609c GetOEMCP
• 0x4060a0 MultiByteToWideChar
• 0x4060a4 GetStringTypeW
.text
`.rdata
@.data
.data
.rsrc
u hxb@
YYh p@
DSUVWh
SVWUj
[Sh,f@
"WWSh(f@
^Vh,f@
PVh(f@
runtime error
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetProcAddress
LoadLibraryA
CloseHandle
WriteFile
CreateDirectoryA
GetTempPathA
ReadFile
SetFilePointer
CreateFileA
GetModuleFileNameA
KERNEL32.dll
MessageBoxA
wsprintfA
USER32.dll
HeapAlloc
HeapFree
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
Error
Failed to read data from the file!
Failed to read file or invalid data in file!
Invalid data in the file!
The interface of kernel library is invalid!
The kernel library is invalid!
GetNewSock
Failed to load kernel library!
Not found the kernel library!
krnln.fne
krnln.fnr
Failed to decompress data!
Insufficient memory!
E_N%X
Can't retrieve the temporary directory!
Can't open file!
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
invalid distance code
invalid literal/length code
1.1.3
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
const
crossfire.exe
F1362
F1361
F1222
F1221
Super-EC
\ESPI.dll
.rsrc
~?\,$
Zk_'2=
3;a~l(I
p_d2d
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ImageList_Draw
BitBlt
TransparentBlt
DrawDibOpen
GetDC
SkinH_EL.dll
SkinH_AdjustAero
SkinH_AdjustHSV
SkinH_Attach
SkinH_AttachEx
SkinH_AttachExt
SkinH_AttachRes
SkinH_AttachResEx
SkinH_Detach
SkinH_DetachEx
SkinH_GetColor
SkinH_LockUpdate
SkinH_Map
SkinH_NineBlt
SkinH_SetAero
SkinH_SetBackColor
SkinH_SetFont
SkinH_SetFontEx
SkinH_SetForeColor
SkinH_SetMenuAlpha
SkinH_SetTitleMenuBar
SkinH_SetWindowAlpha
SkinH_SetWindowMovable
SkinH_VerifySign
120.131.10.132
1.0.0
F199797852
SkinH_AttachRes
SkinH_SetWindowAlpha
Comet.WndShadow
Comet.WndShadow.Color
Comet.WndShadow.Size
Comet.WndShadow.Proc
Comet.Shadow
tEXtSoftware
tEXtCreation Time
tEXtCreation Time
tEXtSoftware
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
SkinSharp GUI Toolkit
CompanyName
SkinSharp Inc.
FileDescription
FileVersion
1, 0, 6, 6
InternalName
SkinSharp For EL
LegalCopyright
- Skin.dll
LegalTrademarks
SkinSharp
OriginalFilename
SkinH_EL.dll
PrivateBuild
ProductName
SkinSharp GUI Toolkit
ProductVersion
1, 0, 6, 6
SpecialBuild
VarFileInfo
Translation
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 120.131.10.132 | 33389 |
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 120.131.10.132 | 33389 |
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 17.23 seconds )
- 9.486 Suricata
- 4.771 VirusTotal
- 0.973 Static
- 0.712 BehaviorAnalysis
- 0.52 TargetInfo
- 0.397 NetworkAnalysis
- 0.341 peid
- 0.018 AnalysisInfo
- 0.009 Strings
- 0.002 config_decoder
- 0.001 Memory
Signatures ( 0.301 seconds )
- 0.035 api_spamming
- 0.03 stealth_timeout
- 0.026 stealth_decoy_document
- 0.022 antiav_detectreg
- 0.012 stealth_file
- 0.009 antidbg_windows
- 0.009 infostealer_ftp
- 0.008 antivm_vbox_libs
- 0.008 md_url_bl
- 0.006 kovter_behavior
- 0.006 antiav_detectfile
- 0.006 infostealer_im
- 0.006 md_domain_bl
- 0.005 antiemu_wine_func
- 0.005 mimics_filetime
- 0.005 reads_self
- 0.005 anomaly_persistence_autorun
- 0.005 infostealer_browser_password
- 0.004 bootkit
- 0.004 exec_crash
- 0.004 antivm_generic_disk
- 0.004 virus
- 0.004 antianalysis_detectreg
- 0.004 infostealer_bitcoin
- 0.004 ransomware_files
- 0.003 dridex_behavior
- 0.003 injection_createremotethread
- 0.003 antivm_generic_scsi
- 0.003 hancitor_behavior
- 0.003 antivm_vbox_files
- 0.003 infostealer_mail
- 0.003 ransomware_extensions
- 0.002 tinba_behavior
- 0.002 hawkeye_behavior
- 0.002 antiav_avast_libs
- 0.002 antivm_vmware_libs
- 0.002 antivm_generic_services
- 0.002 antivm_vbox_window
- 0.002 kazybot_behavior
- 0.002 antisandbox_sunbelt_libs
- 0.002 antisandbox_sboxie_libs
- 0.002 antiav_bitdefender_libs
- 0.002 kibex_behavior
- 0.002 injection_runpe
- 0.002 geodo_banking_trojan
- 0.002 disables_browser_warn
- 0.001 rat_nanocore
- 0.001 maldun_anomaly_massive_file_ops
- 0.001 sets_autoconfig_url
- 0.001 betabot_behavior
- 0.001 anormaly_invoke_kills
- 0.001 cerber_behavior
- 0.001 antisandbox_script_timer
- 0.001 antidbg_devices
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 md_bad_drop
Reporting ( 0.73 seconds )
- 0.684 ReportHTMLSummary
- 0.046 Malheur
| Task ID | 535169 |
|---|---|
| Mongo ID | 5e8db189bb7d5727e078b798 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号