Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp01-1 2020-04-08 22:23:38 2020-04-08 22:25:40 122 s

Maldun score

10.0

Dangerous

File details

File name connectserver.exe
File size 635310 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d571052f435b97807420ef1202937ee8
SHA1 199bc13fac55c87f6a3a7edfc63fd66cbd32b027
SHA256 6110980f8402bc61492f85f36ea7c89e0654edddea056a6a0f4d47bb4f629cc6
SHA512 e600346abc46601945a7c75d69df1d99d4cd8fd4389e676dad61a0ba7915706dc1ca1cb65d01e2985c26c955beac2b2bbec8972cd3233ae1fb4f187f522396a3
CRC32 CA9B0592
Ssdeep 12288:Lh36QViiGuaoWQf87PA8BHilFj8MdekMzP1OxgxM/v7:Lh36QVivoWQezHuh85T1nxUv7

Summary

Editor's notes, drawn only from the static data in this report (the matched threat signatures and the detailed behaviour log are not included on this page): the file is a 635,310-byte PE32 GUI executable whose overlay (offset 0x11000, size 0x8a1ae = 565,678 bytes) makes up about 89% of the file. The declared checksum is zero and the TimeDateStamp decodes to 1972-12-25, before the PE format existed, so it says nothing about the real build date. The section table contains two sections named .data, one of them both writable and executable. The strings include the zlib 1.1.3 error table, "Failed to decompress data!", the krnln.fne / krnln.fnr library names (the kernel support library of Easy Programming Language, 易语言, which antivirus vendors label FlyStudio/FlyAgent) and a "Mu Connect Server" window title; the imports are limited to file, heap and temp-directory APIs plus LoadLibraryA/GetProcAddress, which is consistent with a packed loader that decompresses its payload to a temporary directory at runtime and resolves further APIs dynamically. The 122-second run recorded no child processes, no dropped files and no network traffic. The antivirus table is a cached VirusTotal scan dated 2014-03-26 to 2014-03-28, six years before this analysis, and the detections are mostly FlyStudio packer/dropper names rather than a specific family. The "Mu Connect Server" strings point to a third-party MU Online game-server component, which on its own does not settle whether the file is malicious.

PE information

Image base 0x00400000
Entry point 0x00403861
Declared checksum 0x00000000 (unset; Windows only verifies this field for drivers and system DLLs)
Computed checksum 0x0009eba6
Minimum OS version 4.0
Compile time (TimeDateStamp) 1972-12-25 13:33:23 (predates the PE format; not a real build time)
Import hash (imphash) 9165ea3e914e03bda3346f13edbd6ccd
Icon
Icon exact hash dcb5da4e8990385a5f441e244ee22029
Icon similarity hash 52637d52802dda31a94378f5b65fc606

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00004dcc 0x00005000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.52
.rdata 0x00006000 0x00000a4a 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.56
.data 0x00007000 0x00001f58 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.86
.data 0x00009000 0x00006000 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.26
.rsrc 0x0000f000 0x00001308 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.08

Overlay (data appended after the last section)

Offset 0x00011000
Size 0x0008a1ae (565,678 bytes, about 89% of the file)

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x0000f638 0x00000ca8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.71 data
RT_ICON 0x0000f638 0x00000ca8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.71 data
RT_GROUP_ICON 0x000102e0 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.41 MS Windows icon resource - 2 icons, 16x16
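
The section table, overlay and checksum fields above are the static indicators worth re-checking outside the sandbox. The following is an added example written for this page (editor's code, not part of the Maldun report and not the sample's own code): a dependency-free PE32/PE32+ header walk that reproduces those checks. It locates the overlay (end of the last section's raw data to end of file), flags sections that are both writable and executable, reports duplicate section names, decodes the TimeDateStamp, and recomputes the PE checksum so a declared value can be verified. It runs on a constructed toy image that mirrors the layout reported above (two .data sections, one of them W+X, a zeroed checksum, the timestamp that decodes to 1972-12-25 13:33:23 UTC, and an overlay); the sample's bytes are not on this page, so nothing here reproduces its hashes or its checksum value.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE_FORMAT_EPOCH = 725846400  # 1993-01-01 UTC; no genuine PE image was linked before this


def parse_pe(data):
    """Minimal header walk: DOS header -> PE signature -> COFF header -> optional
    header (only the CheckSum field is read) -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"timestamp": ts,
            "checksum_offset": opt_off + 64,  # CheckSum is at +64 in both PE32 and PE32+
            "declared_checksum": struct.unpack_from("<I", data, opt_off + 64)[0],
            "sections": sections}


def overlay(data, pe):
    """(offset, size) of bytes after the end of the last section's raw data."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    return end, max(0, len(data) - end)


def wx_sections(pe):
    """Names of sections mapped both writable and executable."""
    return [s["name"] for s in pe["sections"]
            if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]


def duplicate_section_names(pe):
    names = [s["name"] for s in pe["sections"]]
    return sorted({n for n in names if names.count(n) > 1})


def compile_time(pe):
    return datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat()


def pe_checksum(data, checksum_offset):
    """Standard PE checksum: 32-bit words summed with end-around carry, folded to
    16 bits, plus the file length; the CheckSum field itself counts as zero.
    Assumes checksum_offset is 4-byte aligned (true for normal e_lfanew values)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_matches(data):
    pe = parse_pe(data)
    return pe["declared_checksum"] == pe_checksum(data, pe["checksum_offset"])


def with_checksum(data, value):
    """Copy of data with the CheckSum field set to value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, parse_pe(data)["checksum_offset"], value)
    return bytes(buf)


def build_sample_pe(timestamp=94138403, declared_checksum=0):
    """Constructed toy PE32 image (not the real sample): five sections, two named
    .data, one of them writable+executable, a zeroed CheckSum, the timestamp that
    decodes to 1972-12-25 13:33:23 UTC, and a 512-byte overlay after the last section."""
    sections = [(b".text", 0x60000020, 0x40), (b".rdata", 0x40000040, 0x40),
                (b".data", 0xC0000040, 0x40), (b".data", 0xE0000040, 0x40),
                (b".rsrc", 0x40000040, 0x40)]
    opt_size = 0xE0
    hdr_end = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 60, hdr_end, declared_checksum)   # SizeOfHeaders, CheckSum
    table, body, rptr, va = b"", b"", hdr_end, 0x1000
    for name, chars, size in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, va, size, rptr, 0, 0, 0, 0, chars)
        body += b"\x90" * size
        rptr += size
        va += 0x1000
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_end, b"\0")
    return headers + body + bytes(range(256)) * 2


if __name__ == "__main__":
    sample = build_sample_pe()
    pe = parse_pe(sample)
    print("compile time:", compile_time(pe), "(plausible)" if pe["timestamp"] >= PE_FORMAT_EPOCH else "(bogus)")
    print("W+X sections:", wx_sections(pe), "duplicates:", duplicate_section_names(pe))
    print("overlay (offset, size):", overlay(sample, pe))
    print("declared checksum matches:", checksum_matches(sample))
```

To run it against a real file, replace the constructed image with `open(path, "rb").read()`; the checks are the same ones the report above tabulates, and the checksum routine returns the value a correctly linked image would declare.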

Imports

Library: KERNEL32.dll:
0x406000 GetProcAddress
0x406004 LoadLibraryA
0x406008 CloseHandle
0x40600c WriteFile
0x406010 CreateDirectoryA
0x406014 GetTempPathA
0x406018 ReadFile
0x40601c SetFilePointer
0x406020 CreateFileA
0x406024 GetModuleFileNameA
0x406028 GetStringTypeA
0x40602c LCMapStringW
0x406030 LCMapStringA
0x406034 HeapAlloc
0x406038 HeapFree
0x40603c GetModuleHandleA
0x406040 GetStartupInfoA
0x406044 GetCommandLineA
0x406048 GetVersion
0x40604c ExitProcess
0x406050 HeapDestroy
0x406054 HeapCreate
0x406058 VirtualFree
0x40605c VirtualAlloc
0x406060 HeapReAlloc
0x406064 TerminateProcess
0x406068 GetCurrentProcess
0x406078 WideCharToMultiByte
0x406084 SetHandleCount
0x406088 GetStdHandle
0x40608c GetFileType
0x406090 RtlUnwind
0x406094 GetCPInfo
0x406098 GetACP
0x40609c GetOEMCP
0x4060a0 MultiByteToWideChar
0x4060a4 GetStringTypeW
Library: USER32.dll:
0x4060ac MessageBoxA
0x4060b0 wsprintfA

Note: the KERNEL32.dll list above skips the IAT slots 0x40606c-0x406074 and 0x40607c-0x406080 (five entries), so it is incomplete and will not reproduce the imphash by itself. The strings section names UnhandledExceptionFilter, FreeEnvironmentStringsA and FreeEnvironmentStringsW between GetCurrentProcess and WideCharToMultiByte, and GetEnvironmentStrings and GetEnvironmentStringsW between it and SetHandleCount, which matches the gaps exactly; those are the likely missing entries.

Strings

.text
`.rdata
@.data
.data
.rsrc
u hxb@
YYh p@
DSUVWh
SVWUj
[Sh,f@
"WWSh(f@
^Vh,f@
PVh(f@
runtime error
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetProcAddress
LoadLibraryA
CloseHandle
WriteFile
CreateDirectoryA
GetTempPathA
ReadFile
SetFilePointer
CreateFileA
GetModuleFileNameA
KERNEL32.dll
MessageBoxA
wsprintfA
USER32.dll
HeapAlloc
HeapFree
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
Error
Failed to read data from the file!
Failed to read file or invalid data in file!
Invalid data in the file!
The interface of kernel library is invalid!
The kernel library is invalid!
GetNewSock
Failed to load kernel library!
Not found the kernel library!
krnln.fne
krnln.fnr
Failed to decompress data!
Insufficient memory!
E_N%X
Can't retrieve the temporary directory!
Can't open file!
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
invalid distance code
invalid literal/length code
1.1.3
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
const
\KGCsConfig.ini
KGLISTenPort
KGSETTING
KGUdpLISTen
:
Mu Connect Server - [King fo GameServer CS]
Reload connfig file[&R]
Server listen in port :
Customer information port :
Number of servers loaded :
Version of MU :
Error
] port is bind the service failure...
Error: The [
] port is wiretap the service failure...
KGRanOnline
Online1
Online2
Online3
Online4
Online5
Online6
Online7
Online8
Online9
Online10
?KGSERVER
KGLIST
Mu Connect Server - [King fo GameServer CS]
eWinSock
"MS Sans Serif
"MS Sans Serif
[&R]8
@reloc1
89?2z*
/$pFn
gw"rj
O%]>pxv
IM[ `r
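
The zlib 1.1.3 error table, the "Failed to decompress data!" message, and the file-writing imports (GetTempPathA, CreateDirectoryA, CreateFileA, WriteFile) next to a 0x8a1ae-byte overlay are consistent with a loader that inflates an embedded payload into the temp directory. The following is an added example (editor's code, not from the report or the sample) showing the check an analyst would run on the carved overlay: scan for candidate zlib streams by validating the two-byte RFC 1950 header (CMF/FLG), attempt an inflate at each candidate, and keep only streams that inflate cleanly to their end. It runs on a constructed blob; whether the real overlay is a plain zlib stream or is obfuscated before compression is an assumption the page does not settle.

```python
import zlib


def is_zlib_header(cmf, flg):
    """RFC 1950 header check: CM (low nibble of CMF) must be 8 (deflate),
    CINFO (high nibble) at most 7, and CMF*256+FLG must be divisible by 31."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def carve_zlib_streams(blob, min_size=16):
    """Scan a blob (for instance a carved PE overlay) for zlib streams.

    At every offset whose two bytes pass the header check, try to inflate to the
    end of the stream. A hit is kept only if zlib reports the stream end (eof) and
    the output is at least min_size bytes, so random bytes that merely look like a
    header are discarded. Returns (offset, compressed_length, inflated_bytes)
    tuples; the scan skips past each confirmed stream instead of rescanning it.
    """
    found = []
    i = 0
    while i < len(blob) - 1:
        if is_zlib_header(blob[i], blob[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])
            except zlib.error:
                out = b""
            if d.eof and len(out) >= min_size:
                consumed = len(blob) - i - len(d.unused_data)
                found.append((i, consumed, out))
                i += consumed
                continue
        i += 1
    return found


def summarize(streams):
    """One line per recovered stream, noting whether it starts like a PE file."""
    return [f"offset 0x{off:x}: {clen} compressed -> {len(out)} bytes"
            f"{' (starts with MZ)' if out.startswith(b'MZ') else ''}"
            for off, clen, out in streams]


def build_sample_overlay():
    """Constructed test blob, not the real overlay: filler, a zlib-compressed fake
    payload that starts like a PE file, more filler, then a second small stream."""
    payload1 = b"MZ" + b"\x90" * 300 + b"This program cannot be run in DOS mode."
    payload2 = b"krnln.fne placeholder " * 5
    filler = bytes(range(0x41, 0x5B)) * 4  # "ABC..Z" x4; no byte pair in it passes the header check
    return filler + zlib.compress(payload1) + filler[:37] + zlib.compress(payload2, 9)


if __name__ == "__main__":
    for line in summarize(carve_zlib_streams(build_sample_overlay())):
        print(line)
```

On a real overlay, read it with the offset and size from the PE header (0x11000 and 0x8a1ae for this sample) and pass the slice to `carve_zlib_streams`; a recovered buffer that starts with `MZ` is the next thing to hash and analyse. If nothing inflates, the payload is either not zlib at that layer or is transformed before compression, and the loader's own decompression routine has to be followed in a debugger instead.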
VirusTotal (cached scan; signature database dates 2014-03-26 to 2014-03-28, six years before this sandbox run)

Engine/vendor Detection name / rule match Signature DB date
Bkav W32.Cloddba.Trojan.7e71 20140327
MicroWorld-eScan Trojan.Generic.5952228 20140328
nProtect Trojan.Generic.5952228 20140327
CMC Trojan-Dropper.Win32.Flystud!O 20140326
CAT-QuickHeal Win32.Trojan-Dropper.VBS.p.5 20140327
McAfee BackDoor-DRV.gen.c 20140328
Malwarebytes Trojan.Autorun 20140328
K7AntiVirus Riskware ( 2c53ce810 ) 20140327
K7GW Riskware ( 0040eff71 ) 20140326
TheHacker Trojan/Downloader.Flystudio.gen 20140327
Agnitum Worm.Homet!DLZhnbJenxE 20140327
F-Prot W32/Nuj.A.gen!Eldorado 20140328
Symantec Not detected 20140328
Norman FlyAgent.CX 20140327
TotalDefense Win32/SillyAutorun.ALB 20140327
TrendMicro-HouseCall TROJ_GEN.R4AE2D5 20140328
Avast Not detected 20140328
ClamAV Trojan.Agent-64034 20140327
Kaspersky Not detected 20140328
BitDefender Trojan.Generic.5952228 20140328
NANO-Antivirus Trojan.Win32.Siggen.cqkxqc 20140328
ViRobot Not detected 20140327
SUPERAntiSpyware Not detected 20140328
ByteHero Not detected 20140328
Ad-Aware Trojan.Generic.5952228 20140328
Sophos Not detected 20140327
Comodo TrojWare.Win32.Agent.pkd 20140328
F-Secure Trojan:W32/Agent.DQOD 20140328
DrWeb Not detected 20140328
VIPRE Backdoor.Win32.FlyAgent.h (v) 20140328
AntiVir TR/Dropper.Gen 20140327
TrendMicro TROJ_GEN.R4AE2D5 20140328
McAfee-GW-Edition BackDoor-DRV.gen.c 20140327
Emsisoft Trojan.Generic.5952228 (B) 20140328
Jiangmin Not detected 20140327
Antiy-AVL Not detected 20140327
Kingsoft Not detected 20140328
Microsoft Trojan:Win32/Bumat!rts 20140328
AegisLab Not detected 20140328
GData Trojan.Generic.5952228 20140328
Commtouch W32/Nuj.A.gen!Eldorado 20140328
AhnLab-V3 Win32/Flystudio.worm.Gen 20140327
VBA32 Not detected 20140327
Panda Trj/CI.A 20140327
ESET-NOD32 a variant of Win32/Packed.FlyStudio 20140328
Rising PE:Trojan.Win32.Generic.125834A4!307770532 20140327
Ikarus Trojan.Win32.FlyAgent 20140328
Fortinet W32/BDoor.DRV!tr 20140328
AVG BackDoor.FlyAgent.D 20140328
Baidu-International Trojan.Win32.Bumat.gen 20140327
Qihoo-360 Not detected 20140328

Process tree

connectserver.exe, PID: 2684, parent PID: 2320

Hosts contacted (click to query WPING real-time security rating)

No host records.

TCP

No TCP connection records.

UDP

No UDP connection records.

Domain resolution (click to query WPING real-time security rating)

No domain information.

HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files.
No dropped files.
No similar analyses found.

Processing ( 7.818 seconds )

  • 4.25 VirusTotal
  • 2.033 BehaviorAnalysis
  • 0.622 Static
  • 0.339 peid
  • 0.306 TargetInfo
  • 0.22 NetworkAnalysis
  • 0.033 AnalysisInfo
  • 0.012 Strings
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 0.765 seconds ) (run time per signature module; every enabled module is listed, so an entry here is not a match)

  • 0.1 api_spamming
  • 0.091 reads_self
  • 0.081 stealth_timeout
  • 0.071 mimics_filetime
  • 0.07 stealth_decoy_document
  • 0.064 virus
  • 0.063 antivm_generic_disk
  • 0.058 stealth_file
  • 0.054 bootkit
  • 0.024 hancitor_behavior
  • 0.018 antiav_detectreg
  • 0.008 infostealer_ftp
  • 0.008 md_url_bl
  • 0.005 antiav_detectfile
  • 0.005 md_domain_bl
  • 0.004 anomaly_persistence_autorun
  • 0.004 antianalysis_detectreg
  • 0.004 infostealer_im
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.003 ransomware_files
  • 0.002 antivm_vbox_files
  • 0.002 geodo_banking_trojan
  • 0.002 disables_browser_warn
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 antidbg_windows
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop

Reporting ( 0.681 seconds )

  • 0.669 ReportHTMLSummary
  • 0.012 Malheur
Task ID 535199
Mongo ID 5e8ddef5bb7d5727df78ba57
Cuckoo release 1.4-Maldun