恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp01-1	2020-04-08 23:02:14	2020-04-08 23:04:16	122 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	data1.exe
文件大小	155802 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	2d4af9759defeca61bbe99df76c7df90
SHA1	bc664b8601cca9abd4e5675f1a60690930590f25
SHA256	f9f7721d055cd723da5bd20e8d291eccf4423959d03e79cfe12a7364d7067fcc
SHA512	74ad31d4283b2a2b8c6c61efab12b1b16f7023909bf436bdf4b1ecd9ec525f0be6f60564effaf9632684e45264e527097a25fceb40f2d5d1656bd7b1498df9b7
CRC32	6E870775
Ssdeep	1536:uc0yPmiHjdbxv7fjTHMB5RJGNoQ0u0M+xY7H56uDd4by+ik5P4BRChQM:ut4h3EpCH0u0MDN9xcBuRChQM
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
ref.tbfull.com	A 119.167.182.164

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x00404658
声明校验值	0x00000000
实际校验值	0x00027c70
最低操作系统版本要求	4.0
PDB路径	C:\Documents and Settings\Administrator\\xd7\xc0\xc3\xe6\\xc4\xda\xb2\xbfVIP Ghost \xd1\xf8\xbc\xa6\xb3\xa1\xb8\xb4\xbb\xee\xb0\xe6\netplayer\P2P\xcd\xf8\xc2\xe7\xb2\xa5\xb7\xc5\xc6\xf7\down.liehuo.net\Release\P2P\xcd\xf8\xc2\xe7\xb2\xa5\xb7\xc5\xc6\xf7.pdb
编译时间	2020-03-08 09:56:37
载入哈希	a08949c638cb066958aa9e62c34fff71

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00005d51	0x00006000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	4.13
.rdata	0x00007000	0x00002266	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.05
.data	0x0000a000	0x00018e64	0x00019000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.94
.idata	0x00023000	0x0000127d	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.76
.reloc	0x00025000	0x00000cc1	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.86

覆盖

偏移量	0x00026000
大小	0x0000009a

导入

库: WINMM.dll:

• 0x423d6c mciGetErrorStringA

• 0x423d70 mciSendCommandA

库: MFC42.DLL:

• 0x4237c8 None

• 0x4237cc None

• 0x4237d0 None

• 0x4237d4 None

• 0x4237d8 None

• 0x4237dc None

• 0x4237e0 None

• 0x4237e4 None

• 0x4237e8 None

• 0x4237ec None

• 0x4237f0 None

• 0x4237f4 None

• 0x4237f8 None

• 0x4237fc None

• 0x423800 None

• 0x423804 None

• 0x423808 None

• 0x42380c None

• 0x423810 None

• 0x423814 None

• 0x423818 None

• 0x42381c None

• 0x423820 None

• 0x423824 None

• 0x423828 None

• 0x42382c None

• 0x423830 None

• 0x423834 None

• 0x423838 None

• 0x42383c None

• 0x423840 None

• 0x423844 None

• 0x423848 None

• 0x42384c None

• 0x423850 None

• 0x423854 None

• 0x423858 None

• 0x42385c None

• 0x423860 None

• 0x423864 None

• 0x423868 None

• 0x42386c None

• 0x423870 None

• 0x423874 None

• 0x423878 None

• 0x42387c None

• 0x423880 None

• 0x423884 None

• 0x423888 None

• 0x42388c None

• 0x423890 None

• 0x423894 None

• 0x423898 None

• 0x42389c None

• 0x4238a0 None

• 0x4238a4 None

• 0x4238a8 None

• 0x4238ac None

• 0x4238b0 None

• 0x4238b4 None

• 0x4238b8 None

• 0x4238bc None

• 0x4238c0 None

• 0x4238c4 None

• 0x4238c8 None

• 0x4238cc None

• 0x4238d0 None

• 0x4238d4 None

• 0x4238d8 None

• 0x4238dc None

• 0x4238e0 None

• 0x4238e4 None

• 0x4238e8 None

• 0x4238ec None

• 0x4238f0 None

• 0x4238f4 None

• 0x4238f8 None

• 0x4238fc None

• 0x423900 None

• 0x423904 None

• 0x423908 None

• 0x42390c None

• 0x423910 None

• 0x423914 None

• 0x423918 None

• 0x42391c None

• 0x423920 None

• 0x423924 None

• 0x423928 None

• 0x42392c None

• 0x423930 None

• 0x423934 None

• 0x423938 None

• 0x42393c None

• 0x423940 None

• 0x423944 None

• 0x423948 None

• 0x42394c None

• 0x423950 None

• 0x423954 None

• 0x423958 None

• 0x42395c None

• 0x423960 None

• 0x423964 None

• 0x423968 None

• 0x42396c None

• 0x423970 None

• 0x423974 None

• 0x423978 None

• 0x42397c None

• 0x423980 None

• 0x423984 None

• 0x423988 None

• 0x42398c None

• 0x423990 None

• 0x423994 None

• 0x423998 None

• 0x42399c None

• 0x4239a0 None

• 0x4239a4 None

• 0x4239a8 None

• 0x4239ac None

• 0x4239b0 None

• 0x4239b4 None

• 0x4239b8 None

• 0x4239bc None

• 0x4239c0 None

• 0x4239c4 None

• 0x4239c8 None

• 0x4239cc None

• 0x4239d0 None

• 0x4239d4 None

• 0x4239d8 None

• 0x4239dc None

• 0x4239e0 None

• 0x4239e4 None

• 0x4239e8 None

• 0x4239ec None

• 0x4239f0 None

• 0x4239f4 None

• 0x4239f8 None

• 0x4239fc None

• 0x423a00 None

• 0x423a04 None

• 0x423a08 None

• 0x423a0c None

• 0x423a10 None

• 0x423a14 None

• 0x423a18 None

• 0x423a1c None

• 0x423a20 None

• 0x423a24 None

• 0x423a28 None

• 0x423a2c None

• 0x423a30 None

• 0x423a34 None

• 0x423a38 None

• 0x423a3c None

• 0x423a40 None

• 0x423a44 None

• 0x423a48 None

• 0x423a4c None

• 0x423a50 None

• 0x423a54 None

• 0x423a58 None

• 0x423a5c None

• 0x423a60 None

• 0x423a64 None

• 0x423a68 None

• 0x423a6c None

• 0x423a70 None

• 0x423a74 None

• 0x423a78 None

• 0x423a7c None

• 0x423a80 None

• 0x423a84 None

• 0x423a88 None

• 0x423a8c None

• 0x423a90 None

• 0x423a94 None

• 0x423a98 None

• 0x423a9c None

• 0x423aa0 None

• 0x423aa4 None

• 0x423aa8 None

• 0x423aac None

• 0x423ab0 None

• 0x423ab4 None

• 0x423ab8 None

• 0x423abc None

• 0x423ac0 None

• 0x423ac4 None

• 0x423ac8 None

• 0x423acc None

• 0x423ad0 None

• 0x423ad4 None

• 0x423ad8 None

• 0x423adc None

• 0x423ae0 None

• 0x423ae4 None

• 0x423ae8 None

• 0x423aec None

• 0x423af0 None

• 0x423af4 None

• 0x423af8 None

• 0x423afc None

• 0x423b00 None

• 0x423b04 None

• 0x423b08 None

• 0x423b0c None

• 0x423b10 None

• 0x423b14 None

• 0x423b18 None

• 0x423b1c None

• 0x423b20 None

• 0x423b24 None

• 0x423b28 None

• 0x423b2c None

• 0x423b30 None

• 0x423b34 None

• 0x423b38 None

• 0x423b3c None

• 0x423b40 None

• 0x423b44 None

• 0x423b48 None

• 0x423b4c None

• 0x423b50 None

• 0x423b54 None

• 0x423b58 None

• 0x423b5c None

• 0x423b60 None

• 0x423b64 None

• 0x423b68 None

• 0x423b6c None

• 0x423b70 None

库: MSVCRT.dll:

• 0x423c5c _adjust_fdiv

• 0x423c60 __p__commode

• 0x423c64 __p__fmode

• 0x423c68 __set_app_type

• 0x423c6c _except_handler3

• 0x423c70 _controlfp

• 0x423c74 __setusermatherr

• 0x423c78 _initterm

• 0x423c7c __getmainargs

• 0x423c80 _acmdln

• 0x423c84 exit

• 0x423c88 _XcptFilter

• 0x423c8c _exit

• 0x423c90 ??1type_info@@UAE@XZ

• 0x423c94 _onexit

• 0x423c98 __dllonexit

• 0x423c9c strcat

• 0x423ca0 sprintf

• 0x423ca4 memset

• 0x423ca8 memcpy

• 0x423cac _CxxThrowException

• 0x423cb0 __CxxFrameHandler

• 0x423cb4 _setmbcp

库: KERNEL32.dll:

• 0x423750 CloseHandle

• 0x423754 CreateFileA

• 0x423758 GetProcessHeap

• 0x42375c GetProcAddress

• 0x423760 LoadLibraryA

• 0x423764 HeapAlloc

• 0x423768 HeapReAlloc

• 0x42376c VirtualFree

• 0x423770 FreeLibrary

• 0x423774 VirtualAlloc

• 0x423778 IsBadReadPtr

• 0x42377c Sleep

• 0x423780 ExitProcess

• 0x423784 GetModuleHandleA

• 0x423788 GetStartupInfoA

• 0x42378c WriteFile

库: USER32.dll:

• 0x423d28 GetParent

• 0x423d2c SetWindowTextA

• 0x423d30 SendMessageA

• 0x423d34 EnableWindow

• 0x423d38 UpdateWindow

库: SHELL32.dll:

• 0x423cf4 SHBrowseForFolderA

• 0x423cf8 SHGetPathFromIDListA

库: WSOCK32.dll:

• 0x423da0 ioctlsocket

• 0x423da4 htons

• 0x423da8 inet_addr

• 0x423dac gethostbyname

• 0x423db0 bind

• 0x423db4 socket

• 0x423db8 WSAStartup

• 0x423dbc accept

• 0x423dc0 listen

• 0x423dc4 gethostname

• 0x423dc8 WSAAsyncSelect

.text
`.rdata
@.data
.idata
.reloc
SSh|+B
CMainFrame
K=N$3F0D
3F0jtV>DD
3F0D 3FPjrW'D%
3F0D@3FpjdR2QD
jrV*_'
F0D 2F0D
3F0D@3FrD
Q[F2D
+2VZDj3,1.
S2,0.
j2,0.
G`,'dF .
Ga,3~F .
G0Dj2,0.
Xj3,0.
F0Dj3,0.
.3V'o
F #+3VMo
#,x1G ,
23%,,0G ,
2%,<0G ,
P[F1D
Q[F1D
F h43V q
F ~53Vlp
j3.0@
'B0DW[F4D
4,X1F0.
=oa1T
YFZDj3,0.
YDZDj2.0D
5$'2V0D
ZDj3,0.
YEZDj2.0D
j3,0.
Q[v4D
3F0,?3I0.
v2F0.
R[y0K
t/,1.
j3,4.
tp,4.
tp,4.
tp,4.
tp,4.
tp,4.
0Tj3.0@
|2F0.
3F0Dj7.0T
B7F0D
3FZDj3,2.
F?Dj3,0.
P[Y0F
)3V@&
EGV2f!r@/_*
d4Y0eu/\!
p4U%tV
)S%lu4U!
'C0EA4_6
l\$Q(A_*_'
U0SJ5D!mz(V+
vFZ4C0
U%pu4U!
r\%U7s{#Q4
a^#qD
Gw!tg/S/C\3^0
)S%lg/]!
i_#q0tA/R1tV5qD
xFs6eR2U
iA#S0oA?qD
\D}+vV
a#Q FZ*UD
rV#|-bA'B=
i_2U6
1tC3D
B!aG#u2e]2qD
U0C_/@&oR4T
U0KV?c0aG#0d
dY3C0T\-U*PA/F-lV!U7
DC_#Q6EE#^0L\!qD
tR2E7
sV4qD
yDc0aA2c!rE/S!CG4\
H<T[4_3EK%U4tZ)^D
D@6i]2VD
DC0rP+@D
Go7tA3@6
DC0r@2BD
D]!m^)F!
DC4rZ(D"
v@(@6i]2VD
l#H'eC2o,a]"\!r
E*wZ(Tv
2)a_*_'
R!gZ(D,rV'T!x3F|FfP*_7e3FhFfC4Y*tUFgFf\6U*
DC0rP.BD
_W*\+nV>Y0
Go+nV>Y0
`#D1pw/t!sG4_=DV0Y'ez(V+LZ5DD
iv(E)DV0Y'ez(V+
i_#qD
X6eR"|-bA'B=CR*\7
E_@2B-c^60D
X!l_#HD
b3V0D
j*3F=N
l_)S%tVF0D
CF0Dq3F06
FF0Dv3F03
F0D43F0q
F0D93F0t
"F0D[3F0d
F0D-3F0`
F0D"3F0a
XF0D`3F0%
WF0De3F0"
ZF0Dn3F0j
vu]3F0D[utmD
3nF0D
vr]3F0D[uqmD
8nF0D
F0D33F0p
F0D83F0}
VF0Dr3F00
ZF0Do3F04
RF0Ds3F0 
[F0Dj3F0/
F0Dz3F0<
QF0Dn3F0)
oP-mD
F0D*3F0i
F0D23F0w
F0D73F0|
Q1sVfr6eR-mD
1nF0D
vp]3F0D[usmD
6nF0D
v}]3F0D[uw
v]3F0:
F0D$3F0a
F0D(3F0m
|F0DP3F0?
}F0DM3F0x
I]5U6tnF0D
pnF0D
U(eG#mD
eU2mD
F0D-3F0o
F0D33F0p
F0D83F0}
EnF0D
vC .V>UD
3`0SjeK#0D
3'F#wW5F'.V>UD
7eP3B!.V>UD
~%C,iV*TjeK#0D
0DeT3YjeK#0D
!xVF0D
3aG%XjeK#0D
hA#Q0.V>UD
hT(l3F0DMZ%B+s\ Dd
nU)0DkV4^!l
 l_F0D
f*D-mR2UdEW/D-o]F0D
c4_"e@5Y+nR*0D
B!mZ3]dEW/D-o]F0D
T-tZ)^D
T-tZ)^D
q3C-nV5CdEW/D-o]F0D
T-tZ)^D
T-tZ)^D
T-tZ)^D
$Q7eWfc=sG#]7
eA0U6
u@/^!s@fc!rE#BdPA#]-u^fu iG/_*
T-tZ)^D
D%nZ3]ibR5U  `?C0e^50D
p v"Y0i\(0D
_)pF2UdC_3C0eAfu iG/_*
T-tZ)^D
T-tZ)^D
T-tZ)^D
DH\+UdEW/D-o]F0D
c4_"e@5Y+nR*0D
3F`6oU#C7i\(Q(
)VdWZ(T+w@h:D
i]F0as3FlD
@%cVx0xE]2U6>>L0D
B+xJF0DC_)C!PA)H=
eP3B-tJF0D
e^'B/
SV4F-cV5las3F0DC_)B!
#H!\@.U(lo)@!no%_)mR(TD
Y*SG'
/eJF0D
oF0D.X#ID
SV4F-cV5las3F0DRV+Q6k3Fw6oF60D
nE/B+n^#^0B_)S/
Y*SG'
d3F0DKV4^!l
 l_F0D
e@%B-pG/_*
Y*SG'
a^#qD
v.W*\D
3F}+vV
 l_F0D
i_#q0tA/R1tV5qD
jd_*0D
v.W*\D
 l_F0D
^-tZ'\-zVF0D
p)e*i]/D-a_/J!
rV'D!I]5D%nP#0D
v.W*\D
AFYDe3(0 
_FIDN3'0)
z3F0DRV+Q6k3Fy*sG'\(TZ+UDEA4_6
hT(l3F0DnG"\(.W*\D
E)bV4CD
vR5DD
EqF0d
3F}'AU#UD
uG.U*tZ3]D
F0D 3F0d
`3^&e_20d
F0DYjF0d
3F~%vV40D
0D 3F0d
%@F0D
t4_1p3F0
rZ0U6DV5SD
rR6X-c@fU6r\40E
jd_*0D
U%dc2BD
0DCA#Q0e~3D!xrF0D
a#\!a@#}1tV>0D
rA)BD
3Fs(o@#x%nW*UDS_#U4
_1nGF0D
bY#S0
i_#q0tA/R1tV5qD
a]%U(I\F0D
vV(DD
nF+g-nW)G7
RghT(l3FC0rP+@D
@2B(e]F0)e^%@=
c0aA2E4
C_#Q*uCF07oP-U0
3!U0h\5D&y]']!
3FX0o]50D
P)^*eP207e]"0D
_'t_F0D
@#\!cGF0#eG5_'k]']!
T#D,o@2^%mVFq
tR2E7
U6vZ%UD
U6vZ%UD
@!nc4_'e@5d+kV(0D
E4lZ%Q0eg)[!nv>0D
C!rrF0D
nR6C,oGF0D
jd_*0D
33C!r
X6eR"t!sX2_4
^"oA+Q0i\(qD
U0T[4U%dw#C/t\60D
U7kG)@D
v.W*\D
U7kG)@D
3Fy*tV4^!t|6U*UA*qD
3Fy*tV4^!ta#Q FZ*UD
3Fy*tV4^!tp*_7e{'^ lVFq
pV(`6oP#C7T\-U*
dY3C0T\-U*PA/F-lV!U7
rZ0Y(eT#f%lF#qD
v.W*\D
3Fw!tp3B6e]2`6oP#C7
0xGF0D
5:DkV4^!l
 l_F0D
^%p@._0
r\%U7s
eK20D
jd_*0D
xrF0DRV!s(o@#{!y3f0D
B!aG#{!yv>qDRV!c!te'\1ev>qD
e_#D!KV?qD
VG?@!_Z(V+@sF0D
?3F0$
~3zujwd
29u(w%
3}ukwi
P3+u,w 
x3sutwH
3guhw\
 3[u\wp
3F0DShellex
103.40.247.228
Defghi
Defghi Klmnopqr Tuvwxyab Defg
Defghijk Mnopqrstu Wxyabcd Fghijklm Opq
Default
A3F0D

没有防病毒引擎扫描信息!

进程树

data1.exe id: 2640
services.exe id: 424
- nklxci.exe id: 2356
  - nklxci.exe id: 2372
- mscorsvw.exe id: 2624
- mscorsvw.exe id: 1332

data1.exe, PID: 2640, 上一级进程 PID: 2320

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

services.exe, PID: 424, 上一级进程 PID: 328

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

nklxci.exe, PID: 2356, 上一级进程 PID: 424

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

nklxci.exe, PID: 2372, 上一级进程 PID: 2356

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

mscorsvw.exe, PID: 2624, 上一级进程 PID: 424

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

mscorsvw.exe, PID: 1332, 上一级进程 PID: 424

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49164	103.40.247.228	8001
192.168.122.201	49165	119.167.182.164 ref.tbfull.com	15950

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	62882	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
ref.tbfull.com	A 119.167.182.164

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49164	103.40.247.228	8001
192.168.122.201	49165	119.167.182.164 ref.tbfull.com	15950

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	62882	192.168.122.1	53

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 27.256 seconds )

9.881 BehaviorAnalysis
9.551 Suricata
4.49 NetworkAnalysis
2.057 VirusTotal
0.595 Static
0.383 peid
0.27 TargetInfo
0.016 AnalysisInfo
0.012 Strings
0.001 Memory

Signatures ( 0.66 seconds )

0.108 api_spamming
0.089 stealth_timeout
0.081 stealth_decoy_document
0.043 antiav_detectreg
0.039 process_interest
0.037 injection_createremotethread
0.026 injection_runpe
0.024 vawtrak_behavior
0.017 process_needed
0.017 infostealer_ftp
0.01 md_domain_bl
0.009 antisandbox_sleep
0.009 antianalysis_detectreg
0.009 infostealer_im
0.008 md_url_bl
0.007 shifu_behavior
0.007 kovter_behavior
0.006 antiemu_wine_func
0.006 mimics_filetime
0.006 infostealer_browser_password
0.005 antivm_vbox_libs
0.005 stealth_file
0.005 reads_self
0.005 antivm_generic_disk
0.005 virus
0.005 antiav_detectfile
0.005 infostealer_mail
0.004 bootkit
0.004 anomaly_persistence_autorun
0.004 hancitor_behavior
0.004 ransomware_files
0.003 antivm_generic_scsi
0.003 geodo_banking_trojan
0.003 infostealer_bitcoin
0.003 ransomware_extensions
0.002 antivm_generic_services
0.002 betabot_behavior
0.002 kibex_behavior
0.002 exec_crash
0.002 antivm_parallels_keys
0.002 antivm_vbox_files
0.002 antivm_xen_keys
0.002 disables_browser_warn
0.002 darkcomet_regkeys
0.002 network_torgateway
0.001 tinba_behavior
0.001 rat_nanocore
0.001 antiav_avast_libs
0.001 dridex_behavior
0.001 antivm_vmware_libs
0.001 antisandbox_sunbelt_libs
0.001 antisandbox_sboxie_libs
0.001 antiav_bitdefender_libs
0.001 anormaly_invoke_kills
0.001 cerber_behavior
0.001 antisandbox_productid
0.001 antivm_generic_diskreg
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 recon_fingerprint

Reporting ( 0.68 seconds )

0.646 ReportHTMLSummary
0.034 Malheur


Task ID	535201
Mongo ID	5e8de825bb7d5727e178b8b4
Cuckoo release	1.4-Maldun