恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-1	2020-09-25 16:41:50	2020-09-25 16:44:12	142 秒

魔盾分数

10.0

Emotet病毒

文件详细信息

文件名	4763449172IW.doc
文件大小	207695 字节
文件类型	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Quod., Author: Ambre Henry, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 24 20:42:00 2020, Last Saved Time/Date: Thu Sep 24 20:42:00 2020, Number of Pages: 1, Number of Words: 2393, Number of Characters: 13643, Security: 8
MD5	064af79391aa32492b3e8467099ee2a9
SHA1	cf7e60b090575b299efb87d818c4e30157b567b0
SHA256	fa773c6d7cbb0ad257bcbb9fee574b45b8b27505b3f0928726c4c1d257966fcc
SHA512	cea48dabb029d29e8cca09d0c9de87ec681ee979d2fdf9629728dd338f2443eef92f5827f7edc12d2247f9de5a31d75e2be103ebb878cf97074c9fa2b483262a
CRC32	221F69B0
Ssdeep	3072:6UqJ1NgsA8k/gvh0NZ0lGX1nZ7jZ/9nsYjs:6BtgVIveNZvnHyYjs
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	A 23.198.99.176 CNAME acroipm.adobe.com.edgesuite.net CNAME a1983.dscd.akamai.net A 23.198.99.183
qualitychildcarepreschool.com	未知	A 162.241.154.46
www.sanambakshi.com	A 209.205.123.182 CNAME sanambakshi.com
enews.enkj.com	A 123.59.232.99
dagranitegiare.com	未知	A 45.119.81.203
bappeda.barrukab.go.id	A 114.7.197.82

摘要

登录查看详细行为信息

没有信息可以显示.

RExif
Jr5_gl1odvv1o39h0Aqitobfbl7k_zeee6X1rhboyajijx
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
Picture 1
Normal
Default Paragraph Font
Table Normal
No List

防病毒引擎/厂商	病毒名/规则匹配	病毒库日期
Bkav	未发现病毒	20200925
Elastic	malicious (high confidence)	20200917
Cynet	未发现病毒	20200924
CMC	未发现病毒	20200925
CAT-QuickHeal	W97M.Emotet.Heur	20200925
McAfee	W97M/Downloader.dbv	20200924
Malwarebytes	未发现病毒	20200925
Zillya	未发现病毒	20200925
Sangfor	未发现病毒	20200814
K7AntiVirus	Trojan ( 0056edf51 )	20200925
K7GW	Trojan ( 0056edf51 )	20200925
Arcabit	未发现病毒	20200925
TrendMicro	Trojan.W97M.EMOTET.TIOIBELH	20200925
BitDefenderTheta	未发现病毒	20200918
Cyren	W97M/Downldr.IE.gen!Eldorado	20200925
Symantec	ISB.Downloader!gen411	20200925
ESET-NOD32	VBA/TrojanDownloader.Agent.UFY	20200925
Baidu	未发现病毒	20190318
TrendMicro-HouseCall	Trojan.W97M.EMOTET.TIOIBELH	20200925
Avast	未发现病毒	20200925
ClamAV	未发现病毒	20200924
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen	20200925
BitDefender	未发现病毒	20200925
NANO-Antivirus	未发现病毒	20200925
ViRobot	未发现病毒	20200925
SUPERAntiSpyware	未发现病毒	20200918
MicroWorld-eScan	未发现病毒	20200925
Tencent	Heur.Macro.Generic.h.7ebe026b	20200925
Ad-Aware	未发现病毒	20200925
Sophos	Mal/DocDl-K	20200925
Comodo	未发现病毒	20200925
F-Secure	未发现病毒	20200925
DrWeb	未发现病毒	20200925
VIPRE	未发现病毒	20200925
Invincea	Mal/DocDl-K	20200925
McAfee-GW-Edition	W97M/Downloader.dbv	20200925
FireEye	未发现病毒	20200925
Emsisoft	未发现病毒	20200925
Ikarus	Win32.SuspectCrc	20200925
Jiangmin	未发现病毒	20200925
Avira	未发现病毒	20200925
Antiy-AVL	未发现病毒	20200925
Kingsoft	未发现病毒	20200925
Microsoft	未发现病毒	20200925
AegisLab	未发现病毒	20200925
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic	20200925
GData	未发现病毒	20200925
TACHYON	未发现病毒	20200925
AhnLab-V3	Downloader/DOC.Emotet.S1294	20200925
VBA32	未发现病毒	20200924
ALYac	未发现病毒	20200925
MAX	未发现病毒	20200925
Zoner	未发现病毒	20200920
Rising	Malware.ObfusVBA@ML.84 (VBA)	20200925
Yandex	未发现病毒	20200911
SentinelOne	DFI - Malicious OLE	20200724
Fortinet	VBA/Agent.DBV!tr.dldr	20200925
AVG	未发现病毒	20200925
Panda	未发现病毒	20200924
Qihoo-360	virus.office.qexvmc.1090	20200925

进程树

WINWORD.EXE id: 2500

搜索
WINWORD.EXE (2500)

WINWORD.EXE, PID: 2500, 上一级进程 PID: 2172

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49170	114.7.197.82 bappeda.barrukab.go.id	80
192.168.122.201	49165	123.59.232.99 enews.enkj.com	443
192.168.122.201	49162	162.241.154.46 qualitychildcarepreschool.com	443
192.168.122.201	49174	162.241.41.111	7080
192.168.122.201	49163	209.205.123.182 www.sanambakshi.com	443
192.168.122.201	49164	209.205.123.182 www.sanambakshi.com	443
192.168.122.201	49158	23.198.99.176 acroipm.adobe.com	80
192.168.122.201	49168	45.119.81.203 dagranitegiare.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53225	192.168.122.1	53
192.168.122.201	60001	192.168.122.1	53
192.168.122.201	60293	192.168.122.1	53
192.168.122.201	61084	192.168.122.1	53
192.168.122.201	63282	192.168.122.1	53
192.168.122.201	63619	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	A 23.198.99.176 CNAME acroipm.adobe.com.edgesuite.net CNAME a1983.dscd.akamai.net A 23.198.99.183
qualitychildcarepreschool.com	未知	A 162.241.154.46
www.sanambakshi.com	A 209.205.123.182 CNAME sanambakshi.com
enews.enkj.com	A 123.59.232.99
dagranitegiare.com	未知	A 45.119.81.203
bappeda.barrukab.go.id	A 114.7.197.82

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49170	114.7.197.82 bappeda.barrukab.go.id	80
192.168.122.201	49165	123.59.232.99 enews.enkj.com	443
192.168.122.201	49162	162.241.154.46 qualitychildcarepreschool.com	443
192.168.122.201	49174	162.241.41.111	7080
192.168.122.201	49163	209.205.123.182 www.sanambakshi.com	443
192.168.122.201	49164	209.205.123.182 www.sanambakshi.com	443
192.168.122.201	49158	23.198.99.176 acroipm.adobe.com	80
192.168.122.201	49168	45.119.81.203 dagranitegiare.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53225	192.168.122.1	53
192.168.122.201	60001	192.168.122.1	53
192.168.122.201	60293	192.168.122.1	53
192.168.122.201	61084	192.168.122.1	53
192.168.122.201	63282	192.168.122.1	53
192.168.122.201	63619	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://bappeda.barrukab.go.id/wp-content/B/	GET /wp-content/B/ HTTP/1.1 Host: bappeda.barrukab.go.id Connection: Keep-Alive
URL专业沙箱检测 -> http://162.241.41.111:7080/Gob4aLLq1SA9oC4/WYDt28Ex3nHVq/Y3sc/3QPSVvISkRPDAO9S4Dy/	POST /Gob4aLLq1SA9oC4/WYDt28Ex3nHVq/Y3sc/3QPSVvISkRPDAO9S4Dy/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 162.241.41.111/Gob4aLLq1SA9oC4/WYDt28Ex3nHVq/Y3sc/3QPSVvISkRPDAO9S4Dy/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-------------------yE178uOwNfqEIiQOVIn Host: 162.241.41.111:7080 Content-Length: 4564 Cache-Control: no-cache

URI

HTTP数据

URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://bappeda.barrukab.go.id/wp-content/B/

GET /wp-content/B/ HTTP/1.1
Host: bappeda.barrukab.go.id
Connection: Keep-Alive

URL专业沙箱检测 -> http://162.241.41.111:7080/Gob4aLLq1SA9oC4/WYDt28Ex3nHVq/Y3sc/3QPSVvISkRPDAO9S4Dy/

POST /Gob4aLLq1SA9oC4/WYDt28Ex3nHVq/Y3sc/3QPSVvISkRPDAO9S4Dy/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 162.241.41.111/Gob4aLLq1SA9oC4/WYDt28Ex3nHVq/Y3sc/3QPSVvISkRPDAO9S4Dy/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=-------------------yE178uOwNfqEIiQOVIn
Host: 162.241.41.111:7080
Content-Length: 4564
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

源地址	目标地址	ICMP类型	数据
192.168.1.1	192.168.122.201	3

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2020-09-25 16:43:13.843713+0800	114.7.197.82	80	192.168.122.201	49170	TCP	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

TLS

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Version	Issuer	Subject	Fingerprint
2020-09-25 16:42:42.876789+0800	192.168.122.201	49162	162.241.154.46	443	TLSv1	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3	CN=qualitychildcarepreschool.com	b1:de:98:55:1f:1e:39:3e:19:82:d8:ac:50:fb:aa:f7:5f:7d:47:dc
2020-09-25 16:43:09.983664+0800	192.168.122.201	49168	45.119.81.203	443	TLSv1	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3	CN=dagranitegiare.com	76:05:02:e7:c4:fb:83:cd:c5:94:50:b3:e6:18:2a:4a:cd:c1:92:e2
2020-09-25 16:42:46.049259+0800	192.168.122.201	49165	123.59.232.99	443	TLSv1	C=CN, O=WoTrus CA Limited, CN=WoTrus DV Server CA [Run by the Issuer]	CN=*.enkj.com	ca:e2:d2:34:5b:47:66:ba:36:e2:bf:09:22:50:28:dc:2f:af:2b:6a

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 50.771 seconds )

19.819 BehaviorAnalysis
15.44 Suricata
11.222 NetworkAnalysis
2.582 Strings
1.182 VirusTotal
0.393 TargetInfo
0.13 AnalysisInfo
0.003 Memory

Signatures ( 29.079 seconds )

14.965 network_http
3.872 antiav_detectreg
1.915 md_url_bl
1.315 infostealer_ftp
0.8 antianalysis_detectreg
0.734 infostealer_im
0.556 stealth_decoy_document
0.54 api_spamming
0.454 infostealer_mail
0.449 stealth_timeout
0.289 antivm_generic_scsi
0.209 darkcomet_regkeys
0.203 kibex_behavior
0.202 antivm_parallels_keys
0.201 antivm_xen_keys
0.186 recon_fingerprint
0.142 geodo_banking_trojan
0.141 betabot_behavior
0.137 antivm_generic_diskreg
0.125 antisandbox_productid
0.086 packer_armadillo_regkey
0.074 antivm_generic_services
0.071 antivm_vbox_keys
0.07 antivm_vmware_keys
0.069 anormaly_invoke_kills
0.068 antivm_xen_keys
0.068 antivm_hyperv_keys
0.068 maldun_anomaly_invoke_vb_vba
0.067 bypass_firewall
0.066 antivm_vbox_acpi
0.066 antivm_vpc_keys
0.064 mimics_filetime
0.062 antivm_generic_system
0.061 antivm_generic_bios
0.061 antivm_generic_cpu
0.055 stealth_file
0.044 anomaly_persistence_autorun
0.042 md_domain_bl
0.029 bootkit
0.025 antiav_detectfile
0.018 kovter_behavior
0.017 infostealer_bitcoin
0.015 antiemu_wine_func
0.015 antivm_generic_disk
0.015 infostealer_browser_password
0.015 virus
0.014 maldun_anomaly_massive_file_ops
0.014 antidbg_windows
0.014 disables_browser_warn
0.012 antiemu_wine_reg
0.01 shifu_behavior
0.01 antivm_vbox_files
0.009 hancitor_behavior
0.009 browser_security
0.008 anomaly_persistence_bootexecute
0.008 anomaly_reset_winsock
0.008 antisandbox_sleep
0.008 gootkit_behavior
0.008 modify_proxy
0.007 banker_prinimalka
0.007 creates_largekey
0.007 ransomware_extensions
0.007 ransomware_files
0.006 infostealer_browser
0.006 browser_addon
0.006 network_torgateway
0.005 dridex_behavior
0.005 cerber_behavior
0.005 disables_system_restore
0.005 disables_windows_defender
0.004 tinba_behavior
0.004 ransomeware_modifies_desktop_wallpaper
0.004 antidbg_devices
0.004 office_martian_children
0.004 stealth_modify_uac_prompt
0.003 hawkeye_behavior
0.003 network_tor
0.003 antivm_vbox_libs
0.003 rat_nanocore
0.003 antiav_avast_libs
0.003 stack_pivot
0.003 injection_createremotethread
0.003 antivm_vbox_window
0.003 sets_autoconfig_url
0.003 antisandbox_sunbelt_libs
0.003 rat_pcclient
0.003 rat_spynet
0.003 stealth_hiddenreg
0.003 stealth_hide_notifications
0.002 ransomware_dmalocker
0.002 maldun_malicious_write_executeable_under_temp_to_regrun
0.002 rat_luminosity
0.002 maldun_anomaly_write_exe_and_obsfucate_extension
0.002 injection_explorer
0.002 ursnif_behavior
0.002 kazybot_behavior
0.002 antisandbox_sboxie_libs
0.002 ipc_namedpipe
0.002 antiav_bitdefender_libs
0.002 dyre_behavior
0.002 exec_crash
0.002 encrypted_ioc
0.002 injection_runpe
0.002 antisandbox_script_timer
0.002 antivm_vmware_files
0.002 codelux_behavior
0.002 md_bad_drop
0.002 network_cnc_http
0.002 ransomware_radamant
0.002 stealth_modify_security_center_warnings
0.001 antivm_vmware_libs
0.001 kelihos_behavior
0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
0.001 ispy_behavior
0.001 vawtrak_behavior
0.001 h1n1_behavior
0.001 pony_behavior
0.001 cryptowall_behavior
0.001 sniffer_winpcap
0.001 modifies_certs
0.001 antiav_srp
0.001 antianalysis_detectfile
0.001 antivm_vpc_files
0.001 banker_cridex
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_helper_object
0.001 browser_startpage
0.001 disables_app_launch
0.001 disables_uac
0.001 disables_wer
0.001 disables_windowsupdate
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 malicous_targeted_flame
0.001 troldesh_behavior
0.001 maldun_network_blacklist
0.001 network_tor_service
0.001 locker_regedit
0.001 locker_taskmgr
0.001 stealth_hidden_extension

Reporting ( 2.413 seconds )

1.219 Malheur
1.194 ReportHTMLSummary


Task ID	577658
Mongo ID	5f6dae632f8f2e0ab452d118
Cuckoo release	1.4-Maldun