分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2021-01-02 04:34:10 | 2021-01-02 04:36:15 | 125 秒 |
魔盾分数
5.215
可疑的
文件详细信息
| 文件名 | 小叮当驱动人物透视.exe |
|---|---|
| 文件大小 | 657408 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 4e16c3eef17a4d49581801728833362b |
| SHA1 | 28bd34ade3e0b012604b520bcb881668e9db1c6a |
| SHA256 | df7ae8457685d6cd37d4175e6d9a3010090cc39610a26ada260d276723e54c62 |
| SHA512 | 9f1424076e06680f9abb5d8c4ebf0520fbc39c37b15cd1b899b60ef513ca8630de8b9722ab8d68e9971e161fe67e2331639afec864fb6141e9650266d271bce6 |
| CRC32 | CF45C4C3 |
| Ssdeep | 12288:+R+COvuq6bX9khzOg4olyAbl2Qc2MEmyN8k7eHglxOmCIF3agvwoS:KdfiMpoY6bc2MCLvxObIF3L |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x007f1670 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x000a0aa0 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2021-01-02 04:32:05 |
| 载入哈希 | a7878d59907aff724f46512d95d1ad04 |
| 图标 |  |
| 图标精确哈希值 | 7e8d0dbe5de19f74f384ae459c5abecf |
| 图标相似性哈希值 | 439e81c5165936c3ea55d4df339c6380 |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00353000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| UPX1 | 0x00354000 | 0x0009f000 | 0x0009e400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 8.00 |
| .rsrc | 0x003f3000 | 0x00002000 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.92 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| TEXTINCLUDE | 0x003e8c20 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.45 | data |
| TEXTINCLUDE | 0x003e8c20 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.45 | data |
| TEXTINCLUDE | 0x003e8c20 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.45 | data |
| RT_CURSOR | 0x003e9110 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.89 | data |
| RT_CURSOR | 0x003e9110 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.89 | data |
| RT_CURSOR | 0x003e9110 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.89 | data |
| RT_CURSOR | 0x003e9110 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.89 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_BITMAP | 0x003ea818 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.40 | data |
| RT_ICON | 0x003f4018 | 0x00000668 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x003f4018 | 0x00000668 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x003f4018 | 0x00000668 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x003f4018 | 0x00000668 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x003f4018 | 0x00000668 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_MENU | 0x003eb7f0 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.68 | data |
| RT_MENU | 0x003eb7f0 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.68 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_DIALOG | 0x003eca38 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.43 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_STRING | 0x003ed480 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.95 | data |
| RT_GROUP_CURSOR | 0x003ed4cc | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.97 | data |
| RT_GROUP_CURSOR | 0x003ed4cc | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.97 | data |
| RT_GROUP_CURSOR | 0x003ed4cc | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.97 | data |
| RT_GROUP_ICON | 0x003ed534 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.22 | data |
| RT_GROUP_ICON | 0x003ed534 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.22 | data |
| RT_GROUP_ICON | 0x003ed534 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.22 | data |
| RT_VERSION | 0x003f46b8 | 0x0000020c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.32 | data |
| RT_MANIFEST | 0x003f48c8 | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库: ADVAPI32.dll:
• 0x7f4c00 RegCloseKey
库: COMCTL32.dll:
• 0x7f4c08 None
库: comdlg32.dll:
• 0x7f4c10 ChooseColorA
库: GDI32.dll:
• 0x7f4c18 LineTo
库: gdiplus.dll:
• 0x7f4c20 GdipDeletePen
库: imm32.dll:
• 0x7f4c28 ImmGetContext
库: KERNEL32.DLL:
• 0x7f4c30 LoadLibraryA
• 0x7f4c34 ExitProcess
• 0x7f4c38 GetProcAddress
• 0x7f4c3c VirtualProtect
库: ole32.dll:
• 0x7f4c44 OleRun
库: OLEAUT32.dll:
• 0x7f4c4c VariantChangeType
库: RASAPI32.dll:
• 0x7f4c54 RasHangUpA
库: SHELL32.dll:
• 0x7f4c5c ShellExecuteA
库: shlwapi.dll:
• 0x7f4c64 PathFileExistsA
库: USER32.dll:
• 0x7f4c6c GetDC
库: WININET.dll:
• 0x7f4c74 InternetOpenA
库: winmm.dll:
• 0x7f4c7c PlaySoundA
库: WINSPOOL.DRV:
• 0x7f4c84 OpenPrinterA
库: WS2_32.dll:
• 0x7f4c8c recv
.rsrc
h0sz(
gD__9
kMQGhr
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 221.228.218.144 yuhuan6.lanzoux.com | 443 |
| 192.168.122.201 | 49161 | 221.228.218.144 yuhuan6.lanzoux.com | 443 |
| 192.168.122.201 | 49163 | 23.63.74.41 acroipm.adobe.com | 80 |
| 192.168.122.201 | 49162 | 47.98.88.99 vip.d0.baidupan.com | 443 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59906 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65178 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 221.228.218.144 yuhuan6.lanzoux.com | 443 |
| 192.168.122.201 | 49161 | 221.228.218.144 yuhuan6.lanzoux.com | 443 |
| 192.168.122.201 | 49163 | 23.63.74.41 acroipm.adobe.com | 80 |
| 192.168.122.201 | 49162 | 47.98.88.99 vip.d0.baidupan.com | 443 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59906 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65178 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
| Timestamp | Source IP | Source Port | Destination IP | Destination Port | Version | Issuer | Subject | Fingerprint |
|---|---|---|---|---|---|---|---|---|
| 2021-01-02 04:34:27.884229+0800 | 192.168.122.201 | 49160 | 221.228.218.144 | 443 | TLSv1 | C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2 | CN=*.lanzoux.com | ec:dc:62:08:9b:70:f8:ad:52:23:7c:f1:79:3f:d9:da:e7:6e:0d:15 |
| 2021-01-02 04:34:28.190650+0800 | 192.168.122.201 | 49161 | 221.228.218.144 | 443 | TLSv1 | C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2 | CN=*.lanzoux.com | ec:dc:62:08:9b:70:f8:ad:52:23:7c:f1:79:3f:d9:da:e7:6e:0d:15 |
| 2021-01-02 04:34:28.509234+0800 | 192.168.122.201 | 49162 | 47.98.88.99 | 443 | TLSv1 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=vip.d0.baidupan.com | 5f:8d:b4:87:c2:ac:9e:33:c3:31:8f:5e:c1:2c:fc:4d:1b:cf:23:86 |
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 18.312 seconds )
- 11.831 Suricata
- 2.815 NetworkAnalysis
- 1.3 VirusTotal
- 0.859 BehaviorAnalysis
- 0.78 Static
- 0.366 TargetInfo
- 0.316 peid
- 0.028 AnalysisInfo
- 0.013 Strings
- 0.002 Memory
- 0.002 config_decoder
Signatures ( 1.768 seconds )
- 1.373 md_url_bl
- 0.048 api_spamming
- 0.044 antiav_detectreg
- 0.038 stealth_decoy_document
- 0.037 stealth_timeout
- 0.019 md_domain_bl
- 0.017 infostealer_ftp
- 0.01 antiemu_wine_func
- 0.01 infostealer_browser_password
- 0.01 kovter_behavior
- 0.01 antianalysis_detectreg
- 0.01 infostealer_im
- 0.008 antivm_generic_scsi
- 0.007 mimics_filetime
- 0.007 antivm_generic_services
- 0.007 antiav_detectfile
- 0.006 reads_self
- 0.006 infostealer_mail
- 0.005 stealth_file
- 0.005 anomaly_persistence_autorun
- 0.005 anormaly_invoke_kills
- 0.005 geodo_banking_trojan
- 0.004 bootkit
- 0.004 infostealer_bitcoin
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 antivm_vbox_libs
- 0.003 infostealer_browser
- 0.003 betabot_behavior
- 0.003 antivm_generic_disk
- 0.003 virus
- 0.003 network_http
- 0.002 tinba_behavior
- 0.002 rat_nanocore
- 0.002 antisandbox_sunbelt_libs
- 0.002 kibex_behavior
- 0.002 shifu_behavior
- 0.002 exec_crash
- 0.002 antidbg_windows
- 0.002 hancitor_behavior
- 0.002 antivm_parallels_keys
- 0.002 antivm_vbox_files
- 0.002 antivm_xen_keys
- 0.002 disables_browser_warn
- 0.002 darkcomet_regkeys
- 0.002 network_torgateway
- 0.001 antiav_avast_libs
- 0.001 antivm_vmware_libs
- 0.001 maldun_anomaly_massive_file_ops
- 0.001 injection_createremotethread
- 0.001 stealth_network
- 0.001 antisandbox_sboxie_libs
- 0.001 ipc_namedpipe
- 0.001 antiav_bitdefender_libs
- 0.001 cerber_behavior
- 0.001 injection_runpe
- 0.001 antivm_generic_diskreg
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 md_bad_drop
- 0.001 maldun_network_blacklist
- 0.001 network_cnc_http
Reporting ( 0.707 seconds )
- 0.619 ReportHTMLSummary
- 0.088 Malheur
| Task ID | 609246 |
|---|---|
| Mongo ID | 5fef87db7e769a7a062b5ac2 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号