恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-2	2021-04-09 01:14:49	2021-04-09 01:15:18	29 秒

魔盾分数

1.4

正常的

文件详细信息

文件名	browsing_data_remover.exe
文件大小	350096 字节
文件类型	PE32 executable (console) Intel 80386, for MS Windows
MD5	fd123e789e99dff0cf27421a495e2ece
SHA1	629ad539d4cc768aa32e7306bec2dfbe306367e5
SHA256	91a03c8c3ad7c143d312a76218471a7104df682e5a1b9c80fc1e16ce788d9ded
SHA512	d76cb002ec2b8b0a5f59ac6e05cd4ed8b5bc05d9a012dcdef06b93c8b1843fcbb2d90a1f5a6a654e92327b9b6ce10005785af51141ebf64ce8378283d3d49208
CRC32	DCBDA2E0
Ssdeep	6144:NALci/Iq5yeUGIXLfi4EV1izUQ8ns91wS8iqBbcGnFAOECsIPr:iwiP5yYI7fibi2PFXP
Yara	Detected a console program sample Detected Digital Signature Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
	样本下载提交漏报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	A 96.7.129.29 CNAME acroipm.adobe.com.edgesuite.net A 96.7.129.34 CNAME a1983.dscd.akamai.net

摘要

C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\api-ms-win-core-datetime-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-datetime-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-datetime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\System32\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\system\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\System32\wbem\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
api-ms-win-core-localization-l1-2-1.dll.LCMapStringEx
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCMapStringEx
kernel32.dll.AreFileApisANSI
kernelbase.dll.CompareStringEx
api-ms-win-core-localization-l1-2-1.dll.EnumSystemLocalesEx
kernel32.dll.GetDateFormatEx
api-ms-win-core-localization-l1-2-1.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
api-ms-win-core-localization-l1-2-1.dll.GetUserDefaultLocaleName
api-ms-win-core-localization-l1-2-1.dll.IsValidLocaleName
kernel32.dll.LCIDToLocaleName
api-ms-win-core-localization-l1-2-1.dll.LocaleNameToLCID
kernel32.dll.AcquireSRWLockShared
kernel32.dll.ReleaseSRWLockShared
ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId

PE 信息

初始地址	0x00400000
入口地址	0x0041fe40
声明校验值	0x0006367d
实际校验值	0x0006367d
最低操作系统版本要求	5.1
PDB路径	D:\webapps\b\build\slave\repo\build\src\out\Release\browsing_data_remover.exe.pdb
编译时间	2017-12-11 17:04:35
载入哈希	4eba277eeb54cff81d28cb73860e0334
导出DLL库名称	browsing_data_remover.exe

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
dc36c076b81d34ca7b27365d6493974561f4b382	Mon Dec 11 18:50:12 2017	是	无

证书链	Certificate Chain 1
发行给	VeriSign Class 3 Public Primary Certification Authority - G5
发行人	VeriSign Class 3 Public Primary Certification Authority - G5
有效期	Thu Jul 17 075959 2036
SHA1 哈希	4eb6d578499b1ccf5f581ead56be3d9b6744a5e5

证书链	Certificate Chain 2
发行给	VeriSign Class 3 Code Signing 2010 CA
发行人	VeriSign Class 3 Public Primary Certification Authority - G5
有效期	Sat Feb 08 075959 2020
SHA1 哈希	495847a93187cfb8c71f840cb7b41497ad95c64f

证书链	Certificate Chain 3
发行给	TAOBAO (CHINA) SOFTWARE CO.,LTD.
发行人	VeriSign Class 3 Code Signing 2010 CA
有效期	Sun Jul 15 075959 2018
SHA1 哈希	51133a37ffad0b668844984e77109f29482d7dab

证书链	Timestamp Chain 1
发行给	GlobalSign Root CA
发行人	GlobalSign Root CA
有效期	Fri Jan 28 200000 2028
SHA1 哈希	b1bc968bd4f49d622aa89a81f2150152a41d829c

证书链	Timestamp Chain 2
发行给	GlobalSign Timestamping CA - G2
发行人	GlobalSign Root CA
有效期	Fri Jan 28 200000 2028
SHA1 哈希	c0e49d2d7d90a5cd427f02d9125694d5d6ec5b71

证书链	Timestamp Chain 3
发行给	GlobalSign TSA for MS Authenticode - G2
发行人	GlobalSign Timestamping CA - G2
有效期	Thu Jun 24 080000 2027
SHA1 哈希	63b82fab61f583909695050b00249c502933ec79

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0003d16a	0x0003d200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.61
.rdata	0x0003f000	0x00010aac	0x00010c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.72
.data	0x00050000	0x00002b68	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.22
.gfids	0x00053000	0x0000032c	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.34
.tls	0x00054000	0x00000002	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.reloc	0x00055000	0x00002a5c	0x00002c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	6.52

覆盖

偏移量	0x00052400
大小	0x00003390

导入

库: KERNEL32.dll:

• 0x43f000 SetEnvironmentVariableA

• 0x43f004 FreeEnvironmentStringsW

• 0x43f008 GetEnvironmentStringsW

• 0x43f00c GetOEMCP

• 0x43f010 IsValidCodePage

• 0x43f014 FindNextFileA

• 0x43f018 FindFirstFileExA

• 0x43f01c GetTickCount

• 0x43f020 SetDllDirectoryW

• 0x43f024 HeapAlloc

• 0x43f028 HeapReAlloc

• 0x43f02c HeapFree

• 0x43f030 HeapSize

• 0x43f034 GetCurrentDirectoryW

• 0x43f038 CreateFileW

• 0x43f03c DeleteFileW

• 0x43f040 WriteFile

• 0x43f044 OutputDebugStringA

• 0x43f048 CloseHandle

• 0x43f04c GetLastError

• 0x43f050 SetLastError

• 0x43f054 GetCurrentProcessId

• 0x43f058 GetModuleFileNameW

• 0x43f05c GetCommandLineW

• 0x43f060 LocalFree

• 0x43f064 GetModuleHandleW

• 0x43f068 GetProcAddress

• 0x43f06c FindClose

• 0x43f070 FindFirstFileW

• 0x43f074 FindFirstFileExW

• 0x43f078 FindNextFileW

• 0x43f07c GetFileAttributesW

• 0x43f080 CreateDirectoryW

• 0x43f084 ReadFile

• 0x43f088 RemoveDirectoryW

• 0x43f08c SetFileAttributesW

• 0x43f090 GetCurrentProcess

• 0x43f094 CopyFileW

• 0x43f098 MoveFileExW

• 0x43f09c WaitForSingleObject

• 0x43f0a0 TerminateProcess

• 0x43f0a4 GetExitCodeProcess

• 0x43f0a8 OpenProcess

• 0x43f0ac IsDebuggerPresent

• 0x43f0b0 RaiseException

• 0x43f0b4 Sleep

• 0x43f0b8 GetCurrentThreadId

• 0x43f0bc QueryPerformanceCounter

• 0x43f0c0 QueryPerformanceFrequency

• 0x43f0c4 GetSystemTimeAsFileTime

• 0x43f0c8 GetVersionExW

• 0x43f0cc GetNativeSystemInfo

• 0x43f0d0 FlushFileBuffers

• 0x43f0d4 SetFilePointerEx

• 0x43f0d8 GetProcessId

• 0x43f0dc GetModuleHandleExW

• 0x43f0e0 EnterCriticalSection

• 0x43f0e4 LeaveCriticalSection

• 0x43f0e8 InitializeCriticalSectionAndSpinCount

• 0x43f0ec TryEnterCriticalSection

• 0x43f0f0 DeleteCriticalSection

• 0x43f0f4 RtlCaptureStackBackTrace

• 0x43f0f8 SetUnhandledExceptionFilter

• 0x43f0fc TlsAlloc

• 0x43f100 TlsGetValue

• 0x43f104 TlsSetValue

• 0x43f108 TlsFree

• 0x43f10c ReadConsoleW

• 0x43f110 GetDriveTypeW

• 0x43f114 WriteConsoleW

• 0x43f118 GetTimeZoneInformation

• 0x43f11c EnumSystemLocalesW

• 0x43f120 GetUserDefaultLCID

• 0x43f124 IsValidLocale

• 0x43f128 GetACP

• 0x43f12c GetCommandLineA

• 0x43f130 GetStdHandle

• 0x43f134 GetModuleFileNameA

• 0x43f138 ExitProcess

• 0x43f13c GetFileType

• 0x43f140 SetStdHandle

• 0x43f144 GetFullPathNameW

• 0x43f148 GetConsoleMode

• 0x43f14c GetConsoleCP

• 0x43f150 GetProcessHeap

• 0x43f154 LoadLibraryExW

• 0x43f158 IsProcessorFeaturePresent

• 0x43f15c UnhandledExceptionFilter

• 0x43f160 GetStartupInfoW

• 0x43f164 InitializeSListHead

• 0x43f168 WideCharToMultiByte

• 0x43f16c MultiByteToWideChar

• 0x43f170 EncodePointer

• 0x43f174 DecodePointer

• 0x43f178 CompareStringW

• 0x43f17c LCMapStringW

• 0x43f180 GetLocaleInfoW

• 0x43f184 GetStringTypeW

• 0x43f188 GetCPInfo

• 0x43f18c RtlUnwind

• 0x43f190 FreeLibrary

库: SHELL32.dll:

• 0x43f198 CommandLineToArgvW

库: WINMM.dll:

• 0x43f1a0 timeGetTime

导出

序列	地址	名称
1	0x412c50	GetHandleVerifier

.text
`.rdata
@.data
.gfids
@.tls
.reloc
QQVWj
QQVWj
QQVWj

没有防病毒引擎扫描信息!

进程树

browsing_data_remover.exe id: 2556

搜索
browsing_data_remover.exe (2556)

browsing_data_remover.exe, PID: 2556, 上一级进程 PID: 2216

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.202	49160	96.7.129.34 acroipm.adobe.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.202	50785	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	A 96.7.129.29 CNAME acroipm.adobe.com.edgesuite.net A 96.7.129.34 CNAME a1983.dscd.akamai.net

TCP

源地址	源端口	目标地址	目标端口
192.168.122.202	49160	96.7.129.34 acroipm.adobe.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.202	50785	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 15.629 seconds )

10.93 Suricata
1.672 NetworkAnalysis
1.439 VirusTotal
0.845 Static
0.337 peid
0.336 TargetInfo
0.046 BehaviorAnalysis
0.011 AnalysisInfo
0.011 Strings
0.002 Memory

Signatures ( 1.48 seconds )

1.382 md_url_bl
0.012 antiav_detectreg
0.01 md_domain_bl
0.007 antiav_detectfile
0.006 geodo_banking_trojan
0.006 infostealer_ftp
0.005 anomaly_persistence_autorun
0.005 infostealer_bitcoin
0.004 infostealer_im
0.004 ransomware_extensions
0.004 ransomware_files
0.003 antivm_vbox_files
0.003 disables_browser_warn
0.003 network_http
0.002 tinba_behavior
0.002 api_spamming
0.002 antianalysis_detectreg
0.002 infostealer_mail
0.002 network_torgateway
0.001 stealth_decoy_document
0.001 rat_nanocore
0.001 betabot_behavior
0.001 cerber_behavior
0.001 stealth_timeout
0.001 antidbg_devices
0.001 banker_zeus_mutex
0.001 bot_athenahttp
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 disables_system_restore
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 network_cnc_http

Reporting ( 0.468 seconds )

0.466 ReportHTMLSummary
0.002 Malheur


Task ID	628829
Mongo ID	606f3a427e769a06aceb2bb2
Cuckoo release	1.4-Maldun