Analysis Task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2021-04-21 19:11:52  2021-04-21 19:13:56  124 seconds

Maldun Score

8.95

Dangerous

File Details

File name  superfinger.exe
File size  2535000 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 dcd1b93dedb0093e635b6a4e6f17c5ac
SHA1 ddb19f36afb0b00844514fa60fff7b9fff9f9d12
SHA256 6d2a0c0e395aa30ecc48a8a53b188bf0a15ea9e4924655759d794a32b2a131c1
SHA512 bf18957922b58a09aa3cc3c9218f7e77ca524b629f39bf8d7992778b2ce6310935cd635a6415310aa6aac35048a4d8315842136714357fbd91f0fa4c831915d7
CRC32 4B1035F9
Ssdeep 49152:yI/LhG2T05xF+LmebL/rHNFJP1esYe2PEgHhFtTcDCtlA3NgXJc:9o5xY/b7XJPVY19QDD/

Hosts Contacted

No host records.

DNS Resolution

Domain  Security rating  Response
time1903.beijing-time.org A 119.23.209.237
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 104.116.243.153
CNAME a1983.dscd.akamai.net
A 104.116.243.72
upfinger.oss-cn-shanghai.aliyuncs.com A 106.14.229.122

PE Information

Image base  0x00400000
Entry point  0x00970350
Declared checksum  0x00000000
Actual checksum  0x00274f1e
Minimum OS version required  4.0
Compile time  2021-03-26 22:27:52
Import hash  a1bbb82ac1178c4d9c0589e88d4df7bb
Icon exact hash  f29225ed025a4abdb99971d0b1f93066
Icon similarity hash  3b5d3c7d207e37dceeedd301e35e2e58

PEiD Rules

UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Microsoft Certificate Verification (Sign Tool)

SHA1  Timestamp  Validity  Error
e7591b85c2bb0d5db275c6d0ea864f86698adfa1  Thu Dec 29 16:46:53 2011
WinVerifyTrust returned error 0x80096010
Certificate Chain 1
Issued to  Class 3 Public Primary Certification Authority
Issuer  Class 3 Public Primary Certification Authority
Valid until  Wed Aug 02 07:59:59 2028
SHA1 hash  742c3192e607e424eb4549542be1bbc53e6174e2
Certificate Chain 2
Issued to  VeriSign Class 3 Code Signing 2009-2 CA
Issuer  Class 3 Public Primary Certification Authority
Valid until  Tue May 21 07:59:59 2019
SHA1 hash  12d4872bc3ef019e7e0b6f132480ae29db5b1ca3
Certificate Chain 3
Issued to  360.cn
Issuer  VeriSign Class 3 Code Signing 2009-2 CA
Valid until  Sat Mar 16 07:59:59 2013
SHA1 hash  7f63633e66a5b4c502575f5e99ece6f4fe38c4c2
Timestamp Chain 1
Issued to  Thawte Timestamping CA
Issuer  Thawte Timestamping CA
Valid until  Fri Jan 01 07:59:59 2021
SHA1 hash  be36a4562fb2ee05dbb3d32323adf445084ed656
Timestamp Chain 2
Issued to  VeriSign Time Stamping Services CA
Issuer  Thawte Timestamping CA
Valid until  Wed Dec 04 07:59:59 2013
SHA1 hash  f46ac0c6efbb8c6a14f55f09e2d37df4c0de012d
Timestamp Chain 3
Issued to  VeriSign Time Stamping Services Signer - G2
Issuer  VeriSign Time Stamping Services CA
Valid until  Fri Jun 15 07:59:59 2012
SHA1 hash  ada8aaa643ff7dc38dd40fa4c97ad559ff4846de

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
UPX0 0x00001000 0x0031e000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x0031f000 0x00252000 0x00252000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.rsrc 0x00571000 0x00018000 0x00017400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.23

Overlay

Offset  0x00269800
Size  0x00001658

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
TEXTINCLUDE 0x00571d28 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
WAVE 0x00571e80 0x00001448 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.35 RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz
RT_CURSOR 0x00573864 0x00000134 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.43 AmigaOS bitmap font
RT_BITMAP 0x00575024 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_ICON 0x00575584 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 0.63 dBase III DBT, version number 0, next free block index 40
RT_MENU 0x00585dc0 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.28 data
RT_DIALOG 0x00587030 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_STRING 0x00587aa4 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_GROUP_CURSOR 0x00587b2c 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON 0x00587b84 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_MANIFEST 0x00587b9c 0x000002b9 LANG_NEUTRAL SUBLANG_NEUTRAL 5.02 XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

Library: KERNEL32.DLL:
0x987fe8 LoadLibraryA
0x987fec GetProcAddress
0x987ff0 VirtualProtect
0x987ff4 VirtualAlloc
0x987ff8 VirtualFree
0x987ffc ExitProcess
Library: ADVAPI32.dll:
0x988004 RegCloseKey
Library: AVIFIL32.dll:
0x98800c AVIStreamInfoA
Library: COMCTL32.dll:
0x988014 None
Library: comdlg32.dll:
0x98801c ChooseColorA
Library: GDI32.dll:
0x988024 PatBlt
Library: iphlpapi.dll:
0x98802c GetAdaptersInfo
Library: MSVFW32.dll:
0x988034 DrawDibDraw
Library: ole32.dll:
0x98803c OleRun
Library: OLEAUT32.dll:
0x988044 LHashValOfNameSys
Library: oledlg.dll:
0x98804c None
Library: RASAPI32.dll:
0x988054 RasHangUpA
Library: SHELL32.dll:
0x98805c DragFinish
Library: USER32.dll:
0x988064 GetDC
Library: VERSION.dll:
0x98806c VerLanguageNameA
Library: WININET.dll:
0x988074 InternetOpenA
Library: WINMM.dll:
0x98807c PlaySoundA
Library: WINSPOOL.DRV:
0x988084 ClosePrinter
Library: WS2_32.dll:
0x98808c select

No antivirus engine scan results.

Process Tree

superfinger.exe, PID: 2440, parent PID: 2168

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49165 104.116.243.72 acroipm.adobe.com 80
192.168.122.201 49167 106.14.229.122 upfinger.oss-cn-shanghai.aliyuncs.com 80
192.168.122.201 49160 119.23.209.237 time1903.beijing-time.org 80
192.168.122.201 49166 119.23.209.237 time1903.beijing-time.org 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 56270 192.168.122.1 53
192.168.122.201 59401 192.168.122.1 53
192.168.122.201 59906 192.168.122.1 53

HTTP Requests

URI  HTTP data
http://time1903.beijing-time.org/time.asp
GET /time.asp HTTP/1.1
Accept: */*
Referer: http://time1903.beijing-time.org/time.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: time1903.beijing-time.org
Cache-Control: no-cache

http://time1903.beijing-time.org/time.asp
GET /time.asp HTTP/1.1
Accept: */*
Referer: http://time1903.beijing-time.org/time.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: time1903.beijing-time.org
Cache-Control: no-cache
Cookie: ASPSESSIONIDQSQQSDQR=LNLDPGFDMMJFIHDGGLPPDCJJ

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://upfinger.oss-cn-shanghai.aliyuncs.com/finger_version.txt
GET /finger_version.txt HTTP/1.1
Accept: */*
Referer: http://upfinger.oss-cn-shanghai.aliyuncs.com/finger_version.txt
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: upfinger.oss-cn-shanghai.aliyuncs.com
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 18.187 seconds )

  • 11.027 Suricata
  • 1.734 VirusTotal
  • 1.722 Static
  • 1.552 NetworkAnalysis
  • 1.113 BehaviorAnalysis
  • 0.708 TargetInfo
  • 0.303 peid
  • 0.011 Strings
  • 0.01 AnalysisInfo
  • 0.005 config_decoder
  • 0.002 Memory

Signatures ( 46.004 seconds )

  • 44.116 network_http
  • 1.393 md_url_bl
  • 0.066 api_spamming
  • 0.05 stealth_timeout
  • 0.047 stealth_decoy_document
  • 0.023 mimics_filetime
  • 0.022 reads_self
  • 0.022 antiav_detectreg
  • 0.019 infostealer_browser_password
  • 0.015 infostealer_browser
  • 0.015 stealth_file
  • 0.015 kovter_behavior
  • 0.015 md_domain_bl
  • 0.014 antiemu_wine_func
  • 0.01 bootkit
  • 0.009 infostealer_ftp
  • 0.007 antiav_detectfile
  • 0.006 ipc_namedpipe
  • 0.006 anomaly_persistence_autorun
  • 0.006 antivm_generic_disk
  • 0.006 virus
  • 0.005 antivm_generic_services
  • 0.005 antivm_generic_scsi
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_im
  • 0.004 antivm_vbox_libs
  • 0.004 stealth_network
  • 0.004 anormaly_invoke_kills
  • 0.004 hancitor_behavior
  • 0.004 antianalysis_detectreg
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 webmail_phish
  • 0.003 injection_createremotethread
  • 0.003 antidbg_windows
  • 0.003 antivm_vbox_files
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 internet_dropper
  • 0.002 rat_nanocore
  • 0.002 network_document_http
  • 0.002 maldun_anomaly_massive_file_ops
  • 0.002 betabot_behavior
  • 0.002 network_execute_http
  • 0.002 generic_phish
  • 0.002 dyre_behavior
  • 0.002 exec_crash
  • 0.002 injection_runpe
  • 0.002 secure_login_phish
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.001 recon_beacon
  • 0.001 mimics_agent
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antiav_avast_libs
  • 0.001 wscript_downloader_http
  • 0.001 office_dl_write_exe
  • 0.001 network_anomaly
  • 0.001 antivm_vmware_libs
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 cerber_behavior
  • 0.001 h1n1_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.572 seconds )

  • 0.511 ReportHTMLSummary
  • 0.061 Malheur

Task ID 631843
Mongo ID 608009437e769a0f71493ce5
Cuckoo release 1.4-Maldun