恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2021-04-21 21:31:34	2021-04-21 21:32:16	42 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	呢兔下载器5.7.5.exe
文件大小	15638528 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	bfd2c3566c5191cd1f4eb6314698be30
SHA1	aec0e89880a5b6375bbabfefe5d638427469c652
SHA256	ddb07b66230f3e92c550c534ef812f55d177c4281a11ddfdefbcdc1ca267c55b
SHA512	63848f5221ef9289206204945ece406bdb34181f4614927f872ff8e39bed26d8c4445d815200d4eac83a7235bdddb5f9e7ec0645802c09a136f0c14af92cf4e4
CRC32	40DA0439
Ssdeep	196608:ThYFnGJx+RPveSvRXstVcFG1pTRXIQdso0Q3w2mxpX0W+ZgEBP9b6O4S14C+laLG:tYVRAICpTbO5Ww2mnJq9P4SWCjzX6c3
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	CNAME a1983.dscd.akamai.net CNAME acroipm.adobe.com.edgesuite.net A 23.63.74.41 A 23.63.74.64

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x01e40e50
声明校验值	0x00000000
实际校验值	0x00ef3dcd
最低操作系统版本要求	5.0
编译时间	2021-04-21 03:16:11
载入哈希	c06bb6ec0083de6b0493a087a1ef6c6b
图标
图标精确哈希值	c1754e2e6b20155153b3ab8e82a5f273
图标相似性哈希值	cbff724c3bd4d19aa4d4f8a3d15c7eae
导出DLL库名称	MZ\x90

版本信息

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00399846	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.00
.rdata	0x0039b000	0x00c5df54	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	0.00
.data	0x00ff9000	0x001d3aa2	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.vmp0	0x011cd000	0x0078a6e9	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.00
.vmp1	0x01958000	0x00ee6bb0	0x00ee7000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.99
.rsrc	0x0283f000	0x00001aed	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.07

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x0283f61c	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.72	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 11264200
RT_ICON	0x0283f61c	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.72	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 11264200
RT_ICON	0x0283f61c	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.72	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 11264200
RT_GROUP_ICON	0x028406ec	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x028406ec	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x028406ec	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x02840700	0x00000220	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.49	data
RT_MANIFEST	0x02840920	0x000001cd	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.08	XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库: user32.dll:

• 0x1de6000 PeekMessageA

库: gdi32.dll:

• 0x1de6008 SetTextColor

库: kernel32.dll:

• 0x1de6010 GetVersionExA

• 0x1de6014 GetVersion

库: ole32.dll:

• 0x1de601c CoCreateInstance

库: gdiplus.dll:

• 0x1de6024 GdiplusStartup

库: imm32.dll:

• 0x1de602c ImmReleaseContext

库: shell32.dll:

• 0x1de6034 ShellExecuteA

库: winspool.drv:

• 0x1de603c DocumentPropertiesA

库: advapi32.dll:

• 0x1de6044 RegCreateKeyExA

库: comctl32.dll:

• 0x1de604c None

库: shlwapi.dll:

• 0x1de6054 PathFileExistsA

库: winmm.dll:

• 0x1de605c PlaySoundA

库: MSVFW32.dll:

• 0x1de6064 DrawDibDraw

库: AVIFIL32.dll:

• 0x1de606c AVIStreamInfoA

库: RASAPI32.dll:

• 0x1de6074 RasGetConnectStatusA

库: iphlpapi.dll:

• 0x1de607c GetAdaptersInfo

库: winmm.dll:

• 0x1de6084 waveOutClose

库: WS2_32.dll:

• 0x1de608c getpeername

库: kernel32.dll:

• 0x1de6094 GetVersion

• 0x1de6098 GetVersionExA

库: user32.dll:

• 0x1de60a0 SendDlgItemMessageA

库: gdi32.dll:

• 0x1de60a8 CreateDCA

库: MSIMG32.dll:

• 0x1de60b0 GradientFill

库: winspool.drv:

• 0x1de60b8 ClosePrinter

库: comdlg32.dll:

• 0x1de60c0 GetSaveFileNameA

库: advapi32.dll:

• 0x1de60c8 RegCloseKey

库: shell32.dll:

• 0x1de60d0 SHBrowseForFolderA

库: OLEAUT32.dll:

• 0x1de60d8 UnRegisterTypeLib

库: comctl32.dll:

• 0x1de60e0 ImageList_DrawIndirect

库: WININET.dll:

• 0x1de60e8 InternetCanonicalizeUrlA

库: WTSAPI32.dll:

• 0x1de60f0 WTSSendMessageW

库: kernel32.dll:

• 0x1de60f8 VirtualQuery

库: user32.dll:

• 0x1de6100 GetProcessWindowStation

库: kernel32.dll:

• 0x1de6108 LocalAlloc

• 0x1de610c LocalFree

• 0x1de6110 GetModuleFileNameW

• 0x1de6114 GetProcessAffinityMask

• 0x1de6118 SetProcessAffinityMask

• 0x1de611c SetThreadAffinityMask

• 0x1de6120 Sleep

• 0x1de6124 ExitProcess

• 0x1de6128 FreeLibrary

• 0x1de612c LoadLibraryA

• 0x1de6130 GetModuleHandleA

• 0x1de6134 GetProcAddress

库: user32.dll:

• 0x1de613c GetProcessWindowStation

• 0x1de6140 GetUserObjectInformationW

.text
`.rdata
@.data
.vmp0
`.vmp1
`.rsrc
1DoU|hU
waveOutClose
6'!]5
LocalAlloc
mC;mT
'/gke+y

没有防病毒引擎扫描信息!

进程树

_______________5.7.5.exe id: 2588

搜索
_______________5.7.5.exe (2588)

_______________5.7.5.exe, PID: 2588, 上一级进程 PID: 2252

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	23.63.74.64 acroipm.adobe.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	CNAME a1983.dscd.akamai.net CNAME acroipm.adobe.com.edgesuite.net A 23.63.74.41 A 23.63.74.64

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	23.63.74.64 acroipm.adobe.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 25.357 seconds )

10.618 Suricata
8.743 Static
2.88 TargetInfo
1.526 VirusTotal
0.966 NetworkAnalysis
0.435 peid
0.095 config_decoder
0.071 BehaviorAnalysis
0.011 Strings
0.01 AnalysisInfo
0.002 Memory

Signatures ( 1.434 seconds )

1.322 md_url_bl
0.018 antiav_detectreg
0.015 md_domain_bl
0.008 infostealer_ftp
0.005 anomaly_persistence_autorun
0.005 antiav_detectfile
0.005 infostealer_im
0.004 antianalysis_detectreg
0.004 geodo_banking_trojan
0.004 ransomware_files
0.003 api_spamming
0.003 stealth_timeout
0.003 antivm_vbox_files
0.003 infostealer_bitcoin
0.003 infostealer_mail
0.003 network_http
0.003 ransomware_extensions
0.002 tinba_behavior
0.002 stealth_decoy_document
0.002 disables_browser_warn
0.002 network_torgateway
0.001 rat_nanocore
0.001 betabot_behavior
0.001 kibex_behavior
0.001 shifu_behavior
0.001 cerber_behavior
0.001 antivm_parallels_keys
0.001 antivm_xen_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 network_cnc_http
0.001 stealth_modify_uac_prompt

Reporting ( 0.507 seconds )

0.505 ReportHTMLSummary
0.002 Malheur


Task ID	631858
Mongo ID	608029887e769a0f72493b4e
Cuckoo release	1.4-Maldun