Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2021-04-21 21:39:56  2021-04-21 21:41:59  123 seconds

Maldun score

3.2665

Suspicious

File details

File name qax.exe
File size 478192 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8b8d8b4ea3dea4dad5f182848b97ff80
SHA1 4ebab33b6276e2529bf3659594dd8a6edcb9bffd
SHA256 ecafaf3cc5a8b689df587cb1b4004b9238576f7847c7f8db1cd4132468e376c1
SHA512 bf28028a1b35dd7a8ea712c03e186eb003fc5520227c405fc4408c3b4998cdbff8070cc5ad67824ab431d7a139695576a2cb03d34c23b16027fa19a4771c908d
CRC32 4BFBB1CB
Ssdeep 6144:Nqc0BiuNhcTvpjGZ4bBRmetOOAIklrYu/XbT6iiHnHFKaZ5CUm+8olv6JA:Ac0BE9Cc/OjIklrYOrWiiv5CLgiJA

Hosts contacted

No host records.

DNS resolution

Domain  Security rating  Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 104.75.169.10
A 104.75.169.8

PE information

Image base 0x00400000
Entry point 0x00402100
Claimed checksum 0x00000000
Actual checksum 0x0007f6c7
Minimum OS version required 6.0
Compile time 2021-04-15 18:49:50
Import hash 85ff4fa6bd88ca86b4f1135514125911
Icon
Icon exact hash f6b04579d6a93cfcb72847b1b6b520ff
Icon similarity hash 6ea6cee5848bed18069f5ee78efb7867

Version information

LegalCopyright
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
Translation

Microsoft certificate verification (Sign Tool)

SHA1  Timestamp  Validity  Error
8c741d786a38085f4cd9fc932ffe46f6ce588b76 Wed Mar 10 13:47:04 2021
WinVerifyTrust returned error 0x80096010
Certificate chain: Certificate Chain 1
Issued to DigiCert Assured ID Root CA
Issuer DigiCert Assured ID Root CA
Valid to Mon Nov 10 08:00:00 2031
SHA1 hash 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Certificate chain: Certificate Chain 2
Issued to DigiCert Assured ID Code Signing CA-1
Issuer DigiCert Assured ID Root CA
Valid to Tue Feb 10 20:00:00 2026
SHA1 hash 409aa4a74a0cda7c0fee6bd0bb8823d16b5f1875
Certificate chain: Certificate Chain 3
Issued to Tencent Technology(Shenzhen) Company Limited
Issuer DigiCert Assured ID Code Signing CA-1
Valid to Fri Feb 23 07:59:59 2024
SHA1 hash b550768bc5f6fd1ad4943b10fe4e6edd1a8571e3
Certificate chain: Timestamp Chain 1
Issued to DigiCert Assured ID Root CA
Issuer DigiCert Assured ID Root CA
Valid to Mon Nov 10 08:00:00 2031
SHA1 hash 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Certificate chain: Timestamp Chain 2
Issued to DigiCert SHA2 Assured ID Timestamping CA
Issuer DigiCert Assured ID Root CA
Valid to Tue Jan 07 20:00:00 2031
SHA1 hash 3ba63a6e4841355772debef9cdcf4d5af353a297
Certificate chain: Timestamp Chain 3
Issued to DigiCert Timestamp 2021
Issuer DigiCert SHA2 Assured ID Timestamping CA
Valid to Mon Jan 06 08:00:00 2031
SHA1 hash e1d782a8e191beef6bca1691b5aab494a6249bf3

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00001382 0x00001400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.28
.rdata 0x00003000 0x0000029a 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.77
.data 0x00004000 0x0005f55c 0x0005f400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.rsrc 0x00064000 0x00010248 0x00010400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.04
.reloc 0x00075000 0x000000c4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 2.83

Overlay

Offset 0x00071600
Size 0x000035f0

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
AFX_DIALOG_LAYOUT 0x000641e0 0x00000002 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 data
RT_ICON 0x000641e8 0x0000fdd8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.00 dBase IV DBT of \366.DBF, blocks size 0, block length 62976, next free block index 40, next free block 0, next used block 0
RT_DIALOG 0x000641a0 0x00000040 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.37 data
RT_GROUP_ICON 0x00073fc0 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 128x123
RT_VERSION 0x00073fd8 0x00000270 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.55 data

Imports

Library: KERNEL32.dll:
0x403008 HeapCreate
0x40300c GetModuleHandleW
0x403010 CreateEventW
0x403014 TerminateProcess
0x403018 GetCurrentProcess
0x403020 HeapDestroy
0x403024 WaitForSingleObject
0x403028 HeapAlloc
Library: USER32.dll:
0x403038 DialogBoxParamW
Library: COMCTL32.dll:
0x403000 None

No antivirus engine scan results!

Process tree

qax.exe, PID: 2496, parent PID: 2144

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49160 101.72.205.199 443
192.168.122.201 49174 101.72.205.199 443
192.168.122.201 49161 104.75.169.10 acroipm.adobe.com 80
192.168.122.201 49162 112.25.18.136 443
192.168.122.201 49175 112.25.18.136 443
192.168.122.201 49164 114.80.187.84 443
192.168.122.201 49177 114.80.187.84 443
192.168.122.201 49165 118.123.241.206 443
192.168.122.201 49178 118.123.241.206 443
192.168.122.201 49166 121.207.229.136 443
192.168.122.201 49179 121.207.229.136 443
192.168.122.201 49167 122.156.134.217 443
192.168.122.201 49180 122.156.134.217 443
192.168.122.201 49168 124.236.20.140 443
192.168.122.201 49181 124.236.20.140 443
192.168.122.201 49169 125.37.206.217 443
192.168.122.201 49183 125.37.206.217 443
192.168.122.201 49170 125.76.247.218 443
192.168.122.201 49173 14.29.40.5 443
192.168.122.201 49171 140.249.60.232 443

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI  HTTP data
URL http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2021-04-21 21:40:16.673799+0800 192.168.122.201 49160 101.72.205.199 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:50.553914+0800 192.168.122.201 49168 124.236.20.140 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:27.514398+0800 192.168.122.201 49164 114.80.187.84 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:41:13.794240+0800 192.168.122.201 49173 14.29.40.5 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:33.600864+0800 192.168.122.201 49165 118.123.241.206 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:22.652792+0800 192.168.122.201 49162 112.25.18.136 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:39.183558+0800 192.168.122.201 49166 121.207.229.136 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:41:02.225617+0800 192.168.122.201 49170 125.76.247.218 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:44.061359+0800 192.168.122.201 49167 122.156.134.217 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:40:56.181439+0800 192.168.122.201 49169 125.37.206.217 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05
2021-04-21 21:41:07.579337+0800 192.168.122.201 49171 140.249.60.232 443 TLS 1.2 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.alicdn.com f6:d8:a8:fc:fd:52:c3:b7:42:eb:ae:02:e9:08:e0:af:3c:c6:17:05

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 19.749 seconds )

  • 11.931 Suricata
  • 5.384 VirusTotal
  • 0.97 NetworkAnalysis
  • 0.587 Static
  • 0.403 TargetInfo
  • 0.301 peid
  • 0.148 BehaviorAnalysis
  • 0.011 AnalysisInfo
  • 0.011 Strings
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 1.483 seconds )

  • 1.37 md_url_bl
  • 0.012 antiav_detectreg
  • 0.01 md_domain_bl
  • 0.008 api_spamming
  • 0.006 stealth_decoy_document
  • 0.006 stealth_timeout
  • 0.006 antiav_detectfile
  • 0.005 anomaly_persistence_autorun
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_files
  • 0.003 antiemu_wine_func
  • 0.003 kovter_behavior
  • 0.003 infostealer_im
  • 0.003 network_http
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 infostealer_browser_password
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.002 network_torgateway
  • 0.001 rat_nanocore
  • 0.001 network_anomaly
  • 0.001 stealth_network
  • 0.001 betabot_behavior
  • 0.001 dyre_behavior
  • 0.001 cerber_behavior
  • 0.001 secure_login_phish
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.556 seconds )

  • 0.522 ReportHTMLSummary
  • 0.034 Malheur
Task ID 631861
Mongo ID 60802bca7e769a0f704941b5
Cuckoo release 1.4-Maldun