恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-3	2021-04-21 22:34:29	2021-04-21 22:34:57	28 秒

魔盾分数

8.55

危险的

文件详细信息

文件名	Tothliandd.dll
文件大小	450560 字节
文件类型	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	990573145893b10eead62e0b8c8a35a8
SHA1	6943b880fbaa4810cfcc82ab883f66d830bca297
SHA256	247c8b900652cb858d3d0d8e72673048c6f570155d376c70af63aa2bdfe3f8fe
SHA512	36612209b58970ea2f7f4cf123673ff6e4df4373b36004c8878d59a90af48ddd2be5103824e4acc7f1b20c2d36358be5c5c3afeb1b8280d006bcd934123734b3
CRC32	368883EC
Ssdeep	6144:IalG5+JIKpWkgEEroEj6va3wzDP7pceIdtCTeW0bFILat9:IalG5/KAkgBrohva3o7ieId4iW0L7
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 23.218.107.34 CNAME a1983.dscd.akamai.net A 23.218.107.43

摘要

登录查看详细行为信息

PE 信息

初始地址	0x10000000
入口地址	0x1004ba89
声明校验值	0x00000000
实际校验值	0x00079a1b
最低操作系统版本要求	4.0
编译时间	2021-04-21 15:47:16
载入哈希	f4debaf2c0e32d83eff3f69137b75f96
导出DLL库名称	Tothliandd.dll

版本信息

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PEiD 规则

[u'Armadillo v1.xx - v2.xx']

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000549f2	0x00055000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.12
.rdata	0x00056000	0x0000255c	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.57
.data	0x00059000	0x0001e13c	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.43
.rsrc	0x00078000	0x000002b4	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.43
.reloc	0x00079000	0x00002740	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.50

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_VERSION	0x00078058	0x0000025c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.13	data

导入

库: KERNEL32.dll:

• 0x10056030 VirtualAlloc

• 0x10056034 VirtualFree

• 0x10056038 LoadLibraryA

• 0x1005603c MultiByteToWideChar

• 0x10056040 WideCharToMultiByte

• 0x10056044 lstrcpynA

• 0x10056048 lstrcatA

• 0x1005604c GetVersion

• 0x10056050 GetVersionExA

• 0x10056054 GetSystemInfo

• 0x10056058 IsWow64Process

• 0x1005605c CreateFileA

• 0x10056060 DeviceIoControl

• 0x10056064 GetProcessHeap

• 0x10056068 HeapAlloc

• 0x1005606c HeapFree

• 0x10056070 GetTempPathA

• 0x10056074 RtlMoveMemory

• 0x10056078 Module32First

• 0x1005607c InitializeCriticalSectionAndSpinCount

• 0x10056080 EnterCriticalSection

• 0x10056084 LeaveCriticalSection

• 0x10056088 TryEnterCriticalSection

• 0x1005608c SetCriticalSectionSpinCount

• 0x10056090 DeleteCriticalSection

• 0x10056094 ExitProcess

• 0x10056098 HeapReAlloc

• 0x1005609c IsBadReadPtr

• 0x100560a0 WriteFile

• 0x100560a4 WaitForSingleObject

• 0x100560a8 CreateProcessA

• 0x100560ac GetStartupInfoA

• 0x100560b0 CloseHandle

• 0x100560b4 GetTickCount

• 0x100560b8 GetUserDefaultLCID

• 0x100560bc FindNextFileA

• 0x100560c0 FindFirstFileA

• 0x100560c4 FindClose

• 0x100560c8 ReadFile

• 0x100560cc GetFileSize

• 0x100560d0 SetFilePointer

• 0x100560d4 GetEnvironmentVariableA

• 0x100560d8 GetCommandLineA

• 0x100560dc GetModuleFileNameA

• 0x100560e0 FreeLibrary

• 0x100560e4 LCMapStringA

• 0x100560e8 FlushFileBuffers

• 0x100560ec SetStdHandle

• 0x100560f0 IsBadCodePtr

• 0x100560f4 SetUnhandledExceptionFilter

• 0x100560f8 GetStringTypeW

• 0x100560fc GetStringTypeA

• 0x10056100 VirtualQueryEx

• 0x10056104 SetWaitableTimer

• 0x10056108 GetCurrentProcess

• 0x1005610c CreateWaitableTimerA

• 0x10056110 lstrcpyn

• 0x10056114 GetProcAddress

• 0x10056118 GetModuleHandleA

• 0x1005611c Process32Next

• 0x10056120 Process32First

• 0x10056124 CreateToolhelp32Snapshot

• 0x10056128 GetDiskFreeSpaceExA

• 0x1005612c GetDriveTypeA

• 0x10056130 CreateEventA

• 0x10056134 GetLocalTime

• 0x10056138 OpenEventA

• 0x1005613c GetOEMCP

• 0x10056140 GetACP

• 0x10056144 GetCPInfo

• 0x10056148 IsBadWritePtr

• 0x1005614c RaiseException

• 0x10056150 LCMapStringW

• 0x10056154 HeapCreate

• 0x10056158 HeapDestroy

• 0x1005615c GetEnvironmentStringsW

• 0x10056160 GetEnvironmentStrings

• 0x10056164 FreeEnvironmentStringsW

• 0x10056168 FreeEnvironmentStringsA

• 0x1005616c GetFileType

• 0x10056170 GetStdHandle

• 0x10056174 SetHandleCount

• 0x10056178 GetLastError

• 0x1005617c TlsGetValue

• 0x10056180 SetLastError

• 0x10056184 TlsFree

• 0x10056188 TlsAlloc

• 0x1005618c TlsSetValue

• 0x10056190 GetCurrentThreadId

• 0x10056194 TerminateProcess

• 0x10056198 RtlUnwind

• 0x1005619c InterlockedIncrement

• 0x100561a0 InterlockedDecrement

• 0x100561a4 InitializeCriticalSection

• 0x100561a8 CreateThread

库: USER32.dll:

• 0x10056208 EnumWindows

• 0x1005620c GetMessageA

• 0x10056210 TranslateMessage

• 0x10056214 DispatchMessageA

• 0x10056218 wsprintfA

• 0x1005621c MessageBoxA

• 0x10056220 GetClassNameA

• 0x10056224 GetWindowTextA

• 0x10056228 MsgWaitForMultipleObjects

• 0x1005622c GetSystemMetrics

• 0x10056230 PeekMessageA

• 0x10056234 GetWindowThreadProcessId

库: ADVAPI32.dll:

• 0x10056000 RegQueryValueExA

• 0x10056004 RegCreateKeyExA

• 0x10056008 RegSetValueExA

• 0x1005600c RegCloseKey

• 0x10056010 CryptGetHashParam

• 0x10056014 CryptDestroyHash

• 0x10056018 CryptHashData

• 0x1005601c CryptReleaseContext

• 0x10056020 CryptCreateHash

• 0x10056024 CryptAcquireContextA

• 0x10056028 RegOpenKeyA

库: ole32.dll:

• 0x10056260 CoInitializeSecurity

• 0x10056264 CoCreateInstance

• 0x10056268 CoSetProxyBlanket

• 0x1005626c CoUninitialize

• 0x10056270 CLSIDFromString

• 0x10056274 IIDFromString

• 0x10056278 CoInitialize

• 0x1005627c OleRun

• 0x10056280 CLSIDFromProgID

• 0x10056284 CoInitializeEx

库: WININET.dll:

• 0x1005623c InternetOpenA

• 0x10056240 InternetConnectA

• 0x10056244 InternetCloseHandle

• 0x10056248 HttpOpenRequestA

• 0x1005624c InternetSetOptionA

• 0x10056250 HttpSendRequestA

• 0x10056254 InternetReadFile

• 0x10056258 HttpQueryInfoA

库: OLEAUT32.dll:

• 0x100561b0 SafeArrayCreate

• 0x100561b4 RegisterTypeLib

• 0x100561b8 LHashValOfNameSys

• 0x100561bc LoadTypeLib

• 0x100561c0 VarR8FromBool

• 0x100561c4 VarR8FromCy

• 0x100561c8 VariantChangeType

• 0x100561cc VariantInit

• 0x100561d0 SafeArrayAllocDescriptor

• 0x100561d4 SafeArrayAllocData

• 0x100561d8 SafeArrayDestroy

• 0x100561dc VariantCopy

• 0x100561e0 VariantClear

• 0x100561e4 SafeArrayGetDim

• 0x100561e8 SafeArrayGetLBound

• 0x100561ec SafeArrayGetUBound

• 0x100561f0 SafeArrayAccessData

• 0x100561f4 SafeArrayUnaccessData

• 0x100561f8 SafeArrayGetElemsize

• 0x100561fc SysAllocString

• 0x10056200 SysFreeString

导出

序列	地址	名称
1	0x1003ca2a	Tothliandd

.text
`.rdata
@.data
.rsrc
.reloc
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end
VMProtect begin
VMProtect end

没有防病毒引擎扫描信息!

进程树

rundll32.exe id: 2540

搜索
rundll32.exe (2540)

rundll32.exe, PID: 2540, 上一级进程 PID: 2184

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.203	49160	23.218.107.34 acroipm.adobe.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.203	64327	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 23.218.107.34 CNAME a1983.dscd.akamai.net A 23.218.107.43

TCP

源地址	源端口	目标地址	目标端口
192.168.122.203	49160	23.218.107.34 acroipm.adobe.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.203	64327	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 15.047 seconds )

10.669 Suricata
2.039 VirusTotal
0.855 NetworkAnalysis
0.726 Static
0.349 peid
0.348 TargetInfo
0.03 BehaviorAnalysis
0.016 Strings
0.012 AnalysisInfo
0.002 Memory
0.001 config_decoder

Signatures ( 1.414 seconds )

1.323 md_url_bl
0.015 antiav_detectreg
0.011 md_domain_bl
0.007 antiav_detectfile
0.005 anomaly_persistence_autorun
0.005 infostealer_ftp
0.004 geodo_banking_trojan
0.004 ransomware_extensions
0.004 ransomware_files
0.003 antianalysis_detectreg
0.003 infostealer_bitcoin
0.003 infostealer_im
0.003 network_http
0.002 tinba_behavior
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.002 infostealer_mail
0.002 network_torgateway
0.001 stealth_decoy_document
0.001 rat_nanocore
0.001 api_spamming
0.001 betabot_behavior
0.001 cerber_behavior
0.001 stealth_timeout
0.001 antivm_parallels_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 network_cnc_http

Reporting ( 0.481 seconds )

0.48 ReportHTMLSummary
0.001 Malheur


Task ID	631869
Mongo ID	6080382d7e769a0f72493b82
Cuckoo release	1.4-Maldun