恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2021-06-18 21:00:18	2021-06-18 21:00:38	20 秒

魔盾分数

0.05

正常的

文件详细信息

文件名	ACE-GAME.sys
文件大小	751872 字节
文件类型	PE32+ executable (native) x86-64, for MS Windows
MD5	32c9df5851abb153fdc8e84395503c10
SHA1	b33d1fcfe91286901f5d7d689effcbf7778139d4
SHA256	eead7704abec2b0dacf6c10a191efc9304777a464e3113b5d9a0418cb8bea7d6
SHA512	42dc93128a6ed4a21d5ec05bb729e792c9efae8ecc85d235dff0b963e713cca74f0df49239c50ff06a361b8838c6564a92b642c61edf2e302e9e5719ddf55246
CRC32	55C05935
Ssdeep	12288:mqyVaFXVkhT7q+Bjq0uS3Os/sSk6Fb2QnqPu9zOYvin6/v/fNTeDoNynk5Oz4SUM:mqyVawT7q+BjZuS3OcFb2QnqPu9zOYv+
Yara	登录查看Yara规则
	样本下载提交漏报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x140000000
入口地址	0x14016f000
声明校验值	0x000c746f
实际校验值	0x000c746f
最低操作系统版本要求	10.0
PDB路径	ACE-GAME.pdb
编译时间	2021-05-28 11:00:36
载入哈希	9e07573c0893789df0b3065881056dc9

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
PrivateBuild
LegalTrademarks
Comments
ProductName
SpecialBuild
ProductVersion
FileDescription
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
d61676bb75588a30349cba2c527788c623eb2031	Fri May 28 11:03:01 2021	是	无

证书链	Certificate Chain 1
发行给	DigiCert Assured ID Root CA
发行人	DigiCert Assured ID Root CA
有效期	Mon Nov 10 080000 2031
SHA1 哈希	0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

证书链	Certificate Chain 2
发行给	DigiCert Assured ID Code Signing CA-1
发行人	DigiCert Assured ID Root CA
有效期	Tue Feb 10 200000 2026
SHA1 哈希	409aa4a74a0cda7c0fee6bd0bb8823d16b5f1875

证书链	Certificate Chain 3
发行给	Tencent Technology(Shenzhen) Company Limited
发行人	DigiCert Assured ID Code Signing CA-1
有效期	Fri Feb 23 075959 2024
SHA1 哈希	b550768bc5f6fd1ad4943b10fe4e6edd1a8571e3

证书链	Timestamp Chain 1
发行给	DigiCert Assured ID Root CA
发行人	DigiCert Assured ID Root CA
有效期	Mon Nov 10 080000 2031
SHA1 哈希	0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

证书链	Timestamp Chain 2
发行给	DigiCert SHA2 Assured ID Timestamping CA
发行人	DigiCert Assured ID Root CA
有效期	Tue Jan 07 200000 2031
SHA1 哈希	3ba63a6e4841355772debef9cdcf4d5af353a297

证书链	Timestamp Chain 3
发行给	DigiCert Timestamp 2021
发行人	DigiCert SHA2 Assured ID Timestamping CA
有效期	Mon Jan 06 080000 2031
SHA1 哈希	e1d782a8e191beef6bca1691b5aab494a6249bf3

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000253c5	0x00025400	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.98
.rdata	0x00027000	0x00041a14	0x00041c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	4.85
.data	0x00069000	0x001023a0	0x00000c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.36
.pdata	0x0016c000	0x000019ec	0x00001a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	5.30
.CRT	0x0016e000	0x00000008	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	0.06
INIT	0x0016f000	0x0000115c	0x00001200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.24
.rsrc	0x00171000	0x000003d0	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	3.24
.reloc	0x00172000	0x00000068	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	1.36
.tvm0	0x00173000	0x00046000	0x00046000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.75

覆盖

偏移量	0x000b1400
大小	0x00006500

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_VERSION	0x00171060	0x00000370	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.49	data

导入

库: FLTMGR.SYS:

• 0x140027000 FltGetFileNameInformationUnsafe

• 0x140027008 FltReleaseFileNameInformation

• 0x140027010 FltStartFiltering

• 0x140027018 FltUnregisterFilter

• 0x140027020 FltRegisterFilter

• 0x140027028 FltGetRequestorProcessId

库: HIDPARSE.SYS:

• 0x140027050 HidP_GetCollectionDescription

库: ntoskrnl.exe:

• 0x140027060 KeAcquireGuardedMutex

• 0x140027068 KeReleaseGuardedMutex

• 0x140027070 ObfDereferenceObject

• 0x140027078 KeStackAttachProcess

• 0x140027080 KeUnstackDetachProcess

• 0x140027088 PsLookupProcessByProcessId

• 0x140027090 PsSetLoadImageNotifyRoutine

• 0x140027098 PsRemoveLoadImageNotifyRoutine

• 0x1400270a0 KeSetEvent

• 0x1400270a8 KeWaitForSingleObject

• 0x1400270b0 strncpy

• 0x1400270b8 PsGetCurrentProcessId

• 0x1400270c0 PsGetCurrentThreadId

• 0x1400270c8 PsSetCreateProcessNotifyRoutineEx

• 0x1400270d0 RtlInitUnicodeString

• 0x1400270d8 KeInitializeEvent

• 0x1400270e0 KeClearEvent

• 0x1400270e8 IofCompleteRequest

• 0x1400270f0 IoCreateDevice

• 0x1400270f8 IoCreateNotificationEvent

• 0x140027100 IoCreateSymbolicLink

• 0x140027108 IoDeleteDevice

• 0x140027110 IoDeleteSymbolicLink

• 0x140027118 ZwClose

• 0x140027120 MmGetSystemRoutineAddress

• 0x140027128 MmIsAddressValid

• 0x140027130 wcsncmp

• 0x140027138 wcsncpy

• 0x140027140 ExAllocatePool

• 0x140027148 RtlIntegerToUnicodeString

• 0x140027150 RtlCompareUnicodeString

• 0x140027158 RtlAppendUnicodeToString

• 0x140027160 PsCreateSystemThread

• 0x140027168 PsTerminateSystemThread

• 0x140027170 ObReferenceObjectByHandle

• 0x140027178 SeQuerySessionIdToken

• 0x140027180 PsReferencePrimaryToken

• 0x140027188 PsDereferencePrimaryToken

• 0x140027190 ObQueryNameString

• 0x140027198 PsGetProcessPeb

• 0x1400271a0 __C_specific_handler

• 0x1400271a8 DbgPrint

• 0x1400271b0 ZwWaitForSingleObject

• 0x1400271b8 RtlGetVersion

• 0x1400271c0 KeAcquireSpinLockRaiseToDpc

• 0x1400271c8 KeReleaseSpinLock

• 0x1400271d0 KeIpiGenericCall

• 0x1400271d8 MmGetPhysicalAddress

• 0x1400271e0 MmGetVirtualForPhysical

• 0x1400271e8 KeNumberProcessors

• 0x1400271f0 KeDelayExecutionThread

• 0x1400271f8 KeQueryTimeIncrement

• 0x140027200 wcsrchr

• 0x140027208 RtlCopyUnicodeString

• 0x140027210 RtlAppendUnicodeStringToString

• 0x140027218 ZwUnloadDriver

• 0x140027220 MmBuildMdlForNonPagedPool

• 0x140027228 MmMapLockedPagesSpecifyCache

• 0x140027230 MmUnmapLockedPages

• 0x140027238 IoAllocateMdl

• 0x140027240 IoFreeMdl

• 0x140027248 ZwCreateFile

• 0x140027250 ZwQueryInformationFile

• 0x140027258 ZwReadFile

• 0x140027260 ZwWriteFile

• 0x140027268 ZwCreateSection

• 0x140027270 ZwMapViewOfSection

• 0x140027278 ZwUnmapViewOfSection

• 0x140027280 KeRegisterBugCheckReasonCallback

• 0x140027288 ProbeForWrite

• 0x140027290 KeInitializeGuardedMutex

• 0x140027298 MmProbeAndLockPages

• 0x1400272a0 MmUnlockPages

• 0x1400272a8 MmProtectMdlSystemAddress

• 0x1400272b0 RtlAnsiStringToUnicodeString

• 0x1400272b8 RtlUnicodeStringToAnsiString

• 0x1400272c0 PsGetVersion

• 0x1400272c8 IoGetLowerDeviceObject

• 0x1400272d0 IoDriverObjectType

• 0x1400272d8 _wcsnicmp

• 0x1400272e0 ZwOpenKey

• 0x1400272e8 ZwQueryValueKey

• 0x1400272f0 ZwOpenSymbolicLinkObject

• 0x1400272f8 ZwQuerySymbolicLinkObject

• 0x140027300 RtlUpcaseUnicodeString

• 0x140027308 wcsstr

• 0x140027310 _wcsupr

• 0x140027318 ExAcquireRundownProtection

• 0x140027320 ExReleaseRundownProtection

• 0x140027328 PsInitialSystemProcess

• 0x140027330 _strnicmp

• 0x140027338 strncmp

• 0x140027340 RtlInitAnsiString

• 0x140027348 ExAcquireFastMutex

• 0x140027350 ExReleaseFastMutex

• 0x140027358 RtlInt64ToUnicodeString

• 0x140027360 RtlFreeUnicodeString

• 0x140027368 RtlFreeAnsiString

• 0x140027370 wcsncpy_s

• 0x140027378 ZwSetInformationFile

• 0x140027380 CcCoherencyFlushAndPurgeCache

• 0x140027388 RtlWalkFrameChain

• 0x140027390 KeEnterCriticalRegion

• 0x140027398 KeLeaveCriticalRegion

• 0x1400273a0 ExInitializeResourceLite

• 0x1400273a8 ExAcquireResourceSharedLite

• 0x1400273b0 ExAcquireResourceExclusiveLite

• 0x1400273b8 ExReleaseResourceLite

• 0x1400273c0 ExDeleteResourceLite

• 0x1400273c8 RtlInitializeGenericTableAvl

• 0x1400273d0 RtlInsertElementGenericTableAvl

• 0x1400273d8 RtlDeleteElementGenericTableAvl

• 0x1400273e0 RtlLookupElementGenericTableAvl

• 0x1400273e8 RtlIsGenericTableEmptyAvl

• 0x1400273f0 IoGetCurrentProcess

• 0x1400273f8 KeBugCheckEx

• 0x140027400 ExFreePoolWithTag

• 0x140027408 KeDeregisterBugCheckReasonCallback

• 0x140027410 ExAllocatePoolWithTag

• 0x140027418 ProbeForRead

• 0x140027420 ZwCreateKey

• 0x140027428 ZwDeleteKey

• 0x140027430 ZwEnumerateKey

• 0x140027438 ZwSetValueKey

库: HAL.dll:

• 0x140027038 KeStallExecutionProcessor

• 0x140027040 KeQueryPerformanceCounter

.text
h.rdata
H.data
.pdata
H.CRT
HINIT
b.rsrc
B.reloc
B.tvm0
D$pH% 
HiD$`
HiD$`
HiD$`
HiD$h
t#=cE
tT=98
tM=98
u*HcG<=

没有防病毒引擎扫描信息!

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 16.707 seconds )

10.669 Suricata
4.077 VirusTotal
0.842 Static
0.386 peid
0.372 TargetInfo
0.327 NetworkAnalysis
0.017 AnalysisInfo
0.011 Strings
0.002 BehaviorAnalysis
0.002 Memory
0.002 config_decoder

Signatures ( 0.081 seconds )

0.012 antiav_detectreg
0.01 md_domain_bl
0.009 md_url_bl
0.005 anomaly_persistence_autorun
0.005 antiav_detectfile
0.005 infostealer_ftp
0.004 ransomware_files
0.003 infostealer_bitcoin
0.003 infostealer_im
0.003 ransomware_extensions
0.002 tinba_behavior
0.002 antianalysis_detectreg
0.002 antivm_vbox_files
0.002 geodo_banking_trojan
0.002 disables_browser_warn
0.002 infostealer_mail
0.001 rat_nanocore
0.001 betabot_behavior
0.001 cerber_behavior
0.001 antivm_parallels_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop

Reporting ( 0.471 seconds )

0.465 ReportHTMLSummary
0.006 Malheur


Task ID	641022
Mongo ID	60cc990c7e769a1c5a7130cf
Cuckoo release	1.4-Maldun