分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2021-06-18 21:24:21 | 2021-06-18 21:25:05 | 44 秒 |
魔盾分数
10.0
危险的
文件详细信息
| 文件名 | 案件卷宗-嫌疑人资料.zip.exe |
|---|---|
| 文件大小 | 1982464 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 1e293a2394f9bede05c964de3533907e |
| SHA1 | 955da645e71f387ac75a9caa9ac1a32444f1fcde |
| SHA256 | c9cc2849dcf1ba35034dac2a72b906934e2eec8cf079665f6201e2f72f5001ff |
| SHA512 | 6047f7eb8aeae6286cbeb895697adfd15e3e264ec4d0e431afe3aae8bae3460268ce54a5eaa1d068e04878d246f2002e16dfaa4409a54bf139811632bd0fbb8b |
| CRC32 | 71C8395E |
| Ssdeep | 49152:NqZE4sCZMyGecugoOf0UrGLTaQprIdrnk+f6ZX4gHWW:Nq+5p72W8UNQpqTf6Z5H3 |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| acroipm.adobe.com |
CNAME acroipm.adobe.com.edgesuite.net A 23.218.94.163 CNAME a1983.dscd.akamai.net A 23.218.94.155 |
|
| guduo.xyz | A 27.124.3.188 |
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0068fbd3 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x001e96fb |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2021-06-17 16:08:48 |
| 载入哈希 | 73ec795c6c369c6ce2c3b4c3f6477daa |
| 图标 |  |
| 图标精确哈希值 | db773d84d5c5b074ef2b632f22fd3ee1 |
| 图标相似性哈希值 | d86aa4513162cb1fe334f170042eaace |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PEiD 规则
| [u'MoleBox V2.3X -> MoleStudio.com'] |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| 0\x00ext | 0x00001000 | 0x0009d9b6 | 0x00054000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 8.00 |
| 1\x00data | 0x0009f000 | 0x0017d1b2 | 0x0015a000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 8.00 |
| 2\x00ata | 0x0021d000 | 0x0005244a | 0x00008000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.91 |
| 3\x00src | 0x00270000 | 0x0001d478 | 0x0001e000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.54 |
| 4\x00ext | 0x0028e000 | 0x00011daf | 0x0000c000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.90 |
| 5\x00data | 0x002a0000 | 0x00000da4 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.09 |
| 6\x00ata | 0x002a1000 | 0x00007198 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.98 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| TEXTINCLUDE | 0x00270c80 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| TEXTINCLUDE | 0x00270c80 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| TEXTINCLUDE | 0x00270c80 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| RT_CURSOR | 0x00271170 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x00271170 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x00271170 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x00271170 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x00272878 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0028ae6c | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.21 | GLS_BINARY_LSB_FIRST |
| RT_MENU | 0x0028b2e0 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.28 | data |
| RT_MENU | 0x0028b2e0 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.28 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x0028c528 | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x0028cf70 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_GROUP_CURSOR | 0x0028cfbc | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_CURSOR | 0x0028cfbc | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_CURSOR | 0x0028cfbc | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_ICON | 0x0028d040 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x0028d040 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x0028d040 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_VERSION | 0x0028d054 | 0x00000254 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.49 | data |
| RT_MANIFEST | 0x0028d2a8 | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库: KERNEL32.dll:
• 0x6a0000 lstrcatA
• 0x6a0004 InitializeCriticalSection
• 0x6a0008 GetProcAddress
• 0x6a000c LocalFree
• 0x6a0010 RaiseException
• 0x6a0014 LocalAlloc
• 0x6a0018 GetModuleHandleA
• 0x6a001c LeaveCriticalSection
• 0x6a0020 EnterCriticalSection
• 0x6a0024 DuplicateHandle
• 0x6a0028 GetShortPathNameA
• 0x6a002c ResumeThread
• 0x6a0030 WriteProcessMemory
• 0x6a0034 GetPrivateProfileSectionA
• 0x6a0038 GetStringTypeA
• 0x6a003c LCMapStringW
• 0x6a0040 LCMapStringA
• 0x6a0044 RtlUnwind
• 0x6a0048 WideCharToMultiByte
• 0x6a004c MultiByteToWideChar
• 0x6a0050 GetStringTypeW
qOzt]4
<+=vc
zfage
-!>49
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49162 | 185.247.228.16 | 17472 |
| 192.168.122.201 | 49160 | 23.218.94.155 acroipm.adobe.com | 80 |
| 192.168.122.201 | 49163 | 27.124.3.188 guduo.xyz | 1236 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| acroipm.adobe.com |
CNAME acroipm.adobe.com.edgesuite.net A 23.218.94.163 CNAME a1983.dscd.akamai.net A 23.218.94.155 |
|
| guduo.xyz | A 27.124.3.188 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49162 | 185.247.228.16 | 17472 |
| 192.168.122.201 | 49160 | 23.218.94.155 acroipm.adobe.com | 80 |
| 192.168.122.201 | 49163 | 27.124.3.188 guduo.xyz | 1236 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 23.508 seconds )
- 10.769 Suricata
- 5.099 NetworkAnalysis
- 4.124 BehaviorAnalysis
- 1.549 Static
- 1.028 VirusTotal
- 0.586 TargetInfo
- 0.323 peid
- 0.012 AnalysisInfo
- 0.011 Strings
- 0.005 config_decoder
- 0.002 Memory
Signatures ( 3.743 seconds )
- 1.379 md_url_bl
- 0.384 antiav_detectreg
- 0.24 api_spamming
- 0.198 stealth_decoy_document
- 0.184 stealth_timeout
- 0.136 infostealer_ftp
- 0.127 antiav_avast_libs
- 0.122 antisandbox_sunbelt_libs
- 0.096 antisandbox_sboxie_libs
- 0.092 antiav_bitdefender_libs
- 0.087 antianalysis_detectreg
- 0.075 infostealer_im
- 0.042 antivm_generic_scsi
- 0.042 infostealer_mail
- 0.022 stealth_file
- 0.021 kibex_behavior
- 0.02 antivm_parallels_keys
- 0.019 antivm_xen_keys
- 0.019 darkcomet_regkeys
- 0.017 geodo_banking_trojan
- 0.016 mimics_filetime
- 0.016 kovter_behavior
- 0.016 recon_fingerprint
- 0.015 antiemu_wine_func
- 0.015 injection_createremotethread
- 0.015 betabot_behavior
- 0.015 antivm_generic_diskreg
- 0.014 antivm_generic_services
- 0.014 reads_self
- 0.014 anormaly_invoke_kills
- 0.013 infostealer_browser_password
- 0.013 md_domain_bl
- 0.012 virus
- 0.011 antivm_generic_disk
- 0.011 antisandbox_productid
- 0.01 bootkit
- 0.01 antiav_detectfile
- 0.009 injection_runpe
- 0.007 anomaly_persistence_autorun
- 0.007 hancitor_behavior
- 0.007 bypass_firewall
- 0.007 antivm_vbox_keys
- 0.007 antivm_vmware_keys
- 0.007 infostealer_bitcoin
- 0.007 maldun_anomaly_invoke_vb_vba
- 0.006 antivm_vbox_libs
- 0.006 antivm_generic_bios
- 0.006 antivm_xen_keys
- 0.006 antivm_hyperv_keys
- 0.006 antivm_vbox_acpi
- 0.006 antivm_vpc_keys
- 0.006 packer_armadillo_regkey
- 0.005 maldun_anomaly_massive_file_ops
- 0.005 antivm_generic_cpu
- 0.005 antivm_generic_system
- 0.005 antivm_vbox_files
- 0.005 recon_programs
- 0.004 exec_crash
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 maldun_malicious_write_executeable_under_temp_to_regrun
- 0.003 maldun_anomaly_write_exe_and_obsfucate_extension
- 0.003 disables_browser_warn
- 0.003 network_http
- 0.002 tinba_behavior
- 0.002 rat_nanocore
- 0.002 infostealer_browser
- 0.002 shifu_behavior
- 0.002 maldun_anomaly_write_exe_and_dll_under_winroot_run
- 0.002 antidbg_windows
- 0.002 antidbg_devices
- 0.002 browser_security
- 0.002 maldun_malicious_drop_executable_file_to_temp_folder
- 0.002 network_torgateway
- 0.001 hawkeye_behavior
- 0.001 maldun_anomaly_terminated_process
- 0.001 network_tor
- 0.001 rat_luminosity
- 0.001 antivm_vmware_libs
- 0.001 injection_explorer
- 0.001 sets_autoconfig_url
- 0.001 ursnif_behavior
- 0.001 ipc_namedpipe
- 0.001 cerber_behavior
- 0.001 antianalysis_detectfile
- 0.001 antiemu_wine_reg
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 modify_proxy
- 0.001 malicous_targeted_flame
- 0.001 md_bad_drop
- 0.001 network_cnc_http
- 0.001 rat_pcclient
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.581 seconds )
- 0.552 ReportHTMLSummary
- 0.029 Malheur
| Task ID | 641024 |
|---|---|
| Mongo ID | 60cc9edb7e769a1c5870e105 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号