Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp02-1
Start time: 2022-02-21 18:20:10
End time: 2022-02-21 18:21:01
Duration: 51 seconds

Maldun score

10.0 (dangerous)

File details

File name GTA5线上小助手3.0.2.4.exe (roughly "GTA5 Online Helper 3.0.2.4")
File size 25900100 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
MD5 87da89dbb42efa5ee2ab2c3356ba81de
SHA1 23eaaa611751b2ffe438b849fa002f9f5a91b966
SHA256 4c955ca42ac495ec17254a6510a55e0fa780b177d33be21dae61175ec1258eeb
SHA512 f2a99ee95456d00127e0db84fc413959e20b11dfc659ceb64ded2f1057dcdc832ca43eafb7f06372e3dcc873ebb6043faf1e7fdfb8827fa622fd74e62528ebcb
CRC32 A1F43CD6
Ssdeep 393216:E1FSzQoPpBHxQpmQIF0yh+ZHsU61f04gV:E1FS8OH2pmpuyhbU61f04gV

Hosts contacted

Direct IP Security rating Location
104.118.235.235 United States

Domain resolution

Domain Security rating Response
aka.ms A 104.118.235.235


PE information

Image base 0x140000000
Entry point 0x140013d50
Declared checksum 0x00000000
Minimum OS version 6.0
PDB path D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
Compile time 2022-01-15 04:11:05
Import hash (imphash) 6dbf27f4c70fe2c8ed3e0122ba75d641

Note: the PDB path (corehost\apphost\standalone\apphost.pdb) together with the hostfxr_main_bundle_startupinfo, "Detected Single-File app bundle" and "Bundle Header Offset" strings below identifies this executable as the .NET apphost launcher stub (the strings mention runtime version 6.0.2). The PE sections are the stub; the 25.7 MB overlay is where such a launcher carries the managed application as a single-file bundle, so none of the application's own code is visible in the section or import tables.

Version information

The report lists the fields Translation, LegalCopyright, Assembly Version, InternalName, FileVersion, CompanyName, ProductName, ProductVersion, FileDescription and OriginalFilename without values.

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0001830c 0x00018400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.31
.rdata 0x0001a000 0x00009202 0x00009400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.52
.data 0x00024000 0x000014f8 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.50
.pdata 0x00026000 0x00001404 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.83
_RDATA 0x00028000 0x000000f4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.44
.rsrc 0x00029000 0x0000ea34 0x0000ec00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.55
.reloc 0x00038000 0x00000318 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.68

Overlay

Offset 0x00038318
Size 0x0187b12c

Note: 0x38318 + 0x187b12c = 25900100, the full file size, so the size is file size minus offset. The offset itself equals the .reloc virtual address 0x38000 plus its virtual size 0x318, while the raw data sizes in the section table sum to 0x32a00; the figure is therefore derived from virtual addresses, not from PointerToRawData + SizeOfRawData. Recompute the overlay start from the raw section pointers before carving the bundle out of this file.
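Added example, not part of the Maldun report and not code from the .NET project: a small Python parser that computes the overlay start from the section headers' raw pointers (and, for comparison, the virtual-address-based end that matches the 0x38318 figure above), then locates the marker a .NET apphost carries for single-file bundles, reads the bundle header offset stored in the 8 bytes before it, and decodes the first fields of the bundle manifest (major/minor version, file count, bundle ID). The marker and manifest layout follow dotnet/runtime's apphost bundle_marker and HostModel bundler sources (the 32-byte marker is SHA-256 of ".net core bundle"; strings are written BinaryWriter-style with a 7-bit-encoded length). The PE image fed to it is constructed inline by `build_sample` and is not the analyzed file; its section names, sizes and bundle ID are illustration values, and the constructed header version 6.0 is an assumption.

```python
import hashlib
import struct

# 32-byte marker the .NET apphost embeds; the 8 bytes before it hold the
# bundle header file offset (zero in an apphost that is not a bundle).
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def section_headers(data: bytes):
    """Return (name, virtual_address, virtual_size, raw_pointer, raw_size) per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, va, vsize, raw_ptr, raw_size))
    return out


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay begins: end of the last section's raw data."""
    return max(raw_ptr + raw_size for _, _, _, raw_ptr, raw_size in section_headers(data))


def virtual_end(data: bytes) -> int:
    """Highest VirtualAddress + VirtualSize: an in-memory figure, not a file offset."""
    return max(va + vsize for _, va, vsize, _, _ in section_headers(data))


def bundle_header_offset(data: bytes):
    """Offset of the single-file bundle manifest, or None if this is not a bundle."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return None
    off = struct.unpack_from("<q", data, idx - 8)[0]
    return off if off > 0 else None


def read_bundle_string(data: bytes, pos: int):
    """BinaryWriter-style string: 7-bit encoded length prefix, then UTF-8 bytes."""
    length, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return data[pos:pos + length].decode("utf-8"), pos + length


def parse_bundle_header(data: bytes, off: int) -> dict:
    """First fields of the bundle manifest: versions, embedded file count, bundle ID."""
    major, minor, count = struct.unpack_from("<IIi", data, off)
    bundle_id, _ = read_bundle_string(data, off + 12)
    return {"major": major, "minor": minor, "files": count, "bundle_id": bundle_id}


def build_sample() -> bytes:
    """Constructed minimal PE32+ carrying a fake bundle; not the analyzed file."""
    overlay = 0x600
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # 2 sections, PE32+ header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic

    def sec(name, va, vsize, raw_ptr, raw_size):
        return name.ljust(8, b"\0") + struct.pack("<IIII", vsize, va, raw_size, raw_ptr) + bytes(16)

    # Virtual layout ends at 0x3100 while the raw layout ends at 0x600 (the real overlay start).
    table = sec(b".text", 0x1000, 0x1234, 0x200, 0x200) + sec(b".data", 0x3000, 0x100, 0x400, 0x200)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x40:0x40 + 40] = struct.pack("<q", overlay) + BUNDLE_SIGNATURE  # marker placeholder
    data_sec = bytes(0x200)
    bundle_id = b"constructed-bundle-id"
    manifest = struct.pack("<IIi", 6, 0, 1) + bytes([len(bundle_id)]) + bundle_id
    return headers + bytes(text) + data_sec + manifest + bytes(64)


if __name__ == "__main__":
    image = build_sample()
    print("raw overlay start:", hex(overlay_offset(image)), "virtual end:", hex(virtual_end(image)))
    hdr = bundle_header_offset(image)
    print("bundle header at", hex(hdr), parse_bundle_header(image, hdr))
```

On a real file, read it into `data` and call `bundle_header_offset` first: a non-zero result confirms a bundle and gives the manifest offset directly, which is more reliable than guessing from the overlay boundary; `overlay_offset` is still the figure to use when carving, since the bundle starts there in a standard apphost.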

Imports

Library: KERNEL32.dll:
0x14001a038 FindNextFileW
0x14001a040 GetCurrentProcess
0x14001a048 GetModuleHandleExW
0x14001a050 GetModuleFileNameW
0x14001a058 LeaveCriticalSection
0x14001a068 GetEnvironmentVariableW
0x14001a070 FindClose
0x14001a078 MultiByteToWideChar
0x14001a080 GetLastError
0x14001a088 GetFileAttributesExW
0x14001a090 GetFullPathNameW
0x14001a098 GetProcAddress
0x14001a0a0 DeleteCriticalSection
0x14001a0a8 WideCharToMultiByte
0x14001a0b0 IsWow64Process
0x14001a0b8 LoadLibraryExW
0x14001a0c0 FreeLibrary
0x14001a0c8 TlsFree
0x14001a0d0 TlsSetValue
0x14001a0d8 TlsGetValue
0x14001a0e0 TlsAlloc
0x14001a0e8 EnterCriticalSection
0x14001a0f0 FindFirstFileExW
0x14001a0f8 OutputDebugStringW
0x14001a100 LoadLibraryA
0x14001a108 GetModuleHandleW
0x14001a118 SetLastError
0x14001a120 RaiseException
0x14001a128 RtlPcToFileHeader
0x14001a130 RtlUnwindEx
0x14001a138 InitializeSListHead
0x14001a140 GetSystemTimeAsFileTime
0x14001a148 GetCurrentThreadId
0x14001a150 GetCurrentProcessId
0x14001a158 QueryPerformanceCounter
0x14001a160 IsDebuggerPresent
0x14001a170 TerminateProcess
0x14001a180 UnhandledExceptionFilter
0x14001a188 RtlVirtualUnwind
0x14001a190 RtlLookupFunctionEntry
0x14001a198 RtlCaptureContext
0x14001a1a0 LCMapStringEx
0x14001a1a8 DecodePointer
0x14001a1b0 EncodePointer
0x14001a1c0 GetStringTypeW
Library: USER32.dll:
0x14001a1e0 MessageBoxW
Library: SHELL32.dll:
0x14001a1d0 ShellExecuteW
Library: ADVAPI32.dll:
0x14001a000 RegOpenKeyExW
0x14001a008 RegGetValueW
0x14001a010 DeregisterEventSource
0x14001a018 RegisterEventSourceW
0x14001a020 ReportEventW
0x14001a028 RegCloseKey
Library: api-ms-win-crt-runtime-l1-1-0.dll:
0x14001a2a0 _exit
0x14001a2a8 __p___argc
0x14001a2b0 _initterm_e
0x14001a2b8 _initterm
0x14001a2d8 _configure_wide_argv
0x14001a2e0 _initialize_onexit_table
0x14001a2e8 _set_app_type
0x14001a2f0 __p___wargv
0x14001a2f8 _seh_filter_exe
0x14001a308 _cexit
0x14001a310 terminate
0x14001a318 _errno
0x14001a320 exit
0x14001a328 abort
0x14001a330 _crt_atexit
0x14001a338 _c_exit
Library: api-ms-win-crt-stdio-l1-1-0.dll:
0x14001a350 setvbuf
0x14001a358 fflush
0x14001a360 _wfopen
0x14001a368 __stdio_common_vswprintf
0x14001a370 __stdio_common_vfwprintf
0x14001a378 _set_fmode
0x14001a388 __acrt_iob_func
0x14001a390 fputwc
0x14001a398 fputws
0x14001a3a0 __p__commode
Library: api-ms-win-crt-heap-l1-1-0.dll:
0x14001a208 _set_new_mode
0x14001a210 _callnewh
0x14001a218 free
0x14001a220 malloc
0x14001a228 calloc
Library: api-ms-win-crt-string-l1-1-0.dll:
0x14001a3b0 wcsnlen
0x14001a3b8 strcpy_s
0x14001a3c0 _wcsdup
0x14001a3c8 strcspn
0x14001a3d0 wcsncmp
0x14001a3d8 toupper
Library: api-ms-win-crt-convert-l1-1-0.dll:
0x14001a1f0 _wtoi
0x14001a1f8 wcstoul
Library: api-ms-win-crt-locale-l1-1-0.dll:
0x14001a238 setlocale
0x14001a240 ___lc_locale_name_func
0x14001a248 localeconv
0x14001a250 _unlock_locales
0x14001a258 _lock_locales
0x14001a260 ___mb_cur_max_func
0x14001a268 _configthreadlocale
0x14001a270 __pctype_func
0x14001a278 ___lc_codepage_func
Library: api-ms-win-crt-math-l1-1-0.dll:
0x14001a288 frexp
0x14001a290 __setusermatherr
Library: api-ms-win-crt-time-l1-1-0.dll:
0x14001a3e8 _gmtime64_s
0x14001a3f0 _time64
0x14001a3f8 wcsftime

Strings

.text
`.rdata
@.data
.pdata
@_RDATA
@.rsrc
@.reloc
bad allocation
address family not supported
address in use
address not available
already connected
argument list too long
argument out of domain
bad address
bad file descriptor
bad message
broken pipe
connection aborted
connection already in progress
connection refused
connection reset
cross device link
destination address required
device or resource busy
directory not empty
executable format error
file exists
file too large
filename too long
function not supported
host unreachable
identifier removed
illegal byte sequence
inappropriate io control operation
interrupted
invalid argument
invalid seek
io error
is a directory
message size
network down
network reset
network unreachable
no buffer space
no child process
no link
no lock available
no message available
no message
no protocol option
no space on device
no stream resources
no such device or address
no such device
no such file or directory
no such process
not a directory
not a socket
not a stream
not connected
not enough memory
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
owner dead
permission denied
protocol error
protocol not supported
read only file system
resource deadlock would occur
resource unavailable try again
result out of range
state not recoverable
stream timeout
text file busy
timed out
too many files open in system
too many files open
too many links
too many symbolic link levels
value too large
wrong protocol type
unknown error
0123456789abcdefghijklmnopqrstuvwxyz
0123456789abcdefghijklmnopqrstuvwxyz
bad exception
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`anonymous namespace'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
hostfxr_main_bundle_startupinfo
hostfxr_set_error_writer
hostfxr_main_startupinfo
hostfxr_main
Unknown exception
bad array new length
string too long
iostream
bad cast
bad locale name
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
invalid string position
iostream stream error
vector too long
invalid stoul argument
stoul argument out of range
false
ntdll.dll
RtlGetVersion
74e592c2fa383d4a3960714caef0c4f2
c3ab8ff13720e8ad9047dd39466b3c89
D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
.text$di
.text$mn
.text$mn$00
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.gehcont
.gfids
.rdata
.rdata$T
.rdata$r
.rdata$voltmd
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.tls$
.tls$ZZZ
.xdata
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.data$rs
.pdata
_RDATA
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
hostfxr.dll
The library %s was found, but loading it from %s failed
- Installing .NET prerequisites might help resolve this problem.
https://go.microsoft.com/fwlink/?linkid=798306
%s
.NET Runtime
Application:
Path:
Message:
DOTNET_DISABLE_GUI_ERRORS
- https://aka.ms/dotnet-core-applaunch?
6.0.2
To run this application, you must install .NET Desktop Runtime
The framework '
' was not found.
Bundle header version compatibility check failed.
&apphost_version=
Would you like to download it now?
&gui=true
Showing error dialog for application: '%s' - error code: 0x%x - url: '%s'
Redirecting errors to custom writer.
COREHOST_TRACE
Tracing enabled @ %s
COREHOST_TRACEFILE
COREHOST_TRACE_VERBOSITY
Unable to open COREHOST_TRACEFILE=%s for writing
win10
DOTNET_RUNTIME_ID
Did not find [%s] directory [%s]
0123456789
DOTNET_ROOT_
DOTNET_ROOT(x86)
DOTNET_ROOT
https://aka.ms/dotnet-core-applaunch?
missing_runtime=true
&arch=
&rid=
%c GMT
Failed to load the dll from [%s], HRESULT: 0x%X
pal::load_library
Failed to pin library [%s] in [%s]
Loaded library from %s
Probed for and did not resolve library symbol %S
ProgramFiles(x86)
_DOTNET_TEST_DEFAULT_INSTALL_PATH
ProgramFiles
dotnet
SOFTWARE\dotnet
_DOTNET_TEST_REGISTRY_PATH
HKEY_CURRENT_USER\
\Setup\InstalledVersions\
InstallLocation
HKCU\
HKLM\
_DOTNET_TEST_GLOBALLY_REGISTERED_PATH
Can't open the SDK installed location registry key, result: 0x%X
Can't get the size of the SDK location registry value or it's empty, result: 0x%X
Can't get the value of the SDK location registry value, result: 0x%X
win81
Failed to read environment variable [%s], HRESULT: 0x%X
Error resolving full path [%s]
\\?\UNC\
Reading fx resolver directory=[%s]
Considering fxr version=[%s]...
A fatal error occurred, the folder [%s] does not contain any version-numbered child folders
Detected latest fxr version=[%s]...
Resolved fxr [%s]...
A fatal error occurred, the required library %s could not be found in [%s]
Using environment variable %s=[%s] as runtime location.
Using global installation location [%s] as runtime location.
A fatal error occurred, the default install location cannot be obtained.
or register the runtime location in [
If this is a framework-dependent application, install the runtime in the global location [%s] or use the %s environment variable to specify the runtime location%s.
The .NET runtime can be found at:
- %s&apphost_version=%s
The managed DLL bound to this executable could not be retrieved from the executable image.
This executable is not bound to a managed DLL to execute. The binding value is: '%s'
The managed DLL bound to this executable is: '%s'
_ To run this application, you need to install a newer version of .NET Core.
Failed to resolve full path of the current executable [%s]
A fatal error was encountered. This executable was not bound to load a managed DLL.
Detected Single-File app bundle
The application to execute does not exist: '%s'.
Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo
Host path: [%s]
Dotnet path: [%s]
App path: [%s]
Bundle Header Offset: [%lx]
The required library %s does not support single-file apps.
Invoking fx resolver [%s] hostfxr_main_startupinfo
The required library %s does not support relative app dll paths.
Invoking fx resolver [%s] v1
The required library %s does not contain the expected entry point.
839cdfb0ecca5e0be3dbccd926e7651ef50fdf10
apphost
--- Invoked %s [version: %s, commit hash: %s] main = {
Antivirus scan

No antivirus engine scan information.

Process tree

GTA5_______________3.0.2.4.exe (name as recorded by the sandbox), PID: 2416, parent PID: 2272

Network traffic

Note: the apphost's missing-runtime error path assembles a URL from the strings "https://aka.ms/dotnet-core-applaunch?", "missing_runtime=true" and "&apphost_version=" and, after the "Would you like to download it now?" prompt, opens it through the imported ShellExecuteW. The TLS session to aka.ms below (certificate subject go.microsoft.com) is consistent with that path being taken on the Windows 7 SP1 VM; if so, the managed payload in the overlay did not run and its behavior is not reflected in this report.
TCP

Source address Source port Destination address Destination port
192.168.122.201 49161 104.118.235.235 aka.ms 443
192.168.122.201 49157 184.25.56.131 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 57526 192.168.122.1 53
192.168.122.201 63246 192.168.122.1 53

HTTP requests

URI and request data
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Note: the host acroipm.adobe.com and the User-Agent "IPM" are characteristic of Adobe Reader's in-product messaging update check, a common source of background noise from analysis VMs, and the If-Modified-Since date (2017) predates the sample's compile time. Confirm the originating process before attributing this request to the sample.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2022-02-21 18:20:41.451278+0800 192.168.122.201 49161 104.118.235.235 443 TLS 1.2 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=go.microsoft.com 3c:3e:41:08:22:06:12:df:74:18:c4:a0:e4:23:3c:15:11:42:97:82

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 58.373 seconds; per-module run time in seconds )

  • 30.126 Static
  • 10.636 Suricata
  • 7.843 VirusTotal
  • 5.068 TargetInfo
  • 3.888 NetworkAnalysis
  • 0.534 peid
  • 0.194 BehaviorAnalysis
  • 0.057 config_decoder
  • 0.014 Strings
  • 0.011 AnalysisInfo
  • 0.002 Memory

Signature modules evaluated ( 1.545 seconds; per-module run time in seconds, not a list of matches )

  • 1.331 md_url_bl
  • 0.046 antiav_detectreg
  • 0.017 infostealer_ftp
  • 0.015 stealth_file
  • 0.01 api_spamming
  • 0.01 infostealer_im
  • 0.009 antianalysis_detectreg
  • 0.009 md_domain_bl
  • 0.008 stealth_decoy_document
  • 0.007 stealth_timeout
  • 0.007 antiav_detectfile
  • 0.006 infostealer_mail
  • 0.005 anomaly_persistence_autorun
  • 0.005 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 antivm_generic_scsi
  • 0.003 antivm_vbox_files
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antivm_generic_services
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 disables_browser_warn
  • 0.002 darkcomet_regkeys
  • 0.002 network_torgateway
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 mimics_filetime
  • 0.001 dridex_behavior
  • 0.001 reads_self
  • 0.001 antivm_generic_disk
  • 0.001 anormaly_invoke_kills
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 antidbg_devices
  • 0.001 antisandbox_productid
  • 0.001 antivm_generic_diskreg
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 recon_fingerprint

Reporting ( 0.479 seconds )

  • 0.476 ReportHTMLSummary
  • 0.003 Malheur
Task ID 678092
Mongo ID 621367d5dc327b68c6eba6bc
Cuckoo release 1.4-Maldun