Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2022-07-05 16:52:13  2022-07-05 16:52:43  30 seconds

Maldun score

9.138

Dangerous

File details

File name bdch.dll.1
File size 842240 bytes
File type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 aba2d34fa519be59e271d6bc5bf1ea87
SHA1 25900373741a1788a49e0e07afc30a7f1fef0a11
SHA256 2199e4930cdf5e56bf7d3c8010e823ba47f734eb6b4c46cb120d95d5204c06d0
SHA512 014bfe01f4952f3329deaecbbd81510887b635ecef61ff0a1cfef32a8de6989c6f9d03ef46a1ab3ac9b6ee689f42046cbb0913761d9c84488985223b9047c601
CRC32 202B0630
Ssdeep 24576:M+4RKuZNLM5O1MIomeloT8ICtT+zwYsW:M+qKujLMaMIQtYzwPW

Screenshots

No screenshots available.

Hosts contacted

No host records.

DNS resolution

No domain information.



PE information

Image base 0x180000000
Entry point 0x180002c20
Declared checksum 0x00000000
Actual checksum 0x000d3b46
Minimum OS version required 6.0
Compile time 2022-06-29 16:54:43
Import hash 519ff2fcf50b8feeefc096cd20de8b3c
Exported DLL name bdch.dll

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000123f4 0x00012400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.53
.rdata 0x00014000 0x000b82be 0x000b8400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.89
.data 0x000cd000 0x00002368 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.03
.pdata 0x000d0000 0x00001248 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.73
_RDATA 0x000d2000 0x000000fc 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.99
.rsrc 0x000d3000 0x000001e0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.71
.reloc 0x000d4000 0x00000738 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.19

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_MANIFEST 0x000d3060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 XML 1.0 document text

Imports

Library: KERNEL32.dll:
0x180014000 CloseHandle
0x180014008 GetProcAddress
0x180014010 GetModuleHandleW
0x180014018 WideCharToMultiByte
0x180014020 SetErrorMode
0x180014030 WriteConsoleW
0x180014038 RtlCaptureContext
0x180014040 RtlLookupFunctionEntry
0x180014048 RtlVirtualUnwind
0x180014050 UnhandledExceptionFilter
0x180014060 GetCurrentProcess
0x180014068 TerminateProcess
0x180014078 QueryPerformanceCounter
0x180014080 GetCurrentProcessId
0x180014088 GetCurrentThreadId
0x180014090 GetSystemTimeAsFileTime
0x180014098 InitializeSListHead
0x1800140a0 IsDebuggerPresent
0x1800140a8 GetStartupInfoW
0x1800140b0 EnterCriticalSection
0x1800140b8 LeaveCriticalSection
0x1800140c8 DeleteCriticalSection
0x1800140d0 EncodePointer
0x1800140d8 DecodePointer
0x1800140e0 MultiByteToWideChar
0x1800140e8 GetStringTypeW
0x1800140f0 GetCPInfo
0x1800140f8 RtlUnwindEx
0x180014100 RtlPcToFileHeader
0x180014108 RaiseException
0x180014110 InterlockedFlushSList
0x180014118 GetLastError
0x180014120 SetLastError
0x180014130 TlsAlloc
0x180014138 TlsGetValue
0x180014140 TlsSetValue
0x180014148 TlsFree
0x180014150 FreeLibrary
0x180014158 LoadLibraryExW
0x180014160 ExitProcess
0x180014168 GetModuleHandleExW
0x180014170 GetModuleFileNameW
0x180014178 SetFilePointerEx
0x180014180 GetStdHandle
0x180014188 GetFileType
0x180014190 FlushFileBuffers
0x180014198 WriteFile
0x1800141a0 GetConsoleOutputCP
0x1800141a8 GetConsoleMode
0x1800141b0 HeapFree
0x1800141b8 HeapAlloc
0x1800141c0 LCMapStringW
0x1800141c8 FindClose
0x1800141d0 FindFirstFileExW
0x1800141d8 FindNextFileW
0x1800141e0 IsValidCodePage
0x1800141e8 GetACP
0x1800141f0 GetOEMCP
0x1800141f8 GetCommandLineA
0x180014200 GetCommandLineW
0x180014208 GetEnvironmentStringsW
0x180014210 FreeEnvironmentStringsW
0x180014218 GetProcessHeap
0x180014220 HeapReAlloc
0x180014228 SetStdHandle
0x180014230 HeapSize
0x180014238 CreateFileW

Exports

Ordinal  Address  Name
1 0x1800027e0 BdCreateObject
2 0x180002800 BdDestroyObject
3 0x180002810 EnableCrashHandler
4 0x180002850 MCPV_migrate_update_data
5 0x180002830 SetSettingsFile
6 0x180002820 SignalHandler
No antivirus engine scan information!

Process tree

rundll32.exe, PID: 2612, parent PID: 2248

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49162 23.15.14.8 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 14.222 seconds )

  • 10.345 Suricata
  • 1.305 VirusTotal
  • 0.942 NetworkAnalysis
  • 0.821 Static
  • 0.374 TargetInfo
  • 0.345 peid
  • 0.064 BehaviorAnalysis
  • 0.012 Strings
  • 0.009 AnalysisInfo
  • 0.003 Memory
  • 0.002 config_decoder

Signatures ( 1.373 seconds )

  • 1.283 md_url_bl
  • 0.011 antiav_detectreg
  • 0.009 md_domain_bl
  • 0.005 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_files
  • 0.003 api_spamming
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 network_http
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 stealth_decoy_document
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.001 antiemu_wine_func
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 mimics_filetime
  • 0.001 stealth_file
  • 0.001 betabot_behavior
  • 0.001 antivm_generic_disk
  • 0.001 infostealer_browser_password
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.439 seconds )

  • 0.439 ReportHTMLSummary
Task ID 698047
Mongo ID 62c3fbf57e769a0d6c18e947
Cuckoo release 1.4-Maldun