Analysis Task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp02-1  2022-07-05 16:59:55  2022-07-05 17:02:11  136 seconds

Maldun Score

10.0

Dangerous

File Details

File name  XiaoXin ToolBox V1.0.3.exe
File size  8377336 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows
MD5  716a8a81305922a720bbf4ec7ff2b32f
SHA1  b4f18b544fac498a459158a9053871b1ae6681eb
SHA256  eca4aeec1175b9f48f0a612a452a2814a3f04345fad45016889f33b9868acdd8
SHA512  08e487d4e387b4dfb9397417e93d32f04994a1a72457079f8e71fa2df8f99fe5c3c9cf6ed6b25d7bc68fdcd9e06606f1c589678200d25bd1d3c133820be5396d
CRC32  39A2515F
Ssdeep  196608:SP1Tid4/4hBhBNsUvf+1Zg3hjX2yY8JXej+BxCGcMJJNA3:dqgsU+1oT287BJs3

Hosts Contacted

Direct IP  Security rating  Geolocation
103.205.252.104  China
180.111.199.93  China
47.96.130.35  China

Domain Resolution

Domain  Security rating  Response
gitclone.com  Unknown  A 47.96.130.35
q1.qlogo.cn  Unknown  CNAME q.qlogo.cn
  A 180.111.199.93
  A 180.111.198.52
  A 180.111.199.110
  A 180.111.198.158
  A 180.111.199.109
  A 180.111.199.184
  A 180.111.199.95
  A 180.111.198.41
  A 180.111.198.106
  A 180.111.198.198

PE Information

Image base  0x00400000
Entry point  0x0129c058
Declared checksum  0x008080bb
Actual checksum  0x008080bb
Minimum OS version required  4.0
Compile time  2022-07-04 01:14:19
Import hash  e59d7c7e8285eee901e619ad01d97421
Export DLL name  \x38\x31\x39\x31\x38\x31\x31\x38\x31\x31\x31\x36\x31\x31\x34\x31\x31\x31

Version Information

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
0x00001000 0x003ca4cd 0x00111fd3 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.99
0x003cc000 0x002754d1 0x001322b8 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.98
0x00642000 0x00128c76 0x000334f3 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.98
0x0076b000 0x002e0bac 0x002e1000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00
.exports 0x00a4c000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.76
.imports 0x00a4d000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.17
.rsrc 0x00a4e000 0x00002000 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.88
.themida 0x00a50000 0x0044c000 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.boot 0x00e9c000 0x0029f000 0x0029e3f8 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.96

Imports

Library: kernel32.dll:
0xe4d2d8 GetModuleHandleA
Library: user32.dll:
0xe4d2e0 TranslateMessage
Library: gdi32.dll:
0xe4d2e8 PtVisible
Library: gdiplus.dll:
Library: ole32.dll:
0xe4d2f8 CLSIDFromProgID
Library: imm32.dll:
Library: shell32.dll:
0xe4d308 ShellExecuteA
Library: shlwapi.dll:
0xe4d310 PathFileExistsA
Library: winmm.dll:
0xe4d318 timeKillEvent
Library: winspool.drv:
0xe4d320 DocumentPropertiesA
Library: advapi32.dll:
0xe4d328 CreateServiceA
Library: comctl32.dll:
0xe4d330 None
Library: WS2_32.dll:
0xe4d338 htons
Library: comdlg32.dll:
0xe4d340 GetSaveFileNameA
Library: OLEAUT32.dll:
0xe4d348 UnRegisterTypeLib

Exports

Ordinal  Address  Name
1 0x729720 e2ee_CacheClear
2 0x729760 e2ee_CacheDecr
3 0x729700 e2ee_CacheDelete
4 0x7296e0 e2ee_CacheExists
5 0x729620 e2ee_CacheGet
6 0x7296a0 e2ee_CacheGetMulti
7 0x7296c0 e2ee_CacheGetMultiText
8 0x729640 e2ee_CacheGetText
9 0x729740 e2ee_CacheIncr
10 0x729660 e2ee_CacheSet
11 0x729780 e2ee_CacheSetExpire
12 0x729680 e2ee_CacheSetText

No antivirus engine scan information!

Process Tree

XiaoXin ToolBox V1.0.3.exe, PID: 2600, parent PID: 2272

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49162 103.205.252.104 9969
192.168.122.201 49163 180.111.199.93 q1.qlogo.cn 80
192.168.122.201 49158 184.28.235.201 80
192.168.122.201 49161 47.96.130.35 gitclone.com 443

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 53118 192.168.122.1 53
192.168.122.201 57526 192.168.122.1 53
192.168.122.201 63246 192.168.122.1 53

HTTP Requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://103.205.252.104:9969/api/xiaoxin/gonggao.html
GET /api/xiaoxin/gonggao.html HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 103.205.252.104:9969

http://q1.qlogo.cn/g?b=qq&nk=&s=640
GET /g?b=qq&nk=&s=640 HTTP/1.1
Accept: */*
Referer: http://q1.qlogo.cn/g?b=qq&nk=&s=640
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: q1.qlogo.cn
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2022-07-05 17:00:27.469092+0800 192.168.122.201 49161 47.96.130.35 443 TLSv1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G1 CN=gitclone.com c7:a5:19:c0:b1:89:b2:90:b5:e3:dc:6c:98:25:44:d6:c7:a2:c6:2c

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No files were dropped.
No similar analyses found.

Processing ( 70.747 seconds )

  • 22.468 BehaviorAnalysis
  • 19.086 Static
  • 13.368 NetworkAnalysis
  • 12.611 Suricata
  • 1.816 TargetInfo
  • 1.022 VirusTotal
  • 0.307 peid
  • 0.036 config_decoder
  • 0.016 Strings
  • 0.015 AnalysisInfo
  • 0.002 Memory

Signatures ( 43.3 seconds )

  • 34.891 network_http
  • 1.668 md_url_bl
  • 1.391 api_spamming
  • 1.12 stealth_timeout
  • 1.097 stealth_decoy_document
  • 0.703 process_interest
  • 0.664 injection_createremotethread
  • 0.46 injection_runpe
  • 0.435 vawtrak_behavior
  • 0.307 process_needed
  • 0.056 antiav_detectreg
  • 0.047 stealth_file
  • 0.044 mimics_filetime
  • 0.039 reads_self
  • 0.036 virus
  • 0.033 antivm_generic_disk
  • 0.03 bootkit
  • 0.029 hancitor_behavior
  • 0.024 infostealer_ftp
  • 0.014 infostealer_im
  • 0.013 md_domain_bl
  • 0.012 antianalysis_detectreg
  • 0.01 antidbg_windows
  • 0.01 antiav_detectfile
  • 0.007 antivm_generic_scsi
  • 0.007 infostealer_bitcoin
  • 0.007 infostealer_mail
  • 0.006 antivm_generic_services
  • 0.006 injection_explorer
  • 0.006 anomaly_persistence_autorun
  • 0.006 geodo_banking_trojan
  • 0.006 ransomware_extensions
  • 0.006 ransomware_files
  • 0.005 antivm_vbox_libs
  • 0.005 anormaly_invoke_kills
  • 0.004 antiemu_wine_func
  • 0.004 infostealer_browser_password
  • 0.004 kovter_behavior
  • 0.004 antivm_vbox_files
  • 0.003 antiav_avast_libs
  • 0.003 maldun_anomaly_massive_file_ops
  • 0.003 betabot_behavior
  • 0.003 antisandbox_sunbelt_libs
  • 0.003 kibex_behavior
  • 0.003 shifu_behavior
  • 0.003 exec_crash
  • 0.003 antivm_parallels_keys
  • 0.003 antivm_xen_keys
  • 0.003 disables_browser_warn
  • 0.003 network_torgateway
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antivm_vbox_window
  • 0.002 antisandbox_sboxie_libs
  • 0.002 antiav_bitdefender_libs
  • 0.002 cerber_behavior
  • 0.002 antisandbox_script_timer
  • 0.002 antivm_generic_diskreg
  • 0.002 browser_security
  • 0.002 darkcomet_regkeys
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.001 network_tor
  • 0.001 packer_themida
  • 0.001 antivm_vmware_libs
  • 0.001 ursnif_behavior
  • 0.001 dyre_behavior
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 codelux_behavior
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.736 seconds )

  • 0.731 ReportHTMLSummary
  • 0.005 Malheur
Task ID 698052
Mongo ID 62c3feb3dc327b14ec5afd05
Cuckoo release 1.4-Maldun