分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2022-07-05 17:11:05 | 2022-07-05 17:13:13 | 128 秒 |
魔盾分数
9.663
危险的
文件详细信息
| 文件名 | 3_191212232906.exe.vir.vir |
|---|---|
| 文件大小 | 535040 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | e0f4ba65bebb6709897acc1a5ff2d21d |
| SHA1 | 04596c28f574b7834b0f77d0108c8e4ff3a4bc43 |
| SHA256 | 1f160cdca1170276e23ed2c44d7e43f321b7f3c3d361b8c092e72b21aae99151 |
| SHA512 | eefc9055da4718525a18d8e9698d7185c1135ef18ae2a02adfcb346efe66d2d4b57f8e4a61341e041742bbd0aa77d8610cf72bc3077eece72d4c54654101101e |
| CRC32 | CE286733 |
| Ssdeep | 12288:tva3M0gltl6BO1F66Bb+IMBiyht4KbNHb8AMwWutU2M7cH:LHaLt4K578Tu |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 是 | 92.118.234.235 | 希腊 |
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0045082f |
| 声明校验值 | 0x000929d8 |
| 实际校验值 | 0x000929d8 |
| 最低操作系统版本要求 | 5.1 |
| 编译时间 | 2019-12-12 00:36:45 |
| 载入哈希 | ab9500d7f22ef0dbe212b36aaa35c8ab |
| 导出DLL库名称 | DKNEW.exe |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0006832f | 0x00068400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.60 |
| .rdata | 0x0006a000 | 0x00011e44 | 0x00012000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.43 |
| .data | 0x0007c000 | 0x0000546c | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.30 |
| .rsrc | 0x00082000 | 0x000002b8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.17 |
| .reloc | 0x00083000 | 0x000058ba | 0x00005a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.01 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x00082058 | 0x0000025f | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.95 | ASCII text, with very long lines, with no line terminators |
导入
库: KERNEL32.dll:
• 0x46a040 CreateProcessA
• 0x46a044 TerminateProcess
• 0x46a048 ExitThread
• 0x46a04c GetStartupInfoA
• 0x46a050 OutputDebugStringA
• 0x46a054 CreateThread
• 0x46a058 TerminateThread
• 0x46a05c SetThreadPriority
• 0x46a060 GetSystemDefaultUILanguage
• 0x46a064 SetUnhandledExceptionFilter
• 0x46a068 GetLastError
• 0x46a06c GetProcAddress
• 0x46a070 LoadLibraryA
• 0x46a074 OpenEventA
• 0x46a078 GetSystemInfo
• 0x46a07c CreateMutexA
• 0x46a080 ReleaseMutex
• 0x46a084 GetVersionExA
• 0x46a088 CreateFileW
• 0x46a08c SetEnvironmentVariableA
• 0x46a090 CompareStringW
• 0x46a094 GetTickCount
• 0x46a098 DeleteCriticalSection
• 0x46a09c EnterCriticalSection
• 0x46a0a0 VirtualAlloc
• 0x46a0a4 GetTimeZoneInformation
• 0x46a0a8 GetProcessHeap
• 0x46a0ac SetEndOfFile
• 0x46a0b0 GetDriveTypeW
• 0x46a0b4 WriteConsoleW
• 0x46a0b8 LoadLibraryW
• 0x46a0bc IsValidLocale
• 0x46a0c0 EnumSystemLocalesA
• 0x46a0c4 GetLocaleInfoA
• 0x46a0c8 LeaveCriticalSection
• 0x46a0cc GetStringTypeW
• 0x46a0d0 FlushFileBuffers
• 0x46a0d4 SetStdHandle
• 0x46a0d8 GetCurrentDirectoryW
• 0x46a0dc CreateFileA
• 0x46a0e0 GetFullPathNameA
• 0x46a0e4 IsValidCodePage
• 0x46a0e8 GetOEMCP
• 0x46a0ec GetACP
• 0x46a0f0 GetConsoleMode
• 0x46a0f4 GetConsoleCP
• 0x46a0f8 QueryPerformanceCounter
• 0x46a0fc InitializeCriticalSectionAndSpinCount
• 0x46a100 SetHandleCount
• 0x46a104 GetEnvironmentStringsW
• 0x46a108 FreeEnvironmentStringsW
• 0x46a10c GetModuleFileNameA
• 0x46a110 ExitProcess
• 0x46a114 HeapSize
• 0x46a118 GetLocaleInfoW
• 0x46a11c GetModuleFileNameW
• 0x46a120 WriteFile
• 0x46a124 GetModuleHandleW
• 0x46a128 TlsFree
• 0x46a12c TlsSetValue
• 0x46a130 TlsGetValue
• 0x46a134 TlsAlloc
• 0x46a138 HeapCreate
• 0x46a13c IsProcessorFeaturePresent
• 0x46a140 IsDebuggerPresent
• 0x46a144 UnhandledExceptionFilter
• 0x46a148 InitializeCriticalSection
• 0x46a14c VirtualFree
• 0x46a150 lstrcpyA
• 0x46a154 CloseHandle
• 0x46a158 CancelIo
• 0x46a15c ResetEvent
• 0x46a160 InterlockedExchange
• 0x46a164 CreateEventA
• 0x46a168 GetCurrentProcess
• 0x46a16c LCMapStringW
• 0x46a170 WaitForSingleObject
• 0x46a174 Sleep
• 0x46a178 SetEvent
• 0x46a17c RtlUnwind
• 0x46a180 RaiseException
• 0x46a184 GetCPInfo
• 0x46a188 GetUserDefaultLCID
• 0x46a18c SetLastError
• 0x46a190 FormatMessageA
• 0x46a194 FreeLibrary
• 0x46a198 SleepEx
• 0x46a19c ReadFile
• 0x46a1a0 PeekNamedPipe
• 0x46a1a4 WaitForMultipleObjects
• 0x46a1a8 GetFileType
• 0x46a1ac GetStdHandle
• 0x46a1b0 ExpandEnvironmentStringsA
• 0x46a1b4 VerifyVersionInfoA
• 0x46a1b8 VerSetConditionMask
• 0x46a1bc GetSystemDirectoryA
• 0x46a1c0 GetModuleHandleA
• 0x46a1c4 MultiByteToWideChar
• 0x46a1c8 WideCharToMultiByte
• 0x46a1cc InterlockedIncrement
• 0x46a1d0 InterlockedDecrement
• 0x46a1d4 EncodePointer
• 0x46a1d8 DecodePointer
• 0x46a1dc HeapFree
• 0x46a1e0 GetSystemTimeAsFileTime
• 0x46a1e4 GetCurrentThreadId
• 0x46a1e8 GetCommandLineA
• 0x46a1ec HeapSetInformation
• 0x46a1f0 GetStartupInfoW
• 0x46a1f4 HeapReAlloc
• 0x46a1f8 HeapAlloc
• 0x46a1fc FindClose
• 0x46a200 FileTimeToSystemTime
• 0x46a204 FileTimeToLocalFileTime
• 0x46a208 GetDriveTypeA
• 0x46a20c FindFirstFileExA
• 0x46a210 GetCurrentProcessId
• 0x46a214 GetFileInformationByHandle
• 0x46a218 SetFilePointer
• 0x46a21c GetFileAttributesA
库: ADVAPI32.dll:
• 0x46a000 CryptDestroyKey
• 0x46a004 CryptImportKey
• 0x46a008 CryptEncrypt
• 0x46a00c CryptCreateHash
• 0x46a010 CryptHashData
• 0x46a014 CryptGetHashParam
• 0x46a018 CryptDestroyHash
• 0x46a01c CryptAcquireContextA
• 0x46a020 CryptGenRandom
• 0x46a024 CryptReleaseContext
• 0x46a028 RegOpenKeyExA
• 0x46a02c RegCloseKey
• 0x46a030 RegQueryValueExA
库: WS2_32.dll:
• 0x46a278 accept
• 0x46a27c listen
• 0x46a280 freeaddrinfo
• 0x46a284 getaddrinfo
• 0x46a288 recvfrom
• 0x46a28c ioctlsocket
• 0x46a290 getpeername
• 0x46a294 getsockopt
• 0x46a298 bind
• 0x46a29c getsockname
• 0x46a2a0 __WSAFDIsSet
• 0x46a2a4 WSASetLastError
• 0x46a2a8 WSAGetLastError
• 0x46a2ac inet_ntoa
• 0x46a2b0 inet_addr
• 0x46a2b4 WSAIoctl
• 0x46a2b8 connect
• 0x46a2bc WSAStartup
• 0x46a2c0 select
• 0x46a2c4 htons
• 0x46a2c8 ntohs
• 0x46a2cc setsockopt
• 0x46a2d0 WSACleanup
• 0x46a2d4 recv
• 0x46a2d8 socket
• 0x46a2dc closesocket
• 0x46a2e0 gethostbyname
• 0x46a2e4 send
• 0x46a2e8 gethostname
• 0x46a2ec htonl
• 0x46a2f0 ntohl
• 0x46a2f4 sendto
库: WLDAP32.dll:
• 0x46a230 None
• 0x46a234 None
• 0x46a238 None
• 0x46a23c None
• 0x46a240 None
• 0x46a244 None
• 0x46a248 None
• 0x46a24c None
• 0x46a250 None
• 0x46a254 None
• 0x46a258 None
• 0x46a25c None
• 0x46a260 None
• 0x46a264 None
• 0x46a268 None
• 0x46a26c None
• 0x46a270 None
库: CRYPT32.dll:
• 0x46a038 CertFreeCertificateContext
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x44f5b0 | LZ4_compress |
| 2 | 0x449600 | LZ4_compressBound |
| 3 | 0x44d6f0 | LZ4_compress_continue |
| 4 | 0x44e9c0 | LZ4_compress_default |
| 5 | 0x44f530 | LZ4_compress_destSize |
| 6 | 0x44e970 | LZ4_compress_fast |
| 7 | 0x449840 | LZ4_compress_fast_continue |
| 8 | 0x44d790 | LZ4_compress_fast_extState |
| 9 | 0x44e9c0 | LZ4_compress_limitedOutput |
| 10 | 0x44d6c0 | LZ4_compress_limitedOutput_continue |
| 11 | 0x44f5f0 | LZ4_compress_limitedOutput_withState |
| 12 | 0x44f620 | LZ4_compress_withState |
| 13 | 0x44f580 | LZ4_create |
| 14 | 0x44f580 | LZ4_createStream |
| 15 | 0x44cd40 | LZ4_createStreamDecode |
| 16 | 0x44cda0 | LZ4_decoderRingBufferSize |
| 17 | 0x44be20 | LZ4_decompress_fast |
| 18 | 0x44d260 | LZ4_decompress_fast_continue |
| 19 | 0x44d680 | LZ4_decompress_fast_usingDict |
| 20 | 0x44d740 | LZ4_decompress_fast_withPrefix64k |
| 21 | 0x44b7f0 | LZ4_decompress_safe |
| 22 | 0x44cdd0 | LZ4_decompress_safe_continue |
| 23 | 0x44bb00 | LZ4_decompress_safe_partial |
| 24 | 0x44d600 | LZ4_decompress_safe_usingDict |
| 25 | 0x44c070 | LZ4_decompress_safe_withPrefix64k |
| 26 | 0x44cd50 | LZ4_freeStream |
| 27 | 0x44cd50 | LZ4_freeStreamDecode |
| 28 | 0x449640 | LZ4_initStream |
| 29 | 0x449720 | LZ4_loadDict |
| 30 | 0x449670 | LZ4_resetStream |
| 31 | 0x44d760 | LZ4_resetStreamState |
| 32 | 0x449690 | LZ4_resetStream_fast |
| 33 | 0x44b7a0 | LZ4_saveDict |
| 34 | 0x44cd70 | LZ4_setStreamDecode |
| 35 | 0x449630 | LZ4_sizeofState |
| 36 | 0x449630 | LZ4_sizeofStreamState |
| 37 | 0x44d780 | LZ4_slideInputBuffer |
| 38 | 0x44d740 | LZ4_uncompress |
| 39 | 0x44d750 | LZ4_uncompress_unknownOutputSize |
| 40 | 0x4495e0 | LZ4_versionNumber |
| 41 | 0x4495f0 | LZ4_versionString |
.text
`.rdata
@.data
.rsrc
@.reloc
Whma@
Ph-2@
PhR3@
PhR3@
Ph21@
PhQ.@
Ph=5@
Ph`q@
VPWPh
T$hRj
w.t&=
wItA=
w)t!=
w/t'=
tFVWj
T$,RSj
Vh|>G
T$4Rj
PQhE,E
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 是 | 92.118.234.235 | 希腊 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49161 | 184.28.235.201 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49161 | 184.28.235.201 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 16.296 seconds )
- 10.395 Suricata
- 2.453 NetworkAnalysis
- 1.04 VirusTotal
- 0.908 Static
- 0.849 BehaviorAnalysis
- 0.331 TargetInfo
- 0.296 peid
- 0.012 Strings
- 0.009 AnalysisInfo
- 0.002 Memory
- 0.001 config_decoder
Signatures ( 1.74 seconds )
- 1.315 md_url_bl
- 0.062 api_spamming
- 0.049 stealth_timeout
- 0.048 stealth_decoy_document
- 0.044 andromeda_behavior
- 0.039 vawtrak_behavior
- 0.033 antivm_vmware_events
- 0.029 betabot_behavior
- 0.028 cryptowall_behavior
- 0.021 Locky_behavior
- 0.011 antiav_detectreg
- 0.008 md_domain_bl
- 0.005 anomaly_persistence_autorun
- 0.005 infostealer_ftp
- 0.004 antiav_detectfile
- 0.004 geodo_banking_trojan
- 0.004 ransomware_files
- 0.003 infostealer_bitcoin
- 0.003 infostealer_im
- 0.003 network_http
- 0.003 ransomware_extensions
- 0.002 tinba_behavior
- 0.002 antianalysis_detectreg
- 0.002 antivm_vbox_files
- 0.002 disables_browser_warn
- 0.002 infostealer_mail
- 0.001 rat_nanocore
- 0.001 cerber_behavior
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 md_bad_drop
- 0.001 network_cnc_http
Reporting ( 0.523 seconds )
- 0.523 ReportHTMLSummary
| Task ID | 698057 |
|---|---|
| Mongo ID | 62c400c97e769a0d6d18ea6b |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号