分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
---|---|---|---|---|
文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2022-08-19 17:20:18 | 2022-08-19 17:22:27 | 129 秒 |
文件名 | 程序多开软件.exe |
---|---|
文件大小 | 993792 字节 |
文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | edbab4ebc71910bb58af2b6b737b079e |
SHA1 | fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf |
SHA256 | a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777 |
SHA512 | 6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc |
CRC32 | 7E97B7B3 |
Ssdeep | 24576:FdOWSTL8BjRV/nEl2Kdp+UIcQ+1XN9xmPiOOkZ:+CSdpX91d9k6X+ |
Yara | 登录查看Yara规则 |
找不到该样本 提交误报 |
直接 | IP | 安全评级 | 地理位置 |
---|---|---|---|
否 | 114.55.41.228 | 未知 | 中国 |
否 | 220.181.33.11 | 中国 |
域名 | 安全评级 | 响应 |
---|---|---|
www.manyopen.com | 未知 |
A 114.55.41.228 A 120.77.81.7 |
hm.baidu.com | 未知 |
CNAME hm.e.shifen.com A 220.181.33.11 |
初始地址 | 0x00400000 |
---|---|
入口地址 | 0x00453ef8 |
声明校验值 | 0x000fbd42 |
实际校验值 | 0x000fbd42 |
最低操作系统版本要求 | 5.0 |
编译时间 | 2020-10-31 12:23:00 |
载入哈希 | 0bc90565770cdefc6f8477803ba7f5f6 |
图标 | |
图标精确哈希值 | 9ba8ad7f5533385738be0d5c1125555f |
图标相似性哈希值 | ec8b82e73a83000e9682d3e99e781e9c |
LegalCopyright | |
---|---|
InternalName | |
FileVersion | |
CompanyName | |
ProductName | |
ProductVersion | |
FileDescription | |
OriginalFilename | |
Translation |
名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0006941b | 0x00069600 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.54 |
.rdata | 0x0006b000 | 0x000166e6 | 0x00016800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.43 |
.data | 0x00082000 | 0x000066d8 | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.31 |
.rsrc | 0x00089000 | 0x0006877c | 0x00068800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.41 |
.reloc | 0x000f2000 | 0x000076ea | 0x00007800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.66 |
名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
---|---|---|---|---|---|---|
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
PNG | 0x000c1794 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 7.33 | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced |
RC_DATA | 0x000d013c | 0x0000fa00 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.66 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
RC_DATA | 0x000d013c | 0x0000fa00 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.66 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
XML | 0x000dff00 | 0x00000af3 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.29 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
XML | 0x000dff00 | 0x00000af3 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.29 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
RT_ICON | 0x000e09f4 | 0x00010828 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.67 | data |
RT_GROUP_ICON | 0x000f121c | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 1.98 | MS Windows icon resource - 1 icon, 128x128 |
RT_VERSION | 0x000f1230 | 0x000002d0 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.63 | data |
RT_MANIFEST | 0x000f1500 | 0x00000279 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.01 | ASCII text, with CRLF line terminators |
直接 | IP | 安全评级 | 地理位置 |
---|---|---|---|
否 | 114.55.41.228 | 未知 | 中国 |
否 | 220.181.33.11 | 中国 |
源地址 | 源端口 | 目标地址 | 目标端口 |
---|---|---|---|
192.168.122.201 | 49160 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49161 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49162 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49163 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49164 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49169 | 220.181.33.11 hm.baidu.com | 443 |
192.168.122.201 | 49170 | 23.222.28.146 | 80 |
源地址 | 源端口 | 目标地址 | 目标端口 |
---|---|---|---|
192.168.122.201 | 56270 | 192.168.122.1 | 53 |
192.168.122.201 | 59401 | 192.168.122.1 | 53 |
192.168.122.201 | 59906 | 192.168.122.1 | 53 |
域名 | 安全评级 | 响应 |
---|---|---|
www.manyopen.com | 未知 |
A 114.55.41.228 A 120.77.81.7 |
hm.baidu.com | 未知 |
CNAME hm.e.shifen.com A 220.181.33.11 |
源地址 | 源端口 | 目标地址 | 目标端口 |
---|---|---|---|
192.168.122.201 | 49160 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49161 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49162 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49163 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49164 | 114.55.41.228 www.manyopen.com | 80 |
192.168.122.201 | 49169 | 220.181.33.11 hm.baidu.com | 443 |
192.168.122.201 | 49170 | 23.222.28.146 | 80 |
源地址 | 源端口 | 目标地址 | 目标端口 |
---|---|---|---|
192.168.122.201 | 56270 | 192.168.122.1 | 53 |
192.168.122.201 | 59401 | 192.168.122.1 | 53 |
192.168.122.201 | 59906 | 192.168.122.1 | 53 |
URI | HTTP数据 |
---|---|
URL专业沙箱检测 -> http://www.manyopen.com/announcement/index.html | GET /announcement/index.html HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.manyopen.com Connection: Keep-Alive |
URL专业沙箱检测 -> http://www.manyopen.com/update/crc32.txt | GET /update/crc32.txt HTTP/1.1 User-Agent: WinInet Host: www.manyopen.com Cache-Control: no-cache |
URL专业沙箱检测 -> http://www.manyopen.com/announcement/css/style.css | GET /announcement/css/style.css HTTP/1.1 Accept: */* Referer: http://www.manyopen.com/announcement/index.html Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.manyopen.com Connection: Keep-Alive |
URL专业沙箱检测 -> http://www.manyopen.com/announcement/js/jquery.min.js | GET /announcement/js/jquery.min.js HTTP/1.1 Accept: */* Referer: http://www.manyopen.com/announcement/index.html Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.manyopen.com Connection: Keep-Alive |
URL专业沙箱检测 -> http://www.manyopen.com/announcement/js/index.js | GET /announcement/js/index.js HTTP/1.1 Accept: */* Referer: http://www.manyopen.com/announcement/index.html Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.manyopen.com Connection: Keep-Alive |
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
无SMTP流量.
无IRC请求.
无ICMP流量.
无 CIF 结果
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Signature | Category |
---|---|---|---|---|---|---|---|---|
2022-08-19 17:20:41.076387+0800 | 192.168.122.201 | 49160 | 114.55.41.228 | 80 | TCP | 2007837 | ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet) | A Network Trojan was detected |
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Version | Issuer | Subject | Fingerprint |
---|---|---|---|---|---|---|---|---|
2022-08-19 17:20:41.637754+0800 | 192.168.122.201 | 49169 | 220.181.33.11 | 443 | TLS 1.2 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com | 48:6a:ed:d1:68:52:e5:97:4f:a0:92:46:b3:3c:56:46:3d:d9:9c:d5 |
No Suricata HTTP
HTML 总结报告 (需15-60分钟同步) |
下载 |
---|
Task ID | 704819 |
---|---|
Mongo ID | 62ff56ab7e769a11a60e4cbb |
Cuckoo release | 1.4-Maldun |