恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2022-09-24 18:19:12	2022-09-24 18:21:38	146 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	bj_1000.zip ==> Whale.exe
文件大小	15729331 字节
文件类型	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	dffee0bb4d612852277868953f84009c
SHA1	4f73de9a24a5340f9191239364ffa1c884a77580
SHA256	4643bc8d3d6ec1463a0cca637863fde6dcf732d69e81f85a6f4e8c2f40375931
SHA512	5ced146876ef6de380833baebc48f673541eed289f66a08b7f154bc06bf9921bd823b71faa499bf8011763e7596a0a2176ddc9e8b6ab7992afc57fc9338fab15
CRC32	88A6DF4E
Ssdeep	49152:p8jwOUN4HLpd6mDRqpmWpSrCmlEKSd2mncQ4Qoe:kUN4r6mDspmWpiCmlEK3Q4W
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级
是	119.23.192.24	中国
否	13.89.179.12	美国
否	140.249.240.227	中国
是	172.247.174.250	美国
否	172.247.175.90	美国
是	183.6.248.88	中国
是	27.124.2.241	印度
否	27.124.20.131	印度
否	27.124.46.83	印度
是	47.102.104.230	中国
是	47.102.157.200	中国
否	47.52.254.12	加拿大

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
watson.microsoft.com	未知	CNAME onedsblobprdcus17.centralus.cloudapp.azure.com A 13.89.179.12 CNAME legacywatson.trafficmanager.net
360stat.org	未知	A 27.124.46.83
www.taobao.com	未知	A 140.249.240.227 CNAME www.taobao.com.danuoyi.tbcache.com A 140.249.240.147
wa02.googla.org	未知	A 172.247.175.90
sm02.googls.net	未知	A 27.124.20.131
api.360foov.com	未知	A 47.52.254.12

摘要

登录查看详细行为信息

没有信息显示.

无信息.

vGk$U

没有防病毒引擎扫描信息!

进程树

Whale.exe id: 2900
- Whale.exe id: 2684

cmd.exe, PID: 2796, 上一级进程 PID: 2336

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

Whale.exe, PID: 2900, 上一级进程 PID: 2796

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

Whale.exe, PID: 2684, 上一级进程 PID: 2900

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级
是	119.23.192.24	中国
否	13.89.179.12	美国
否	140.249.240.227	中国
是	172.247.174.250	美国
否	172.247.175.90	美国
是	183.6.248.88	中国
是	27.124.2.241	印度
否	27.124.20.131	印度
否	27.124.46.83	印度
是	47.102.104.230	中国
是	47.102.157.200	中国
否	47.52.254.12	加拿大

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49165	119.23.192.24	80
192.168.122.201	49169	140.249.240.227 www.taobao.com	80
192.168.122.201	49167	172.247.174.250	8080
192.168.122.201	49171	172.247.175.90 wa02.googla.org	443
192.168.122.201	49157	23.192.228.89	80
192.168.122.201	49166	27.124.2.241	8021
192.168.122.201	49172	27.124.20.131 sm02.googls.net	443
192.168.122.201	49168	27.124.46.83 360stat.org	80
192.168.122.201	49163	47.102.104.230	8080
192.168.122.201	49173	47.102.157.200	80
192.168.122.201	49179	47.52.254.12 api.360foov.com	443
192.168.122.201	49180	47.52.254.12 api.360foov.com	443
192.168.122.201	49182	47.52.254.12 api.360foov.com	443
192.168.122.201	49183	47.52.254.12 api.360foov.com	443
192.168.122.201	49184	47.52.254.12 api.360foov.com	443
192.168.122.201	49186	47.52.254.12 api.360foov.com	443
192.168.122.201	49187	47.52.254.12 api.360foov.com	443
192.168.122.201	49188	47.52.254.12 api.360foov.com	443
192.168.122.201	49190	47.52.254.12 api.360foov.com	443
192.168.122.201	49191	47.52.254.12 api.360foov.com	443
192.168.122.201	49192	47.52.254.12 api.360foov.com	443
192.168.122.201	49193	47.52.254.12 api.360foov.com	443
192.168.122.201	49194	47.52.254.12 api.360foov.com	443
192.168.122.201	49195	47.52.254.12 api.360foov.com	443
192.168.122.201	49196	47.52.254.12 api.360foov.com	443
192.168.122.201	49197	47.52.254.12 api.360foov.com	443
192.168.122.201	49198	47.52.254.12 api.360foov.com	443
192.168.122.201	49199	47.52.254.12 api.360foov.com	443
192.168.122.201	49201	47.52.254.12 api.360foov.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	51304	192.168.122.1	53
192.168.122.201	53759	192.168.122.1	53
192.168.122.201	53947	192.168.122.1	53
192.168.122.201	58097	192.168.122.1	53
192.168.122.201	59277	192.168.122.1	53
192.168.122.201	60155	192.168.122.1	53
192.168.122.201	61447	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53
192.168.122.201	63472	192.168.122.1	53
192.168.122.201	63902	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
watson.microsoft.com	未知	CNAME onedsblobprdcus17.centralus.cloudapp.azure.com A 13.89.179.12 CNAME legacywatson.trafficmanager.net
360stat.org	未知	A 27.124.46.83
www.taobao.com	未知	A 140.249.240.227 CNAME www.taobao.com.danuoyi.tbcache.com A 140.249.240.147
wa02.googla.org	未知	A 172.247.175.90
sm02.googls.net	未知	A 27.124.20.131
api.360foov.com	未知	A 47.52.254.12

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49165	119.23.192.24	80
192.168.122.201	49169	140.249.240.227 www.taobao.com	80
192.168.122.201	49167	172.247.174.250	8080
192.168.122.201	49171	172.247.175.90 wa02.googla.org	443
192.168.122.201	49157	23.192.228.89	80
192.168.122.201	49166	27.124.2.241	8021
192.168.122.201	49172	27.124.20.131 sm02.googls.net	443
192.168.122.201	49168	27.124.46.83 360stat.org	80
192.168.122.201	49163	47.102.104.230	8080
192.168.122.201	49173	47.102.157.200	80
192.168.122.201	49179	47.52.254.12 api.360foov.com	443
192.168.122.201	49180	47.52.254.12 api.360foov.com	443
192.168.122.201	49182	47.52.254.12 api.360foov.com	443
192.168.122.201	49183	47.52.254.12 api.360foov.com	443
192.168.122.201	49184	47.52.254.12 api.360foov.com	443
192.168.122.201	49186	47.52.254.12 api.360foov.com	443
192.168.122.201	49187	47.52.254.12 api.360foov.com	443
192.168.122.201	49188	47.52.254.12 api.360foov.com	443
192.168.122.201	49190	47.52.254.12 api.360foov.com	443
192.168.122.201	49191	47.52.254.12 api.360foov.com	443
192.168.122.201	49192	47.52.254.12 api.360foov.com	443
192.168.122.201	49193	47.52.254.12 api.360foov.com	443
192.168.122.201	49194	47.52.254.12 api.360foov.com	443
192.168.122.201	49195	47.52.254.12 api.360foov.com	443
192.168.122.201	49196	47.52.254.12 api.360foov.com	443
192.168.122.201	49197	47.52.254.12 api.360foov.com	443
192.168.122.201	49198	47.52.254.12 api.360foov.com	443
192.168.122.201	49199	47.52.254.12 api.360foov.com	443
192.168.122.201	49201	47.52.254.12 api.360foov.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	51304	192.168.122.1	53
192.168.122.201	53759	192.168.122.1	53
192.168.122.201	53947	192.168.122.1	53
192.168.122.201	58097	192.168.122.1	53
192.168.122.201	59277	192.168.122.1	53
192.168.122.201	60155	192.168.122.1	53
192.168.122.201	61447	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53
192.168.122.201	63472	192.168.122.1	53
192.168.122.201	63902	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://47.102.104.230:8080/assets/scroll.jpg	GET /assets/scroll.jpg HTTP/1.1 Host: 47.102.104.230:8080 Connection: Keep-Alive
URL专业沙箱检测 -> http://119.23.192.24/static/a.jpg	GET /static/a.jpg HTTP/1.1 Host: 119.23.192.24 Connection: Keep-Alive
URL专业沙箱检测 -> http://172.247.174.250:8080/resource/banner_2021_w.jpg	GET /resource/banner_2021_w.jpg HTTP/1.1 Host: 172.247.174.250:8080 Connection: Keep-Alive
URL专业沙箱检测 -> http://27.124.2.241:8021/imgs/fill_2021_w.jpg	GET /imgs/fill_2021_w.jpg HTTP/1.1 Host: 27.124.2.241:8021 Connection: Keep-Alive
URL专业沙箱检测 -> http://360stat.org/static/resources/top.png	GET /static/resources/top.png HTTP/1.1 Host: 360stat.org Connection: Keep-Alive
URL专业沙箱检测 -> http://www.taobao.com/	GET / HTTP/1.1 Host: www.taobao.com Connection: Keep-Alive
URL专业沙箱检测 -> http://47.102.157.200/log/report	GET /log/report HTTP/1.1 Host: 47.102.157.200 Connection: Keep-Alive

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Version	Issuer	Subject	Fingerprint
2022-09-24 18:20:18.177969+0800	192.168.122.201	49183	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:13.166866+0800	192.168.122.201	49182	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:03.459030+0800	192.168.122.201	49194	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:19:50.666444+0800	192.168.122.201	49171	172.247.175.90	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.googla.org	9d:bb:04:57:9a:a7:b7:e3:c1:4b:31:67:4c:9f:04:74:c5:08:53:79
2022-09-24 18:20:03.171190+0800	192.168.122.201	49179	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:13.473173+0800	192.168.122.201	49196	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:19:50.661398+0800	192.168.122.201	49172	27.124.20.131	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.googls.net	3f:c8:90:84:9f:ac:d2:fe:b6:d6:78:e3:99:1f:f1:de:22:04:5c:08
2022-09-24 18:20:53.441839+0800	192.168.122.201	49192	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:58.450307+0800	192.168.122.201	49193	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:48.433612+0800	192.168.122.201	49191	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:28.188326+0800	192.168.122.201	49186	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:08.168258+0800	192.168.122.201	49180	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:38.219166+0800	192.168.122.201	49188	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:08.464527+0800	192.168.122.201	49195	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:34.024977+0800	192.168.122.201	49201	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:23.504342+0800	192.168.122.201	49198	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:23.176259+0800	192.168.122.201	49184	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:43.427696+0800	192.168.122.201	49190	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:20:33.196599+0800	192.168.122.201	49187	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:28.511450+0800	192.168.122.201	49199	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d
2022-09-24 18:21:18.501767+0800	192.168.122.201	49197	47.52.254.12	443	TLS 1.2	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=api.360foov.com	62:26:6b:bc:8b:10:15:ca:b4:05:59:81:b0:cc:40:fe:7f:40:c9:5d

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	Whale.exe
相关文件	C:\Users\test\AppData\Local\Temp\zip-tmp\Whale.exe
文件大小	15729331 字节
文件类型	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	dffee0bb4d612852277868953f84009c
SHA1	4f73de9a24a5340f9191239364ffa1c884a77580
SHA256	4643bc8d3d6ec1463a0cca637863fde6dcf732d69e81f85a6f4e8c2f40375931
CRC32	88A6DF4E
Ssdeep	49152:p8jwOUN4HLpd6mDRqpmWpSrCmlEKSd2mncQ4Qoe:kUN4r6mDspmWpiCmlEK3Q4W
	下载提交魔盾安全分析

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 35.673 seconds )

18.107 NetworkAnalysis
11.036 Suricata
2.519 TargetInfo
2.18 BehaviorAnalysis
1.145 VirusTotal
0.662 Dropped
0.011 Strings
0.01 AnalysisInfo
0.002 Memory
0.001 Static

Signatures ( 46.72 seconds )

44.155 network_http
1.477 md_url_bl
0.129 api_spamming
0.112 antiav_detectreg
0.107 stealth_decoy_document
0.107 stealth_timeout
0.044 infostealer_ftp
0.027 mimics_filetime
0.027 virus
0.026 antivm_generic_disk
0.025 bootkit
0.025 reads_self
0.025 shifu_behavior
0.025 infostealer_im
0.023 antianalysis_detectreg
0.022 stealth_file
0.019 antivm_generic_scsi
0.018 hancitor_behavior
0.018 md_domain_bl
0.017 antiav_detectfile
0.014 antivm_generic_services
0.014 kovter_behavior
0.014 infostealer_mail
0.013 antiemu_wine_func
0.013 infostealer_browser_password
0.012 anormaly_invoke_kills
0.012 infostealer_bitcoin
0.008 geodo_banking_trojan
0.007 injection_createremotethread
0.007 kibex_behavior
0.007 antivm_vbox_files
0.006 maldun_anomaly_massive_file_ops
0.006 betabot_behavior
0.006 anomaly_persistence_autorun
0.006 antivm_xen_keys
0.005 antiav_avast_libs
0.005 antisandbox_sunbelt_libs
0.005 antivm_parallels_keys
0.005 darkcomet_regkeys
0.005 ransomware_files
0.004 antivm_vbox_libs
0.004 injection_runpe
0.004 antivm_generic_diskreg
0.004 ransomware_extensions
0.004 recon_fingerprint
0.003 maldun_malicious_write_executeable_under_temp_to_regrun
0.003 maldun_anomaly_write_exe_and_obsfucate_extension
0.003 sets_autoconfig_url
0.003 stealth_network
0.003 antisandbox_sboxie_libs
0.003 antiav_bitdefender_libs
0.003 exec_crash
0.003 securityxploded_modules
0.003 disables_browser_warn
0.003 network_torgateway
0.002 tinba_behavior
0.002 hawkeye_behavior
0.002 network_tor
0.002 rat_nanocore
0.002 ransomware_message
0.002 Locky_behavior
0.002 ipc_namedpipe
0.002 dyre_behavior
0.002 encrypted_ioc
0.002 bypass_firewall
0.002 antidbg_devices
0.002 antisandbox_productid
0.002 antivm_xen_keys
0.002 antivm_hyperv_keys
0.002 antivm_vbox_keys
0.002 antivm_vmware_keys
0.002 antivm_vpc_keys
0.002 modify_proxy
0.002 maldun_anomaly_invoke_vb_vba
0.002 packer_armadillo_regkey
0.002 rat_pcclient
0.001 disables_spdy
0.001 office_dl_write_exe
0.001 infostealer_browser
0.001 dridex_behavior
0.001 rat_luminosity
0.001 antivm_vmware_libs
0.001 antisandbox_sleep
0.001 injection_explorer
0.001 kelihos_behavior
0.001 kazybot_behavior
0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
0.001 antidbg_windows
0.001 disables_wfp
0.001 cerber_behavior
0.001 antianalysis_detectfile
0.001 antivm_generic_bios
0.001 antivm_generic_cpu
0.001 antivm_generic_system
0.001 antivm_vbox_acpi
0.001 antivm_vmware_files
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 browser_security
0.001 codelux_behavior
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 network_cnc_http
0.001 recon_programs
0.001 stealth_modify_uac_prompt

Reporting ( 0.603 seconds )

0.589 ReportHTMLSummary
0.014 Malheur


Task ID	710624
Mongo ID	632eda92dc327b8d422c8eb4
Cuckoo release	1.4-Maldun