恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2022-09-24 21:12:17	2022-09-24 21:13:21	64 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	AdGuard.v7.9.3869.0.exe
文件大小	23108141 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	be9ee649dc21d58df87b33febec6b23b
SHA1	a83adc011440abf04ae04cff2b533c87c59011e2
SHA256	beec91d82354162d13f2c8acceea31bd8edabee91ba3a9d202dcc8ee5f098b99
SHA512	0d5fabc502d3ce47dc6b55588fdf2f476b8da7ede27b8e3f169703c308760b5f3096245ebb2b7bed39ff3b786cbb5a2e0f69eaabd821c90119c07c020ccf28a8
CRC32	8C60FDAC
Ssdeep	393216:h/kwPhXO6WmdOw+GTKmxpnq3KCpIFte3gYdWkYXhVJKhgKoUUBv7ZT3P6tm+xQ:h/h7Fnpn6pN3gYdWnx+hgKTUZ93PT+C
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x0041cec9
声明校验值	0x009f28dc
最低操作系统版本要求	5.1
PDB路径	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
编译时间	2017-08-11 21:54:06
载入哈希	027ea80e8125c6dda271246922d4c3b0

版本信息

LegalCopyright
ProductName
FileDescription
FileVersion
CompanyName
Translation

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0002e200	0x0002e200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.69
.rdata	0x00030000	0x00009a00	0x00009a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.12
.data	0x0003a000	0x0001f400	0x00000c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.24
.gfids	0x0005a000	0x00000200	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.06
.rsrc	0x0005b000	0x00020ee7	0x00021000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.50
.reloc	0x0007c000	0x00002000	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	7.54

覆盖

偏移量	0x0007df58
大小	0x0158bad5

导入

库: KERNEL32.dll:

• 0x430000 GetLastError

• 0x430004 SetLastError

• 0x430008 GetCurrentProcess

• 0x43000c DeviceIoControl

• 0x430010 SetFileTime

• 0x430014 CloseHandle

• 0x430018 CreateDirectoryW

• 0x43001c RemoveDirectoryW

• 0x430020 CreateFileW

• 0x430024 DeleteFileW

• 0x430028 CreateHardLinkW

• 0x43002c GetShortPathNameW

• 0x430030 GetLongPathNameW

• 0x430034 MoveFileW

• 0x430038 GetFileType

• 0x43003c GetStdHandle

• 0x430040 WriteFile

• 0x430044 ReadFile

• 0x430048 FlushFileBuffers

• 0x43004c SetEndOfFile

• 0x430050 SetFilePointer

• 0x430054 SetFileAttributesW

• 0x430058 GetFileAttributesW

• 0x43005c FindClose

• 0x430060 FindFirstFileW

• 0x430064 FindNextFileW

• 0x430068 GetVersionExW

• 0x43006c GetCurrentDirectoryW

• 0x430070 GetFullPathNameW

• 0x430074 FoldStringW

• 0x430078 GetModuleFileNameW

• 0x43007c GetModuleHandleW

• 0x430080 FindResourceW

• 0x430084 FreeLibrary

• 0x430088 GetProcAddress

• 0x43008c GetCurrentProcessId

• 0x430090 ExitProcess

• 0x430094 SetThreadExecutionState

• 0x430098 Sleep

• 0x43009c LoadLibraryW

• 0x4300a0 GetSystemDirectoryW

• 0x4300a4 CompareStringW

• 0x4300a8 AllocConsole

• 0x4300ac FreeConsole

• 0x4300b0 AttachConsole

• 0x4300b4 WriteConsoleW

• 0x4300b8 GetProcessAffinityMask

• 0x4300bc CreateThread

• 0x4300c0 SetThreadPriority

• 0x4300c4 InitializeCriticalSection

• 0x4300c8 EnterCriticalSection

• 0x4300cc LeaveCriticalSection

• 0x4300d0 DeleteCriticalSection

• 0x4300d4 SetEvent

• 0x4300d8 ResetEvent

• 0x4300dc ReleaseSemaphore

• 0x4300e0 WaitForSingleObject

• 0x4300e4 CreateEventW

• 0x4300e8 CreateSemaphoreW

• 0x4300ec GetSystemTime

• 0x4300f0 SystemTimeToTzSpecificLocalTime

• 0x4300f4 TzSpecificLocalTimeToSystemTime

• 0x4300f8 SystemTimeToFileTime

• 0x4300fc FileTimeToLocalFileTime

• 0x430100 LocalFileTimeToFileTime

• 0x430104 FileTimeToSystemTime

• 0x430108 GetCPInfo

• 0x43010c IsDBCSLeadByte

• 0x430110 MultiByteToWideChar

• 0x430114 WideCharToMultiByte

• 0x430118 GlobalAlloc

• 0x43011c GetTickCount

• 0x430120 SetCurrentDirectoryW

• 0x430124 GetExitCodeProcess

• 0x430128 GetLocalTime

• 0x43012c MapViewOfFile

• 0x430130 UnmapViewOfFile

• 0x430134 CreateFileMappingW

• 0x430138 OpenFileMappingW

• 0x43013c GetCommandLineW

• 0x430140 SetEnvironmentVariableW

• 0x430144 ExpandEnvironmentStringsW

• 0x430148 GetTempPathW

• 0x43014c MoveFileExW

• 0x430150 GetLocaleInfoW

• 0x430154 GetTimeFormatW

• 0x430158 GetDateFormatW

• 0x43015c GetNumberFormatW

• 0x430160 RaiseException

• 0x430164 GetSystemInfo

• 0x430168 VirtualProtect

• 0x43016c VirtualQuery

• 0x430170 LoadLibraryExA

• 0x430174 IsProcessorFeaturePresent

• 0x430178 IsDebuggerPresent

• 0x43017c UnhandledExceptionFilter

• 0x430180 SetUnhandledExceptionFilter

• 0x430184 GetStartupInfoW

• 0x430188 QueryPerformanceCounter

• 0x43018c GetCurrentThreadId

• 0x430190 GetSystemTimeAsFileTime

• 0x430194 InitializeSListHead

• 0x430198 TerminateProcess

• 0x43019c RtlUnwind

• 0x4301a0 EncodePointer

• 0x4301a4 InitializeCriticalSectionAndSpinCount

• 0x4301a8 TlsAlloc

• 0x4301ac TlsGetValue

• 0x4301b0 TlsSetValue

• 0x4301b4 TlsFree

• 0x4301b8 LoadLibraryExW

• 0x4301bc QueryPerformanceFrequency

• 0x4301c0 GetModuleHandleExW

• 0x4301c4 GetModuleFileNameA

• 0x4301c8 GetACP

• 0x4301cc HeapFree

• 0x4301d0 HeapAlloc

• 0x4301d4 HeapReAlloc

• 0x4301d8 GetStringTypeW

• 0x4301dc LCMapStringW

• 0x4301e0 FindFirstFileExA

• 0x4301e4 FindNextFileA

• 0x4301e8 IsValidCodePage

• 0x4301ec GetOEMCP

• 0x4301f0 GetCommandLineA

• 0x4301f4 GetEnvironmentStringsW

• 0x4301f8 FreeEnvironmentStringsW

• 0x4301fc GetProcessHeap

• 0x430200 SetStdHandle

• 0x430204 HeapSize

• 0x430208 GetConsoleCP

• 0x43020c GetConsoleMode

• 0x430210 SetFilePointerEx

• 0x430214 DecodePointer

.text
`.rdata
@.data
.gfids
@.rsrc
@.reloc
t1h!0
SUVWj
D$$EUj
t$$WSj
$SUVWj
SUVWh
D$4Pj
D$$Pj

没有防病毒引擎扫描信息!

进程树

AdGuard.v7.9.3869.0.exe id: 2704
- msiexec.exe id: 1600
- cmd.exe id: 2536
- cmd.exe id: 2480

AdGuard.v7.9.3869.0.exe, PID: 2704, 上一级进程 PID: 2336

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

msiexec.exe, PID: 1600, 上一级进程 PID: 2704

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

cmd.exe, PID: 2536, 上一级进程 PID: 2704

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

cmd.exe, PID: 2480, 上一级进程 PID: 2704

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49157	23.192.228.78	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49157	23.192.228.78	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 50.158 seconds )

30.245 Static
11.14 Suricata
4.26 TargetInfo
1.691 BehaviorAnalysis
1.456 VirusTotal
0.944 NetworkAnalysis
0.34 peid
0.059 config_decoder
0.011 Strings
0.01 AnalysisInfo
0.002 Memory

Signatures ( 2.405 seconds )

1.445 md_url_bl
0.084 antiav_detectreg
0.08 api_spamming
0.062 stealth_timeout
0.057 stealth_decoy_document
0.045 mimics_filetime
0.036 infostealer_ftp
0.035 reads_self
0.031 bootkit
0.028 virus
0.027 stealth_file
0.024 ransomware_extensions
0.023 antiav_detectfile
0.022 infostealer_im
0.017 securityxploded_modules
0.017 antianalysis_detectreg
0.017 ransomware_files
0.016 infostealer_bitcoin
0.015 maldun_anomaly_write_exe_and_obsfucate_extension
0.014 sets_autoconfig_url
0.014 antivm_generic_scsi
0.014 antivm_generic_disk
0.013 maldun_malicious_write_executeable_under_temp_to_regrun
0.013 ransomware_message
0.013 ipc_namedpipe
0.012 infostealer_mail
0.011 antivm_generic_services
0.01 anormaly_invoke_kills
0.009 antivm_vbox_files
0.009 md_domain_bl
0.008 disables_spdy
0.008 infostealer_browser
0.008 maldun_anomaly_massive_file_ops
0.008 disables_wfp
0.008 hancitor_behavior
0.007 anomaly_persistence_autorun
0.007 geodo_banking_trojan
0.007 network_http
0.005 office_dl_write_exe
0.005 office_write_exe
0.005 betabot_behavior
0.005 kibex_behavior
0.005 infostealer_browser_password
0.004 kovter_behavior
0.004 antidbg_devices
0.004 antivm_parallels_keys
0.004 antivm_xen_keys
0.004 darkcomet_regkeys
0.004 rat_pcclient
0.004 recon_fingerprint
0.003 antiemu_wine_func
0.003 network_tor
0.003 antivm_vbox_libs
0.003 shifu_behavior
0.003 antidbg_windows
0.003 antivm_generic_diskreg
0.002 tinba_behavior
0.002 hawkeye_behavior
0.002 rat_nanocore
0.002 injection_createremotethread
0.002 maldun_anomaly_write_exe_and_dll_under_winroot_run
0.002 exec_crash
0.002 cerber_behavior
0.002 disables_browser_warn
0.002 packer_armadillo_regkey
0.001 removes_zoneid_ads
0.001 maldun_anomaly_terminated_process
0.001 antiav_avast_libs
0.001 rat_luminosity
0.001 TrickBotTaskDelete
0.001 kazybot_behavior
0.001 antisandbox_sunbelt_libs
0.001 antisandbox_sboxie_libs
0.001 deletes_self
0.001 antiav_bitdefender_libs
0.001 injection_runpe
0.001 bypass_firewall
0.001 sniffer_winpcap
0.001 antianalysis_detectfile
0.001 antisandbox_productid
0.001 antivm_xen_keys
0.001 antivm_hyperv_keys
0.001 antivm_vbox_acpi
0.001 antivm_vbox_keys
0.001 antivm_vmware_files
0.001 antivm_vmware_keys
0.001 antivm_vpc_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 codelux_behavior
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 malicous_targeted_flame
0.001 maldun_anomaly_invoke_vb_vba
0.001 md_bad_drop
0.001 network_cnc_http
0.001 network_tor_service
0.001 office_security
0.001 ransomware_radamant
0.001 rat_spynet
0.001 recon_programs
0.001 stealth_hiddenreg
0.001 stealth_hide_notifications
0.001 stealth_modify_uac_prompt
0.001 stealth_modify_security_center_warnings
0.001 stealth_web_history

Reporting ( 0.578 seconds )

0.541 ReportHTMLSummary
0.037 Malheur


Task ID	710641
Mongo ID	632f02b5dc327b8d442c8d0e
Cuckoo release	1.4-Maldun