Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp03-1 2022-09-25 08:34:43 2022-09-25 08:35:53 70 seconds

Maldun score

10.0

Dangerous

File details

File name dndsbf.exe
File size 19571586 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 27fa76cadc44557049f9401cbf585383
SHA1 044d2c42b3e9cff45377f0591dd550c954525103
SHA256 e6de209ee6e66cda502aaf9db16d9e5f287ce2d49887a6e29c5505db3c95af60
SHA512 0d400344e89769b4fcf3d47a352241fd69b596ab612d95a21dff82e397d8b83fca13130ce7cea9311f0ef446b2d281e26a3a439d3a6ee4baaf5fe9046e24a76b
CRC32 53C366B3
Ssdeep 393216:uNZH/f8DPKcLo02reSHhNJPuZdGyvtxLy1pQAqB30xazGvfpsNHjQi:uNh/f8ec8/y4JPuC2txLe2AVgzXHki

Host access records

No host records.

Domain resolution

No domain information.



PE information

Image base 0x00400000
Entry point 0x00409978
Claimed checksum 0x00000000
Actual checksum 0x012b85c1
Minimum OS version required 1.0
Compile time 1992-06-20 06:22:17
Import hash aa770df5b9e208c1ca436e9267f0d390
Icon exact hash 30adcb5c0b2e3c35eaec2c110733c9f8
Icon similarity hash c98f96d6ffe5af8d4eb0870c1dc20826

Version information

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
CODE 0x00001000 0x00009094 0x00009200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.54
DATA 0x0000b000 0x0000024c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.76
BSS 0x0000c000 0x00000e44 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0000d000 0x0000094c 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.43
.tls 0x0000e000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0000f000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x00010000 0x000008a8 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.00
.rsrc 0x00011000 0x00002600 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 4.79

Overlay

Offset 0x0000cc00
Size 0x0129d782

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x00011ccc 0x000008a8 LANG_DUTCH SUBLANG_DUTCH 3.91 data
RT_ICON 0x00011ccc 0x000008a8 LANG_DUTCH SUBLANG_DUTCH 3.91 data
RT_ICON 0x00011ccc 0x000008a8 LANG_DUTCH SUBLANG_DUTCH 3.91 data
RT_ICON 0x00011ccc 0x000008a8 LANG_DUTCH SUBLANG_DUTCH 3.91 data
RT_STRING 0x000129ec 0x000000ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.05 data
RT_STRING 0x000129ec 0x000000ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.05 data
RT_STRING 0x000129ec 0x000000ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.05 data
RT_STRING 0x000129ec 0x000000ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.05 data
RT_STRING 0x000129ec 0x000000ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.05 data
RT_STRING 0x000129ec 0x000000ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.05 data
RT_RCDATA 0x00012a9c 0x0000002c LANG_NEUTRAL SUBLANG_NEUTRAL 4.49 data
RT_GROUP_ICON 0x00012ac8 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 MS Windows icon resource - 4 icons, 16x16, 16 colors
RT_VERSION 0x00012b08 0x00000488 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.80 data
RT_MANIFEST 0x00012f90 0x0000047e LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.94 XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library: kernel32.dll:
0x40d0c4 VirtualFree
0x40d0c8 VirtualAlloc
0x40d0cc LocalFree
0x40d0d0 LocalAlloc
0x40d0d4 WideCharToMultiByte
0x40d0d8 TlsSetValue
0x40d0dc TlsGetValue
0x40d0e0 MultiByteToWideChar
0x40d0e4 GetModuleHandleA
0x40d0e8 GetLastError
0x40d0ec GetCommandLineA
0x40d0f0 WriteFile
0x40d0f4 SetFilePointer
0x40d0f8 SetEndOfFile
0x40d0fc RtlUnwind
0x40d100 ReadFile
0x40d104 RaiseException
0x40d108 GetStdHandle
0x40d10c GetFileSize
0x40d110 GetSystemTime
0x40d114 GetFileType
0x40d118 ExitProcess
0x40d11c CreateFileA
0x40d120 CloseHandle
Library: user32.dll:
0x40d128 MessageBoxA
Library: oleaut32.dll:
0x40d130 VariantChangeTypeEx
0x40d134 VariantCopy
0x40d138 VariantClear
0x40d13c SysStringLen
0x40d140 SysAllocStringLen
Library: advapi32.dll:
0x40d148 RegQueryValueExA
0x40d14c RegOpenKeyExA
0x40d150 RegCloseKey
0x40d154 OpenProcessToken
Library: kernel32.dll:
0x40d160 WriteFile
0x40d164 VirtualQuery
0x40d168 VirtualProtect
0x40d16c VirtualFree
0x40d170 VirtualAlloc
0x40d174 Sleep
0x40d178 SizeofResource
0x40d17c SetLastError
0x40d180 SetFilePointer
0x40d184 SetErrorMode
0x40d188 SetEndOfFile
0x40d18c RemoveDirectoryA
0x40d190 ReadFile
0x40d194 LockResource
0x40d198 LoadResource
0x40d19c LoadLibraryA
0x40d1a0 IsDBCSLeadByte
0x40d1a8 GetVersionExA
0x40d1b0 GetSystemInfo
0x40d1b8 GetProcAddress
0x40d1bc GetModuleHandleA
0x40d1c0 GetModuleFileNameA
0x40d1c4 GetLocaleInfoA
0x40d1c8 GetLastError
0x40d1cc GetFullPathNameA
0x40d1d0 GetFileSize
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1e0 GetCurrentProcess
0x40d1e4 GetCommandLineA
0x40d1e8 GetACP
0x40d1ec InterlockedExchange
0x40d1f0 FormatMessageA
0x40d1f4 FindResourceA
0x40d1f8 DeleteFileA
0x40d1fc CreateProcessA
0x40d200 CreateFileA
0x40d204 CreateDirectoryA
0x40d208 CloseHandle
Library: user32.dll:
0x40d210 TranslateMessage
0x40d214 SetWindowLongA
0x40d218 PeekMessageA
0x40d220 MessageBoxA
0x40d224 LoadStringA
0x40d228 ExitWindowsEx
0x40d22c DispatchMessageA
0x40d230 DestroyWindow
0x40d234 CreateWindowExA
0x40d238 CallWindowProcA
0x40d23c CharPrevA
Library: comctl32.dll:
0x40d244 InitCommonControls
Library: advapi32.dll:

No antivirus engine scan information.

Process tree


dndsbf.exe, PID: 2676, parent PID: 2280
dndsbf.tmp, PID: 2780, parent PID: 2676


TCP

Source address Source port Destination address Destination port
192.168.122.201 49157 23.192.228.78 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 59401 192.168.122.1 53


HTTP requests

URI HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No dropped files.
No similar analyses found.

Processing ( 30.406 seconds )

  • 12.802 Suricata
  • 8.803 Static
  • 4.51 TargetInfo
  • 1.616 VirusTotal
  • 1.257 NetworkAnalysis
  • 0.909 BehaviorAnalysis
  • 0.438 peid
  • 0.041 config_decoder
  • 0.015 Strings
  • 0.013 AnalysisInfo
  • 0.002 Memory

Signatures ( 2.435 seconds )

  • 1.785 md_url_bl
  • 0.044 antiav_detectreg
  • 0.043 api_spamming
  • 0.034 stealth_timeout
  • 0.031 stealth_decoy_document
  • 0.026 antiav_detectfile
  • 0.022 virus
  • 0.022 infostealer_ftp
  • 0.021 bootkit
  • 0.02 mimics_filetime
  • 0.02 reads_self
  • 0.02 ransomware_extensions
  • 0.018 infostealer_bitcoin
  • 0.017 stealth_file
  • 0.015 antivm_generic_disk
  • 0.014 infostealer_im
  • 0.011 antivm_vbox_files
  • 0.011 md_domain_bl
  • 0.011 ransomware_files
  • 0.01 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.01 rat_pcclient
  • 0.009 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.009 anomaly_persistence_autorun
  • 0.009 securityxploded_modules
  • 0.009 antianalysis_detectreg
  • 0.008 maldun_anomaly_massive_file_ops
  • 0.008 sets_autoconfig_url
  • 0.008 infostealer_mail
  • 0.008 network_http
  • 0.007 ransomware_message
  • 0.007 ipc_namedpipe
  • 0.007 antidbg_windows
  • 0.007 hancitor_behavior
  • 0.007 geodo_banking_trojan
  • 0.005 infostealer_browser
  • 0.005 injection_createremotethread
  • 0.004 disables_spdy
  • 0.004 infostealer_browser_password
  • 0.004 disables_wfp
  • 0.004 antidbg_devices
  • 0.003 tinba_behavior
  • 0.003 network_tor
  • 0.003 rat_nanocore
  • 0.003 office_dl_write_exe
  • 0.003 office_write_exe
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.003 antivm_generic_scsi
  • 0.003 injection_runpe
  • 0.003 kovter_behavior
  • 0.003 disables_browser_warn
  • 0.003 network_cnc_http
  • 0.002 antiemu_wine_func
  • 0.002 rat_luminosity
  • 0.002 antivm_generic_services
  • 0.002 kazybot_behavior
  • 0.002 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.002 anormaly_invoke_kills
  • 0.002 cerber_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vmware_files
  • 0.002 antivm_xen_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 codelux_behavior
  • 0.002 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 hawkeye_behavior
  • 0.001 maldun_anomaly_terminated_process
  • 0.001 antivm_vbox_libs
  • 0.001 antiav_avast_libs
  • 0.001 dridex_behavior
  • 0.001 antivm_vbox_window
  • 0.001 injection_explorer
  • 0.001 ursnif_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 ransomware_file_modifications
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 vawtrak_behavior
  • 0.001 antisandbox_script_timer
  • 0.001 sniffer_winpcap
  • 0.001 antianalysis_detectfile
  • 0.001 antisandbox_productid
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vpc_files
  • 0.001 banker_cridex
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 malicous_targeted_flame
  • 0.001 md_bad_drop
  • 0.001 network_tor_service
  • 0.001 office_security
  • 0.001 recon_fingerprint
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_web_history

Reporting ( 0.595 seconds )

  • 0.585 ReportHTMLSummary
  • 0.01 Malheur
Task ID 710651
Mongo ID 632fa2937e769a059de15c93
Cuckoo release 1.4-Maldun