恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2023-01-26 20:14:50	2023-01-26 20:16:59	129 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	TX枪林弹雨精灵辅助1.4.exe
文件大小	2739852 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	b2c85d91079bd776d905a56aaabebfa0
SHA1	12fcb5e81feb4d2148f1d7d0108923606851201e
SHA256	894873ffa409b2cdc3916ac24c2bfde56dbdc71020ae7be6e7f374429f519ceb
SHA512	3b4c964e8d3a8c1ee9038f8a061794e2b051e5e05f63ee3285302520850ccd32fc5cab05a6f162dd302627b8d896b5c74ee39a2ed62d79e32cbcdda54ccc8366
CRC32	4BC60ED3
Ssdeep	49152:5hYAT0EPn+jifyHeAH5mQohHpf2siE1JAc/6DI1BVHXCAxlqE/SgFpbRomR+cjnf:Z0EAifOtH5mQoxpf2sZJ36DYV3xXqKpd
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	154.195.83.13	未知

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
www.90se.top	未知	A 154.195.83.13

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x00403861
声明校验值	0x00000000
实际校验值	0x002a28c4
最低操作系统版本要求	4.0
编译时间	1972-12-25 13:33:23
载入哈希	9165ea3e914e03bda3346f13edbd6ccd

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00004dcc	0x00005000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.52
.rdata	0x00006000	0x00000a4a	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.56
.data	0x00007000	0x00001f58	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.86
.data	0x00009000	0x00123000	0x00123000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.93
.rsrc	0x0012c000	0x00002660	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.02

覆盖

偏移量	0x0012f000
大小	0x0016de8c

导入

库: KERNEL32.dll:

• 0x406000 GetProcAddress

• 0x406004 LoadLibraryA

• 0x406008 CloseHandle

• 0x40600c WriteFile

• 0x406010 CreateDirectoryA

• 0x406014 GetTempPathA

• 0x406018 ReadFile

• 0x40601c SetFilePointer

• 0x406020 CreateFileA

• 0x406024 GetModuleFileNameA

• 0x406028 GetStringTypeA

• 0x40602c LCMapStringW

• 0x406030 LCMapStringA

• 0x406034 HeapAlloc

• 0x406038 HeapFree

• 0x40603c GetModuleHandleA

• 0x406040 GetStartupInfoA

• 0x406044 GetCommandLineA

• 0x406048 GetVersion

• 0x40604c ExitProcess

• 0x406050 HeapDestroy

• 0x406054 HeapCreate

• 0x406058 VirtualFree

• 0x40605c VirtualAlloc

• 0x406060 HeapReAlloc

• 0x406064 TerminateProcess

• 0x406068 GetCurrentProcess

• 0x40606c UnhandledExceptionFilter

• 0x406070 FreeEnvironmentStringsA

• 0x406074 FreeEnvironmentStringsW

• 0x406078 WideCharToMultiByte

• 0x40607c GetEnvironmentStrings

• 0x406080 GetEnvironmentStringsW

• 0x406084 SetHandleCount

• 0x406088 GetStdHandle

• 0x40608c GetFileType

• 0x406090 RtlUnwind

• 0x406094 GetCPInfo

• 0x406098 GetACP

• 0x40609c GetOEMCP

• 0x4060a0 MultiByteToWideChar

• 0x4060a4 GetStringTypeW

库: USER32.dll:

• 0x4060ac MessageBoxA

• 0x4060b0 wsprintfA

.text
`.rdata
@.data
.data
.rsrc
u hxb@
YYh p@
DSUVWh
SVWUj
[Sh,f@
"WWSh(f@
^Vh,f@
PVh(f@
runtime error 
Microsoft Visual C++ Runtime Library
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetProcAddress
LoadLibraryA
CloseHandle
WriteFile
CreateDirectoryA
GetTempPathA
ReadFile
SetFilePointer
CreateFileA
GetModuleFileNameA
KERNEL32.dll
MessageBoxA
wsprintfA
USER32.dll
HeapAlloc
HeapFree
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
Error
Failed to read data from the file!
Failed to read file or invalid data in file!
Invalid data in the file!
The interface of kernel library is invalid!
The kernel library is invalid!
GetNewSock
Failed to load kernel library!
Not found the kernel library!
krnln.fne
krnln.fnr
Failed to decompress data!
Insufficient memory!
E_N%X
Can't retrieve the temporary directory!
Can't open file!
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
invalid distance code
invalid literal/length code
1.1.3
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
const
7Y:Y:M
;A5A5
http://www.qdhongyushun.com/kuplay/930/16184/
c:\16.exe
c:\18.exe
c:\15.exe
http://www.90se.top/qldy.txt
c:\112.exe
c:\11.exe
c:\14.exe
c:\13.exe
c:\12.exe
c:\17.exe
ce911d9cd4f98311a6ad63aa7c1ff0bd
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
piTXtXML:com.adobe.xmp
tEXtSoftware
piTXtXML:com.adobe.xmp
a510a091b885c6493fb9bd7f36cd1283
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
piTXtXML:com.adobe.xmp
tEXtSoftware
piTXtXML:com.adobe.xmp
a510a091b885c6493fb9bd7f36cd1283
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
piTXtXML:com.adobe.xmp
tEXtSoftware
piTXtXML:com.adobe.xmp
a510a091b885c6493fb9bd7f36cd1283
tEXtSoftware
qiTXtXML:com.adobe.xmp
tEXtSoftware
qiTXtXML:com.adobe.xmp

没有防病毒引擎扫描信息!

进程树

TX________________________1.4.exe id: 2636

搜索
TX________________________1.4.exe (2636)

TX________________________1.4.exe, PID: 2636, 上一级进程 PID: 2300

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	154.195.83.13	未知

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	154.195.83.13 www.90se.top	80
192.168.122.201	49160	23.62.236.162	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	57526	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
www.90se.top	未知	A 154.195.83.13

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	154.195.83.13 www.90se.top	80
192.168.122.201	49160	23.62.236.162	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	57526	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://www.90se.top/qldy.txt	GET /qldy.txt HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: / Host: www.90se.top Cache-Control: no-cache

URI

HTTP数据

URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://www.90se.top/qldy.txt

GET /qldy.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: www.90se.top
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2023-01-26 20:15:12.355419+0800	192.168.122.201	57526	192.168.122.1	53	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
2023-01-26 20:15:12.577404+0800	192.168.122.201	49161	154.195.83.13	80	TCP	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 31.248 seconds )

11.931 NetworkAnalysis
10.504 Suricata
4.865 Static
2.289 VirusTotal
0.766 TargetInfo
0.447 BehaviorAnalysis
0.329 peid
0.097 Strings
0.012 AnalysisInfo
0.006 config_decoder
0.002 Memory

Signatures ( 43.222 seconds )

41.651 network_http
1.381 md_url_bl
0.025 api_spamming
0.02 stealth_timeout
0.019 stealth_decoy_document
0.016 antiav_detectreg
0.011 injection_createremotethread
0.01 md_domain_bl
0.007 injection_runpe
0.007 infostealer_ftp
0.006 antiav_detectfile
0.005 anomaly_persistence_autorun
0.005 infostealer_im
0.005 ransomware_files
0.004 geodo_banking_trojan
0.004 infostealer_bitcoin
0.004 ransomware_extensions
0.003 antianalysis_detectreg
0.003 antivm_vbox_files
0.003 infostealer_mail
0.002 tinba_behavior
0.002 mimics_filetime
0.002 antidbg_windows
0.002 disables_browser_warn
0.002 network_torgateway
0.001 antiemu_wine_func
0.001 bootkit
0.001 rat_nanocore
0.001 antiav_avast_libs
0.001 stealth_file
0.001 betabot_behavior
0.001 reads_self
0.001 antisandbox_sunbelt_libs
0.001 kibex_behavior
0.001 antivm_generic_disk
0.001 infostealer_browser_password
0.001 cerber_behavior
0.001 virus
0.001 kovter_behavior
0.001 hancitor_behavior
0.001 antivm_parallels_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 network_cnc_http

Reporting ( 0.556 seconds )

0.555 ReportHTMLSummary
0.001 Malheur


Task ID	717068
Mongo ID	63d26f93dc327bb8473260d2
Cuckoo release	1.4-Maldun