分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2023-01-27 10:24:10 | 2023-01-27 10:26:26 | 136 秒 |
魔盾分数
1.75
正常的
文件详细信息
| 文件名 | EMP.dll |
|---|---|
| 文件大小 | 2295592 字节 |
| 文件类型 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| MD5 | eae8841b013df0ac6cd916e042bb26a3 |
| SHA1 | f051a47b2ccb6b9e721e62e7028856cbe97dcea3 |
| SHA256 | 327c7bc7d0430ded2ccdc434ccd524ee9e51f60565939a412b1d5124fa91e383 |
| SHA512 | b99947ad13ea237b764fcb40438d21e9201295f448c36735b457fea08f884d406e842a07786a28b84862167073760a0d1bcc0be0bea79bbca30671e8a0728d01 |
| CRC32 | 356BFBBF |
| Ssdeep | 49152:Kk0/luC5/+HBQIBV331oXeRMq0Cl2piXtF1k:Elu+Av6OoidF1k |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x13000000 |
|---|---|
| 入口地址 | 0x13001334 |
| 声明校验值 | 0x0023c895 |
| 实际校验值 | 0x0023c895 |
| 最低操作系统版本要求 | 6.0 |
| 编译时间 | 2020-07-18 21:47:30 |
| 载入哈希 | fc7124d57387852c0a6a634e9130bf57 |
| 导出DLL库名称 | PDX_Denuvo.dll |
微软证书验证 (Sign Tool)
| SHA1 | 时间戳 | 有效性 | 错误 |
|---|---|---|---|
| c85ab5164eb48aeec89f12493e404def28557df5 | None | WinVerifyTrust returned error 0x800B0101 |
| 证书链 | Certificate Chain 1 |
| 发行给 | VeriSign Class 3 Public Primary Certification Authority - G5 |
| 发行人 | VeriSign Class 3 Public Primary Certification Authority - G5 |
| 有效期 | Thu Jul 17 075959 2036 |
| SHA1 哈希 | 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5 |
| 证书链 | Certificate Chain 2 |
| 发行给 | VeriSign Class 3 Code Signing 2010 CA |
| 发行人 | VeriSign Class 3 Public Primary Certification Authority - G5 |
| 有效期 | Sat Feb 08 075959 2020 |
| SHA1 哈希 | 495847a93187cfb8c71f840cb7b41497ad95c64f |
| 证书链 | Certificate Chain 3 |
| 发行给 | Shenzhen Luyoudashi Technology Co., Ltd. |
| 发行人 | VeriSign Class 3 Code Signing 2010 CA |
| 有效期 | Thu May 07 075959 2015 |
| SHA1 哈希 | d715230b535c8937b469632ec6158761fd18ad21 |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00001000 | 0x00000e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.41 |
| .rdata | 0x00002000 | 0x00001000 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.60 |
| .data | 0x00003000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.45 |
| .pdata | 0x00004000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.14 |
| .EMP0 | 0x00005000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.55 |
| .data2 | 0x00006000 | 0x00017000 | 0x00017000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.88 |
| .EMP | 0x0001d000 | 0x00033000 | 0x00033000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.55 |
| .data3 | 0x00050000 | 0x00099000 | 0x00099000 | IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.18 |
| .EMP1 | 0x000e9000 | 0x00149b68 | 0x00149c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.20 |
| .reloc | 0x00233000 | 0x000000b4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 1.65 |
| .rsrc | 0x00234000 | 0x000000e9 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.53 |
覆盖
| 偏移量 | 0x0022f400 |
| 大小 | 0x00001328 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x00234058 | 0x00000091 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.89 | XML 1.0 document text |
导入
库: KERNEL32.dll:
• 0x13002000 IsDebuggerPresent
• 0x13002008 GetCurrentProcessId
• 0x13002010 GetCurrentThreadId
• 0x13002018 GetSystemTimeAsFileTime
• 0x13002020 InitializeSListHead
• 0x13002028 IsProcessorFeaturePresent
• 0x13002030 LoadLibraryA
• 0x13002038 UnhandledExceptionFilter
• 0x13002040 GetProcAddress
• 0x13002048 RtlVirtualUnwind
• 0x13002050 RtlLookupFunctionEntry
• 0x13002058 RtlCaptureContext
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x13001010 | EMP |
.text
`.rdata
@.data
.pdata
@.EMP0
@.data2
.data3
.EMP1
h.reloc
@.rsrc
PDX_Denuvo.dll
__C_specific_handler
__std_type_info_destroy_list
memset
VCRUNTIME140.dll
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_execute_onexit_table
_cexit
api-ms-win-crt-runtime-l1-1-0.dll
GetProcAddress
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
LoadLibraryA
IsProcessorFeaturePresent
KERNEL32.dll
kernel32.dll
GetModuleHandleA
VirtualProtect
AddVectoredExceptionHandler
VirtualAlloc
CreateThread
ResumeThread
OpenThread
SetThreadContext
GetThreadContext
CloseHandle
CreateFileA
ReadFile
WriteFile
Sleep
ExitProcess
GetModuleFileNameW
CreateFileW
GetFileSize
ReadFile
shlwapi.dll
PathFileExistsW
shell32.dll
SHGetFolderPathA
kernel32.dll
CreateDirectoryA
user32.dll
MessageBoxA
meoutA
msvcrt.dll
_itoa
_itoa
kernel32.dll
CreateProcessA
GetModuleFileNameA
AllocConsole
athFil
SetConsoleTitleA
CreateConsoleScreenBuffer
WriteConsoleA
SetConsoleMode
GetStdHandle
DeleteFileA
FreeConsole
ntdll.dll
ZwReadFile
eadEx
kernel32.dll
GetWindowsDirectoryW
GetVolumeInformationW
GetComputerNameW
VirtualFree
ntdll.dll
NtTerminateProcess
Freeze
kernel32.dll
wine_get_unix_file_name
ntdll.dll
RtlImageNtHeaderEx
steam_api64.dll
Is9NT
IsUplay
IsImptBL
ReadFile
CreateFileW
GetFileSize
IsRunning
LastSC
english
kernelbase.dll
CreateThread
ReadFile
WriteFile
CloseHandle
Steam
kernel32.dll
ntdll.dll
kernelbase.dll
SGVer
CalcK
Minor
XYZ[\]^_
(+)*,m./
03124u67
8;9:<}>?
#!"e$&'
(+)*m,./
0312u467
8;9:}<>?
shell32.dll
SHGetFolderPathA
table
overlap
@CABEDFG
XYZ[\]^_
HIJKLMNO
PQRSTUVW
hijklmno
pqrstuvw
@CABEDFG
HIJKLMNO
PQRSTUVW
XYZ[\]^_
`abcdefg
hijklmno
pqrstuvw
CADRLkKecxxd_VwdxgKh4sYCoeJm7TbdRVU8dzlDNZ8T6Ykc9xHog7A13-44b4DTshUA1iPFhEmYfx3ImwHplUDEz6LmiWrUN_D7cGmmEyYa_nznptzrDKb8CFAhjErO7Qaz7x2B1uptGZ3dKXnlr4u2t0a-mVp-et5uKBDk_AF5auEnzq3VzmdXCo_u8WO5pY24mFZy5cOICT7nNuiOjWOokS0WAaKvthevNcNtaxjrfiitJGKXFjoUqHudoCqKPjJKcRkbFOE8s2dg03l3Bf-J7eCw3KH1NCYdNfTYi3Cnqu49tW-YHjSxBKKV9SKtucBUfhD5nxIQ-OCeybedeHEAgM0LDOEiup2V6NHoFlEpMxsDeD-oKrAt24x5aG4Gw2RVKegwlqV4q7yA_c_V8daiUZRemowRDoa_Kw3B1-3vLnAUhegN3ZI2RZS5sASuYwAZAebh-vsaW8I9Xtf6NYUM9qqETvAFW7YD9V8lPgRHYHx4Gf_9xb5-ffffL7gNUCTB79CVdNiVvrX1ekseHRZRwEO5rsXy8bn7iglnhbT2KFYoJzn-tXc6Vfcc6-HJ6XU_x6eCdpAQBvRj1QFzHvNvwpAfXtoH435g44rlLxA8JCtY65Q2xVU_6GdqxXwAki8QcAKB5dBjaw5sILcX0bFUoca6Ul1Acqk5nskQv_yIerMH45EoeYoXfaPEEJwZ-FRYjxj0uUFHUSdDz_VzV0NCx4QU_k6OPIwRXGAc-UHsFaM3uSY_SYrciY5_Yl7Ed490Dtp4PNy-_F0AKgJcOUTKryqqcanfYkdADGKUh3IYb0PG5pcvTC8FlPI3W7n144EbOMdeisj3AKJxkMCbUr94UFQ1N7ZImCdD0pI0PGdNHEnTuHDC22eo9vjlk4GHNFjlla6ssKbUGq1g_fbO6-6jP3DB15bSn9RIQeEuACT5svXKD1jMKpIrcV_0vqwglHm7fvzcHCRxwRbGXKQBiT24MRBeZFDnNpi6GuoghxljDIUoMRaPwBDgwPt6qSOfWHL-n01l5yvpcesY4w0Bo4tksyBzDfIcOBshKNGf3DEKobR8tQRbDNLl848CrRm-DScYu_toAHB6bKMPV-aPkjimC1sz9zb9XgvWYLaEGVEDyYnIW2wSOHenga8uUAa7X3_qkg0KDYosNK8UESC3kR-bCUdJAyAiMVg6K0RR3UCPifXUP3pd0VVP6aPRA0lYL2-YV4jWRUDZ_66LE8hDweTnhu6ELU6pKcV2gJ_UCf6DGMF-8hhYwRBmu9o837uac50GzLJW0TBjVg5B6jM-bkxe7GcG8MmaCK99eDR4LpjzGo29rT1DYN5bE7Vz0DJ6JU02go1sGcmPzMtGzkts33Vl-4v8oyYZP8A9rILQQJQbhWd8SBSYd4Eugp_tLKCOlHAfmXiHS2rB6fYPIH5lxkvVxqCm7VzqH9w2h3bkHVtBou8D4xYZI8zO7rmG7_1tz_Un4ZCepYG55WGEvSJyLjKcqbI87YfhbjaxikOhZEcpaXCcnr8nu3hb7935Af4uOe-pMH5efcpoHhIPHjR2MJz9VA8e7BfGNT41kWL8pViq75EeYJbj6thVnOquVvoMFHgEs9eVe9VruEMxXhg9pOTlWuTnYwuIzZMxpKVrMkVuomcEztQb28_Wk1Mre4meLWCdjyjNHLdWcPs9HkV2BLo2cBuRAGyV1r5_lIawSCsBsFc7AGXy9N2F6HBLuoMUD3uSKBkUgkrB0ZzGLAHvmqLK1BsdUcF52yFmgoMY4-q4dwilrKgvMzSKFdhuiT2R6eu0q4xJWv2oPxz2L7df5w-KerGjeyfs18Ws-OBMnLpiXrrICsDpGhdOPrZ1YRtA2K2pi82m4l_8v-dr5OXyJSZvq7BhZGf2MGQVw7E_DFQDNPblTd7pIdnqiGT5DrBEQ_or9A8N3yOk4bBA3sl8BlzMyqg1PZIEIZ-WyLcHhxSr0_DvpDkXftT_4gh6qbV4x6wwWOkaSG5HZ50BKjH-6fusCzeSxshlJqGSHj7V5wbd83-mESzbKFWZxvsDzGbR1ingSslKWngMs1PEfOVWR-F3xKg7-vNKAn-TTFpHwM6vZJm3sO4eqPFSgIlf6aJyqdeJ8M7xBWTqkJIf6DccJPKohcjMYCoSfgNzsWk0foWWmRGqH01HT7duM7ByNKoumDRMVLmV9l35QG25Akfzmsl9XgM58V9msjzY9FukibDJ3RdEaJKyCLu-O2YtmWaLWgoh5BsftfURPMZ9CpsiQUQAO2l-4dyc1Pze9rvS_XdW2B6YFMNpL2tBSz1l9ozxN0TmkpYuIVw-UT0Bhr9Hd4aF-vGOnhD5epGj12fOumG94UqIfCICJJcwj22KaGUhSks9wN19Xgk53PIJ4a198Kkr6r-MBVFvkEycXShMsH8UyCoqvOtk0ftUkI1pelwM_oKD4iAomwxHOb9OjO2W6W09b8m-7I_xmaDIjRbs05UIw9pbiMbcF39A69KX4VAW2BuS9Z804uH96orb7chzRgv9uUo3lkONrfHusrMHbWQnNadaTE9sXRWxbsPFgpVRaEq-GibFPBxUVQaXW3rXwwRme5h6n137a1ejMS6FaqkrmgOS1zrIycz0HEI_H57rVrP6ZsMv1PW74Ga5lNpv3njaIebdFjAGYVmnL7aIrya0JnqZo5z-truraYRobWGlQqxnD7ySL9XI9FHCPUsQR9-tU3NQhkiqfC4HIODo8dodvRvXSHQ8wSCQkI0DCPRXZ4sOxCBIlOwF4KNGjj0keeippkHFlWNUFtlCWgoRW76R5aK7rg==
ntredir
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 96.16.55.43 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 96.16.55.43 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 20.184 seconds )
- 11.972 Suricata
- 3.778 VirusTotal
- 1.75 NetworkAnalysis
- 1.515 Static
- 0.607 TargetInfo
- 0.326 peid
- 0.206 BehaviorAnalysis
- 0.013 AnalysisInfo
- 0.01 Strings
- 0.005 config_decoder
- 0.002 Memory
Signatures ( 1.533 seconds )
- 1.343 md_url_bl
- 0.02 antiav_detectfile
- 0.016 antiav_detectreg
- 0.014 infostealer_bitcoin
- 0.012 infostealer_ftp
- 0.01 api_spamming
- 0.009 anomaly_persistence_autorun
- 0.009 md_domain_bl
- 0.008 maldun_anomaly_massive_file_ops
- 0.008 stealth_timeout
- 0.008 antivm_vbox_files
- 0.008 infostealer_im
- 0.007 stealth_decoy_document
- 0.005 infostealer_mail
- 0.004 geodo_banking_trojan
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 tinba_behavior
- 0.003 antianalysis_detectreg
- 0.003 antidbg_devices
- 0.003 network_http
- 0.002 network_tor
- 0.002 antivm_vbox_libs
- 0.002 betabot_behavior
- 0.002 disables_browser_warn
- 0.002 rat_pcclient
- 0.001 hawkeye_behavior
- 0.001 rat_nanocore
- 0.001 injection_createremotethread
- 0.001 kazybot_behavior
- 0.001 kibex_behavior
- 0.001 shifu_behavior
- 0.001 exec_crash
- 0.001 cerber_behavior
- 0.001 kovter_behavior
- 0.001 sniffer_winpcap
- 0.001 antianalysis_detectfile
- 0.001 antivm_parallels_keys
- 0.001 antivm_vmware_files
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 codelux_behavior
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 malicous_targeted_flame
- 0.001 md_bad_drop
- 0.001 network_cnc_http
Reporting ( 0.51 seconds )
- 0.508 ReportHTMLSummary
- 0.002 Malheur
| Task ID | 717077 |
|---|---|
| Mongo ID | 63d336747e769a7a56f3f909 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号