Analysis task

Analysis type    VM label                  Start time            End time              Duration
File (Windows)   win7-sp1-x64-shaapp03-1   2023-01-27 11:49:59   2023-01-27 11:52:20   141 s

Maldun score

5.0 (suspicious)

File details

File name   QQ.exe
File size   23808000 bytes (about 22.7 MiB)
File type   PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5         125b0e4e5213c7b71df722f3f96e09f4
SHA1        745b325f250702c8e88f35c195da631aafabaa39
SHA256      fefc37db8f8b5c2b032a9951d4dc33a2add95bf4f82d18b7d50f6dbeea95b80c
SHA512      beee99f1d0532fa41242323076fd6d09228915b4cd9d8724c04cca1e63827b7944d44c539bc90e8dc7c1c0a25316ad8fe189c096c9f6deb75faedc7e403faf24
CRC32       68BECE39
Ssdeep      393216:qpti/HDMdyKBW/dzOAy1raoyjfGUn9ugz67oh7Iu2r5gtGhDdzh+CyyPp3X:9/HYQdyAIvMxQ86ynkJzUCjPp3X
Yara        matches not shown (login-gated in the original report)

Hosts contacted

IP              Location
88.198.21.111   Germany

Domain resolutions

Domain       Rating    Response
winscp.net   unknown   A 88.198.21.111


PE information

Image base               0x140000000
Entry address            0x140000000 (equal to the image base, i.e. AddressOfEntryPoint is 0; this is normal for a 64-bit .NET assembly, whose managed entry point comes from the CLR header rather than from a native stub)
Declared checksum        0x00000000 (the linker did not set one, which is usual for user-mode binaries, so the mismatch with the computed value below carries no signal)
Actual checksum          0x016c020d
Minimum OS version       4.0
Compile time             2048-09-24 18:39:04 (later than the analysis date, so TimeDateStamp is not a real build time; deterministic .NET builds store a hash-derived value in this field, so a future timestamp alone does not prove deliberate tampering)
Icon
Icon exact hash          9319c373ff4be4aeed6e05d7efd55f50
Icon similarity hash     dd69c937f9b885a92d2e355cad1f5ed6

Version information

The RT_VERSION resource is present (see Resources below), but every field the report extracts from it (Translation, LegalCopyright, Assembly Version, InternalName, FileVersion, CompanyName, LegalTrademarks, Comments, ProductName, ProductVersion, FileDescription, OriginalFilename) is empty.

PE sections

Name    Virtual address   Virtual size   Raw data size   Characteristics                                                 Entropy
.text   0x00002000        0x00df2eb7     0x00000000      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ     0.00
.zxT    0x00df6000        0x00e14290     0x00000000      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ     0.00
.R}a    0x01c0c000        0x016b1ed8     0x016b2000      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ     8.00
.rsrc   0x032be000        0x00002230     0x00002400      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ               5.30

The section table is the strongest static signal on this page. Two executable sections (.text and .zxT, about 14 MB of virtual space each) have no data in the file and are filled at run time, while .R}a, a non-standard name containing a brace character, holds 0x016b2000 = 23,797,760 of the file's 23,808,000 bytes at the maximum entropy of 8.00. That layout is what a packed or encrypted payload that unpacks itself into the empty sections looks like, so the static sections below (assembly references, attributes, strings) may describe only the unpacking stub; a memory dump taken after unpacking would be needed to see the real code.
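The following Python script is an added example and not part of the Maldun report. It re-implements the checks the PE information and section table above were read with: byte entropy, the empty-raw-size and high-entropy section heuristics, the unusual-name test, and the timestamp and checksum sanity checks. The section rows, file size, checksums and dates are copied from this report; the 7.9 bits/byte and 90 % thresholds and the byte buffers fed to the entropy routine are constructed for the example.

```python
"""PE section-table and header triage, standard library only.

Added example (not part of the Maldun report).  The SECTIONS rows,
FILE_SIZE, checksums and dates are copied from the report above; the
thresholds and the byte buffers in main() are constructed here.
"""
import math
from collections import Counter
from datetime import datetime

EXECUTE = "IMAGE_SCN_MEM_EXECUTE"
# Section names the Microsoft linker and the .NET compilers emit themselves.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".pdata",
                  ".idata", ".edata", ".tls", ".bss"}

# (name, virtual size, raw size, characteristics, entropy) from the report.
SECTIONS = [
    (".text", 0x00DF2EB7, 0x00000000,
     "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 0.00),
    (".zxT",  0x00E14290, 0x00000000,
     "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 0.00),
    (".R}a",  0x016B1ED8, 0x016B2000,
     "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 8.00),
    (".rsrc", 0x00002230, 0x00002400,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 5.30),
]
FILE_SIZE = 23_808_000        # bytes, from the report
PACKED_ENTROPY = 7.9          # constructed threshold, bits per byte
BULK_SHARE = 0.9              # constructed threshold, fraction of the file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_section(name, vsize, rsize, chars, entropy):
    """Heuristic findings for one section-table row (empty list = nothing odd)."""
    flags = []
    if name not in STANDARD_NAMES:
        flags.append("non-standard name")
    if any(not (ch.isalnum() or ch in "._$") for ch in name):
        flags.append("unusual characters in name")
    if rsize == 0 and vsize > 0:
        # Address space reserved but nothing on disk: filled at run time.
        flags.append("no file data, filled at runtime")
    if rsize and EXECUTE in chars and entropy >= PACKED_ENTROPY:
        flags.append("high-entropy executable section (packed/encrypted)")
    if rsize / FILE_SIZE > BULK_SHARE:
        flags.append(f"holds {rsize / FILE_SIZE:.2%} of the file")
    return flags


def timestamp_finding(compile_time: datetime, observed: datetime) -> str:
    """A TimeDateStamp later than the date the file was observed cannot be
    a real build time.  Deterministic .NET builds store a hash-derived value
    in this field, so a future date alone is not proof of tampering."""
    if compile_time > observed:
        return "TimeDateStamp is in the future: not a real build time"
    return "TimeDateStamp plausible"


def checksum_finding(declared: int, actual: int) -> str:
    """CheckSum is only meaningful when the linker actually set it."""
    if declared == 0:
        return "checksum not set by linker; mismatch carries no signal"
    if declared != actual:
        return "checksum mismatch: image modified after linking"
    return "checksum matches"


def triage() -> dict:
    """Run every heuristic over the values copied from the report."""
    return {
        "sections": {row[0]: flag_section(*row) for row in SECTIONS},
        "timestamp": timestamp_finding(datetime(2048, 9, 24, 18, 39, 4),
                                       datetime(2023, 1, 27, 11, 49, 59)),
        "checksum": checksum_finding(0x00000000, 0x016C020D),
    }


if __name__ == "__main__":
    # Constructed buffers showing both ends of the entropy scale.
    print("zeros  :", round(shannon_entropy(b"\x00" * 4096), 2))
    print("uniform:", round(shannon_entropy(bytes(range(256)) * 16), 2))
    result = triage()
    for name, flags in result["sections"].items():
        print(f"{name:6} {flags or 'ok'}")
    print(result["timestamp"])
    print(result["checksum"])
```

Run against the rows above, only .rsrc comes back clean: .text and .zxT are flagged as filled at run time, and .R}a collects the non-standard name, the brace character, the 8.00-entropy executable flag and the fact that it holds nearly the whole file. To apply the same checks to a file rather than to a report, read the section headers with a PE parser and pass each section's raw bytes through shannon_entropy instead of using the report's entropy column.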

Resources

Name            Offset       Size         Language       Sublanguage       Entropy   File type
RT_ICON         0x032be100   0x000010a8   LANG_NEUTRAL   SUBLANG_NEUTRAL   4.07      dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON   0x032bf1b8   0x00000014   LANG_NEUTRAL   SUBLANG_NEUTRAL   1.78      MS Windows icon resource - 1 icon, 32x32
RT_VERSION      0x032bf1dc   0x00000334   LANG_NEUTRAL   SUBLANG_NEUTRAL   3.52      data
RT_MANIFEST     0x032bf520   0x00000d09   LANG_NEUTRAL   SUBLANG_NEUTRAL   5.88      XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

The "dBase IV DBT" label on RT_ICON is a libmagic false match on the raw icon bitmap: 0x10a8 = 4264 bytes is exactly a 40-byte bitmap header plus 4096 bytes of 32x32 32-bit pixels plus a 128-byte AND mask, i.e. the single 32x32 image that RT_GROUP_ICON declares. It is not evidence of an embedded database file.

Assembly information

Name      QQAssist
Version   1.0.0.0

Assembly references

Name                   Version
mscorlib               4.0.0.0
System                 4.0.0.0
System.Windows.Forms   4.0.0.0
System.Drawing         4.0.0.0
System.Core            4.0.0.0
7E7D6AA0               0.0.0.0

The last reference is not a framework assembly: a hex-looking name with version 0.0.0.0 points to a module that ships with, or is generated by, the sample itself, a pattern often produced by obfuscation and packing tools.

Custom attributes

Type       Name                                                        Value
Assembly   [mscorlib]System.Reflection.AssemblyTitleAttribute          QQAssi
Assembly   [mscorlib]System.Reflection.AssemblyDescriptionAttribute    QQAssi
Assembly   [mscorlib]System.Reflection.AssemblyCompanyAttribute        复制粘贴套娃不负责任公
Assembly   [mscorlib]System.Reflection.AssemblyProductAttribute        QQAssi
Assembly   [mscorlib]System.Reflection.AssemblyCopyrightAttribute      盗
Assembly   [mscorlib]System.Reflection.AssemblyTrademarkAttribute      贴
Assembly   [mscorlib]System.Runtime.InteropServices.GuidAttribute      e7268722-fcce-4817-9b78-ea02c0685a
Assembly   [mscorlib]System.Reflection.AssemblyFileVersionAttribute    1.195.1

The report truncates attribute values: "QQAssi" is evidently the module name QQAssist cut short, the GUID is two hex characters short, and the three Chinese values (shown here decoded from the escaped UTF-8 bytes) each ended in a partial multi-byte sequence that has been dropped. The company string reads roughly "copy-paste matryoshka, irresponsible co...", and the copyright value begins with 盗 ("pirated"); these are joke values rather than a vendor identity, and nothing in them ties the file to Tencent QQ despite the file name.

Type references

Of the referenced types, the ones that say most about what the code can do are the RSA signature classes (RSACryptoServiceProvider, RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter) together with SHA256CryptoServiceProvider and MD5, System.Net.WebRequest with CredentialCache and WebHeaderCollection, System.Diagnostics.Process and ProcessModule, Regex, Clipboard, Marshal, File and FileStream, and a System.Timers.Timer. Taken together they are consistent with a WinForms client that talks HTTP, produces or verifies RSA signatures, enumerates processes and their modules, and polls on a timer. They show capability, not behavior: the behavior log is not included on this page, and the metadata may belong to the unpacking stub rather than to the payload.

Assembly               Type name
System System.CodeDom.Compiler.GeneratedCodeAttribute
System System.Collections.Specialized.NameValueCollection
System System.ComponentModel.Component
System System.ComponentModel.ComponentResourceManager
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
System System.ComponentModel.IContainer
System System.ComponentModel.ISupportInitialize
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
System System.Diagnostics.Process
System System.Diagnostics.ProcessModule
System System.Diagnostics.ProcessModuleCollection
System System.Diagnostics.ProcessStartInfo
System System.Net.CredentialCache
System System.Net.ICredentials
System System.Net.WebHeaderCollection
System System.Net.WebRequest
System System.Net.WebResponse
System System.Text.RegularExpressions.Group
System System.Text.RegularExpressions.Match
System System.Text.RegularExpressions.Regex
System System.Timers.ElapsedEventArgs
System System.Timers.ElapsedEventHandler
System System.Timers.Timer
System.Core System.Security.Cryptography.SHA256CryptoServiceProvider
System.Drawing System.Drawing.Color
System.Drawing System.Drawing.ContentAlignment
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Drawing System.Drawing.Icon
System.Drawing System.Drawing.Image
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.BorderStyle
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Windows.Forms System.Windows.Forms.CheckBox
System.Windows.Forms System.Windows.Forms.Clipboard
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.ComboBox/ObjectCollection
System.Windows.Forms System.Windows.Forms.ComboBoxStyle
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.Control
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.FlatStyle
System.Windows.Forms System.Windows.Forms.Form
System.Windows.Forms System.Windows.Forms.FormBorderStyle
System.Windows.Forms System.Windows.Forms.FormClosingEventArgs
System.Windows.Forms System.Windows.Forms.FormClosingEventHandler
System.Windows.Forms System.Windows.Forms.FormStartPosition
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.HorizontalAlignment
System.Windows.Forms System.Windows.Forms.IWin32Window
System.Windows.Forms System.Windows.Forms.ImageLayout
System.Windows.Forms System.Windows.Forms.KeyEventArgs
System.Windows.Forms System.Windows.Forms.KeyEventHandler
System.Windows.Forms System.Windows.Forms.KeyPressEventArgs
System.Windows.Forms System.Windows.Forms.KeyPressEventHandler
System.Windows.Forms System.Windows.Forms.Keys
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.ListControl
System.Windows.Forms System.Windows.Forms.Message
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
System.Windows.Forms System.Windows.Forms.MessageBoxDefaultButton
System.Windows.Forms System.Windows.Forms.MessageBoxIcon
System.Windows.Forms System.Windows.Forms.MessageBoxOptions
System.Windows.Forms System.Windows.Forms.MouseEventArgs
System.Windows.Forms System.Windows.Forms.MouseEventHandler
System.Windows.Forms System.Windows.Forms.PictureBox
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.TextBox
System.Windows.Forms System.Windows.Forms.TextBoxBase
mscorlib System.Array
mscorlib System.AsyncCallback
mscorlib System.Base64FormattingOptions
mscorlib System.BitConverter
mscorlib System.Boolean
mscorlib System.Byte
mscorlib System.Char
mscorlib System.Collections.Generic.List`1
mscorlib System.Collections.Hashtable
mscorlib System.Collections.IEnumerator
mscorlib System.Collections.ReadOnlyCollectionBase
mscorlib System.Convert
mscorlib System.DateTime
mscorlib System.Delegate
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Double
mscorlib System.Enum
mscorlib System.Environment
mscorlib System.Environment/SpecialFolder
mscorlib System.EventArgs
mscorlib System.EventHandler
mscorlib System.Exception
mscorlib System.FlagsAttribute
mscorlib System.Globalization.CultureInfo
mscorlib System.IAsyncResult
mscorlib System.IDisposable
mscorlib System.IO.File
mscorlib System.IO.FileInfo
mscorlib System.IO.FileMode
mscorlib System.IO.FileStream
mscorlib System.IO.MemoryStream
mscorlib System.IO.Stream
mscorlib System.IO.StreamReader
mscorlib System.IO.StreamWriter
mscorlib System.IO.TextReader
mscorlib System.IO.TextWriter
mscorlib System.Int32
mscorlib System.Int64
mscorlib System.IntPtr
mscorlib System.MulticastDelegate
mscorlib System.Object
mscorlib System.Predicate`1
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Runtime.CompilerServices.IsVolatile
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.RuntimeFieldHandle
mscorlib System.RuntimeTypeHandle
mscorlib System.SByte
mscorlib System.STAThreadAttribute
mscorlib System.Security.Cryptography.AsymmetricAlgorithm
mscorlib System.Security.Cryptography.AsymmetricSignatureDeformatter
mscorlib System.Security.Cryptography.AsymmetricSignatureFormatter
mscorlib System.Security.Cryptography.HashAlgorithm
mscorlib System.Security.Cryptography.MD5
mscorlib System.Security.Cryptography.RSACryptoServiceProvider
mscorlib System.Security.Cryptography.RSAPKCS1SignatureDeformatter
mscorlib System.Security.Cryptography.RSAPKCS1SignatureFormatter
mscorlib System.String
mscorlib System.StringSplitOptions
mscorlib System.Text.Encoding
mscorlib System.Text.StringBuilder
mscorlib System.Threading.Interlocked
mscorlib System.Threading.ThreadPool
mscorlib System.Threading.WaitCallback
mscorlib System.TimeSpan
mscorlib System.Type
mscorlib System.UInt16
mscorlib System.UInt32
mscorlib System.UInt64
mscorlib System.UIntPtr
mscorlib System.ValueType

Strings

The string entries the report lists amount to little more than the section names, which is what the 8.00-entropy section above predicts:

.text
`.zxT
`.R}a
`.rsrc
vrjn$
BMSR[R
~ g@<
y+X9:
lU'QC
)g?90

Antivirus: no engine scan results.

Process tree

QQ.exe    PID 2648, parent PID 2288
dwm.exe   PID 1344, parent PID 764

dwm.exe (Desktop Window Manager) has parent PID 764, not 2648, so it is a system process caught by the monitor and not something the sample started; no child process of QQ.exe appears in the tree.


Network traffic

TCP

Source            Source port   Destination                  Destination port
192.168.122.201   49157         61.213.168.41                80
192.168.122.201   49165         88.198.21.111 (winscp.net)   443
192.168.122.201   49167         88.198.21.111 (winscp.net)   80
192.168.122.201   49168         88.198.21.111 (winscp.net)   443

No DNS answer for 61.213.168.41 is recorded on this page even though three DNS queries were sent; it is the only non-winscp.net destination on port 80, so it is the host behind the acroipm.adobe.com request in the HTTP log below.

UDP

Source            Source port   Destination     Destination port
192.168.122.201   56270         192.168.122.1   53
192.168.122.201   59401         192.168.122.1   53
192.168.122.201   59906         192.168.122.1   53


HTTP requests

URI   http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URI   http://winscp.net/eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3
GET /eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: winscp.net
Connection: Keep-Alive

Both requests have the shape of routine update checks rather than command-and-control: the first is Adobe Reader's in-product messaging fetch (User-Agent "IPM", Chinese-locale "CHS" path, a 2017 If-Modified-Since from a cached copy), the second is WinSCP's upgrade query reporting an installed 5.7.3.5438 and a target of 5.13.4 (lang=0804 is the zh-CN locale ID). The report does not attribute either request to a process, and the process tree shows only QQ.exe, so this page alone cannot establish whether the sample issued them (for example by bundling a WinSCP component) or whether software already present on the sandbox image did. Treat winscp.net and adobe.com as context, not as indicators of compromise, unless the behavior log ties the sockets to PID 2648.

SMTP traffic: none.

IRC traffic: none.

ICMP traffic: none.

CIF report: no results.

Network alerts: none.

TLS

Timestamp                         Source            Port    Destination     Port   Version   Issuer                                                                  Subject         Fingerprint (SHA-1)
2023-01-27 11:52:03.865232+0800   192.168.122.201   49165   88.198.21.111   443    TLS 1.2   C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1   CN=winscp.net   06:fc:eb:2e:75:90:8f:66:4f:ac:b7:44:1c:53:1b:f9:49:40:32:63
2023-01-27 11:52:15.701035+0800   192.168.122.201   49168   88.198.21.111   443    TLS 1.2   C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1   CN=winscp.net   06:fc:eb:2e:75:90:8f:66:4f:ac:b7:44:1c:53:1b:f9:49:40:32:63

Both sessions present the same publicly issued DigiCert/RapidSSL certificate for winscp.net, not a self-signed or mismatched one, which is consistent with the genuine WinSCP site.

Suricata HTTP

No Suricata HTTP records.

No files were extracted from the network traffic, no files were dropped during the run, and no similar analyses were found.
Processing ( 46.014 seconds )

  • 13.708 Static
  • 12.252 NetworkAnalysis
  • 10.599 Suricata
  • 4.342 TargetInfo
  • 2.303 VirusTotal
  • 1.743 BehaviorAnalysis
  • 0.532 static_dotnet
  • 0.377 peid
  • 0.132 config_decoder
  • 0.013 Strings
  • 0.011 AnalysisInfo
  • 0.002 Memory

Signatures ( 40.475 seconds ): time spent evaluating each signature module. Every module the platform loads appears here whether or not it matched, so this is not a list of triggered signatures; the report does not show which of them fired.

  • 38.305 network_http
  • 1.36 md_url_bl
  • 0.112 api_spamming
  • 0.083 stealth_decoy_document
  • 0.083 stealth_timeout
  • 0.069 injection_createremotethread
  • 0.046 injection_runpe
  • 0.039 antiav_detectreg
  • 0.021 injection_explorer
  • 0.02 mimics_filetime
  • 0.018 reads_self
  • 0.018 infostealer_ftp
  • 0.017 antivm_generic_disk
  • 0.017 virus
  • 0.016 stealth_file
  • 0.015 vawtrak_behavior
  • 0.015 antiav_detectfile
  • 0.015 md_domain_bl
  • 0.014 bootkit
  • 0.014 hancitor_behavior
  • 0.012 process_interest
  • 0.011 infostealer_im
  • 0.01 antivm_generic_scsi
  • 0.01 infostealer_bitcoin
  • 0.009 kovter_behavior
  • 0.008 antiemu_wine_func
  • 0.008 infostealer_browser_password
  • 0.008 antianalysis_detectreg
  • 0.007 infostealer_mail
  • 0.006 antivm_vbox_files
  • 0.005 anomaly_persistence_autorun
  • 0.005 process_needed
  • 0.005 geodo_banking_trojan
  • 0.004 maldun_anomaly_massive_file_ops
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 antivm_generic_services
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.002 tinba_behavior
  • 0.002 network_tor
  • 0.002 antivm_vbox_libs
  • 0.002 antiav_avast_libs
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 exec_crash
  • 0.002 antidbg_windows
  • 0.002 anormaly_invoke_kills
  • 0.002 antidbg_devices
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.002 rat_pcclient
  • 0.001 hawkeye_behavior
  • 0.001 rat_nanocore
  • 0.001 infostealer_browser
  • 0.001 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.001 antisandbox_sleep
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 shifu_behavior
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antisandbox_productid
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 codelux_behavior
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.554 seconds )

  • 0.55 ReportHTMLSummary
  • 0.004 Malheur
Task ID 717080
Mongo ID 63d34ad97e769a7a58f3d62d
Cuckoo release 1.4-Maldun