Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2023-06-07 22:28:47  2023-06-07 22:29:25  38 seconds

Maldun score

4.825

Suspicious

File details

File name  Diswater.exe
File size  2066768 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows
MD5  04340835c59a7ed913b2e432a64fbc7b
SHA1  1572c0c40a9f4cb21834bf5cfeeba6139092126e
SHA256  b578edbd97db3d31db4717035c137c8f85cf0d7692e12bfea268e7741b322864
SHA512  7fa6af71a33f8f36c2027cf6dfb2efd779ed7649d532fe7f4508210d6add19a486ff95fb382add6cfabfd041f212105427c436d4bde03404c213000386b3a5ee
CRC32  5507CCEE
Ssdeep  49152:SPQC0PSBsvDIkz4mZf32MPloDyWuKpYl52ayOPy7NridNeTTExbFZ:0QCSSCDpz4GxPzli77Nrq1

Screenshots

No screenshots available

Hosts contacted

No host records.

DNS resolution

No domain information.


Summary


PE info

Image base  0x00400000
Entry point  0x0041f7cb
Declared checksum  0x001f9f58
Actual checksum  0x001f9f58
Minimum OS version required  5.1
Compile time  2022-11-07 19:29:43
Import hash  51955a2c8f4808327f51ed3ff99dca1c
Icon
Icon exact hash  b269b2bb7ef448b4420bc5e179a723e0
Icon similarity hash  430548e201c4d4e39e2e14e276c68d45

Version info

LegalCopyright
InternalName
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

Microsoft certificate verification (Sign Tool)

SHA1  Timestamp  Validity  Error
None  Fri Nov 11 10:39:59 2022
Certificate Chain 1
Issued to  DigiCert Assured ID Root CA
Issuer  DigiCert Assured ID Root CA
Valid until  Mon Nov 10 08:00:00 2031
SHA1 hash  0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Certificate Chain 2
Issued to  DigiCert Trusted Root G4
Issuer  DigiCert Assured ID Root CA
Valid until  Mon Nov 10 07:59:59 2031
SHA1 hash  a99d5b79e9f1cda59cdab6373169d5353f5874c6
Certificate Chain 3
Issued to  DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Issuer  DigiCert Trusted Root G4
Valid until  Tue Apr 29 07:59:59 2036
SHA1 hash  7b0f360b775f76c94a12ca48445aa2d2a875701c
Certificate Chain 4
Issued to  Shanghai XuSong investment partnership Enterprise(Limited)
Issuer  DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Valid until  Fri Aug 04 07:59:59 2023
SHA1 hash  e7f6494bc93f818173d18f2fff60e5064df65346
Timestamp Chain 1
Issued to  DigiCert Assured ID Root CA
Issuer  DigiCert Assured ID Root CA
Valid until  Mon Nov 10 08:00:00 2031
SHA1 hash  0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Timestamp Chain 2
Issued to  DigiCert Trusted Root G4
Issuer  DigiCert Assured ID Root CA
Valid until  Mon Nov 10 07:59:59 2031
SHA1 hash  a99d5b79e9f1cda59cdab6373169d5353f5874c6
Timestamp Chain 3
Issued to  DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Issuer  DigiCert Trusted Root G4
Valid until  Mon Mar 23 07:59:59 2037
SHA1 hash  b6c8af834d4e53b673c76872aa8c950c7c54df5f
Timestamp Chain 4
Issued to  DigiCert Timestamp 2022 - 2
Issuer  DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Valid until  Tue Nov 22 07:59:59 2033
SHA1 hash  f387224d8633829235a994bcbd8f96e9fe1c7c73

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0016edb1 0x0016ee00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.59
.rdata 0x00170000 0x00064980 0x00064a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.94
.data 0x001d5000 0x000118f4 0x0000b600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.19
.gfids 0x001e7000 0x000001b4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.54
.tls 0x001e8000 0x00000009 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.02
.rsrc 0x001e9000 0x00004300 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.21
.reloc 0x001ee000 0x00012444 0x00012600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.63

Overlay

Offset  0x001f6000
Size  0x00002950

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_ICON 0x001ea950 0x000025a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.06 dBase IV DBT of `.DBF, block length 18432, next free block index 40
RT_ICON 0x001ea950 0x000025a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.06 dBase IV DBT of `.DBF, block length 18432, next free block index 40
RT_ICON 0x001ea950 0x000025a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.06 dBase IV DBT of `.DBF, block length 18432, next free block index 40
RT_GROUP_ICON 0x001ecef8 0x00000030 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.46 MS Windows icon resource - 3 icons, 16x16
RT_VERSION 0x001e91c0 0x0000027c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.85 data
RT_MANIFEST 0x001ecf28 0x00000258 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.06 XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
RT_MANIFEST 0x001ecf28 0x00000258 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.06 XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators

Imports

Library: KERNEL32.dll:
0x570094 IsDebuggerPresent
0x570098 GetStartupInfoW
0x5700a0 GetCurrentProcessId
0x5700a4 GetCurrentThreadId
0x5700ac InitializeSListHead
0x5700b0 GetFileSize
0x5700b4 WriteFile
0x5700b8 ReadFile
0x5700bc FindClose
0x5700c0 lstrcpyW
0x5700c4 GetTempPathW
0x5700c8 CreateFileW
0x5700cc GetFileAttributesW
0x5700d4 DeleteFileW
0x5700d8 FindFirstFileW
0x5700dc FindNextFileW
0x5700e0 CopyFileW
0x5700e4 MoveFileExW
0x5700e8 GetTickCount
0x5700ec DecodePointer
0x5700f0 HeapReAlloc
0x5700f4 HeapSize
0x5700f8 RaiseException
0x5700fc GetLastError
0x570104 MultiByteToWideChar
0x570108 WideCharToMultiByte
0x57010c CreateDirectoryW
0x570114 GetSystemInfo
0x570118 ReleaseMutex
0x57011c CreateMutexW
0x570124 GetLongPathNameW
0x570128 GlobalAlloc
0x57012c GlobalFree
0x570130 OpenProcess
0x570134 GetExitCodeProcess
0x570138 CreateProcessW
0x570140 Process32FirstW
0x570144 Process32NextW
0x570148 DeviceIoControl
0x57014c OutputDebugStringA
0x570150 SetPriorityClass
0x570154 EncodePointer
0x570158 RtlUnwind
0x57015c TlsAlloc
0x570160 TlsGetValue
0x570164 TlsSetValue
0x570168 TlsFree
0x57016c LoadLibraryExW
0x570170 ExitProcess
0x570174 GetModuleHandleExW
0x570178 TerminateProcess
0x57017c GetStdHandle
0x570180 GetACP
0x570184 GetStringTypeW
0x570188 CompareStringW
0x57018c LCMapStringW
0x570190 GetLocaleInfoW
0x570194 IsValidLocale
0x570198 GetUserDefaultLCID
0x57019c EnumSystemLocalesW
0x5701a0 GetFileType
0x5701a4 GetConsoleMode
0x5701a8 ReadConsoleW
0x5701ac SetFilePointerEx
0x5701b0 FindFirstFileExW
0x5701b4 IsValidCodePage
0x5701b8 GetOEMCP
0x5701bc GetCPInfo
0x5701c0 GetCommandLineA
0x5701c4 GetCommandLineW
0x5701d8 OutputDebugStringW
0x5701dc SetStdHandle
0x5701e0 GetConsoleCP
0x5701e8 FlushFileBuffers
0x5701ec WriteConsoleW
0x5701f0 SetEndOfFile
0x5701f8 GetModuleFileNameW
0x5701fc GetSystemDirectoryW
0x570200 LoadLibraryW
0x570204 CreateEventW
0x57020c Sleep
0x570210 GetCurrentProcess
0x57021c GetModuleHandleW
0x570220 SetConsoleMode
0x570224 ReadConsoleInputA
0x570228 WaitForSingleObject
0x57022c SetEvent
0x570240 CreateThread
0x570244 OpenFileMappingW
0x570248 UnmapViewOfFile
0x57024c FlushViewOfFile
0x570250 MapViewOfFile
0x570254 CloseHandle
0x570258 IsBadReadPtr
0x57025c LoadLibraryA
0x570260 GlobalMemoryStatus
0x57026c GetSystemTime
0x570270 GetNativeSystemInfo
0x570274 SetLastError
0x570278 GetProcessHeap
0x57027c HeapFree
0x570280 GetVersionExW
0x570284 HeapAlloc
0x570288 VirtualProtect
0x57028c VirtualFree
0x570290 VirtualAlloc
0x570294 GetProcAddress
0x570298 FreeLibrary
0x5702a0 GetFullPathNameW
0x5702ac GetDriveTypeW
0x5702b4 ExitThread
0x5702b8 PeekNamedPipe
0x5702c4 VerifyVersionInfoA
0x5702c8 GetSystemDirectoryA
0x5702cc GetModuleHandleA
0x5702d0 VerSetConditionMask
0x5702d4 SleepEx
0x5702dc FormatMessageA
Library: ADVAPI32.dll:
0x570000 CryptEnumProvidersA
0x570004 CryptGetUserKey
0x570008 CryptExportKey
0x57000c CryptDecrypt
0x570010 CryptCreateHash
0x570014 CryptDestroyHash
0x570018 CryptSignHashA
0x57001c DuplicateTokenEx
0x570028 RegOpenKeyW
0x57002c RegEnumKeyW
0x570030 RegCreateKeyExW
0x570034 RegQueryValueExW
0x570038 OpenProcessToken
0x570040 RevertToSelf
0x57004c ReportEventA
0x570054 CryptReleaseContext
0x570058 CryptDestroyKey
0x57005c CryptSetHashParam
0x570060 RegCloseKey
0x570064 RegOpenKeyExW
0x570068 CryptGetProvParam
Library: SHELL32.dll:
0x5702e8 SHGetFolderPathW
Library: SHLWAPI.dll:
0x5702f4 PathIsDirectoryW
0x5702f8 PathFileExistsW
Library: USER32.dll:
0x570300 MessageBoxA
0x57030c LoadStringW
0x570310 wsprintfW
Library: ole32.dll:
0x570400 CoCreateInstance
0x570404 CoUninitialize
0x570408 CoInitialize
Library: CRYPT32.dll:
0x57007c CertOpenStore
0x570080 CertCloseStore
Library: WININET.dll:
0x570318 InternetCloseHandle
0x570320 InternetReadFile
0x570324 InternetOpenUrlW
0x570328 InternetSetOptionW
0x57032c InternetOpenW
0x570330 HttpQueryInfoW
Library: WLDAP32.dll:
0x570338 None
0x57033c None
0x570340 None
0x570344 None
0x570348 None
0x57034c None
0x570350 None
0x570354 None
0x570358 None
0x57035c None
0x570360 None
0x570364 None
0x570368 None
0x57036c None
0x570370 None
0x570374 None
0x570378 None
Library: WS2_32.dll:
0x570380 htonl
0x570384 gethostbyname
0x570388 getservbyname
0x57038c htons
0x570390 getsockopt
0x570394 shutdown
0x570398 getpeername
0x57039c connect
0x5703a0 closesocket
0x5703a4 bind
0x5703a8 send
0x5703ac recv
0x5703b0 WSASetLastError
0x5703b4 select
0x5703b8 __WSAFDIsSet
0x5703bc socket
0x5703c0 WSAGetLastError
0x5703c4 ntohs
0x5703c8 setsockopt
0x5703cc WSAIoctl
0x5703d0 WSAStartup
0x5703d4 WSACleanup
0x5703d8 getaddrinfo
0x5703dc freeaddrinfo
0x5703e0 accept
0x5703e4 listen
0x5703e8 recvfrom
0x5703ec sendto
0x5703f0 ioctlsocket
0x5703f4 gethostname
0x5703f8 getsockname

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
<'u#Wj
<"u#Wj
No antivirus engine scan information!

Process tree


Diswater.exe, PID: 2628, parent PID: 2304

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201  49160  23.219.38.64  80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201  59401  192.168.122.1  53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic
No files dropped.
No similar analyses found.

Processing ( 22.312 seconds )

  • 10.592 Suricata
  • 3.763 VirusTotal
  • 3.662 NetworkAnalysis
  • 2.696 Static
  • 0.621 TargetInfo
  • 0.595 BehaviorAnalysis
  • 0.355 peid
  • 0.011 Strings
  • 0.01 AnalysisInfo
  • 0.005 config_decoder
  • 0.002 Memory

Signatures ( 1.621 seconds )

  • 1.343 md_url_bl
  • 0.039 api_spamming
  • 0.031 stealth_decoy_document
  • 0.03 stealth_timeout
  • 0.026 antiav_detectreg
  • 0.012 process_interest
  • 0.011 injection_createremotethread
  • 0.011 infostealer_ftp
  • 0.008 md_domain_bl
  • 0.007 antivm_generic_scsi
  • 0.007 vawtrak_behavior
  • 0.007 injection_runpe
  • 0.007 antiav_detectfile
  • 0.006 infostealer_im
  • 0.005 anomaly_persistence_autorun
  • 0.005 process_needed
  • 0.005 antianalysis_detectreg
  • 0.004 antivm_generic_services
  • 0.004 anormaly_invoke_kills
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_mail
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 antivm_vbox_files
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 disables_browser_warn
  • 0.002 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 mimics_filetime
  • 0.001 stealth_file
  • 0.001 maldun_anomaly_massive_file_ops
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 recon_fingerprint

Reporting ( 0.594 seconds )

  • 0.55 ReportHTMLSummary
  • 0.044 Malheur
Task ID 721985
Mongo ID 6480946b7e769a4ec39e3d79
Cuckoo release 1.4-Maldun