Analysis type | VM label | Start time | End time | Duration |
---|---|---|---|---|
File (Windows) | win7-sp1-x64-shaapp02-1 | 2024-04-28 22:24:40 | 2024-04-28 22:26:59 | 139 seconds |
File name | 4.25客户端.exe |
---|---|
File size | 15824995 bytes |
File type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 32eda8312d12e99c139b8645af429082 |
SHA1 | ea8d1ea1f5efa469a802c1d5c736708d439b730f |
SHA256 | 74d3f257776f9704855dc1e0f36e3e074fc38b4d3beb08246f5144f7e3a7d0e2 |
SHA512 | a2362c227c7aba4d49fb1796871a05e21fa57d2f238d483a19a398baeb732307d8f5b2d2aabc900d4ca71892ca431bf738e2b5e7be35c934be44d5ea6f9b3253 |
CRC32 | 59FA4513 |
Ssdeep | 393216:7KHzyhEFaOddBww6L92ALlfhjhxwojq4M4RX1WW/rlYjlwx6VevO0NZ:7KHz+EFaOddGxLsAJfBh24MAYkcVVevL |
Direct | IP | Security rating | Geolocation |
---|---|---|---|
No | 103.8.220.72 | | China |
No | 112.192.19.239 | | China |
No | 180.101.50.188 | | China |
Yes | 192.6.1.6 | | United States |
No | 8.210.154.70 | | United States |
No | 81.70.124.99 | | Netherlands |
Domain | Security rating | Response |
---|---|---|
ipc.exejm.com | | A 112.192.19.239 |
bbs.125.la | | A 103.8.220.72 |
www.baidu.com | | CNAME www.a.shifen.com A 180.101.50.188 A 180.101.50.242 |
www.chinapyg.com | | A 8.210.154.70 |
www.douban.com | Unknown | CNAME forward.douban.com A 81.70.124.99 A 140.143.177.206 CNAME tc.forward.douban.com A 120.53.130.158 |
Image base | 0x00400000 |
---|---|
Entry point | 0x01edd88c |
Declared checksum | 0x00000000 |
Actual checksum | 0x00f19560 |
Minimum OS version | 5.0 |
Compile time | 2023-07-31 09:46:01 |
Import hash | f5151e63f951542420f03e2fa50c82d8 |
LegalCopyright | |
---|---|
FileVersion | |
CompanyName | |
Comments | |
ProductName | |
ProductVersion | |
FileDescription | |
Translation | |
Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00113dd2 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
.rdata | 0x00115000 | 0x007b9bde | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
.data | 0x008cf000 | 0x0007294a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
.vmp0 | 0x00942000 | 0x006584b1 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
.vmp1 | 0x00f9b000 | 0x00b48e60 | 0x00b49000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 8.00 |
.reloc | 0x01ae4000 | 0x00000120 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.51 |
.rsrc | 0x01ae5000 | 0x000018b1 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.60 |
Offset | 0x00b4d000 |
---|---|
Size | 0x003ca863 |
Source address | Source port | Destination address | Destination port |
---|---|---|---|
192.168.122.201 | 49162 | 103.8.220.72 bbs.125.la | 443 |
192.168.122.201 | 49161 | 112.192.19.239 ipc.exejm.com | 6003 |
192.168.122.201 | 49170 | 112.192.19.239 ipc.exejm.com | 6002 |
192.168.122.201 | 49171 | 112.192.19.239 ipc.exejm.com | 6002 |
192.168.122.201 | 49165 | 180.101.50.188 www.baidu.com | 443 |
192.168.122.201 | 49157 | 23.219.78.212 | 80 |
192.168.122.201 | 49167 | 8.210.154.70 www.chinapyg.com | 80 |
192.168.122.201 | 49168 | 8.210.154.70 www.chinapyg.com | 443 |
192.168.122.201 | 49169 | 81.70.124.99 www.douban.com | 443 |
Source address | Source port | Destination address | Destination port |
---|---|---|---|
192.168.122.201 | 51304 | 192.168.122.1 | 53 |
192.168.122.201 | 53118 | 192.168.122.1 | 53 |
192.168.122.201 | 57526 | 192.168.122.1 | 53 |
192.168.122.201 | 60155 | 192.168.122.1 | 53 |
192.168.122.201 | 63246 | 192.168.122.1 | 53 |
192.168.122.201 | 63472 | 192.168.122.1 | 53 |
URI | HTTP data |
---|---|
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
http://www.chinapyg.com/ | GET / HTTP/1.1 Accept: */* Referer: http://www.chinapyg.com/ Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: www.chinapyg.com Cache-Control: no-cache |
No SMTP traffic.
No IRC requests.
No ICMP traffic.
No CIF results.
No alerts.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Version | Issuer | Subject | Fingerprint |
---|---|---|---|---|---|---|---|---|
2024-04-28 22:25:42.088353+0800 | 192.168.122.201 | 49165 | 180.101.50.188 | 443 | TLS 1.2 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com | 97:42:d5:98:27:d6:22:88:cf:59:c3:ff:75:86:8d:d5:d3:12:a0:af |
2024-04-28 22:25:20.666503+0800 | 192.168.122.201 | 49162 | 103.8.220.72 | 443 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G2 | CN=bbs.125.la | 6e:fb:8b:4a:e0:d5:d4:eb:96:8b:3c:b2:c4:db:51:c4:ea:a5:bb:0d |
2024-04-28 22:25:42.959040+0800 | 192.168.122.201 | 49169 | 81.70.124.99 | 443 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1 | C=CN, ST=Beijing, O=Beijing Douwang Technology Co. Ltd., CN=*.douban.com | 19:02:6e:57:27:dc:02:31:4c:77:f0:cb:5d:88:c9:4f:73:64:5c:5c |
2024-04-28 22:25:42.661464+0800 | 192.168.122.201 | 49168 | 8.210.154.70 | 443 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G1 | CN=chinapyg.com | 35:91:09:ea:4f:d8:af:36:4a:04:92:0a:04:02:46:f2:fc:19:c9:f9 |
No Suricata HTTP
Task ID | 744433 |
---|---|
Mongo ID | 662e5d38dc327b46be811303 |
Cuckoo release | 1.4-Maldun |