分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp02-1 | 2024-04-28 22:24:40 | 2024-04-28 22:26:59 | 139 秒 |
魔盾分数
10.0
危险的
文件详细信息
| 文件名 | 4.25客户端.exe |
|---|---|
| 文件大小 | 15824995 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 32eda8312d12e99c139b8645af429082 |
| SHA1 | ea8d1ea1f5efa469a802c1d5c736708d439b730f |
| SHA256 | 74d3f257776f9704855dc1e0f36e3e074fc38b4d3beb08246f5144f7e3a7d0e2 |
| SHA512 | a2362c227c7aba4d49fb1796871a05e21fa57d2f238d483a19a398baeb732307d8f5b2d2aabc900d4ca71892ca431bf738e2b5e7be35c934be44d5ea6f9b3253 |
| CRC32 | 59FA4513 |
| Ssdeep | 393216:7KHzyhEFaOddBww6L92ALlfhjhxwojq4M4RX1WW/rlYjlwx6VevO0NZ:7KHz+EFaOddGxLsAJfBh24MAYkcVVevL |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 103.8.220.72 | 中国 | |
| 否 | 112.192.19.239 | 中国 | |
| 否 | 180.101.50.188 | 中国 | |
| 是 | 192.6.1.6 | 美国 | |
| 否 | 8.210.154.70 | 美国 | |
| 否 | 81.70.124.99 | 荷兰 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| ipc.exejm.com | A 112.192.19.239 | |
| bbs.125.la | A 103.8.220.72 | |
| www.baidu.com |
CNAME www.a.shifen.com A 180.101.50.188 A 180.101.50.242 |
|
| www.chinapyg.com | A 8.210.154.70 | |
| www.douban.com | 未知 |
CNAME forward.douban.com A 81.70.124.99 A 140.143.177.206 CNAME tc.forward.douban.com A 120.53.130.158 |
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x01edd88c |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00f19560 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2023-07-31 09:46:01 |
| 载入哈希 | f5151e63f951542420f03e2fa50c82d8 |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00113dd2 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x00115000 | 0x007b9bde | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x008cf000 | 0x0007294a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x00942000 | 0x006584b1 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .vmp1 | 0x00f9b000 | 0x00b48e60 | 0x00b49000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 8.00 |
| .reloc | 0x01ae4000 | 0x00000120 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.51 |
| .rsrc | 0x01ae5000 | 0x000018b1 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.60 |
覆盖
| 偏移量 | 0x00b4d000 |
| 大小 | 0x003ca863 |
导入
库: iphlpapi.dll:
• 0x139d000 GetAdaptersInfo
库: WINMM.dll:
• 0x139d008 midiStreamOut
库: WS2_32.dll:
• 0x139d010 socket
库: RASAPI32.dll:
• 0x139d018 RasGetConnectStatusA
库: USER32.dll:
• 0x139d02c SetScrollRange
库: GDI32.dll:
• 0x139d034 GetViewportExtEx
库: WINSPOOL.DRV:
• 0x139d03c OpenPrinterA
库: ADVAPI32.dll:
• 0x139d044 RegOpenKeyExA
库: SHELL32.dll:
• 0x139d04c SHGetSpecialFolderPathA
库: ole32.dll:
• 0x139d054 CLSIDFromProgID
库: OLEAUT32.dll:
• 0x139d05c VariantChangeType
库: COMCTL32.dll:
• 0x139d064 None
库: WININET.dll:
• 0x139d06c InternetCloseHandle
库: comdlg32.dll:
• 0x139d074 ChooseColorA
库: WTSAPI32.dll:
• 0x139d07c WTSSendMessageW
库: KERNEL32.dll:
• 0x139d084 GetCurrentProcess
库: USER32.dll:
• 0x139d08c CharUpperBuffW
库: ADVAPI32.dll:
• 0x139d094 RegQueryValueExA
库: KERNEL32.dll:
• 0x139d09c LocalAlloc
• 0x139d0a0 GetCurrentProcess
• 0x139d0a4 GetCurrentThread
• 0x139d0a8 LocalFree
• 0x139d0ac GetModuleFileNameW
• 0x139d0b0 GetProcessAffinityMask
• 0x139d0b4 SetProcessAffinityMask
• 0x139d0b8 SetThreadAffinityMask
• 0x139d0bc Sleep
• 0x139d0c0 ExitProcess
• 0x139d0c4 GetLastError
• 0x139d0c8 FreeLibrary
• 0x139d0cc LoadLibraryA
• 0x139d0d0 GetModuleHandleA
• 0x139d0d4 GetProcAddress
库: ADVAPI32.dll:
• 0x139d0dc OpenSCManagerW
• 0x139d0e0 EnumServicesStatusExW
• 0x139d0e4 OpenServiceW
• 0x139d0e8 QueryServiceConfigW
• 0x139d0ec CloseServiceHandle
.text
`.rdata
@.data
.vmp0
`.vmp1
`.reloc
@.rsrc
OLEAUT32.dll
?P'H8
KERNEL32.dll
GDI32.dll
ExitProcess
0}f/}
SHGetSpecialFolderPathA
midiStreamOut
COMCTL32.dll
WINMM.dll
GetViewportExtEx
GetVersion
OpenSCManagerW
GetLastError
RegOpenKeyExA
WINSPOOL.DRV
kUSER32.dll
5lwr7?S;
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 103.8.220.72 | 中国 | |
| 否 | 112.192.19.239 | 中国 | |
| 否 | 180.101.50.188 | 中国 | |
| 是 | 192.6.1.6 | 美国 | |
| 否 | 8.210.154.70 | 美国 | |
| 否 | 81.70.124.99 | 荷兰 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49162 | 103.8.220.72 bbs.125.la | 443 |
| 192.168.122.201 | 49161 | 112.192.19.239 ipc.exejm.com | 6003 |
| 192.168.122.201 | 49170 | 112.192.19.239 ipc.exejm.com | 6002 |
| 192.168.122.201 | 49171 | 112.192.19.239 ipc.exejm.com | 6002 |
| 192.168.122.201 | 49165 | 180.101.50.188 www.baidu.com | 443 |
| 192.168.122.201 | 49157 | 23.219.78.212 | 80 |
| 192.168.122.201 | 49167 | 8.210.154.70 www.chinapyg.com | 80 |
| 192.168.122.201 | 49168 | 8.210.154.70 www.chinapyg.com | 443 |
| 192.168.122.201 | 49169 | 81.70.124.99 www.douban.com | 443 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 51304 | 192.168.122.1 | 53 |
| 192.168.122.201 | 53118 | 192.168.122.1 | 53 |
| 192.168.122.201 | 57526 | 192.168.122.1 | 53 |
| 192.168.122.201 | 60155 | 192.168.122.1 | 53 |
| 192.168.122.201 | 63246 | 192.168.122.1 | 53 |
| 192.168.122.201 | 63472 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| ipc.exejm.com | A 112.192.19.239 | |
| bbs.125.la | A 103.8.220.72 | |
| www.baidu.com |
CNAME www.a.shifen.com A 180.101.50.188 A 180.101.50.242 |
|
| www.chinapyg.com | A 8.210.154.70 | |
| www.douban.com | 未知 |
CNAME forward.douban.com A 81.70.124.99 A 140.143.177.206 CNAME tc.forward.douban.com A 120.53.130.158 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49162 | 103.8.220.72 bbs.125.la | 443 |
| 192.168.122.201 | 49161 | 112.192.19.239 ipc.exejm.com | 6003 |
| 192.168.122.201 | 49170 | 112.192.19.239 ipc.exejm.com | 6002 |
| 192.168.122.201 | 49171 | 112.192.19.239 ipc.exejm.com | 6002 |
| 192.168.122.201 | 49165 | 180.101.50.188 www.baidu.com | 443 |
| 192.168.122.201 | 49157 | 23.219.78.212 | 80 |
| 192.168.122.201 | 49167 | 8.210.154.70 www.chinapyg.com | 80 |
| 192.168.122.201 | 49168 | 8.210.154.70 www.chinapyg.com | 443 |
| 192.168.122.201 | 49169 | 81.70.124.99 www.douban.com | 443 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 51304 | 192.168.122.1 | 53 |
| 192.168.122.201 | 53118 | 192.168.122.1 | 53 |
| 192.168.122.201 | 57526 | 192.168.122.1 | 53 |
| 192.168.122.201 | 60155 | 192.168.122.1 | 53 |
| 192.168.122.201 | 63246 | 192.168.122.1 | 53 |
| 192.168.122.201 | 63472 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
| URL专业沙箱检测 -> http://www.chinapyg.com/ | GET / HTTP/1.1 Accept: */* Referer: http://www.chinapyg.com/ Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: www.chinapyg.com Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
| Timestamp | Source IP | Source Port | Destination IP | Destination Port | Version | Issuer | Subject | Fingerprint |
|---|---|---|---|---|---|---|---|---|
| 2024-04-28 22:25:42.088353+0800 | 192.168.122.201 | 49165 | 180.101.50.188 | 443 | TLS 1.2 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com | 97:42:d5:98:27:d6:22:88:cf:59:c3:ff:75:86:8d:d5:d3:12:a0:af |
| 2024-04-28 22:25:20.666503+0800 | 192.168.122.201 | 49162 | 103.8.220.72 | 443 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G2 | CN=bbs.125.la | 6e:fb:8b:4a:e0:d5:d4:eb:96:8b:3c:b2:c4:db:51:c4:ea:a5:bb:0d |
| 2024-04-28 22:25:42.959040+0800 | 192.168.122.201 | 49169 | 81.70.124.99 | 443 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1 | C=CN, ST=Beijing, O=Beijing Douwang Technology Co. Ltd., CN=*.douban.com | 19:02:6e:57:27:dc:02:31:4c:77:f0:cb:5d:88:c9:4f:73:64:5c:5c |
| 2024-04-28 22:25:42.661464+0800 | 192.168.122.201 | 49168 | 8.210.154.70 | 443 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G1 | CN=chinapyg.com | 35:91:09:ea:4f:d8:af:36:4a:04:92:0a:04:02:46:f2:fc:19:c9:f9 |
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 74.517 seconds )
- 29.03 Static
- 15.978 NetworkAnalysis
- 11.58 Suricata
- 7.537 VirusTotal
- 4.255 BehaviorAnalysis
- 3.12 TargetInfo
- 2.486 AnalysisInfo
- 0.448 peid
- 0.069 config_decoder
- 0.012 Strings
- 0.002 Memory
Signatures ( 41.238 seconds )
- 38.874 network_http
- 1.363 proprietary_url_bl
- 0.275 api_spamming
- 0.248 stealth_decoy_document
- 0.233 stealth_timeout
- 0.019 antiav_detectreg
- 0.017 hawkeye_behavior
- 0.016 antisandbox_sleep
- 0.016 proprietary_domain_bl
- 0.012 stealth_file
- 0.009 injection_createremotethread
- 0.008 stealth_network
- 0.008 infostealer_ftp
- 0.007 webmail_phish
- 0.006 antiav_detectfile
- 0.005 antivm_vbox_libs
- 0.005 network_execute_http
- 0.005 generic_phish
- 0.005 anomaly_persistence_autorun
- 0.005 injection_runpe
- 0.005 secure_login_phish
- 0.005 infostealer_im
- 0.004 antiemu_wine_func
- 0.004 network_document_http
- 0.004 infostealer_browser_password
- 0.004 kovter_behavior
- 0.004 antianalysis_detectreg
- 0.004 geodo_banking_trojan
- 0.004 infostealer_bitcoin
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 wscript_downloader_http
- 0.003 office_dl_write_exe
- 0.003 injection_explorer
- 0.003 exec_crash
- 0.003 infostealer_mail
- 0.002 tinba_behavior
- 0.002 antiav_avast_libs
- 0.002 mimics_filetime
- 0.002 reads_self
- 0.002 antisandbox_sunbelt_libs
- 0.002 antisandbox_sboxie_libs
- 0.002 antidbg_windows
- 0.002 antivm_vbox_files
- 0.002 bot_drive
- 0.002 disables_browser_warn
- 0.002 network_torgateway
- 0.001 bootkit
- 0.001 rat_nanocore
- 0.001 antivm_vmware_libs
- 0.001 proprietary_anomaly_massive_file_ops
- 0.001 betabot_behavior
- 0.001 antiav_bitdefender_libs
- 0.001 kibex_behavior
- 0.001 antivm_generic_disk
- 0.001 cerber_behavior
- 0.001 virus
- 0.001 hancitor_behavior
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
- 0.001 proprietary_bad_drop
- 0.001 network_cnc_http
Reporting ( 0.484 seconds )
- 0.484 ReportHTMLSummary
| Task ID | 744433 |
|---|---|
| Mongo ID | 662e5d38dc327b46be811303 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号