Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-2  2024-04-18 10:41:48  2024-04-18 10:44:03  135 seconds

Maldun score

8.688

Dangerous

The behaviour log and the signature matches that produced this score are not included on this page; only the per-module run times at the end are visible.

File details

Filename  KYTOOL-KEYGEN-2018.1.exe
File size  232448 bytes
File type  PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5  2714214e6261a1987c9eaf6f85dd3cea
SHA1  9d325ace77e0becb8ea442e7d6d7e029d5ccf3ed
SHA256  d7addd2dcf280ab74e956eb01da3f67f76a358a3cd94c19b457ede97c64cb1c0
SHA512  35f443a0ff649c3499a9da1e85f4fe470419b9a2ccb9746662744f7547f999e19b3bee2a81338861e68a77ed97ce4bae9e062516598a0ac7918c369554230993
CRC32  7358B019
Ssdeep  3072:QUl1viuP5Ly7d8s0I0cRF/higwjlQAmKnrEmal2UsabPUkMc7ueBfgwamVR7XPSu:Q21a6u7db0bIrmvrEY6F77udeVZaI

Hosts contacted

No host records.

Domain resolution

No domain information.


PE information

Image base  0x00400000
Entry point  0x00439d56
Declared checksum  0x00000000
Actual checksum  0x00040ee9
Minimum OS version  4.0
PDB path  E:\tmp\CM\52\614963\KYTOOL-KEYGEN-2018.1\KYTOOL-KEYGEN-2018.1\bin\x86\Release\Secured\KYTOOL-KEYGEN-2018.1.pdb
Compile time  2018-08-06 14:07:42
Import hash  f34d5f2d4577ed6d9ceec516c1f5a744

The PDB path points at a Secured\ directory beneath the normal Release\ output, so the file on disk is a post-processed build rather than the compiler's direct output; the Agile.NET attributes in the strings section name the tool that did it. The import hash covers only the single mscoree.dll import and is shared by practically every .NET executable, so it is not a useful pivot for this sample.

Version information

Translation
LegalCopyright
Assembly Version
InternalName
FileVersion
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text  0x00002000  0x00037e20  0x00038000  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ  7.23
.rsrc  0x0003a000  0x00000608  0x00000800  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ  3.50
.reloc  0x0003c000  0x0000000c  0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  0.10
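
The section table above is what a parser of the PE section headers produces. The following added example (editor's code, not part of the Maldun/Cuckoo report and not the sandbox's own static module) reconstructs those rows from the raw headers and flags executable sections whose raw bytes sit near the 8.0 entropy ceiling, as .text does here at 7.23: plain IL or native code does not look like that, compressed or encrypted content does, which fits the protector runtime identified elsewhere in this report. It runs on a constructed, non-loadable PE32 so that it works offline; pass a real file's bytes to parse_sections to reproduce the report's table. Assumptions: only the subset of IMAGE_SCN_* flags listed is decoded, and the 7.0 threshold is a heuristic chosen here, not a value from the report.

```python
import hashlib
import math
import struct

# Subset of IMAGE_SCN_* section characteristic bits (values from winnt.h).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_flags(value):
    """Render characteristics the way the report does: known flags joined by '|', ascending."""
    return "|".join(name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section, with the entropy of its raw bytes on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _r, _l, _nr, _nl, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": decode_flags(chars),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def suspicious_code_sections(sections, threshold=7.0):
    """Names of executable sections whose raw bytes are near the 8.0 ceiling (heuristic)."""
    return [s["name"] for s in sections
            if "IMAGE_SCN_MEM_EXECUTE" in s["characteristics"] and s["entropy"] >= threshold]


def build_sample_pe():
    """Constructed, non-loadable PE32 with just enough header for the parser:
    a high-entropy .text (chained SHA-256 filler) and a low-entropy .rsrc."""
    filler, block = b"", b"seed"
    while len(filler) < 0x1000:
        block = hashlib.sha256(block).digest()
        filler += block
    text = filler[:0x1000]
    rsrc = b"AB" * 0x100                       # two symbols, equally likely: entropy exactly 1.0
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x0102)

    def section(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + optional
               + section(b".text", 0x1000, 0x2000, 0x1000, 0x200, 0x60000020)
               + section(b".rsrc", 0x200, 0x4000, 0x200, 0x1200, 0x40000040))
    headers += b"\0" * (0x200 - len(headers))  # pad headers to the file alignment
    return headers + text + rsrc


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f'{s["name"]:<8}{s["virtual_address"]:#010x} {s["virtual_size"]:#010x} '
              f'{s["raw_size"]:#010x} {s["characteristics"]} {s["entropy"]:.2f}')
    print("high-entropy code sections:", suspicious_code_sections(secs))
```

Entropy is computed over the raw bytes on disk (SizeOfRawData), which is what the report's column measures; a section with VirtualSize larger than its raw size (.bss-style) simply contributes its on-disk bytes.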

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_VERSION  0x0003a0a0  0x0000037c  LANG_NEUTRAL  SUBLANG_NEUTRAL  3.38  data
RT_MANIFEST  0x0003a41c  0x000001ea  LANG_NEUTRAL  SUBLANG_NEUTRAL  5.00  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

Library: mscoree.dll
0x402000  _CorExeMain

_CorExeMain is the only native import, as expected for a managed executable: the native entry stub hands control to the CLR, and the real behaviour lives in the IL and in the assemblies referenced below.

Assembly information

Name  KYTOOL-KEYGEN-2018.1
Version  1.0.0.0

Assembly references

Name  Version
mscorlib  4.0.0.0
System.Windows.Forms  4.0.0.0
System  4.0.0.0
System.Drawing  4.0.0.0
FINALFANTASYXIV  6.4.0.31

FINALFANTASYXIV is not a framework assembly. Together with the referenced type VMRuntime.Libraries.CSVMRuntime and the strings ObfuscatedByAgileDotNetAttribute, SecureTeam.Attributes and _CSVM further down, it identifies the Agile.NET (SecureTeam) code-virtualization runtime under a renamed assembly name. The strings FINALFANTASYXIV.dll and FINALFANTASYXIV64.dll next to kernel32.dll, LoadLibraryA, GetProcAddress, _Initialize and _Initialize64 are consistent with that runtime carrying x86 and x64 native libraries that it loads at start-up.

Custom attributes

Target  Attribute  Value
Assembly  [mscorlib]System.Reflection.AssemblyFileVersionAttribute  1.0.0
Assembly  [mscorlib]System.Runtime.InteropServices.GuidAttribute  1b3a8fa9-f31e-482b-a64b-9596c41780
Assembly  [mscorlib]System.Reflection.AssemblyCopyrightAttribute  Copyright © 20
Assembly  [mscorlib]System.Reflection.AssemblyProductAttribute  KYTOOL-KEYGEN-2018
Assembly  [mscorlib]System.Reflection.AssemblyTitleAttribute  KYTOOL-KEYGEN-2018

The values are cut short as displayed in the report; the untruncated GUID, for instance, appears in the strings section.

Type references

Assembly  Type name
FINALFANTASYXIV VMRuntime.Libraries.CSVMRuntime
System System.CodeDom.Compiler.GeneratedCodeAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
System System.ComponentModel.IContainer
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
System System.IO.Compression.CompressionMode
System System.IO.Compression.GZipStream
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.Control
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.Form
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.TextBox
mscorlib System.AppDomain
mscorlib System.Array
mscorlib System.AsyncCallback
mscorlib System.Attribute
mscorlib System.BitConverter
mscorlib System.Byte
mscorlib System.Char
mscorlib System.Char
mscorlib System.Collections.Hashtable
mscorlib System.Convert
mscorlib System.Convert
mscorlib System.Delegate
mscorlib System.Delegate
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Diagnostics.StackFrame
mscorlib System.Diagnostics.StackTrace
mscorlib System.Environment
mscorlib System.EventArgs
mscorlib System.EventHandler
mscorlib System.Exception
mscorlib System.Globalization.CultureInfo
mscorlib System.IAsyncResult
mscorlib System.IDisposable
mscorlib System.IDisposable
mscorlib System.IO.BinaryReader
mscorlib System.IO.Directory
mscorlib System.IO.DirectoryInfo
mscorlib System.IO.File
mscorlib System.IO.FileStream
mscorlib System.IO.MemoryStream
mscorlib System.IO.Path
mscorlib System.IO.Stream
mscorlib System.IntPtr
mscorlib System.Math
mscorlib System.ModuleHandle
mscorlib System.MulticastDelegate
mscorlib System.Object
mscorlib System.Object
mscorlib System.Object
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Reflection.BindingFlags
mscorlib System.Reflection.Emit.DynamicMethod
mscorlib System.Reflection.Emit.ILGenerator
mscorlib System.Reflection.Emit.OpCode
mscorlib System.Reflection.Emit.OpCodes
mscorlib System.Reflection.FieldInfo
mscorlib System.Reflection.MemberInfo
mscorlib System.Reflection.MethodBase
mscorlib System.Reflection.MethodBase
mscorlib System.Reflection.MethodInfo
mscorlib System.Reflection.Module
mscorlib System.Reflection.ObfuscationAttribute
mscorlib System.Reflection.ObfuscationAttribute
mscorlib System.Reflection.ParameterInfo
mscorlib System.Reflection.PropertyInfo
mscorlib System.ResolveEventArgs
mscorlib System.ResolveEventHandler
mscorlib System.Resources.ResourceManager
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.RuntimeFieldHandle
mscorlib System.RuntimeMethodHandle
mscorlib System.RuntimeMethodHandle
mscorlib System.RuntimeTypeHandle
mscorlib System.RuntimeTypeHandle
mscorlib System.RuntimeTypeHandle
mscorlib System.STAThreadAttribute
mscorlib System.Security.AccessControl.AccessControlType
mscorlib System.Security.AccessControl.FileSecurity
mscorlib System.Security.AccessControl.FileSystemAccessRule
mscorlib System.Security.AccessControl.FileSystemRights
mscorlib System.Security.AccessControl.FileSystemSecurity
mscorlib System.Security.Cryptography.CryptoStream
mscorlib System.Security.Cryptography.CryptoStreamMode
mscorlib System.Security.Cryptography.DESCryptoServiceProvider
mscorlib System.Security.Cryptography.HashAlgorithm
mscorlib System.Security.Cryptography.ICryptoTransform
mscorlib System.Security.Cryptography.MD5
mscorlib System.Security.Cryptography.MD5CryptoServiceProvider
mscorlib System.Security.Cryptography.SymmetricAlgorithm
mscorlib System.Security.Principal.IdentityReference
mscorlib System.Security.Principal.SecurityIdentifier
mscorlib System.Security.Principal.WindowsIdentity
mscorlib System.Security.Principal.WindowsImpersonationContext
mscorlib System.Security.SecuritySafeCriticalAttribute
mscorlib System.String
mscorlib System.String
mscorlib System.String
mscorlib System.Text.Encoding
mscorlib System.Text.StringBuilder
mscorlib System.Threading.Monitor
mscorlib System.Threading.Monitor
mscorlib System.Type
mscorlib System.Type
mscorlib System.Type
mscorlib System.ValueType
mscorlib System.Version

Strings

.text
`.rsrc
@.reloc
v4.0.30319
#Strings
#GUID
#Blob
KYTOOL-KEYGEN-2018.1.exe
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
DebuggableAttribute
System.Diagnostics
DebuggingModes
AssemblyTitleAttribute
System.Reflection
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
Object
System
EventArgs
System.Security.Cryptography
STAThreadAttribute
DebuggerNonUserCodeAttribute
CompilerGeneratedAttribute
ResourceManager
System.Resources
CultureInfo
System.Globalization
String
MD5CryptoServiceProvider
HashAlgorithm
IDisposable
EventHandler
RuntimeTypeHandle
Assembly
Attribute
SecuritySafeCriticalAttribute
System.Security
ValueType
Array
RuntimeFieldHandle
RuntimeHelpers
Hashtable
System.Collections
StringBuilder
System.Text
Convert
Monitor
System.Threading
AppDomain
ResolveEventHandler
ObfuscationAttribute
ResolveEventArgs
PropertyInfo
Stream
System.IO
Environment
Version
BinaryReader
DESCryptoServiceProvider
ICryptoTransform
MemoryStream
CryptoStream
Encoding
SymmetricAlgorithm
CryptoStreamMode
MulticastDelegate
IAsyncResult
AsyncCallback
FileStream
FileSystemAccessRule
System.Security.AccessControl
FileSecurity
WindowsImpersonationContext
System.Security.Principal
IntPtr
DirectoryInfo
Directory
IdentityReference
FileSystemRights
AccessControlType
SecurityIdentifier
FileSystemSecurity
WindowsIdentity
Delegate
Marshal
StackTrace
StackFrame
MethodBase
RuntimeMethodHandle
Module
ModuleHandle
FieldInfo
MethodInfo
ParameterInfo
DynamicMethod
System.Reflection.Emit
ILGenerator
BindingFlags
MemberInfo
BitConverter
OpCodes
OpCode
Exception
System.Windows.Forms
TextBox
Button
Label
Control
ControlCollection
ButtonBase
ContainerControl
AutoScaleMode
Application
IContainer
System.ComponentModel
GeneratedCodeAttribute
System.CodeDom.Compiler
EditorBrowsableState
EditorBrowsableAttribute
ApplicationSettingsBase
System.Configuration
SettingsBase
GZipStream
System.IO.Compression
CompressionMode
Point
System.Drawing
SizeF
CSVMRuntime
VMRuntime.Libraries
<Module>
Form1
KYTOOL_KEYGEN_2018._1
Settings
KYTOOL_KEYGEN_2018._1.Properties
ObfuscatedByAgileDotNetAttribute
SecureTeam.Attributes
<FINALFANTASYXIV>
InitializeDelegate
ExitDelegate
{FE3C441D-DF9D-407b-917D-0B4471A8296C}
defaultInstance
inited
runtimeAssembly
uAAAAA==
KwAAAA==
rQAAAA==
rgAAAA==
rwAAAA==
JQAAAA==
SwAAAA==
JgAAAA==%
swAAAA==
NgAAAA==
NwAAAA==
TgAAAA==
MAAAAA==%
MQAAAA==%
NQAAAA==
NAAAAA==%
DwAAAA==%
UgAAAA==%
MgAAAA==%
JwAAAA==
PwAAAA==
YAAAAA==
VAAAAA==%
SgAAAA==%
UwAAAA==%
YQAAAA==
HQAAAA==
YgAAAA==
HwAAAA==
YwAAAA==
ZAAAAA==
RwAAAA==%
SAAAAA==%
TwAAAA==%
ZQAAAA==
aAAAAA==%
ZgAAAA==
agAAAA==
bQAAAA==%
bgAAAA==%
bwAAAA==%
OgAAAA==
PAAAAA==%
OwAAAA==%
SQAAAA==
TAAAAA==
RAAAAA==%
OQAAAA==
QAAAAA==%
QQAAAA==
QgAAAA==%
UAAAAA==
RQAAAA==%
RgAAAA==%
WAAAAA==
WQAAAA==%
WgAAAA==%
WwAAAA==%
XAAAAA==%
.cctor
.ctor
Dispose
get_Default
LoadLibraryA
GetProcAddress
_Initialize
_Initialize64
_AtExit
_AtExit64
InitializeThroughDelegate
InitializeThroughDelegate64
ExitThroughDelegate
ExitThroughDelegate64
DomainUnload
Initialize
PostInitialize
BeginInvoke
EndInvoke
Invoke
sender
string_0
string_1
disposing
value
resourceStream
proxyDelegateTypeToken
ToString
get_Length
Substring
Concat
Replace
TrimStart
TrimEnd
ToCharArray
get_Chars
Format
Equals
ComputeHash
GetTypeFromHandle
get_Assembly
GetExecutingAssembly
GetManifestResourceStream
LoadFile
InitializeArray
ContainsKey
get_Item
set_Item
Append
ToChar
Enter
ReferenceEquals
get_CurrentDomain
add_ResourceResolve
add_DomainUnload
GetManifestResourceNames
get_Name
GetValue
get_Position
Write
Close
get_Version
get_Major
GetProperty
op_Equality
ReadString
ReadBytes
ReadInt32
get_ASCII
GetBytes
set_Key
set_IV
CreateDecryptor
get_Size
GetTempPath
CreateDirectory
Exists
OpenWrite
GetAccessControl
SetAccessControl
AddAccessRule
Impersonate
GetDelegateForFunctionPointer
get_FrameCount
GetFrame
GetMethod
get_MethodHandle
get_Value
GetFunctionPointer
GetModules
get_ModuleHandle
ResolveTypeHandle
ResolveMethodHandle
GetFields
get_FieldType
SetValue
get_ReturnType
CreateDelegate
get_ParameterType
GetILGenerator
EndsWith
Empty
FromBase64String
ToUInt32
GetMethodFromHandle
get_IsStatic
GetParameters
Ldarg_0
Ldarg_1
Ldarg_2
Ldarg_3
Ldarg_S
Callvirt
set_ClientSize
get_Text
set_Text
SuspendLayout
set_Location
set_Name
set_Size
set_TabIndex
add_Click
set_AutoSize
get_Controls
ResumeLayout
PerformLayout
set_UseVisualStyleBackColor
set_AutoScaleDimensions
set_AutoScaleMode
EnableVisualStyles
SetCompatibleTextRenderingDefault
Synchronized
RunMethod
Default
FINALFANTASYXIV.dll
FINALFANTASYXIV64.dll
kernel32.dll
KYTOOL-KEYGEN-2018.1
mscorlib
FINALFANTASYXIV
_CSVM
{FEA94A50-E5C8-4edd-BE62-F738BC8C043E}
8e724021-1442-479d-9d73-2d9887225b17
eda4b63b-70ce-4cb2-813e-b9f9c1511aa8
4.0.0.0
11.0.0.0
KYTOOL-KEYGEN-2018.1
2018
$1b3a8fa9-f31e-482b-a64b-9596c417809f
1.0.0.0
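
As an added example (editor's code, not a Cuckoo signature and not anything the sandbox ran on this sample), the next block applies two triage steps a reviewer would take on the strings above. First, it decodes the 8-character base64 strings: each holds exactly four bytes and, read little-endian, turns out to be a small integer (0x0f to 0xb8 in the sample set), which looks like a token or index table rather than encrypted payload. Second, it checks the dump for API-name clusters that together describe a protector runtime that decrypts an embedded resource, drops a native DLL into a temp folder with an adjusted ACL, and loads it through LoadLibraryA/GetProcAddress. The indicator groups, the 0.75 match threshold, the treatment of a trailing '%' as extraction noise, and the idea that NAME.dll/NAME64.dll pairs indicate x86/x64 natives are the editor's assumptions; the sample input is a subset copied from the strings section above.

```python
import base64
import re
import struct

# Subset of strings copied from this report's strings dump; used as the sample input.
REPORT_STRINGS = [
    "LoadLibraryA", "GetProcAddress", "GetDelegateForFunctionPointer",
    "GetManifestResourceStream", "GZipStream", "DESCryptoServiceProvider", "CreateDecryptor",
    "GetTempPath", "CreateDirectory", "OpenWrite", "SetAccessControl", "AddAccessRule",
    "Impersonate", "ObfuscatedByAgileDotNetAttribute", "SecureTeam.Attributes",
    "CSVMRuntime", "_CSVM", "FINALFANTASYXIV.dll", "FINALFANTASYXIV64.dll", "kernel32.dll",
    "uAAAAA==", "KwAAAA==", "JgAAAA==%", "DwAAAA==%", "Form1", "mscorlib",
]

# Editor-defined indicator groups (assumption, not Cuckoo signatures): each group lists
# API or attribute names that together describe one behaviour a protector runtime needs.
INDICATOR_GROUPS = {
    "native_loader":    {"LoadLibraryA", "GetProcAddress", "GetDelegateForFunctionPointer"},
    "embedded_payload": {"GetManifestResourceStream", "GZipStream",
                         "DESCryptoServiceProvider", "CreateDecryptor"},
    "temp_drop":        {"GetTempPath", "CreateDirectory", "OpenWrite",
                         "SetAccessControl", "AddAccessRule"},
    "agile_net":        {"ObfuscatedByAgileDotNetAttribute", "SecureTeam.Attributes",
                         "CSVMRuntime", "_CSVM"},
}

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{6}==%?$")   # 6 base64 chars + '==' encode exactly 4 bytes


def decode_tokens(strings):
    """Map each 8-character base64 string to the little-endian u32 it encodes.
    A trailing '%' is assumed to be extraction noise (the next byte in the file) and is dropped."""
    tokens = {}
    for s in strings:
        if B64_TOKEN.match(s):
            raw = base64.b64decode(s.rstrip("%"))
            tokens[s] = struct.unpack("<I", raw)[0]
    return tokens


def match_groups(strings, min_fraction=0.75):
    """Return the groups whose members are mostly present, with the names that matched."""
    present = set(strings)
    hits = {}
    for group, needles in INDICATOR_GROUPS.items():
        found = sorted(needles & present)
        if len(found) / len(needles) >= min_fraction:
            hits[group] = found
    return hits


def native_dll_pairs(strings):
    """Find NAME.dll / NAME64.dll pairs, the shape of a runtime shipping x86 and x64 natives."""
    names = {s for s in strings if s.lower().endswith(".dll")}
    pairs = []
    for n in sorted(names):
        stem = n[:-4]
        if stem.endswith("64") and stem[:-2] + ".dll" in names:
            pairs.append((stem[:-2] + ".dll", n))
    return pairs


def triage(strings):
    """One-shot summary of the three checks for a reviewer's notes."""
    tokens = decode_tokens(strings)
    return {
        "groups": match_groups(strings),
        "native_pairs": native_dll_pairs(strings),
        "token_count": len(tokens),
        "token_range": (min(tokens.values()), max(tokens.values())) if tokens else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_STRINGS), indent=2))
```

Run it against the full strings dump (one string per line) to see every token value and which clusters are complete; a cluster hit is a reason to pull the manifest resource and the dropped DLL from the temp directory, not a verdict on its own.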

Antivirus scan

No antivirus engine scan information.

Process tree

KYTOOL-KEYGEN-2018.1.exe, PID: 2648, parent PID: 2300

Network traffic

TCP

Source address  Source port  Destination address  Destination port
192.168.122.202  49158  208.185.115.114  80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.202  50785  192.168.122.1  53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Caveat: acroipm.adobe.com with the IPM user agent is Adobe Acrobat Reader's in-product messaging check-in, and the If-Modified-Since date shows the VM image had fetched this file before. The report does not attribute the request to PID 2648, so it is better read as background traffic from the analysis VM than as command-and-control by the sample, unless the behaviour log shows otherwise.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files dropped.
No similar analyses found.

Processing ( 24.698 seconds )

  • 11.84 Suricata
  • 10.403 NetworkAnalysis
  • 0.696 Static
  • 0.651 AnalysisInfo
  • 0.381 peid
  • 0.294 TargetInfo
  • 0.24 BehaviorAnalysis
  • 0.18 static_dotnet
  • 0.011 Strings
  • 0.002 Memory

Signatures ( 1.573 seconds; run time of each signature module, not a list of matches )

  • 1.351 proprietary_url_bl
  • 0.02 antiav_detectreg
  • 0.019 infostealer_ftp
  • 0.014 api_spamming
  • 0.012 stealth_decoy_document
  • 0.012 stealth_timeout
  • 0.011 antiav_detectfile
  • 0.011 infostealer_bitcoin
  • 0.009 proprietary_domain_bl
  • 0.008 infostealer_mail
  • 0.007 infostealer_im
  • 0.006 anomaly_persistence_autorun
  • 0.005 antivm_vbox_files
  • 0.005 geodo_banking_trojan
  • 0.004 infostealer_browser_password
  • 0.004 antianalysis_detectreg
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 antiemu_wine_func
  • 0.003 rat_nanocore
  • 0.003 mimics_filetime
  • 0.003 kovter_behavior
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 bootkit
  • 0.002 stealth_file
  • 0.002 injection_createremotethread
  • 0.002 antivm_generic_services
  • 0.002 betabot_behavior
  • 0.002 reads_self
  • 0.002 antivm_generic_disk
  • 0.002 virus
  • 0.002 browser_security
  • 0.002 disables_browser_warn
  • 0.002 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antivm_vbox_libs
  • 0.001 antiav_avast_libs
  • 0.001 proprietary_anomaly_massive_file_ops
  • 0.001 ursnif_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 exec_crash
  • 0.001 anormaly_invoke_kills
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 hancitor_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 codelux_behavior
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient

Reporting ( 0.567 seconds )

  • 0.557 ReportHTMLSummary
  • 0.01 Malheur
Task ID 744070
Mongo ID 6620893b7e769a7c1a16e6e3
Cuckoo release 1.4-Maldun