分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2024-04-25 18:18:52 | 2024-04-25 18:19:50 | 58 秒 |
魔盾分数
5.775
可疑的
文件详细信息
| 文件名 | 查询电脑端001.exe |
|---|---|
| 文件大小 | 670208 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 362b61ee9adc0f7c8583ebf06d20a0e8 |
| SHA1 | 5699171720e84738fcd3968639490a628fb9979d |
| SHA256 | 947d371313978526863fec807e991bf4b31a7f1f1d8d081769068ffe27ee899b |
| SHA512 | edbb111f4d09460ba594fec65cc98c3cc34724e87e548713844670df959d643509a68e419adbc018f6df4ca0e210746f09ac6c6433cdcf91bd91b2dbc4fab6cd |
| CRC32 | 39D8CE3E |
| Ssdeep | 3072:91I2NxfpUdddddwddR4ccaZbuJjjUouU9LIe3HsS3r7L5s55ROhFYyFtj:1fnqjKU9LjHsS3r7u55RO/YyFt |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 183.66.100.32 | 中国 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| jkjkdll3-1323575486.cos.ap-chengdu.myqcloud.com | 未知 |
A 183.66.100.32 CNAME cd.file.myqcloud.com A 183.66.100.19 |
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00434a4e |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x000acc94 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2072-08-28 11:05:22 |
| 载入哈希 | f34d5f2d4577ed6d9ceec516c1f5a744 |
| 图标 |  |
| 图标精确哈希值 | 11d725c5772cd0d0425f76bddad3a344 |
| 图标相似性哈希值 | 5f52dcee58fa8c0f73f7151bb8eb066a |
版本信息
| Translation | |
|---|---|
| LegalCopyright | |
| Assembly Version | |
| InternalName | |
| FileVersion | |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00002000 | 0x00032a54 | 0x00032c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 2.78 |
| .rsrc | 0x00036000 | 0x00070858 | 0x00070a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.69 |
| .reloc | 0x000a8000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.10 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000a5e18 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.77 | GLS_BINARY_LSB_FIRST |
| RT_GROUP_ICON | 0x000a6290 | 0x00000092 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.10 | MS Windows icon resource - 10 icons, 256x256 |
| RT_VERSION | 0x000a6334 | 0x00000324 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.27 | data |
| RT_MANIFEST | 0x000a6668 | 0x000001ea | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.00 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
导入
库: mscoree.dll:
• 0x402000 _CorExeMain
装载信息
| 名称 | APP |
|---|---|
| 版本 | 6.0.0.0 |
装载参考
| 名称 | 版本 |
|---|---|
| mscorlib | 4.0.0.0 |
| System | 4.0.0.0 |
| System.Drawing | 4.0.0.0 |
| System.Windows.Forms | 4.0.0.0 |
| System.Management.Automation | 3.0.0.0 |
自定义属性
| 类型 | 名称 | 值 |
|---|---|---|
| Assembly | [mscorlib]System.Reflection.AssemblyTitleAttribute | TKRevi |
| Assembly | [mscorlib]System.Reflection.AssemblyDescriptionAttribute | TKRevi |
| Assembly | [mscorlib]System.Reflection.AssemblyCompanyAttribute | TKRevi |
| Assembly | [mscorlib]System.Reflection.AssemblyProductAttribute | TKRevi |
| Assembly | [mscorlib]System.Reflection.AssemblyCopyrightAttribute | TKRevi |
| Assembly | [mscorlib]System.Reflection.AssemblyTrademarkAttribute | TKRevi |
| Assembly | [mscorlib]System.Runtime.InteropServices.GuidAttribute | d33062c9-bea7-4656-b395-77b7014fb2 |
| Assembly | [mscorlib]System.Reflection.AssemblyFileVersionAttribute | 6.0.0 |
类型参考
| 装载 | 类型名称 |
|---|---|
| System | System.CodeDom.Compiler.GeneratedCodeAttribute |
| System | System.ComponentModel.Container |
| System | System.ComponentModel.EditorBrowsableAttribute |
| System | System.ComponentModel.EditorBrowsableState |
| System | System.ComponentModel.IContainer |
| System | System.Configuration.ApplicationSettingsBase |
| System | System.Configuration.SettingsBase |
| System | System.Diagnostics.Process |
| System | System.Diagnostics.ProcessStartInfo |
| System | System.Net.WebClient |
| System.Drawing | System.Drawing.Icon |
| System.Drawing | System.Drawing.Size |
| System.Drawing | System.Drawing.SizeF |
| System.Management.Automation | System.Management.Automation.PSObject |
| System.Management.Automation | System.Management.Automation.Runspaces.CommandCollection |
| System.Management.Automation | System.Management.Automation.Runspaces.Pipeline |
| System.Management.Automation | System.Management.Automation.Runspaces.Runspace |
| System.Management.Automation | System.Management.Automation.Runspaces.RunspaceFactory |
| System.Windows.Forms | System.Windows.Forms.Application |
| System.Windows.Forms | System.Windows.Forms.AutoScaleMode |
| System.Windows.Forms | System.Windows.Forms.ContainerControl |
| System.Windows.Forms | System.Windows.Forms.ContextMenuStrip |
| System.Windows.Forms | System.Windows.Forms.Control |
| System.Windows.Forms | System.Windows.Forms.Form |
| mscorlib | System.Byte |
| mscorlib | System.Collections.Generic.IEnumerator`1 |
| mscorlib | System.Collections.IEnumerator |
| mscorlib | System.Collections.ObjectModel.Collection`1 |
| mscorlib | System.Console |
| mscorlib | System.Convert |
| mscorlib | System.Diagnostics.DebuggableAttribute |
| mscorlib | System.Diagnostics.DebuggableAttribute/DebuggingModes |
| mscorlib | System.Diagnostics.DebuggerNonUserCodeAttribute |
| mscorlib | System.Environment |
| mscorlib | System.EventArgs |
| mscorlib | System.EventHandler |
| mscorlib | System.Exception |
| mscorlib | System.Globalization.CultureInfo |
| mscorlib | System.IDisposable |
| mscorlib | System.IO.Directory |
| mscorlib | System.IO.DirectoryInfo |
| mscorlib | System.IO.File |
| mscorlib | System.IO.Stream |
| mscorlib | System.Object |
| mscorlib | System.OperatingSystem |
| mscorlib | System.Reflection.Assembly |
| mscorlib | System.Reflection.AssemblyCompanyAttribute |
| mscorlib | System.Reflection.AssemblyConfigurationAttribute |
| mscorlib | System.Reflection.AssemblyCopyrightAttribute |
| mscorlib | System.Reflection.AssemblyDescriptionAttribute |
| mscorlib | System.Reflection.AssemblyFileVersionAttribute |
| mscorlib | System.Reflection.AssemblyProductAttribute |
| mscorlib | System.Reflection.AssemblyTitleAttribute |
| mscorlib | System.Reflection.AssemblyTrademarkAttribute |
| mscorlib | System.Resources.ResourceManager |
| mscorlib | System.Runtime.CompilerServices.CompilationRelaxationsAttribute |
| mscorlib | System.Runtime.CompilerServices.CompilerGeneratedAttribute |
| mscorlib | System.Runtime.CompilerServices.RuntimeCompatibilityAttribute |
| mscorlib | System.Runtime.InteropServices.ComVisibleAttribute |
| mscorlib | System.Runtime.InteropServices.GuidAttribute |
| mscorlib | System.Runtime.Versioning.TargetFrameworkAttribute |
| mscorlib | System.RuntimeTypeHandle |
| mscorlib | System.STAThreadAttribute |
| mscorlib | System.Security.Principal.WindowsBuiltInRole |
| mscorlib | System.Security.Principal.WindowsIdentity |
| mscorlib | System.Security.Principal.WindowsPrincipal |
| mscorlib | System.String |
| mscorlib | System.Text.Encoding |
| mscorlib | System.Text.StringBuilder |
| mscorlib | System.Threading.Thread |
| mscorlib | System.Type |
| mscorlib | System.Version |
.text
`.rsrc
@.reloc
v4.0.30319
#Strings
#GUID
#Blob
Collection`1
IEnumerator`1
Form1
contextMenuStrip1
WindowsFormsApp1
get_IconGroup32512
get_ag123
get_UTF8
<Module>
SizeF
System.IO
mscorlib
set_Verb
System.Collections.Generic
Thread
Form1_Load
add_Load
Synchronized
CreateRunspace
defaultInstance
set_AutoScaleMode
Base64Decode
get_Message
Invoke
IDisposable
RuntimeTypeHandle
GetTypeFromHandle
DownloadFile
IsInRole
WindowsBuiltInRole
Console
set_Name
set_FileName
AppendLine
WriteLine
CreatePipeline
get_Culture
set_Culture
resourceCulture
ApplicationSettingsBase
Close
Dispose
EditorBrowsableState
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
value
APP.exe
set_Size
set_ClientSize
System.Threading
Encoding
System.Runtime.Versioning
FromBase64String
ToString
GetString
disposing
System.Drawing
get_ExecutablePath
get_Length
System.Security.Principal
WindowsPrincipal
System.Collections.ObjectModel
System.ComponentModel
ContainerControl
GetManifestResourceStream
Program
OperatingSystem
resourceMan
RestartAsAdmin
get_OSVersion
get_Version
Application
System.Management.Automation
System.Configuration
System.Globalization
System.Reflection
CommandCollection
Exception
CultureInfo
ProcessStartInfo
DirectoryInfo
Sleep
ContextMenuStrip
StringBuilder
sender
get_ResourceManager
EventHandler
System.CodeDom.Compiler
IContainer
ExtractAndRunFlashPlayer
get_Major
get_Minor
IEnumerator
GetEnumerator
IsAdministrator
.ctor
.cctor
System.Diagnostics
get_Commands
System.Management.Automation.Runspaces
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
WindowsFormsApp1.Form1.resources
Windows.Properties.Resources.resources
DebuggingModes
Windows.Properties
EnableVisualStyles
WriteAllBytes
Settings
EventArgs
System.Windows.Forms
set_AutoScaleDimensions
System.Collections
Process
components
Concat
PSObject
GetObject
System.Net
get_Default
SetCompatibleTextRenderingDefault
WebClient
Environment
InitializeComponent
get_Current
GetCurrent
AddScript
RunScript
script
Start
Convert
SuspendLayout
ResumeLayout
MoveNext
System.Text
set_Text
set_MinimizeBox
set_MaximizeBox
set_ControlBox
get_Assembly
RunspaceFactory
CreateDirectory
WindowsIdentity
TKReview
$d33062c9-bea7-4656-b395-77b7014fb2a6
6.0.0.0
17.0.0.0
17.9.0.0
height
runas
IconGroup32512
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 183.66.100.32 | 中国 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49161 | 183.66.100.32 jkjkdll3-1323575486.cos.ap-chengdu.myqcloud.com | 443 |
| 192.168.122.201 | 49160 | 23.15.196.139 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59906 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| jkjkdll3-1323575486.cos.ap-chengdu.myqcloud.com | 未知 |
A 183.66.100.32 CNAME cd.file.myqcloud.com A 183.66.100.19 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49161 | 183.66.100.32 jkjkdll3-1323575486.cos.ap-chengdu.myqcloud.com | 443 |
| 192.168.122.201 | 49160 | 23.15.196.139 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59906 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
| Timestamp | Source IP | Source Port | Destination IP | Destination Port | Version | Issuer | Subject | Fingerprint |
|---|---|---|---|---|---|---|---|---|
| 2024-04-25 18:19:29.534314+0800 | 192.168.122.201 | 49161 | 183.66.100.32 | 443 | TLS 1.2 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G3 | C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, CN=*.cos.ap-chengdu.myqcloud.com | aa:f6:6a:f6:b5:ea:9f:c6:e8:7b:d5:98:a3:39:06:39:b2:65:c2:7d |
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 31.264 seconds )
- 13.595 NetworkAnalysis
- 11.34 Suricata
- 2.111 AnalysisInfo
- 1.399 BehaviorAnalysis
- 1.302 TargetInfo
- 1.027 Static
- 0.306 peid
- 0.144 static_dotnet
- 0.035 Strings
- 0.004 Memory
- 0.001 config_decoder
Signatures ( 1.934 seconds )
- 1.358 proprietary_url_bl
- 0.07 antiav_detectreg
- 0.06 api_spamming
- 0.05 stealth_decoy_document
- 0.049 stealth_timeout
- 0.03 infostealer_ftp
- 0.018 antiav_detectfile
- 0.017 infostealer_im
- 0.016 antivm_generic_scsi
- 0.014 antianalysis_detectreg
- 0.012 infostealer_bitcoin
- 0.011 antiemu_wine_func
- 0.011 kovter_behavior
- 0.011 infostealer_mail
- 0.011 proprietary_domain_bl
- 0.01 antivm_generic_services
- 0.01 infostealer_browser_password
- 0.008 mimics_filetime
- 0.008 anormaly_invoke_kills
- 0.007 reads_self
- 0.007 antivm_generic_disk
- 0.006 bootkit
- 0.006 stealth_file
- 0.006 anomaly_persistence_autorun
- 0.006 virus
- 0.006 antivm_vbox_files
- 0.006 geodo_banking_trojan
- 0.005 proprietary_anomaly_massive_file_ops
- 0.004 injection_createremotethread
- 0.004 betabot_behavior
- 0.004 kibex_behavior
- 0.004 hancitor_behavior
- 0.004 network_http
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 antivm_vbox_libs
- 0.003 injection_runpe
- 0.003 antivm_parallels_keys
- 0.003 antivm_xen_keys
- 0.003 darkcomet_regkeys
- 0.003 packer_armadillo_regkey
- 0.002 tinba_behavior
- 0.002 hawkeye_behavior
- 0.002 network_tor
- 0.002 rat_nanocore
- 0.002 antiav_avast_libs
- 0.002 infostealer_browser
- 0.002 antisandbox_sunbelt_libs
- 0.002 antisandbox_sboxie_libs
- 0.002 shifu_behavior
- 0.002 exec_crash
- 0.002 antidbg_devices
- 0.002 antivm_generic_diskreg
- 0.002 disables_browser_warn
- 0.002 network_torgateway
- 0.002 rat_pcclient
- 0.001 proprietary_anomaly_write_exe_and_obsfucate_extension
- 0.001 dridex_behavior
- 0.001 antivm_vmware_libs
- 0.001 proprietary_malicious_write_executeable_under_temp_to_regrun
- 0.001 kazybot_behavior
- 0.001 antiav_bitdefender_libs
- 0.001 antidbg_windows
- 0.001 cerber_behavior
- 0.001 bypass_firewall
- 0.001 antianalysis_detectfile
- 0.001 antisandbox_productid
- 0.001 antivm_xen_keys
- 0.001 antivm_hyperv_keys
- 0.001 antivm_vbox_acpi
- 0.001 antivm_vbox_keys
- 0.001 antivm_vmware_files
- 0.001 antivm_vmware_keys
- 0.001 antivm_vpc_keys
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 codelux_behavior
- 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
- 0.001 proprietary_anomaly_invoke_vb_vba
- 0.001 proprietary_bad_drop
- 0.001 network_cnc_http
- 0.001 recon_fingerprint
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.556 seconds )
- 0.484 ReportHTMLSummary
- 0.072 Malheur
| Task ID | 744310 |
|---|---|
| Mongo ID | 662a2e927e769a5b6bbf311c |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号