恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2024-04-25 23:35:00	2024-04-25 23:35:36	36 秒

魔盾分数

0.4

正常的

文件详细信息

文件名	TheoraLib.dll
文件大小	319488 字节
文件类型	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	da84e68153d99f070afce4d9306d0e28
SHA1	d2ba8c4fdf792e0095d76ac3bebc201dc7351155
SHA256	1c0aa6a34a181bd3c9af99ac1655174c5533f84486968ff1aef9e3ee62891932
SHA512	8465f2e98fa471cc2847ff0d36dff65171d35fb32ea9f69617ed8749502569187afca2e62d98f416c7a0ef2be7d0885d6f1f288cb78fccd9e335c56322d521a6
CRC32	1CAAEDDC
Ssdeep	3072:1LYm9WPuwFORc8OqkGnFKgru8THDNRzEH8JoEmd55uaPMR0Ix5sAg0FujXj1tgF8:1uugXL6KgruORozyDR0K5sAObkvY
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x10000000
入口地址	0x1001e71e
声明校验值	0x00000000
实际校验值	0x0004e9df
最低操作系统版本要求	4.0
编译时间	2011-09-29 12:46:48
载入哈希	7d70d2f15cfe840b4874191b0f81fb49
导出DLL库名称	TheoraLib.dll

版本信息

Translation
LegalCopyright
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0002de34	0x0002e000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.79
.rdata	0x0002f000	0x0001903a	0x0001a000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.28
.data	0x00049000	0x000033d8	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.89
.rsrc	0x0004d000	0x00000410	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.74
.reloc	0x0004e000	0x00001f60	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.59

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_VERSION	0x0004d0a0	0x00000318	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.38	data
RT_MANIFEST	0x0004d3b8	0x00000056	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.66	ASCII text, with CRLF line terminators

导入

库: KERNEL32.dll:

• 0x1002f000 GetLastError

• 0x1002f004 HeapReAlloc

• 0x1002f008 HeapAlloc

• 0x1002f00c HeapFree

• 0x1002f010 GetCurrentThreadId

• 0x1002f014 GetCommandLineA

• 0x1002f018 GetVersionExA

• 0x1002f01c GetProcessHeap

• 0x1002f020 GetProcAddress

• 0x1002f024 GetModuleHandleA

• 0x1002f028 ExitProcess

• 0x1002f02c DeleteCriticalSection

• 0x1002f030 LeaveCriticalSection

• 0x1002f034 EnterCriticalSection

• 0x1002f038 HeapDestroy

• 0x1002f03c HeapCreate

• 0x1002f040 VirtualFree

• 0x1002f044 VirtualAlloc

• 0x1002f048 HeapSize

• 0x1002f04c TerminateProcess

• 0x1002f050 GetCurrentProcess

• 0x1002f054 UnhandledExceptionFilter

• 0x1002f058 SetUnhandledExceptionFilter

• 0x1002f05c IsDebuggerPresent

• 0x1002f060 RaiseException

• 0x1002f064 SetFilePointer

• 0x1002f068 MultiByteToWideChar

• 0x1002f06c SetHandleCount

• 0x1002f070 GetStdHandle

• 0x1002f074 GetFileType

• 0x1002f078 GetStartupInfoA

• 0x1002f07c CloseHandle

• 0x1002f080 WriteFile

• 0x1002f084 GetModuleFileNameA

• 0x1002f088 TlsGetValue

• 0x1002f08c TlsAlloc

• 0x1002f090 TlsSetValue

• 0x1002f094 TlsFree

• 0x1002f098 InterlockedIncrement

• 0x1002f09c SetLastError

• 0x1002f0a0 InterlockedDecrement

• 0x1002f0a4 Sleep

• 0x1002f0a8 FreeEnvironmentStringsA

• 0x1002f0ac GetEnvironmentStrings

• 0x1002f0b0 FreeEnvironmentStringsW

• 0x1002f0b4 WideCharToMultiByte

• 0x1002f0b8 GetEnvironmentStringsW

• 0x1002f0bc QueryPerformanceCounter

• 0x1002f0c0 GetTickCount

• 0x1002f0c4 GetCurrentProcessId

• 0x1002f0c8 GetSystemTimeAsFileTime

• 0x1002f0cc GetCPInfo

• 0x1002f0d0 GetACP

• 0x1002f0d4 GetOEMCP

• 0x1002f0d8 IsValidCodePage

• 0x1002f0dc LCMapStringA

• 0x1002f0e0 LCMapStringW

• 0x1002f0e4 LoadLibraryA

• 0x1002f0e8 InitializeCriticalSection

• 0x1002f0ec RtlUnwind

• 0x1002f0f0 SetStdHandle

• 0x1002f0f4 GetConsoleCP

• 0x1002f0f8 GetConsoleMode

• 0x1002f0fc FlushFileBuffers

• 0x1002f100 GetStringTypeA

• 0x1002f104 GetStringTypeW

• 0x1002f108 GetLocaleInfoA

• 0x1002f10c WriteConsoleA

• 0x1002f110 GetConsoleOutputCP

• 0x1002f114 WriteConsoleW

• 0x1002f118 CreateFileA

导出

序列	地址	名称
1	0x10003920	theoralib_m_comment
2	0x10003790	theoralib_m_create
3	0x10003890	theoralib_m_decodeframe
4	0x10003870	theoralib_m_exists
5	0x100037f0	theoralib_m_free
6	0x10003910	theoralib_m_info
7	0x10003830	theoralib_m_init
8	0x10003840	theoralib_m_load
9	0x100038e0	theoralib_m_nowframe
10	0x100038d0	theoralib_m_setdecodemode
11	0x100038b0	theoralib_m_setvrevers
12	0x100038f0	theoralib_m_totalframe
13	0x10003900	theoralib_m_totaltime
14	0x10003a80	theoralib_w_comment
15	0x10003930	theoralib_w_create
16	0x10003a20	theoralib_w_decodesample
17	0x10003a00	theoralib_w_exists
18	0x10003990	theoralib_w_free
19	0x10003a70	theoralib_w_info
20	0x100039d0	theoralib_w_init
21	0x100039e0	theoralib_w_load
22	0x10003a40	theoralib_w_nowsample
23	0x10003a50	theoralib_w_totalsample
24	0x10003a60	theoralib_w_totaltime

.text
`.rdata
@.data
.rsrc
@.reloc
x<jhj
x<jhj
D$(@q
^[jpj
t$(Wj

没有防病毒引擎扫描信息!

进程树

rundll32.exe id: 2488

搜索
rundll32.exe (2488)

rundll32.exe, PID: 2488, 上一级进程 PID: 2252

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	104.96.163.78	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	104.96.163.78	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 18.902 seconds )

11.11 Suricata
4.385 VirusTotal
2.158 NetworkAnalysis
0.58 Static
0.322 TargetInfo
0.303 peid
0.02 BehaviorAnalysis
0.011 AnalysisInfo
0.011 Strings
0.002 Memory

Signatures ( 1.413 seconds )

1.335 proprietary_url_bl
0.012 antiav_detectreg
0.009 proprietary_domain_bl
0.005 anomaly_persistence_autorun
0.005 antiav_detectfile
0.005 infostealer_ftp
0.004 geodo_banking_trojan
0.004 ransomware_extensions
0.004 ransomware_files
0.003 infostealer_bitcoin
0.003 infostealer_im
0.003 network_http
0.002 tinba_behavior
0.002 antianalysis_detectreg
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.002 infostealer_mail
0.001 rat_nanocore
0.001 api_spamming
0.001 betabot_behavior
0.001 cerber_behavior
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http

Reporting ( 0.53 seconds )

0.48 ReportHTMLSummary
0.05 Malheur


Task ID	744321
Mongo ID	662a78687e769a5b68bf30ff
Cuckoo release	1.4-Maldun