Analysis Task

Analysis type  VM tag  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-2  2024-11-30 17:07:52  2024-11-30 17:08:27  35 seconds

Maldun Score

3.4

Suspicious

File Details

File name  qq65775411.exe
File size  153088 bytes
File type  PE32+ executable (console) x86-64, for MS Windows
MD5  e223ddd950de72aa5ca25d9587a91c8d
SHA1  d27f68471fe1cd3d2068621518b25e39ef8ed682
SHA256  5eec63b19e51d6aa1b5fbd82b253e4b2018765f09001e409097129f2fb232361
SHA512  da662c84423bee7ec22bba36a81173b2622f4fd76b94b937c442a2eef2a17c9681b8c021cd46eb3d7d74b82b5c1acdda6387cc47da6884f0849a3b00702917da
CRC32  DAFE6C0C
Ssdeep  1536:raHt5ox+hY5nKdy8XFxLnKBN3ZEUsSfv:GN5c+JY83LnKBN3Z6w


Screenshots

No screenshots available.

Hosts Contacted

No host records.

DNS Resolution

No domain information.


Summary


PE Information

Image base  0x140000000
Entry point  0x1400116b3
Declared checksum  0x00000000
Actual checksum  0x0003336d
Minimum OS version  6.0
PDB path  C:\Users\Administrator\Desktop\Project1\x64\Debug\Project1.pdb
Compile time  2024-11-24 23:36:27
Import hash  f3ec2f92eb4b5ac69bed2951017f487d

PEiD Rules

Microsoft Visual C++ V8.0 (Debug)

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.textbss 0x00001000 0x00010000 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.text 0x00011000 0x0001636b 0x00016400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 4.16
.rdata 0x00028000 0x0000717c 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.98
.data 0x00030000 0x00000f70 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.22
.pdata 0x00031000 0x00002ea4 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.50
.idata 0x00034000 0x00003108 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.30
.msvcjmc 0x00038000 0x00000229 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.80
.00cfg 0x00039000 0x00000175 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.48
.rsrc 0x0003a000 0x0000043c 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.14
.reloc 0x0003b000 0x00000464 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 1.83

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_MANIFEST 0x0003a170 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 XML 1.0 document text

Imports

Library: KERNEL32.dll:
0x140034070 FreeLibrary
0x140034078 GetModuleFileNameA
0x140034080 GetLastError
0x140034088 GetTempPathA
0x140034090 VirtualQuery
0x140034098 GetProcessHeap
0x1400340a0 HeapFree
0x1400340a8 HeapAlloc
0x1400340b0 GetModuleHandleW
0x1400340b8 GetStartupInfoW
0x1400340c0 InitializeSListHead
0x1400340c8 GetSystemTimeAsFileTime
0x1400340d0 GetCurrentProcessId
0x1400340d8 QueryPerformanceCounter
0x1400340e8 TerminateProcess
0x1400340f0 GetCurrentProcess
0x140034100 UnhandledExceptionFilter
0x140034108 RtlVirtualUnwind
0x140034110 RtlLookupFunctionEntry
0x140034118 RtlCaptureContext
0x140034120 WideCharToMultiByte
0x140034128 MultiByteToWideChar
0x140034130 RaiseException
0x140034138 IsDebuggerPresent
0x140034140 GetCurrentThreadId
0x140034148 GetProcAddress
Library: ADVAPI32.dll:
0x140034000 RegOpenKeyExW
0x140034008 RegDeleteKeyW
0x140034010 RegCloseKey
Library: SHELL32.dll:
0x140034500 ShellExecuteA
Library: MSVCP140D.dll:
0x140034370 ?_Xbad_alloc@std@@YAXXZ
0x140034408 ??0_Lockit@std@@QEAA@H@Z
0x140034410 ??1_Lockit@std@@QEAA@XZ
Library: VCRUNTIME140D.dll:
0x140034570 __current_exception
0x140034578 __vcrt_GetModuleHandleW
0x140034580 __vcrt_LoadLibraryExW
0x140034590 __C_specific_handler
0x140034598 __std_exception_destroy
0x1400345a0 __std_exception_copy
0x1400345a8 memmove
0x1400345b0 memcpy
0x1400345b8 memcmp
0x1400345c8 _CxxThrowException
Library: VCRUNTIME140_1D.dll:
0x140034638 __CxxFrameHandler4
Library: ucrtbased.dll:
0x140034698 _set_app_type
0x1400346a0 __setusermatherr
0x1400346a8 _configure_narrow_argv
0x1400346c0 _initterm
0x1400346c8 _initterm_e
0x1400346d0 exit
0x1400346d8 _exit
0x1400346e0 _set_fmode
0x1400346e8 __p___argc
0x1400346f0 __p___argv
0x1400346f8 _cexit
0x140034700 _c_exit
0x140034710 _configthreadlocale
0x140034718 _set_new_mode
0x140034720 __p__commode
0x140034728 _seh_filter_dll
0x140034730 _initialize_onexit_table
0x140034740 _execute_onexit_table
0x140034748 _crt_atexit
0x140034750 _crt_at_quick_exit
0x140034758 strcpy_s
0x140034760 _seh_filter_exe
0x140034768 terminate
0x140034770 _wmakepath_s
0x140034778 _wsplitpath_s
0x140034780 wcscpy_s
0x140034788 _CrtDbgReportW
0x140034790 _callnewh
0x140034798 _malloc_dbg
0x1400347a0 _free_dbg
0x1400347a8 _unlock_file
0x1400347b0 _lock_file
0x1400347b8 ungetc
0x1400347c0 setvbuf
0x1400347c8 fwrite
0x1400347d0 _fseeki64
0x1400347d8 fsetpos
0x1400347e0 fread
0x1400347e8 fputc
0x1400347f0 fgetpos
0x1400347f8 fgetc
0x140034800 fflush
0x140034808 fclose
0x140034818 strlen
0x140034820 strcat_s
0x140034828 wcslen
0x140034830 _invalid_parameter
0x140034840 malloc
0x140034848 _CrtDbgReport

No antivirus engine scan results.


TCP

Source address  Source port  Destination address  Destination port
192.168.122.202 49157 23.212.62.85 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.202 50785 192.168.122.1 53


HTTP Requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files were dropped.
No similar analyses found.

Processing ( 15.922 seconds )

  • 13.449 Suricata
  • 0.948 NetworkAnalysis
  • 0.682 Static
  • 0.471 peid
  • 0.337 TargetInfo
  • 0.018 AnalysisInfo
  • 0.013 Strings
  • 0.002 BehaviorAnalysis
  • 0.002 Memory

Signatures ( 1.581 seconds )

  • 1.488 proprietary_url_bl
  • 0.013 antiav_detectreg
  • 0.011 proprietary_domain_bl
  • 0.006 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_im
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 antianalysis_detectreg
  • 0.003 disables_browser_warn
  • 0.003 infostealer_bitcoin
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antivm_vbox_files
  • 0.002 bot_drive2
  • 0.002 browser_security
  • 0.002 infostealer_mail
  • 0.002 proprietary_bad_drop
  • 0.001 betabot_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_anomaly_mismatch_mime_extension
  • 0.001 network_cnc_http
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.599 seconds )

  • 0.59 ReportHTMLSummary
  • 0.009 Malheur
Task ID 764172
Mongo ID 674ad6287e769a640242eb13
Cuckoo release 1.4-Maldun