Analysis Task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp01-2 | 2017-12-15 11:08:01 | 2017-12-15 11:10:18 | 137 seconds

Maldun Score

5.1

Suspicious

File Details

File name unpack_recycler.exe_
File size 106496 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 395215cc0b2b268e79105531bc8cc760
SHA1 5c23b52ef289dba53a4d23ae72e2ccf32adb87d1
SHA256 c68113bd7eb18b8d3351b3960e007a83a64a365b496747bea9ea5b554251fc37
SHA512 30f231117c860a08b53b561920cc424211055a7e758f7027e796ce76d6ca4cb03d6cafc8153a689b00ed5c33d871952fa2ce315bea514f09f657760486f12237
CRC32 C567B89D
Ssdeep 1536:N1usIC3wZvCNomEMstGaIaWhaznAbLs4PE/Q7IP7aS/wWo/GqkaO67Him4ZW+g:Dush3cv2ojMO8szALs4sOkYR43g
Hosts Accessed

No host records.

Domain Resolution

No domain information.



PE Information

Image base 0x00400000
Entry point 0x00403c81
Declared checksum 0x001346fe
Actual checksum 0x0002397c
Minimum OS version required 4.0
Compile time 1972-12-25 13:33:23
Import hash 9165ea3e914e03bda3346f13edbd6ccd
Icon
Icon exact hash 3fac314695184b546842efbb6babc4d9
Icon similarity hash 83be7baeee9d10e23086447dcea1db66

PE Sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x000051ec 0x000051ec IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.70
.rdata 0x00007000 0x00000a4a 0x00000a4a IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.04
.data 0x00008000 0x00001f58 0x00001f58 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.91
.data 0x0000a000 0x0000d000 0x0000d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.58
.rsrc 0x00017000 0x000024f0 0x000024f0 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.46
.idata2 0x0001a000 0x00001000 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.38

Overlay

Offset 0x00019c00
Size 0x00000400

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON 0x00018608 0x00000ea8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.29 data
RT_ICON 0x00018608 0x00000ea8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.29 data
RT_ICON 0x00018608 0x00000ea8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.29 data
RT_ICON 0x00018608 0x00000ea8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.29 data
RT_GROUP_ICON 0x000194b0 0x0000003e LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 MS Windows icon resource - 4 icons, 16x16

Imports

Library: kernel32.dll:
0x407000 GetProcAddress
0x407004 LoadLibraryA
0x407008 CloseHandle
0x40700c WriteFile
0x407010 CreateDirectoryA
0x407014 GetTempPathA
0x407018 ReadFile
0x40701c SetFilePointer
0x407020 CreateFileA
0x407024 GetModuleFileNameA
0x407028 GetStringTypeA
0x40702c LCMapStringW
0x407030 LCMapStringA
0x407034 HeapAlloc
0x407038 HeapFree
0x40703c GetModuleHandleA
0x407040 GetStartupInfoA
0x407044 GetCommandLineA
0x407048 GetVersion
0x40704c ExitProcess
0x407050 HeapDestroy
0x407054 HeapCreate
0x407058 VirtualFree
0x40705c VirtualAlloc
0x407060 HeapReAlloc
0x407064 TerminateProcess
0x407068 GetCurrentProcess
0x407078 WideCharToMultiByte
0x407084 SetHandleCount
0x407088 GetStdHandle
0x40708c GetFileType
0x407090 RtlUnwind
0x407094 GetCPInfo
0x407098 GetACP
0x40709c GetOEMCP
0x4070a0 MultiByteToWideChar
0x4070a4 GetStringTypeW
Library: user32.dll:
0x4070ac MessageBoxA
0x4070b0 wsprintfA

No antivirus engine scan information!

Process Tree

unpack_recycler.exe_, PID: 1700, Parent PID: 856

TCP

No TCP connection records.

UDP

No UDP connection records.

HTTP Requests

No HTTP requests found.

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 12.11 seconds )

  • 8.162 Suricata
  • 1.682 VirusTotal
  • 0.852 TargetInfo
  • 0.463 Static
  • 0.357 peid
  • 0.238 Debug
  • 0.236 NetworkAnalysis
  • 0.084 BehaviorAnalysis
  • 0.022 AnalysisInfo
  • 0.009 Strings
  • 0.005 Memory

Signatures ( 0.129 seconds )

  • 0.022 antiav_detectreg
  • 0.011 md_url_bl
  • 0.009 infostealer_ftp
  • 0.006 persistence_autorun
  • 0.006 antiav_detectfile
  • 0.006 infostealer_im
  • 0.005 antianalysis_detectreg
  • 0.005 md_domain_bl
  • 0.005 ransomware_files
  • 0.004 infostealer_bitcoin
  • 0.004 md_bad_drop
  • 0.004 ransomware_extensions
  • 0.003 stealth_timeout
  • 0.003 disables_browser_warn
  • 0.003 infostealer_mail
  • 0.002 rat_nanocore
  • 0.002 tinba_behavior
  • 0.002 api_spamming
  • 0.002 betabot_behavior
  • 0.002 decoy_document
  • 0.002 cerber_behavior
  • 0.002 antivm_vbox_files
  • 0.002 geodo_banking_trojan
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 shifu_behavior
  • 0.001 ursnif_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt
  • 0.001 stealth_hide_notifications

Reporting ( 0.612 seconds )

  • 0.529 ReportHTMLSummary
  • 0.083 Malheur
Task ID 122589
Mongo ID 5a333d27bb7d5720df128f9b
Cuckoo release 1.4-Maldun