Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-hpdapp03-2 2017-12-15 11:32:43 2017-12-15 11:35:07 144 seconds

Maldun score

10.0

Sharik virus

File details

File name 4.exe
File size 215040 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1c8bc73dcd85cb6bdece3c05e74a1887
SHA1 05c6dd41dec0fb4eca39a32970e341b96b53c4af
SHA256 291ed3b7c84c59637a0ee2c4b51b7c46695cbe97d0c40c5881e6ffb1c08e3f89
SHA512 c3d57a2711da38272832310a9da326149ee1ade93cad4203ca4ae4ed64406a8ebc2f93871ee0d982336b3e91dc448e90e7e33c6beaa039b4d00216a3581d9338
CRC32 294E131E
Ssdeep 3072:j/Xb8YZDjwbseaXdQbMUPbUJl/9siaYNBGrxK0itljcs:j/Xb8YZDjBXdQAUbGnaG0E0iTP

Contacted hosts

Direct IP Security rating Geolocation
139.59.208.246 Singapore
172.231.74.187 United States
202.89.233.100 China
202.89.233.101 China
23.198.128.9 United States
47.88.216.71 Canada
65.54.226.150 United States

Domain resolution

Domain Security rating Response
www.bing.com A 202.89.233.101
CNAME cn.cn-0001.cn-msedge.net
CNAME cn-0001.cn-msedge.net
A 202.89.233.100
cn.bing.com CNAME cn-bing-com.cn.a-0001.a-msedge.net
go.microsoft.com CNAME go.microsoft.com.edgekey.net
CNAME e11290.dspg.akamaiedge.net
A 172.231.74.187
msdn.microsoft.com A 65.54.226.150
CNAME msdn.microsoft.akadns.net
support.microsoft.com CNAME e3843.g.akamaiedge.net
CNAME ev.support.microsoft.com.edgekey.net
A 23.198.128.9

PE information

Image base 0x00400000
Entry point 0x00407b5e
Declared checksum 0x0003e49d
Actual checksum 0x0004449d
Minimum OS version required 5.1
PDB path C:\Simulation\HashtagO.pdb
Compile time 2015-01-20 00:44:13
Import hash 3facaeea87d5a2bb0a0aa7e756b1728d
Icon
Icon exact hash 92b41776b582644438095f04c113e59d
Icon similarity hash c4371c12668f99cf2b2726140ec97ac6

Version information

LegalCopyright
CompanyName
LegalTrademarks
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00011099 0x00011200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.54
.rdata 0x00013000 0x00004fd2 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.17
.data 0x00018000 0x00001f7c 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.75
.rsrc 0x0001a000 0x0001fe3c 0x0001d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.28

Resources

Name Offset Size Language Sublanguage Entropy File type
PNG 0x0001e7f4 0x0000039d LANG_ENGLISH SUBLANG_ENGLISH_US 7.68 PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
RCDATA 0x000243a4 0x000003b0 LANG_ENGLISH SUBLANG_ENGLISH_US 7.72 data
RT_CURSOR 0x00025f54 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 data
RT_BITMAP 0x000293c4 0x00000088 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 data
RT_ICON 0x000350a4 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.68 dBase III DBT, version number 0, next free block index 40
RT_DIALOG 0x000364fc 0x00000214 LANG_ENGLISH SUBLANG_ENGLISH_US 3.26 data
RT_GROUP_CURSOR 0x000367c4 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_ICON 0x000367d8 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 MS Windows icon resource - 4 icons, 72x72
RT_VERSION 0x00036818 0x00000360 LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 data
RT_MANIFEST 0x00036b78 0x000002c1 LANG_ENGLISH SUBLANG_ENGLISH_US 5.03 XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library: KERNEL32.dll:
0x413060 HeapSize
0x413064 IsValidCodePage
0x413068 GetOEMCP
0x41306c GetACP
0x413070 GetCPInfo
0x413074 RtlUnwind
0x41307c GetCurrentProcessId
0x413080 GetTickCount
0x413088 GetFileType
0x41308c SetHandleCount
0x413094 WideCharToMultiByte
0x413098 HeapReAlloc
0x4130a0 GetCurrentThreadId
0x4130a8 TlsFree
0x4130ac TlsSetValue
0x4130b0 TlsGetValue
0x4130b4 TlsAlloc
0x4130b8 Sleep
0x4130bc TerminateProcess
0x4130c0 IsDebuggerPresent
0x4130cc LoadLibraryW
0x4130d4 LCMapStringW
0x4130d8 GetStringTypeW
0x4130dc lstrcpyA
0x4130e0 GetModuleHandleA
0x4130e4 EnumDateFormatsA
0x4130e8 GetModuleFileNameA
0x4130ec LoadLibraryA
0x4130f0 GetProcAddress
0x4130f4 SetLastError
0x4130f8 GetLastError
0x4130fc MultiByteToWideChar
0x413104 MulDiv
0x413108 GetLocaleInfoW
0x413110 GetUserDefaultLCID
0x413114 HeapAlloc
0x41311c VirtualQuery
0x41312c EncodePointer
0x413130 HeapCreate
0x413134 GetModuleFileNameW
0x413138 GetStdHandle
0x41313c WriteFile
0x413140 HeapFree
0x413144 RaiseException
0x413148 GetStartupInfoW
0x41314c HeapSetInformation
0x413150 GetCommandLineA
0x413154 FreeLibrary
0x413158 FindResourceExW
0x41315c GetCurrentProcess
0x413160 lstrlenA
0x413164 DecodePointer
0x413168 ExitProcess
0x41316c GetModuleHandleW
Library: USER32.dll:
0x41319c GetIconInfo
0x4131a0 MoveWindow
0x4131a4 GetClassLongA
0x4131a8 GetDialogBaseUnits
0x4131ac DestroyIcon
0x4131b0 GetDlgItemTextA
0x4131b4 LoadImageA
0x4131b8 SetWindowTextA
0x4131bc GetSystemMetrics
0x4131c0 IsWindow
0x4131c4 DestroyWindow
0x4131c8 GetSystemMenu
0x4131cc HideCaret
0x4131d0 GetWindowRect
0x4131d4 FillRect
0x4131d8 DrawTextA
0x4131dc LoadStringA
0x4131e0 IsDlgButtonChecked
0x4131e4 AttachThreadInput
0x4131e8 LoadIconA
0x4131ec DrawIcon
0x4131f0 GetClientRect
0x4131f4 SendMessageA
0x4131f8 GetFocus
0x4131fc GetDC
0x413200 DrawFocusRect
0x413204 GetForegroundWindow
0x413208 DrawStateA
0x41320c SetRect
0x413210 CreateWindowExA
0x413214 EnableMenuItem
0x413218 MonitorFromWindow
0x41321c SetClassLongA
0x413220 GetDlgItem
0x413224 ShowWindow
0x413228 SetMenu
Library: GDI32.dll:
0x41301c DeleteDC
0x413020 GetDeviceCaps
0x413024 CreateFontIndirectA
0x413028 SetBrushOrgEx
0x41302c GetDIBits
0x413030 CreateDCA
0x413034 DeleteObject
0x413038 SelectObject
0x41303c CreateCompatibleDC
0x413040 SetMapMode
0x413048 Chord
0x41304c GetPixel
0x413054 TextOutA
0x413058 BitBlt
Library: ADVAPI32.dll:
0x413000 RegOpenKeyExA
0x413004 RegCloseKey
0x413008 RegQueryValueExW
Library: SHELL32.dll:
0x413184 SHGetFileInfoA
0x413188 SHBrowseForFolderA
Library: ODBC32.dll:
0x41317c None
Library: WININET.dll:
0x413240 FtpCommandW
Library: USERENV.dll:
Library: MSIMG32.dll:
0x413174 AlphaBlend
Library: COMCTL32.dll:
0x413010 None
0x413014 ImageList_Create
Library: Secur32.dll:

Antivirus engine/vendor Virus name/rule matched Signature database date
Bkav No virus found 20171214
MicroWorld-eScan Trojan.GenericKD.12674758 20171214
nProtect No virus found 20171214
CMC No virus found 20171214
CAT-QuickHeal Backdoor.Androm 20171214
ALYac No virus found 20171214
Cylance Unsafe 20171214
Zillya No virus found 20171214
TheHacker No virus found 20171210
K7GW Trojan-Downloader ( 004f875e1 ) 20171214
K7AntiVirus Trojan-Downloader ( 004f875e1 ) 20171214
TrendMicro TROJ_GEN.R00EC0WLE17 20171214
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9996 20171212
F-Prot No virus found 20171214
Symantec Trojan.Gen 20171214
TotalDefense No virus found 20171214
TrendMicro-HouseCall TROJ_GEN.R00EC0WLE17 20171214
Avast FileRepMalware 20171214
ClamAV Win.Trojan.Agent-6399167-0 20171214
Kaspersky Backdoor.Win32.Androm.osiq 20171214
BitDefender Trojan.GenericKD.12674758 20171214
NANO-Antivirus No virus found 20171214
ViRobot No virus found 20171214
AegisLab Backdoor.W32.Androm!c 20171214
Rising No virus found 20171214
Ad-Aware Trojan.GenericKD.12674758 20171214
Sophos Mal/Generic-S 20171214
Comodo No virus found 20171214
F-Secure Trojan.GenericKD.12674758 20171214
DrWeb Trojan.DownLoader26.793 20171214
VIPRE No virus found 20171214
Invincea heuristic 20170914
McAfee-GW-Edition Artemis 20171214
Emsisoft Trojan.GenericKD.12674758 (B) 20171214
Ikarus Trojan-Downloader.Win32.Zurgop 20171214
Cyren W32/Trojan.PEQT-6726 20171214
Jiangmin No virus found 20171214
Webroot W32.Trojan.Gen 20171214
Avira TR/Crypt.Xpack.mgkwj 20171214
Fortinet W32/Zurgop.CO!tr.dldr 20171214
Antiy-AVL No virus found 20171214
Kingsoft No virus found 20171214
Endgame malicious (high confidence) 20171130
Arcabit Trojan.Generic.DC166C6 20171214
SUPERAntiSpyware No virus found 20171214
ZoneAlarm Backdoor.Win32.Androm.osiq 20171214
Avast-Mobile No virus found 20171214
Microsoft TrojanDownloader:Win32/Dofoil.AC 20171214
AhnLab-V3 Win-Trojan/Sagecrypt.Gen 20171214
McAfee Artemis!1C8BC73DCD85 20171214
AVware Trojan.Win32.Generic!BT 20171214
MAX malware (ai score=100) 20171214
VBA32 No virus found 20171214
Malwarebytes Trojan.SmokeLoader 20171214
WhiteArmor No virus found 20171204
Panda Trj/CI.A 20171214
Zoner No virus found 20171214
ESET-NOD32 Win32/TrojanDownloader.Zurgop.CO 20171214
Tencent Suspicious.Heuristic.Gen.b.0 20171214
Yandex No virus found 20171214
SentinelOne static engine - malicious 20171207
eGambit No virus found 20171214
GData Trojan.GenericKD.12674758 20171214
AVG FileRepMalware 20171214
Cybereason No virus found 20171103
Paloalto generic.ml 20171214
CrowdStrike malicious_confidence_90% (W) 20171016
Qihoo-360 Trojan.Generic 20171214

Process tree


4.exe, PID: 2004, parent PID: 272
explorer.exe, PID: 1140, parent PID: 2004
explorer.exe, PID: 2248, parent PID: 1140
explorer.exe, PID: 2340, parent PID: 1140

TCP

Source address Source port Destination address Destination port
192.168.122.202 51760 139.59.208.246 53
192.168.122.202 52828 139.59.208.246 53
192.168.122.202 49166 172.231.74.187 go.microsoft.com 80
192.168.122.202 49164 202.89.233.100 www.bing.com 80
192.168.122.202 49165 202.89.233.101 www.bing.com 80
192.168.122.202 49168 23.198.128.9 support.microsoft.com 80
192.168.122.202 49169 23.198.128.9 support.microsoft.com 443
192.168.122.202 51761 47.88.216.71 80
192.168.122.202 52829 47.88.216.71 80
192.168.122.202 49167 65.54.226.150 msdn.microsoft.com 80
192.168.122.202 49170 65.54.226.150 msdn.microsoft.com 80
192.168.122.202 51762 65.54.226.150 msdn.microsoft.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.202 49866 192.168.122.1 53
192.168.122.202 51722 192.168.122.1 53
192.168.122.202 56444 192.168.122.1 53
192.168.122.202 63596 192.168.122.1 53
192.168.122.202 63623 192.168.122.1 53
192.168.122.202 64002 192.168.122.1 53

HTTP requests

URI HTTP data
http://www.bing.com/
GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.bing.com

http://cn.bing.com/
GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: cn.bing.com

http://go.microsoft.com/fwlink/?LinkId=133405
POST /fwlink/?LinkId=133405 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 42
Host: go.microsoft.com

http://msdn.microsoft.com/vstudio
GET /vstudio HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: msdn.microsoft.com

http://go.microsoft.com/fwlink/?LinkId=286133
POST /fwlink/?LinkId=286133 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 42
Host: go.microsoft.com

http://support.microsoft.com/
GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: support.microsoft.com

http://go.microsoft.com/fwlink/?LinkId=133405
POST /fwlink/?LinkId=133405 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 79
Host: go.microsoft.com

http://go.microsoft.com/fwlink/?LinkId=286133
POST /fwlink/?LinkId=286133 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 124
Host: go.microsoft.com

http://bbank.bit/
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Host: bbank.bit
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 63

http://go.microsoft.com/fwlink/?LinkId=286133
POST /fwlink/?LinkId=286133 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 138
Host: go.microsoft.com

http://go.microsoft.com/fwlink/?LinkId=133405
POST /fwlink/?LinkId=133405 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 145
Host: go.microsoft.com

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2017-12-15 11:33:23.948250+0800 192.168.122.202 49166 172.231.74.187 80 TCP 2022124 ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check A Network Trojan was detected
2017-12-15 11:33:28.753058+0800 192.168.122.202 49166 172.231.74.187 80 TCP 2022124 ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check A Network Trojan was detected
2017-12-15 11:33:34.618636+0800 192.168.122.202 49166 172.231.74.187 80 TCP 2022124 ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check A Network Trojan was detected
2017-12-15 11:33:38.456249+0800 192.168.122.202 49166 172.231.74.187 80 TCP 2022124 ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check A Network Trojan was detected
2017-12-15 11:33:44.072260+0800 192.168.122.202 49166 172.231.74.187 80 TCP 2022124 ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check A Network Trojan was detected
2017-12-15 11:33:52.184246+0800 192.168.122.202 49166 172.231.74.187 80 TCP 2022124 ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check A Network Trojan was detected

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2017-12-15 11:33:29.286032+0800 192.168.122.202 49169 23.198.128.9 443 TLSv1 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=support.microsoft.com 80:4d:37:e9:f9:23:3e:ba:d7:5b:e8:af:cc:63:a6:38:b5:1e:69:fa

Suricata HTTP

No Suricata HTTP

No network-extracted files found
File name jeetbsrj.exe
Related files
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe
File size 215040 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1c8bc73dcd85cb6bdece3c05e74a1887
SHA1 05c6dd41dec0fb4eca39a32970e341b96b53c4af
SHA256 291ed3b7c84c59637a0ee2c4b51b7c46695cbe97d0c40c5881e6ffb1c08e3f89
CRC32 294E131E
Ssdeep 3072:j/Xb8YZDjwbseaXdQbMUPbUJl/9siaYNBGrxK0itljcs:j/Xb8YZDjBXdQAUbGnaG0E0iTP
File name dviwsasf
Related files
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf
File size 13889 bytes
File type data
MD5 e260288041bb406f47075e139a557269
SHA1 03c6783befa9ada27c27c1fdc20131044b6bdd30
SHA256 9578ca3dbfc04c977bb7776f62b866a0f8b310ccfe1f781474ecc6003f5f6caa
CRC32 FB23F8B3
Ssdeep 384:LyYKagaO3yvZ59XzroDMQ5coVZfNNIzc1j3:LqZyvZXoDMQ6oz2c1z
No similar analyses found.

Processing ( 31.101 seconds )

  • 10.364 NetworkAnalysis
  • 7.907 BehaviorAnalysis
  • 7.884 Suricata
  • 1.582 Static
  • 1.447 VirusTotal
  • 0.859 peid
  • 0.859 TargetInfo
  • 0.076 AnalysisInfo
  • 0.054 Debug
  • 0.037 Dropped
  • 0.024 Strings
  • 0.004 Memory
  • 0.003 config_decoder
  • 0.001 ProcessMemory

Signatures ( 4.407 seconds )

  • 2.162 md_url_bl
  • 0.506 md_bad_drop
  • 0.303 api_spamming
  • 0.296 stealth_timeout
  • 0.202 process_interest
  • 0.198 decoy_document
  • 0.195 injection_createremotethread
  • 0.128 vawtrak_behavior
  • 0.086 process_needed
  • 0.053 antiav_detectreg
  • 0.023 antisandbox_sleep
  • 0.021 stealth_file
  • 0.021 injection_runpe
  • 0.017 infostealer_ftp
  • 0.013 antivm_generic_disk
  • 0.011 mimics_filetime
  • 0.011 antianalysis_detectreg
  • 0.011 md_domain_bl
  • 0.01 infostealer_im
  • 0.009 reads_self
  • 0.009 virus
  • 0.008 persistence_autorun
  • 0.008 antiav_detectfile
  • 0.008 infostealer_mail
  • 0.007 bootkit
  • 0.007 hancitor_behavior
  • 0.007 antivm_generic_scsi
  • 0.005 geodo_banking_trojan
  • 0.005 ransomware_files
  • 0.004 antivm_generic_services
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.003 antivm_vbox_files
  • 0.003 antivm_xen_keys
  • 0.003 network_torgateway
  • 0.002 antiemu_wine_func
  • 0.002 rat_nanocore
  • 0.002 tinba_behavior
  • 0.002 modifies_desktop_wallpaper
  • 0.002 betabot_behavior
  • 0.002 antivm_vbox_libs
  • 0.002 kibex_behavior
  • 0.002 infostealer_browser_password
  • 0.002 cerber_behavior
  • 0.002 kovter_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 darkcomet_regkeys
  • 0.002 disables_browser_warn
  • 0.002 network_http
  • 0.001 network_tor
  • 0.001 stealth_network
  • 0.001 kazybot_behavior
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 ursnif_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 modify_uac_prompt
  • 0.001 network_cnc_http
  • 0.001 recon_fingerprint

Reporting ( 3.209 seconds )

  • 2.751 Malheur
  • 0.458 ReportHTMLSummary
Task ID 122594
Mongo ID 5a334354a093ef4c8fb59197
Cuckoo release 1.4-Maldun