恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp03-2	2018-03-23 22:03:57	2018-03-23 22:06:18	141 秒

魔盾分数

2.0

正常的

文件详细信息

文件名	WSReset.exe
文件大小	58368 字节
文件类型	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5	a6316079ae5313d86fef30624dd66d0b
SHA1	326915a083d9edf843cda3cb085f172fc0b7251c
SHA256	7386407e86ca281aa5e9c1be21a8bcc8f34e194445ffe419ffe6df1cebbe34e3
SHA512	e5af8b6a71529ac69e82461b884f428a1f1aacd37ef40d19223a20d2a9cb5ec90c37d3383583961547c33ffaa36fb3e92920573122e4b6960cf5da6330b6ee69
CRC32	5E7DD867
Ssdeep	1536:CcjzRN3vctWda9EQt5RTxJWi1NsbEdDpqmnouy8:C6NfyCaaWzHNsQdDZout
Yara	登录查看Yara规则
	样本下载提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x0041e850
声明校验值	0x00000000
实际校验值	0x00014bd7
最低操作系统版本要求	4.0
编译时间	2017-12-31 04:32:31
载入哈希	a50e815adb2cfe3e58d388c791946db8
图标
图标精确哈希值	271e42efc6122181d4236b0c0fb7f44f
图标相似性哈希值	8689cb1cb86e6f6c41635fe8cc0d83e7

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
UPX0	0x00001000	0x00013000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
UPX1	0x00014000	0x0000c000	0x0000b400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.98
.rsrc	0x00020000	0x00003000	0x00002e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.83

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x000202b0	0x000025a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.00	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_GROUP_ICON	0x0002285c	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	1.92	MS Windows icon resource - 1 icon, 48x48
RT_MANIFEST	0x00022874	0x000002a0	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.09	XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库: COMCTL32.DLL:

• 0x422bdc InitCommonControlsEx

库: GDI32.DLL:

• 0x422be4 GetStockObject

库: KERNEL32.DLL:

• 0x422bec LoadLibraryA

• 0x422bf0 ExitProcess

• 0x422bf4 GetProcAddress

• 0x422bf8 VirtualProtect

库: MSVCRT.dll:

• 0x422c00 free

库: OLE32.DLL:

• 0x422c08 CoInitialize

库: SHELL32.DLL:

• 0x422c10 ShellExecuteExW

库: SHLWAPI.DLL:

• 0x422c18 PathRemoveArgsW

库: USER32.DLL:

• 0x422c20 SetFocus

库: WINMM.DLL:

• 0x422c28 timeBeginPeriod

.rsrc
8[<UX
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3"> <v3:security> <v3:requestedPrivileges> <!-- level can be "asInvoker", "highestAvailable", or "requireAdministrator" --> <v3:requestedExecutionLevel level="requireAdministrator" /> </v3:requestedPrivileges> </v3:security> </v3:trustInfo> </assembly> 
COMCTL32.DLL
GDI32.DLL
KERNEL32.DLL
MSVCRT.dll
OLE32.DLL
SHELL32.DLL
SHLWAPI.DLL
USER32.DLL
WINMM.DLL
InitCommonControlsEx
GetStockObject
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
CoInitialize
ShellExecuteExW
PathRemoveArgsW
SetFocus
timeBeginPeriod

没有防病毒引擎扫描信息!

进程树

WSReset.exe id: 2004
- cmd.exe id: 2032

WSReset.exe, PID: 2004, 上一级进程 PID: 272

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

cmd.exe, PID: 2032, 上一级进程 PID: 2004

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	91B5.bat
相关文件	C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat
文件大小	2661 字节
文件类型	ISO-8859 text, with CRLF line terminators
MD5	de17fcd2d425d17e344060dc63b15c7b
SHA1	4358175866dd4785b434f9bcb0b973c90b28f52f
SHA256	4d42fa3a397a98287ffe852d63a950ff64ca5d79f7c86c4655a1ce71d4ada9ca
CRC32	8851D614
Ssdeep	48:7AOpZGC12wTatIutm6sGpgtmisLL/tftYotAtYTs30223018kjABP79MOwu00K:7AOpt12wTatIutm6sGOtTsL7tftXtAt1
	下载提交魔盾安全分析

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 11.013 seconds )

7.361 Suricata
1.384 VirusTotal
0.7 TargetInfo
0.435 Static
0.32 peid
0.272 BehaviorAnalysis
0.265 AnalysisInfo
0.222 NetworkAnalysis
0.029 Debug
0.013 Dropped
0.01 Strings
0.002 Memory

Signatures ( 0.295 seconds )

0.096 md_bad_drop
0.022 md_url_bl
0.016 antiav_detectreg
0.014 stealth_timeout
0.013 api_spamming
0.012 md_domain_bl
0.01 antiav_detectfile
0.009 decoy_document
0.008 infostealer_ftp
0.008 ransomware_files
0.007 infostealer_bitcoin
0.007 ransomware_extensions
0.006 persistence_autorun
0.005 infostealer_im
0.004 antivm_vbox_files
0.003 antianalysis_detectreg
0.003 disables_browser_warn
0.003 infostealer_mail
0.002 antiemu_wine_func
0.002 rat_nanocore
0.002 tinba_behavior
0.002 reads_self
0.002 mimics_filetime
0.002 stealth_file
0.002 antivm_generic_disk
0.002 infostealer_browser_password
0.002 kovter_behavior
0.002 geodo_banking_trojan
0.002 browser_security
0.002 modify_uac_prompt
0.001 network_tor
0.001 bootkit
0.001 infostealer_browser
0.001 betabot_behavior
0.001 kibex_behavior
0.001 shifu_behavior
0.001 cerber_behavior
0.001 virus
0.001 antianalysis_detectfile
0.001 antidbg_devices
0.001 antivm_parallels_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 modify_proxy
0.001 disables_system_restore
0.001 modify_security_center_warnings
0.001 office_security
0.001 rat_pcclient
0.001 rat_spynet
0.001 recon_fingerprint
0.001 stealth_hiddenreg
0.001 stealth_hide_notifications
0.001 targeted_flame

Reporting ( 0.83 seconds )

0.498 ReportHTMLSummary
0.332 Malheur


Task ID	141237
Mongo ID	5ab509eba093ef2d68bd36db
Cuckoo release	1.4-Maldun