恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp03-1	2018-05-05 01:58:22	2018-05-05 02:00:48	146 秒

魔盾分数

2.65

可疑的

文件详细信息

文件名	变声器.exe
文件大小	378880 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	66ac853f832b8de12eaf0af313e37cf9
SHA1	50567960e51b57c631b2051af8bd0e6e2fd8fe3e
SHA256	b01f6a69ea592850476cdbe318e00480ed919233748462a0702cf433fd6f081d
SHA512	d94b05fd8496546f0bd139185ba3662d3a535f8ec6bb2170537ea911c6fa66d32be42c6b4ff68279cd39fe301cf57f182f027f8ccc5cec7b9a237b68069416ed
CRC32	F870E4EC
Ssdeep	6144:GQYMCCqcMIzy6hBjxhqqCVlpPuRaQ7YRZh+r8yaxZ5EQN:ZYcqcMIzXoNxuYQ7OZh+YbxZD
Yara	登录查看Yara规则
	样本下载提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级
是	101.110.118.27	中国
否	104.18.25.243	美国
否	117.18.232.200	亚洲太平洋地区
否	117.18.237.29	亚洲太平洋地区
否	122.224.45.50	中国
否	23.2.16.104	美国
是	43.241.50.232	中国
否	65.55.186.115	美国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
localhost.ptlogin2.qq.com	A 127.0.0.1
www.microsoft.com	CNAME e13678.ca.s.tl88.net A 122.224.45.50 CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net
data.tvdownload.microsoft.com	A 65.55.186.115 CNAME data.tvdownload.windowsmedia.com.akadns.net
ocsp.msocsp.com	A 104.18.25.243 CNAME hostedocsp.globalsign.com CNAME ocsp.globalsign.cloud A 104.18.24.243
mscrl.microsoft.com	CNAME certrevoc.vo.msecnd.net CNAME cs9.wpc.v0cdn.net A 117.18.232.200
cdn.epg.tvdownload.microsoft.com	A 23.2.16.81 CNAME cdn.epg.tvdownload.windowsmedia.com.akadns.net A 23.2.16.104 CNAME a1683.d.akamai.net CNAME cdn.epg.tvdownload.microsoft.com.edgesuite.net
ocsp.digicert.com	CNAME cs9.wac.phicdn.net A 117.18.237.29

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x004d4200
声明校验值	0x00000000
实际校验值	0x00068f67
最低操作系统版本要求	4.0
编译时间	2018-05-01 10:18:54
载入哈希	4a25031d833e21a4a78639e2a2d1c276
图标
图标精确哈希值	1ec40ed4ddb8dfa8855f91972a166dbd
图标相似性哈希值	2707a62b93a2752121e055cb858f119a

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
UPX0	0x00001000	0x00088000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
UPX1	0x00089000	0x0004c000	0x0004b400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.93
.rsrc	0x000d5000	0x00011000	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.85

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x000bf488	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.20	data
TEXTINCLUDE	0x000bf488	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.20	data
TEXTINCLUDE	0x000bf488	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.20	data
RT_CURSOR	0x000bf978	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.82	data
RT_CURSOR	0x000bf978	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.82	data
RT_CURSOR	0x000bf978	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.82	data
RT_CURSOR	0x000bf978	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.82	data
RT_ICON	0x000d5468	0x00010828	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.79	data
RT_ICON	0x000d5468	0x00010828	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.79	data
RT_ICON	0x000d5468	0x00010828	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.79	data
RT_DIALOG	0x000d1180	0x000000b2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.75	data
RT_DIALOG	0x000d1180	0x000000b2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.75	data
RT_DIALOG	0x000d1180	0x000000b2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.75	data
RT_DIALOG	0x000d1180	0x000000b2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.75	data
RT_DIALOG	0x000d1180	0x000000b2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.75	data
RT_GROUP_CURSOR	0x000d125c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.97	data
RT_GROUP_CURSOR	0x000d125c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.97	data
RT_GROUP_CURSOR	0x000d125c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.97	data
RT_GROUP_ICON	0x000e5c94	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.16	MS Windows icon resource - 1 icon, 128x128

导入

库: KERNEL32.DLL:

• 0x4e5dac LoadLibraryA

• 0x4e5db0 GetProcAddress

• 0x4e5db4 VirtualProtect

• 0x4e5db8 VirtualAlloc

• 0x4e5dbc VirtualFree

• 0x4e5dc0 ExitProcess

库: ADVAPI32.dll:

• 0x4e5dc8 RegCloseKey

库: COMCTL32.dll:

• 0x4e5dd0 None

库: comdlg32.dll:

• 0x4e5dd8 ChooseColorA

库: GDI32.dll:

• 0x4e5de0 EndDoc

库: ole32.dll:

• 0x4e5de8 OleRun

库: OLEAUT32.dll:

• 0x4e5df0 VariantInit

库: SHELL32.dll:

• 0x4e5df8 ShellExecuteA

库: USER32.dll:

• 0x4e5e00 GetDC

库: WINMM.dll:

• 0x4e5e08 waveOutOpen

库: WINSPOOL.DRV:

• 0x4e5e10 ClosePrinter

库: WS2_32.dll:

• 0x4e5e18 inet_addr

.rsrc
9F2!^MB-
@^Q;:
@^[D.
%SHK=
I#]Ww
5l\UWSSHh
.*pc5
+*8{Jh
$XUSH
24<*!
Q=tsb

没有防病毒引擎扫描信息!

进程树

_________.exe id: 2104

搜索
_________.exe (2104)

_________.exe, PID: 2104, 上一级进程 PID: 284

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级
是	101.110.118.27	中国
否	104.18.25.243	美国
否	117.18.232.200	亚洲太平洋地区
否	117.18.237.29	亚洲太平洋地区
否	122.224.45.50	中国
否	23.2.16.104	美国
是	43.241.50.232	中国
否	65.55.186.115	美国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49168	101.110.118.27	80
192.168.122.201	49165	104.18.25.243 ocsp.msocsp.com	80
192.168.122.201	49166	117.18.232.200 mscrl.microsoft.com	80
192.168.122.201	49162	122.224.45.50 www.microsoft.com	80
192.168.122.201	49170	122.224.45.50 www.microsoft.com	80
192.168.122.201	49177	23.2.16.104 cdn.epg.tvdownload.microsoft.com	80
192.168.122.201	49160	43.241.50.232	1001
192.168.122.201	49164	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49169	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49171	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49172	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49173	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49174	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49175	65.55.186.115 data.tvdownload.microsoft.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53297	192.168.122.1	53
192.168.122.201	54844	192.168.122.1	53
192.168.122.201	54903	192.168.122.1	53
192.168.122.201	58406	192.168.122.1	53
192.168.122.201	59793	192.168.122.1	53
192.168.122.201	60316	192.168.122.1	53
192.168.122.201	60407	192.168.122.1	53
192.168.122.201	64169	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
localhost.ptlogin2.qq.com	A 127.0.0.1
www.microsoft.com	CNAME e13678.ca.s.tl88.net A 122.224.45.50 CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net
data.tvdownload.microsoft.com	A 65.55.186.115 CNAME data.tvdownload.windowsmedia.com.akadns.net
ocsp.msocsp.com	A 104.18.25.243 CNAME hostedocsp.globalsign.com CNAME ocsp.globalsign.cloud A 104.18.24.243
mscrl.microsoft.com	CNAME certrevoc.vo.msecnd.net CNAME cs9.wpc.v0cdn.net A 117.18.232.200
cdn.epg.tvdownload.microsoft.com	A 23.2.16.81 CNAME cdn.epg.tvdownload.windowsmedia.com.akadns.net A 23.2.16.104 CNAME a1683.d.akamai.net CNAME cdn.epg.tvdownload.microsoft.com.edgesuite.net
ocsp.digicert.com	CNAME cs9.wac.phicdn.net A 117.18.237.29

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49168	101.110.118.27	80
192.168.122.201	49165	104.18.25.243 ocsp.msocsp.com	80
192.168.122.201	49166	117.18.232.200 mscrl.microsoft.com	80
192.168.122.201	49162	122.224.45.50 www.microsoft.com	80
192.168.122.201	49170	122.224.45.50 www.microsoft.com	80
192.168.122.201	49177	23.2.16.104 cdn.epg.tvdownload.microsoft.com	80
192.168.122.201	49160	43.241.50.232	1001
192.168.122.201	49164	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49169	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49171	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49172	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49173	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49174	65.55.186.115 data.tvdownload.microsoft.com	443
192.168.122.201	49175	65.55.186.115 data.tvdownload.microsoft.com	443

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53297	192.168.122.1	53
192.168.122.201	54844	192.168.122.1	53
192.168.122.201	54903	192.168.122.1	53
192.168.122.201	58406	192.168.122.1	53
192.168.122.201	59793	192.168.122.1	53
192.168.122.201	60316	192.168.122.1	53
192.168.122.201	60407	192.168.122.1	53
192.168.122.201	64169	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://www.microsoft.com/	GET / HTTP/1.1 Host: www.microsoft.com Connection: Close
URL专业沙箱检测 -> http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQphfxhPb4vsBIPXkIOTJ7D1Z79fAQUCP4ln3TqhwTCvLuOqDhfM8bRbGUCEy0AAO%2FxE5PyQlBerOAAAAAA7%2FE%3D	GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQphfxhPb4vsBIPXkIOTJ7D1Z79fAQUCP4ln3TqhwTCvLuOqDhfM8bRbGUCEy0AAO%2FxE5PyQlBerOAAAAAA7%2FE%3D HTTP/1.1 Cache-Control: max-age = 10800 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 06 Dec 2017 07:11:24 GMT If-None-Match: "a602f001a25d1ece86269d16668acccb0791bbc6" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.msocsp.com
URL专业沙箱检测 -> http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQphfxhPb4vsBIPXkIOTJ7D1Z79fAQUCP4ln3TqhwTCvLuOqDhfM8bRbGUCEy0AAO%2FxE5PyQlBerOAAAAAA7%2FE%3D	GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQphfxhPb4vsBIPXkIOTJ7D1Z79fAQUCP4ln3TqhwTCvLuOqDhfM8bRbGUCEy0AAO%2FxE5PyQlBerOAAAAAA7%2FE%3D HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.msocsp.com
URL专业沙箱检测 -> http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl	GET /pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: mscrl.microsoft.com
URL专业沙箱检测 -> http://101.110.118.27/mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl	GET /mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: 101.110.118.27
URL专业沙箱检测 -> http://cdn.epg.tvdownload.microsoft.com/broadbanddata/Prod/1/805332787786/cn/ALL/131/null-cn_null_131_BBPkg.enc	HEAD /broadbanddata/Prod/1/805332787786/cn/ALL/131/null-cn_null_131_BBPkg.enc HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 Host: cdn.epg.tvdownload.microsoft.com
URL专业沙箱检测 -> http://cdn.epg.tvdownload.microsoft.com/broadbanddata/Prod/1/805332787786/cn/ALL/131/null-cn_null_131_BBPkg.enc	GET /broadbanddata/Prod/1/805332787786/cn/ALL/131/null-cn_null_131_BBPkg.enc HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Thu, 09 Jul 2015 23:37:37 GMT User-Agent: Microsoft BITS/7.5 Host: cdn.epg.tvdownload.microsoft.com

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2018-05-05 01:58:50.651302+0800	122.224.45.50	80	192.168.122.201	49162	TCP	2012692	ET POLICY Microsoft user-agent automated process response to automated request	A Network Trojan was detected
2018-05-05 01:58:56.477084+0800	122.224.45.50	80	192.168.122.201	49170	TCP	2012692	ET POLICY Microsoft user-agent automated process response to automated request	A Network Trojan was detected

TLS

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Version	Issuer	Subject	Fingerprint
2018-05-05 01:58:52.353203+0800	192.168.122.201	49164	65.55.186.115	443	TLSv1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=data.tvdownload.microsoft.com	a1:ca:16:54:fb:ba:28:d9:f4:a0:c3:b7:5b:b4:f5:2b:63:27:87:e5
2018-05-05 01:58:58.097028+0800	192.168.122.201	49172	65.55.186.115	443	TLSv1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=data.tvdownload.microsoft.com	a1:ca:16:54:fb:ba:28:d9:f4:a0:c3:b7:5b:b4:f5:2b:63:27:87:e5
2018-05-05 01:59:00.441157+0800	192.168.122.201	49174	65.55.186.115	443	TLSv1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=data.tvdownload.microsoft.com	a1:ca:16:54:fb:ba:28:d9:f4:a0:c3:b7:5b:b4:f5:2b:63:27:87:e5
2018-05-05 01:59:01.806774+0800	192.168.122.201	49175	65.55.186.115	443	TLSv1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=data.tvdownload.microsoft.com	a1:ca:16:54:fb:ba:28:d9:f4:a0:c3:b7:5b:b4:f5:2b:63:27:87:e5

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 33.27 seconds )

11.357 NetworkAnalysis
11.032 VirusTotal
8.207 Suricata
1.021 TargetInfo
0.719 Static
0.326 peid
0.279 AnalysisInfo
0.275 BehaviorAnalysis
0.04 Debug
0.011 Strings
0.003 Memory

Signatures ( 1.811 seconds )

1.542 md_url_bl
0.08 md_bad_drop
0.037 md_domain_bl
0.014 antiav_detectreg
0.011 stealth_timeout
0.01 api_spamming
0.008 decoy_document
0.006 antiemu_wine_func
0.006 persistence_autorun
0.006 antiav_detectfile
0.006 infostealer_ftp
0.005 infostealer_browser_password
0.005 kovter_behavior
0.005 geodo_banking_trojan
0.004 infostealer_browser
0.004 reads_self
0.004 mimics_filetime
0.004 infostealer_bitcoin
0.004 infostealer_im
0.004 ransomware_files
0.003 stealth_file
0.003 antianalysis_detectreg
0.003 disables_browser_warn
0.003 infostealer_mail
0.003 ransomware_extensions
0.002 bootkit
0.002 rat_nanocore
0.002 tinba_behavior
0.002 antivm_vbox_files
0.002 browser_security
0.002 network_http
0.002 network_torgateway
0.001 antivm_generic_services
0.001 betabot_behavior
0.001 antivm_vbox_libs
0.001 ipc_namedpipe
0.001 dyre_behavior
0.001 kibex_behavior
0.001 antivm_generic_scsi
0.001 antivm_generic_disk
0.001 cerber_behavior
0.001 virus
0.001 antivm_parallels_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 modify_proxy
0.001 maldun_blacklist

Reporting ( 0.896 seconds )

0.509 ReportHTMLSummary
0.387 Malheur


Task ID	156236
Mongo ID	5aec9ff6a093ef799512efac
Cuckoo release	1.4-Maldun