恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp01-1	2018-05-22 10:14:23	2018-05-22 10:16:41	138 秒

魔盾分数

6.9

危险的

文件详细信息

文件名	(5).exe
文件大小	10290 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	850f69ea60c71bc63c4fe79cf68bf90d
SHA1	4cf5d21234edad85e24eeaf2ed352378200bccfb
SHA256	837f31dc08a476979239cf5e50e82a3eaa96a1f64aa9a85dce34eec67c5a84c1
SHA512	cbf0c9d8a395dd81d097105fe9f7886c81ab1d9a049b7b183edf6c9767382d194f9e3a9c1ba6c8bdd39630d4e4b28f6213ac916e4d52cb5a9ef084c4ebfc0ab0
CRC32	E215CCB1
Ssdeep	192:Sj4GzzQnPzpgni/2/HVwWhd6GqFw4Ko9hRqMJh3ysURYbtE:SjnzQ2i/2/HV9vqF7Ko9hRqMJh3yZRUm
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x0040115b
声明校验值	0x00000000
实际校验值	0x00009943
最低操作系统版本要求	4.0
编译时间	2018-05-04 22:46:50
载入哈希	46da2c05a88f27563daf71b6cedae19b

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000010a6	0x00001200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.52
.rdata	0x00003000	0x0000051e	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.24
.data	0x00004000	0x00003a26	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.38

覆盖

偏移量	0x00002400
大小	0x00000432

导入

库: user32.dll:

• 0x403068 wsprintfA

• 0x40306c TranslateMessage

• 0x403070 SetTimer

• 0x403074 CreateWindowExA

• 0x403078 LoadIconA

• 0x40307c LoadCursorA

• 0x403080 GetSystemMetrics

• 0x403084 GetMessageA

• 0x403088 DispatchMessageA

• 0x40308c DefWindowProcA

• 0x403090 RegisterClassExA

库: wininet.dll:

• 0x403098 InternetReadFile

• 0x40309c InternetOpenUrlA

• 0x4030a0 InternetOpenA

• 0x4030a4 InternetCloseHandle

库: kernel32.dll:

• 0x403008 lstrcpynA

• 0x40300c lstrcpyA

• 0x403010 lstrcmpA

• 0x403014 lstrcatA

• 0x403018 WaitForSingleObject

• 0x40301c Sleep

• 0x403020 lstrlenA

• 0x403024 RtlZeroMemory

• 0x403028 LoadLibraryA

• 0x40302c GetVersionExA

• 0x403030 GetTickCount

• 0x403034 GetProcAddress

• 0x403038 GetModuleHandleA

• 0x40303c SetFileAttributesA

• 0x403040 GetSystemInfo

• 0x403044 CopyFileA

• 0x403048 CreateProcessA

• 0x40304c ExitProcess

• 0x403050 GetCommandLineA

• 0x403054 GetModuleFileNameA

库: advapi32.dll:

• 0x403000 GetUserNameA

库: shell32.dll:

• 0x40305c SHGetFolderPathW

• 0x403060 SHGetFolderPathA

库: ws2_32.dll:

• 0x4030ac WSASocketA

• 0x4030b0 WSAStartup

• 0x4030b4 connect

• 0x4030b8 gethostbyname

• 0x4030bc htons

.text
`.rdata
@.data
u9hxE@
CreateWindowExA
DefWindowProcA
DispatchMessageA
GetMessageA
GetSystemMetrics
LoadCursorA
LoadIconA
RegisterClassExA
SetTimer
TranslateMessage
wsprintfA
user32.dll
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile
wininet.dll
CopyFileA
CreateProcessA
ExitProcess
GetCommandLineA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetSystemInfo
GetTickCount
GetVersionExA
LoadLibraryA
RtlZeroMemory
SetFileAttributesA
Sleep
WaitForSingleObject
lstrcatA
lstrcmpA
lstrcpyA
lstrcpynA
lstrlenA
kernel32.dll
GetUserNameA
advapi32.dll
SHGetFolderPathA
SHGetFolderPathW
shell32.dll
WSASocketA
WSAStartup
connect
gethostbyname
htons
ws2_32.dll
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
SimpleWinClass
Our First Window
svchost.exe
Download
UserName
nome=
nenhum
kernel32.dll
GetNativeSystemInfo
Microsoft 
Windows 10
, 64-bit
, 32-bit
Windows Vista 
Windows Server 2008
Windows 7 
Windows Server 2008 R2
GetProductInfo
Ultimate Edition
Professional
Home Premium Edition
Home Basic Edition
Enterprise Edition
Business Edition
Starter Edition
Cluster Server Edition
Datacenter Edition
Datacenter Edition (core installation)
Enterprise Edition
Enterprise Edition (core installation)
Enterprise Edition for Itanium-based Systems
Small Business Server
Small Business Server Premium Edition
Standard Edition
Standard Edition (core installation)
Web Server Edition
, 64-bit
, 32-bit
Windows Server 2003 R2, 
Windows Storage Server 2003
Windows XP Professional x64 Edition
Windows Server 2003, 
Datacenter Edition for Itanium-based Systems
Enterprise Edition for Itanium-based Systems
Datacenter x64 Edition
Enterprise x64 Edition
Standard x64 Edition
Compute Cluster Edition
Datacenter Edition
Enterprise Edition
Web Edition
Standard Edition
Windows XP 
Home Edition
Professional
Windows 2000 
Professional
Datacenter Server
Advanced Server
Server
Windows NT 4.0
 (build %d)
This program does not support Windows versions less than Windows NT 4.0

没有防病毒引擎扫描信息!

进程树

_5_.exe id: 1808

搜索
_5_.exe (1808)

_5_.exe, PID: 1808, 上一级进程 PID: 1872

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	svchost.exe
相关文件	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
文件大小	10290 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	850f69ea60c71bc63c4fe79cf68bf90d
SHA1	4cf5d21234edad85e24eeaf2ed352378200bccfb
SHA256	837f31dc08a476979239cf5e50e82a3eaa96a1f64aa9a85dce34eec67c5a84c1
CRC32	E215CCB1
Ssdeep	192:Sj4GzzQnPzpgni/2/HVwWhd6GqFw4Ko9hRqMJh3ysURYbtE:SjnzQ2i/2/HV9vqF7Ko9hRqMJh3yZRUm
	下载提交魔盾安全分析

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 21.276 seconds )

11.206 VirusTotal
7.413 Suricata
0.775 BehaviorAnalysis
0.703 TargetInfo
0.338 Static
0.333 NetworkAnalysis
0.315 peid
0.185 AnalysisInfo
0.003 Dropped
0.002 Debug
0.002 Memory
0.001 Strings

Signatures ( 0.972 seconds )

0.322 antiav_detectreg
0.109 infostealer_ftp
0.073 antianalysis_detectreg
0.061 infostealer_im
0.034 infostealer_mail
0.031 stealth_timeout
0.03 antivm_generic_scsi
0.02 api_spamming
0.02 decoy_document
0.018 recon_fingerprint
0.016 kibex_behavior
0.016 antivm_parallels_keys
0.016 antivm_xen_keys
0.016 darkcomet_regkeys
0.012 geodo_banking_trojan
0.012 md_url_bl
0.011 betabot_behavior
0.011 stealth_file
0.01 antivm_generic_diskreg
0.009 antisandbox_productid
0.006 antiav_detectfile
0.006 packer_armadillo_regkey
0.006 recon_programs
0.005 antivm_generic_services
0.005 antivm_xen_keys
0.005 antivm_hyperv_keys
0.005 antivm_vbox_acpi
0.005 antivm_vbox_keys
0.005 antivm_vmware_keys
0.005 antivm_vpc_keys
0.005 bypass_firewall
0.005 ransomware_files
0.004 persistence_autorun
0.004 antivm_generic_bios
0.004 antivm_generic_cpu
0.004 antivm_generic_system
0.004 infostealer_bitcoin
0.004 md_bad_drop
0.004 md_domain_bl
0.004 ransomware_extensions
0.003 reads_self
0.003 mimics_filetime
0.003 antivm_generic_disk
0.002 bootkit
0.002 tinba_behavior
0.002 virus
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.001 antiemu_wine_func
0.001 rat_nanocore
0.001 hancitor_behavior
0.001 infostealer_browser
0.001 infostealer_browser_password
0.001 cerber_behavior
0.001 bot_drive
0.001 bot_drive2
0.001 modify_proxy
0.001 browser_security
0.001 modify_uac_prompt

Reporting ( 0.612 seconds )

0.537 ReportHTMLSummary
0.075 Malheur


Task ID	162420
Mongo ID	5b037da3bb7d574501ff42fa
Cuckoo release	1.4-Maldun