分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp01-1 | 2018-05-22 11:20:58 | 2018-05-22 11:23:16 | 138 秒 |
魔盾分数
1.15
正常的
文件详细信息
| 文件名 | (4).exe |
|---|---|
| 文件大小 | 197682 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 45024f9da3c07af8c4c26e0e0f62018a |
| SHA1 | 4bbcaaf949148d265ce3296b07600fd344dccb5e |
| SHA256 | f996341aa4c2922f6d0ca1283218b053ae6093700b009c4e513ebb971b342248 |
| SHA512 | 4532bd280838448389a6e9370fff9e10db1cecb0c8ab69852c448ae1d8981a726427e99999dbb16c49133e1c508c882f898432dfeb5a033b537cf68494d7db7f |
| CRC32 | D48E0721 |
| Ssdeep | 3072:Eqkkr3Owrt4DtSOnmS0yolSVtlL780kUY15e5D/x:Egn48XjSVr380AG |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x10000000 |
|---|---|
| 入口地址 | 0x10015d44 |
| 声明校验值 | 0x0003585b |
| 实际校验值 | 0x00036a14 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2016-09-17 10:10:05 |
| 载入哈希 | 44b279bbda1558424b378a71a2ed8452 |
| 导出DLL库名称 | 6d9e70.dll |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00021c1c | 0x00021e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.63 |
| .rdata | 0x00023000 | 0x000098c1 | 0x00009a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.59 |
| .data | 0x0002d000 | 0x00010120 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.82 |
| .rsrc | 0x0003e000 | 0x000001b4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.12 |
| .reloc | 0x0003f000 | 0x00001d4c | 0x00001e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.55 |
覆盖
| 偏移量 | 0x00030000 |
| 大小 | 0x00000432 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x0003e058 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.80 | ASCII text, with CRLF line terminators |
导入
库: KERNEL32.dll:
• 0x1002309c OpenProcess
• 0x100230a0 VirtualAllocEx
• 0x100230a4 WriteProcessMemory
• 0x100230a8 FreeLibrary
• 0x100230ac VirtualFree
• 0x100230b0 Thread32First
• 0x100230b4 Thread32Next
• 0x100230b8 SetLastError
• 0x100230bc VirtualAlloc
• 0x100230c0 LoadLibraryA
• 0x100230c4 OpenThread
• 0x100230c8 CreateToolhelp32Snapshot
• 0x100230cc SuspendThread
• 0x100230d0 ResumeThread
• 0x100230d4 PeekNamedPipe
• 0x100230d8 WaitNamedPipeA
• 0x100230dc SetNamedPipeHandleState
• 0x100230e0 LocalAlloc
• 0x100230e4 LocalFree
• 0x100230e8 GetComputerNameA
• 0x100230ec Process32First
• 0x100230f0 TerminateProcess
• 0x100230f4 Process32Next
• 0x100230f8 ProcessIdToSessionId
• 0x100230fc GetFileAttributesA
• 0x10023100 GetLogicalDrives
• 0x10023104 SystemTimeToTzSpecificLocalTime
• 0x10023108 GetFullPathNameA
• 0x1002310c CreateThread
• 0x10023110 GetVersionExA
• 0x10023114 GetModuleHandleA
• 0x10023118 CreateNamedPipeA
• 0x1002311c GetProcAddress
• 0x10023120 ReadFile
• 0x10023124 GetCurrentThread
• 0x10023128 ConnectNamedPipe
• 0x1002312c GetCurrentProcess
• 0x10023130 CloseHandle
• 0x10023134 GetFileTime
• 0x10023138 GetCurrentDirectoryA
• 0x1002313c CreatePipe
• 0x10023140 GetCurrentDirectoryW
• 0x10023144 GetLastError
• 0x10023148 GetWindowsDirectoryA
• 0x1002314c SetCurrentDirectoryA
• 0x10023150 FlushFileBuffers
• 0x10023154 DisconnectNamedPipe
• 0x10023158 GetEnvironmentVariableA
• 0x1002315c CreateProcessA
• 0x10023160 WriteFile
• 0x10023164 SetFileTime
• 0x10023168 WaitForSingleObject
• 0x1002316c CreateFileA
• 0x10023170 GetCurrentProcessId
• 0x10023174 GetLocalTime
• 0x10023178 Sleep
• 0x1002317c SetEndOfFile
• 0x10023180 VirtualQuery
• 0x10023184 GetModuleFileNameW
• 0x10023188 GetProcessHeap
• 0x1002318c SetStdHandle
• 0x10023190 WriteConsoleW
• 0x10023194 GetConsoleOutputCP
• 0x10023198 WriteConsoleA
• 0x1002319c GetTickCount
• 0x100231a0 GetStringTypeW
• 0x100231a4 GetStringTypeA
• 0x100231a8 LCMapStringW
• 0x100231ac LCMapStringA
• 0x100231b0 GetLocaleInfoA
• 0x100231b4 HeapSize
• 0x100231b8 DebugBreak
• 0x100231bc RaiseException
• 0x100231c0 QueryPerformanceCounter
• 0x100231c4 GetEnvironmentStringsW
• 0x100231c8 FreeEnvironmentStringsW
• 0x100231cc GetEnvironmentStrings
• 0x100231d0 FreeEnvironmentStringsA
• 0x100231d4 CreateRemoteThread
• 0x100231d8 FindNextFileA
• 0x100231dc FindClose
• 0x100231e0 FindFirstFileA
• 0x100231e4 GetStartupInfoA
• 0x100231e8 FileTimeToSystemTime
• 0x100231ec SetFilePointer
• 0x100231f0 GetFileType
• 0x100231f4 SetHandleCount
• 0x100231f8 GetConsoleMode
• 0x100231fc HeapFree
• 0x10023200 HeapAlloc
• 0x10023204 GetModuleHandleW
• 0x10023208 ExitProcess
• 0x1002320c MultiByteToWideChar
• 0x10023210 DeleteFileA
• 0x10023214 CreateDirectoryA
• 0x10023218 RemoveDirectoryA
• 0x1002321c GetCurrentThreadId
• 0x10023220 GetCommandLineA
• 0x10023224 GetSystemTimeAsFileTime
• 0x10023228 UnhandledExceptionFilter
• 0x1002322c SetUnhandledExceptionFilter
• 0x10023230 IsDebuggerPresent
• 0x10023234 HeapCreate
• 0x10023238 HeapDestroy
• 0x1002323c DeleteCriticalSection
• 0x10023240 LeaveCriticalSection
• 0x10023244 EnterCriticalSection
• 0x10023248 HeapReAlloc
• 0x1002324c GetStdHandle
• 0x10023250 GetModuleFileNameA
• 0x10023254 TlsGetValue
• 0x10023258 TlsAlloc
• 0x1002325c TlsSetValue
• 0x10023260 TlsFree
• 0x10023264 InterlockedIncrement
• 0x10023268 InterlockedDecrement
• 0x1002326c InitializeCriticalSectionAndSpinCount
• 0x10023270 GetCPInfo
• 0x10023274 GetACP
• 0x10023278 GetOEMCP
• 0x1002327c IsValidCodePage
• 0x10023280 RtlUnwind
• 0x10023284 WideCharToMultiByte
• 0x10023288 GetConsoleCP
库: ADVAPI32.dll:
• 0x10023000 CryptGenRandom
• 0x10023004 CryptReleaseContext
• 0x10023008 CryptAcquireContextA
• 0x1002300c LogonUserA
• 0x10023010 CheckTokenMembership
• 0x10023014 FreeSid
• 0x10023018 RevertToSelf
• 0x1002301c AllocateAndInitializeSid
• 0x10023020 DuplicateTokenEx
• 0x10023024 LookupAccountSidA
• 0x10023028 GetTokenInformation
• 0x1002302c SetSecurityDescriptorDacl
• 0x10023030 InitializeSecurityDescriptor
• 0x10023034 GetUserNameA
• 0x10023038 AdjustTokenPrivileges
• 0x1002303c ControlService
• 0x10023040 QueryServiceStatusEx
• 0x10023044 ImpersonateNamedPipeClient
• 0x10023048 ImpersonateLoggedOnUser
• 0x1002304c LookupPrivilegeValueA
• 0x10023050 OpenThreadToken
• 0x10023054 OpenProcessToken
• 0x10023058 OpenServiceA
• 0x1002305c OpenSCManagerA
• 0x10023060 QueryServiceStatus
• 0x10023064 CreateProcessWithTokenW
• 0x10023068 StartServiceA
• 0x1002306c CreateServiceA
• 0x10023070 DeleteService
• 0x10023074 CreateProcessWithLogonW
• 0x10023078 CloseServiceHandle
• 0x1002307c CreateProcessAsUserA
库: WININET.dll:
• 0x100232a0 InternetConnectA
• 0x100232a4 InternetQueryDataAvailable
• 0x100232a8 InternetReadFile
• 0x100232ac InternetSetOptionA
• 0x100232b0 HttpOpenRequestA
• 0x100232b4 HttpSendRequestA
• 0x100232b8 InternetOpenA
• 0x100232bc InternetCloseHandle
• 0x100232c0 InternetQueryOptionA
• 0x100232c4 HttpQueryInfoA
库: WS2_32.dll:
• 0x100232cc ntohs
• 0x100232d0 connect
• 0x100232d4 htons
• 0x100232d8 socket
• 0x100232dc accept
• 0x100232e0 send
• 0x100232e4 gethostname
• 0x100232e8 inet_ntoa
• 0x100232ec WSAStartup
• 0x100232f0 gethostbyname
• 0x100232f4 ntohl
• 0x100232f8 htonl
• 0x100232fc listen
• 0x10023300 __WSAFDIsSet
• 0x10023304 bind
• 0x10023308 recv
• 0x1002330c shutdown
• 0x10023310 WSAGetLastError
• 0x10023314 select
• 0x10023318 ioctlsocket
• 0x1002331c inet_addr
• 0x10023320 closesocket
• 0x10023324 WSACleanup
库: Secur32.dll:
• 0x10023290 LsaCallAuthenticationPackage
• 0x10023294 LsaConnectUntrusted
• 0x10023298 LsaLookupAuthenticationPackage
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x10007f59 | _ReflectiveLoader@4 |
.text
`.rdata
@.data
.rsrc
@.reloc
|SVWh
$SVWh
t|SWh
PRSVWj
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 11.208 seconds )
- 7.602 Suricata
- 1.33 VirusTotal
- 0.92 TargetInfo
- 0.574 Static
- 0.316 peid
- 0.228 NetworkAnalysis
- 0.18 AnalysisInfo
- 0.041 BehaviorAnalysis
- 0.011 Strings
- 0.003 Debug
- 0.003 Memory
Signatures ( 0.119 seconds )
- 0.016 antiav_detectreg
- 0.012 md_url_bl
- 0.008 persistence_autorun
- 0.008 antiav_detectfile
- 0.006 infostealer_ftp
- 0.005 md_domain_bl
- 0.005 ransomware_files
- 0.004 infostealer_bitcoin
- 0.004 infostealer_im
- 0.004 md_bad_drop
- 0.004 ransomware_extensions
- 0.003 tinba_behavior
- 0.003 antianalysis_detectreg
- 0.003 antivm_vbox_files
- 0.003 disables_browser_warn
- 0.003 infostealer_mail
- 0.002 rat_nanocore
- 0.002 betabot_behavior
- 0.002 cerber_behavior
- 0.002 geodo_banking_trojan
- 0.002 browser_security
- 0.001 network_tor
- 0.001 api_spamming
- 0.001 injection_createremotethread
- 0.001 kibex_behavior
- 0.001 shifu_behavior
- 0.001 antivm_generic_disk
- 0.001 ursnif_behavior
- 0.001 decoy_document
- 0.001 stealth_timeout
- 0.001 antianalysis_detectfile
- 0.001 antidbg_devices
- 0.001 antivm_parallels_keys
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 modify_proxy
- 0.001 modify_uac_prompt
Reporting ( 0.755 seconds )
- 0.54 ReportHTMLSummary
- 0.215 Malheur
| Task ID | 162435 |
|---|---|
| Mongo ID | 5b038d31bb7d574500ff41e3 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号