Analysis type | VM label | Start time | End time | Duration |
---|---|---|---|---|
File (Windows) | win7-sp1-x64-shaapp01-2 | 2018-07-09 20:21:28 | 2018-07-09 20:23:48 | 140 s |
File name | 最新的合同.bat ("Latest contract.bat") |
---|---|
File size | 480 bytes |
File type | Little-endian UTF-16 Unicode text, with no line terminators |
MD5 | 92aa86147a96d93a5584957764fff7f7 |
SHA1 | a7b31ee0db80f4da8e7cfefb607fb10a060b8048 |
SHA256 | 822e358dac14cf6db1506e5c135a95ee4a69e950de6d986f20dda7e3b00cea14 |
SHA512 | 37594220bcb3ed5497fa3491d7a10a8a46c33f762a4b40db3ccd4ee808ea72a7a7a054cc58ca9d9d955e43a70b5fd21789306c41d8ccc27323a68207f00a71b4 |
CRC32 | 1FBA0C0E |
Ssdeep | 12:Q/Eaeb1KVX11P8Jm5lWpWZhQJeH9FPWRqrk20:QCSXLPxqJenOw0 |
Direct | IP | Rating | Geolocation |
---|---|---|---|
No | 222.187.232.9 | | China |
No | 47.75.173.43 | | Canada |

Domain | Rating | Response |
---|---|---|
www.xiaobaremotecontrol.xyz | | A 47.75.173.43 |
mine.ppxxmr.com | | A 222.187.232.9 |
Source address | Source port | Destination address | Destination port |
---|---|---|---|
192.168.122.202 | 49167 | 222.187.232.9 (mine.ppxxmr.com) | 5555 |
192.168.122.202 | 49164 | 47.75.173.43 (www.xiaobaremotecontrol.xyz) | 80 |
192.168.122.202 | 49165 | 47.75.173.43 (www.xiaobaremotecontrol.xyz) | 80 |
192.168.122.202 | 49166 | 47.75.173.43 (www.xiaobaremotecontrol.xyz) | 8080 |

Source address | Source port | Destination address | Destination port |
---|---|---|---|
192.168.122.202 | 52449 | 192.168.122.1 | 53 |
192.168.122.202 | 63580 | 192.168.122.1 | 53 |
URI | HTTP data |
---|---|
http://www.xiaobaremotecontrol.xyz/sct/sct_BCX.sct | GET /sct/sct_BCX.sct HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Host: www.xiaobaremotecontrol.xyz Connection: Keep-Alive |
http://www.xiaobaremotecontrol.xyz/hta/BCX.hta | GET /hta/BCX.hta HTTP/1.1 Accept: */* Accept-Language: zh-CN UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Host: www.xiaobaremotecontrol.xyz Connection: Keep-Alive |
http://www.xiaobaremotecontrol.xyz:8080/SGTool.exe | GET /SGTool.exe HTTP/1.1 Host: www.xiaobaremotecontrol.xyz:8080 Connection: Keep-Alive |
No SMTP traffic.
No IRC requests.
No ICMP traffic.
No CIF results.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Signature | Category |
---|---|---|---|---|---|---|---|---|
2018-07-09 20:21:42.700422+0800 | 192.168.122.202 | 49165 | 47.75.173.43 | 80 | TCP | 2022520 | ET POLICY Possible HTA Application Download | Potentially Bad Traffic |
2018-07-09 20:21:43.432263+0800 | 192.168.122.202 | 49166 | 47.75.173.43 | 8080 | TCP | 2022896 | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 | A Network Trojan was detected |
2018-07-09 20:21:42.793812+0800 | 47.75.173.43 | 80 | 192.168.122.202 | 49165 | TCP | 2012041 | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding | Potentially Bad Traffic |
2018-07-09 20:21:42.793812+0800 | 47.75.173.43 | 80 | 192.168.122.202 | 49165 | TCP | 2012043 | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding | Potentially Bad Traffic |
2018-07-09 20:21:42.793812+0800 | 47.75.173.43 | 80 | 192.168.122.202 | 49165 | TCP | 2012059 | ET WEB_CLIENT Hex Obfuscation of document.write % Encoding | Potentially Bad Traffic |
2018-07-09 20:21:42.793812+0800 | 47.75.173.43 | 80 | 192.168.122.202 | 49165 | TCP | 2012263 | ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding | Potentially Bad Traffic |
2018-07-09 20:21:42.793812+0800 | 47.75.173.43 | 80 | 192.168.122.202 | 49165 | TCP | 2012266 | ET WEB_CLIENT Hex Obfuscation of unescape % Encoding | Potentially Bad Traffic |
2018-07-09 20:21:42.793812+0800 | 47.75.173.43 | 80 | 192.168.122.202 | 49165 | TCP | 2012269 | ET WEB_CLIENT Hex Obfuscation of substr % Encoding | Potentially Bad Traffic |
2018-07-09 20:21:43.663014+0800 | 47.75.173.43 | 8080 | 192.168.122.202 | 49166 | TCP | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
2018-07-09 20:21:43.663014+0800 | 47.75.173.43 | 8080 | 192.168.122.202 | 49166 | TCP | 2020500 | ET CURRENT_EVENTS DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) | A Network Trojan was detected |
No TLS traffic.
No Suricata HTTP events.
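The tables above record the sample's network activity but draw no conclusions from it. The following script is an added triage example, not part of the Maldun/Cuckoo report: it copies the report's TCP flows and HTTP requests into Python literals and runs a few heuristics over them (script-host stages such as .sct/.hta, a PE download with no Referer on a non-standard port, and an outbound connection that looks like a mining pool). The list of stratum ports and the host-label check are assumptions about typical behaviour; the report itself only shows a connection to mine.ppxxmr.com:5555, not the protocol spoken on it.

```python
"""Triage of the network indicators in the sandbox report above.

Added example, not part of the Maldun/Cuckoo report: the TCP flows and HTTP
requests are copied from the report's tables into Python literals and a few
heuristics are run over them. The mining-port list and the host-label check
are assumptions about typical behaviour, not facts the report states.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    host: str  # name shown beside the IP in the report ("" if none)


@dataclass
class HttpRequest:
    url: str
    raw: str  # request line and headers, flattened as in the report


# Constructed from the report's TCP flow table.
FLOWS = [
    Flow("192.168.122.202", 49167, "222.187.232.9", 5555, "mine.ppxxmr.com"),
    Flow("192.168.122.202", 49164, "47.75.173.43", 80, "www.xiaobaremotecontrol.xyz"),
    Flow("192.168.122.202", 49165, "47.75.173.43", 80, "www.xiaobaremotecontrol.xyz"),
    Flow("192.168.122.202", 49166, "47.75.173.43", 8080, "www.xiaobaremotecontrol.xyz"),
]

# Constructed from the report's HTTP table (User-Agent shortened for width).
REQUESTS = [
    HttpRequest("http://www.xiaobaremotecontrol.xyz/sct/sct_BCX.sct",
                "GET /sct/sct_BCX.sct HTTP/1.1 Accept: */* UA-CPU: AMD64 "
                "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64) "
                "Host: www.xiaobaremotecontrol.xyz Connection: Keep-Alive"),
    HttpRequest("http://www.xiaobaremotecontrol.xyz/hta/BCX.hta",
                "GET /hta/BCX.hta HTTP/1.1 Accept: */* Accept-Language: zh-CN UA-CPU: AMD64 "
                "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64) "
                "Host: www.xiaobaremotecontrol.xyz Connection: Keep-Alive"),
    HttpRequest("http://www.xiaobaremotecontrol.xyz:8080/SGTool.exe",
                "GET /SGTool.exe HTTP/1.1 Host: www.xiaobaremotecontrol.xyz:8080 Connection: Keep-Alive"),
]

STAGE_EXT = (".sct", ".hta")      # scriptlet / HTA stages run by regsvr32 or mshta
PAYLOAD_EXT = (".exe", ".dll")    # PE payloads
# Assumption: ports commonly used by stratum mining pools; the report only shows
# a connection to 5555, not the protocol spoken on it.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
POOL_LABELS = {"mine", "pool", "xmr"}  # assumption: leftmost DNS labels typical of pools


def classify_request(req: HttpRequest) -> Optional[str]:
    """Flag script-host stages and PE downloads, noting the anomalies a reviewer looks for."""
    parts = urlsplit(req.url)
    path = (parts.path or "/").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    hdrs = req.raw.lower()
    if path.endswith(STAGE_EXT):
        return f"script-host stage {path} from {parts.hostname}:{port}"
    if path.endswith(PAYLOAD_EXT):
        anomalies = []
        if "referer:" not in hdrs:
            anomalies.append("no Referer")
        if "user-agent:" not in hdrs:
            anomalies.append("no User-Agent")
        if port not in (80, 443):
            anomalies.append(f"non-standard port {port}")
        return f"PE download {path} from {parts.hostname}:{port} ({', '.join(anomalies) or 'no anomalies'})"
    return None


def classify_flow(flow: Flow) -> Optional[str]:
    """Flag flows that look like mining-pool connections by port or host label."""
    reasons = []
    if flow.dport in MINING_PORTS:
        reasons.append(f"port {flow.dport} is a common stratum port")
    label = flow.host.split(".")[0] if flow.host else ""
    if label in POOL_LABELS:
        reasons.append(f"host label '{label}' suggests a pool")
    if not reasons:
        return None
    return f"possible mining-pool connection {flow.dst}:{flow.dport} ({flow.host}): " + "; ".join(reasons)


def triage(flows: List[Flow], requests: List[HttpRequest]) -> List[str]:
    """Run both classifiers and add a chain verdict when every stage is present."""
    findings = [f for f in (classify_request(r) for r in requests) if f]
    findings += [f for f in (classify_flow(fl) for fl in flows) if f]
    seen_stage = any(f.startswith("script-host stage") for f in findings)
    seen_pe = any(f.startswith("PE download") for f in findings)
    seen_pool = any(f.startswith("possible mining-pool") for f in findings)
    if seen_stage and seen_pe and seen_pool:
        findings.append("chain: script stage -> PE payload -> pool connection (consistent with a coin-miner dropper)")
    return findings


if __name__ == "__main__":
    for line in triage(FLOWS, REQUESTS):
        print(line)
```

On the report's data this yields two script-host stage findings, one PE download flagged for a missing Referer and User-Agent on port 8080, one possible pool connection on 5555, and the chain verdict. The same functions can be pointed at a Zeek `conn`/`http` export or a proxy log once the rows are mapped into `Flow` and `HttpRequest` objects; the heuristics deliberately key on protocol features rather than on this sample's hostnames.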
File name | error[1] |
---|---|
Related file | C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CB4GP22D\error[1] |
File size | 3138 bytes |
File type | HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
MD5 | 9bba08a58fda3049383d1390bcfa8277 |
SHA1 | 919f125817eae113c9b4c6a0c5f18a37fb60f095 |
SHA256 | bfbe066acb5bf3459b4a221a1686d993a4b25dbb9b0b7de0ae965bb34797e109 |
CRC32 | 44A3D48D |
Ssdeep | 96:lkMd1/TxjqDppzwO8ddFAdd5Eddd1hddv+dd8QFhlls1MH5:lXwpq+y1FWDls1MH5 |
Task ID | 169738 |
---|---|
Mongo ID | 5b4353f4bb7d57487f05abb9 |
Cuckoo release | 1.4-Maldun |