Analysis task

Analysis type     VM label                   Start time            End time              Duration
File (Windows)    win7-sp1-x64-hpdapp01-1    2018-07-20 21:53:03   2018-07-20 21:55:43   160 s

Maldun score

3.3

Suspicious

File details

File name   wpltbbrp_001.exe
File size   391874 bytes
File type   PE32 executable (GUI) Intel 80386, for MS Windows
MD5         44c6661ff5829967791b25ecf3225bff
SHA1        ef6356ffb1231e390aefce8baa1807e3390b9e53
SHA256      cca7a5ed812ff5bce6da0c35b0ff7df7e5bd203517a0d23a1c057fcbab141a6a
SHA512      153ff04436209f71e9a641f57114fc12f6198f7927be1b9a1003a399a647e37ee17757cb347bd3a6c9f8f9cf3e03df5dfd133248465ac73ea844fec19b1c22ed
CRC32       D2CF83CE
Ssdeep      6144:0rojxP226Xk+DRLgFFFrFFFFNQPpT0+Bz1LS7NgxX6FLv7MGCuyxnI7hDelJ/6CK:njxP226X7DINQhrbK5YpuQI7YlJCH/2u

Hosts contacted

Direct IP        Location
104.24.123.66    United States
216.250.99.5     United States

DNS resolution

Domain                 Response
update.wpltbbrp.com    A 104.24.122.66
                       A 104.24.123.66
tj.wpltbbrp.com        A 216.250.99.5

104.24.122.66 and 104.24.123.66 are in Cloudflare's address space, and the __cfduid cookie set during the HTTP exchange recorded below is Cloudflare's, so these two addresses are CDN edge nodes and say nothing about where update.wpltbbrp.com is really hosted. Block and pivot on the domain names, not on these IPs.


PE information

Image base            0x00400000
Entry point           0x00409c14
Declared checksum     0x00000000
Actual checksum       0x00063714
Minimum OS version    1.0
Compile time          1992-06-20 06:22:17
Import hash (imphash) 884310b1928934402ea6fec1dbd3cf5e

The compile time is not a build date: it is the constant TimeDateStamp 0x2A425E19 (1992-06-19 22:22:17 UTC, rendered here in UTC+8) that Borland Delphi linkers write into every image, which fits the Inno Setup strings further down. The same toolchain leaves OptionalHeader.CheckSum at zero, so the gap between declared and actual checksum is expected for this binary and is not by itself a sign of tampering; Windows only enforces the checksum for drivers and other kernel-loaded images.

Version information

LegalCopyright
FileVersion
CompanyName       18284
Comments          This installation was built with Inno Setup.
ProductName       18284
ProductVersion    1.0.0.3
FileDescription   18284 Setup
Translation

The values were blank in this table as rendered; those shown are taken from the VS_VERSION_INFO block in the strings dump below, which lists each key followed by its value (FileVersion and LegalCopyright are empty there too). "This installation was built with Inno Setup." is the comment Inno Setup writes by default, and 18284 is the product name the installer author configured.

PE sections

Name     Virtual addr  Virtual size  Raw size    Characteristics                                                              Entropy
CODE     0x00001000    0x00009338    0x00009400  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.56
DATA     0x0000b000    0x0000024c    0x00000400  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        2.75
BSS      0x0000c000    0x00000e50    0x00000000  IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE                                       0.00
.idata   0x0000d000    0x00000950    0x00000a00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        4.43
.tls     0x0000e000    0x00000008    0x00000000  IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE                                       0.00
.rdata   0x0000f000    0x00000018    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ       0.20
.reloc   0x00010000    0x000008b0    0x00000000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ       0.00
.rsrc    0x00011000    0x00011fe0    0x00012000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ       6.37

CODE/DATA/BSS is Borland's section naming. No section is both writable and executable and none has packer-level entropy; the code and resource sections sit in the ordinary 6.3 to 6.6 range. .reloc is declared with 0x8b0 bytes of virtual size but no raw data, so the file carries no relocations.

Overlay

Offset  0x00022fe0
Size    0x0003cae2

0x22fe0 + 0x3cae2 = 0x5fac2 = 391874, exactly the file size, so the overlay runs to end of file. For an Inno Setup installer that is expected: the PE image is only the SetupLdr stub, and the compressed setup program and setup data are appended after it. The 804352-byte wpltbbrp_001.tmp extracted at run time (see the dropped files) is unpacked from this region.
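
The following is an added example, not part of the original report or of Maldun's code, that makes the checks discussed above repeatable: it decodes the Borland timestamp and shows how the report's UTC+8 rendering arises, verifies the overlay arithmetic, recomputes a PE checksum the way CheckSumMappedFile does, and runs sanity checks over the section table exactly as listed on this page. The only inputs are the numbers on this page; the 16-byte buffer used to exercise pe_checksum is constructed for the demonstration.

```python
"""Static-header sanity checks for the PE values in this report (added example)."""
from datetime import datetime, timedelta, timezone

# Fixed TimeDateStamp that Borland/Delphi linkers write into every image.
BORLAND_TIMESTAMP = 0x2A425E19


def timestamp_utc(ts: int) -> datetime:
    """Decode a PE TimeDateStamp (seconds since the Unix epoch) as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def is_borland_default_timestamp(ts: int) -> bool:
    return ts == BORLAND_TIMESTAMP


def rendered_in_timezone(ts: int, shown: str, utc_offset_hours: int) -> bool:
    """True if `shown` ("YYYY-MM-DD HH:MM:SS") is `ts` displayed at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return timestamp_utc(ts).astimezone(tz).strftime("%Y-%m-%d %H:%M:%S") == shown


def overlay_reaches_eof(overlay_offset: int, overlay_size: int, file_size: int) -> bool:
    """An appended payload should end exactly at EOF; a gap or overrun means the
    overlay bounds (or the file) were altered after the installer was built."""
    return overlay_offset + overlay_size == file_size


def pe_checksum(image: bytes, checksum_field_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum as Windows does: sum the image as
    little-endian 32-bit words with end-around carry, skipping the CheckSum
    field itself, fold to 16 bits, then add the file length."""
    padded = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field_offset:
            continue
        total += int.from_bytes(padded[off:off + 4], "little")
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


# Section table exactly as listed in the report: name, VA, vsize, raw size, flags, entropy.
SECTION_TABLE = """\
CODE 0x00001000 0x00009338 0x00009400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
DATA 0x0000b000 0x0000024c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.75
BSS 0x0000c000 0x00000e50 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0000d000 0x00000950 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.43
.tls 0x0000e000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0000f000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x00010000 0x000008b0 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.00
.rsrc 0x00011000 0x00011fe0 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.37
"""

BORLAND_SECTION_NAMES = {"CODE", "DATA", "BSS"}


def parse_sections(table: str) -> list:
    rows = []
    for line in table.splitlines():
        name, va, vsize, raw, flags, entropy = line.split()
        rows.append({"name": name, "va": int(va, 16), "vsize": int(vsize, 16),
                     "raw": int(raw, 16), "flags": set(flags.split("|")),
                     "entropy": float(entropy)})
    return rows


def section_findings(rows: list) -> list:
    """(section, note) pairs an analyst should look at."""
    out = []
    for s in rows:
        if s["name"] in BORLAND_SECTION_NAMES:
            out.append((s["name"], "Borland-style section name: Delphi/C++Builder toolchain"))
        if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= s["flags"]:
            out.append((s["name"], "writable and executable"))
        if s["raw"] == 0 and s["vsize"] > 0 and "IMAGE_SCN_CNT_INITIALIZED_DATA" in s["flags"]:
            out.append((s["name"], "declared as initialized data but has no file-backed bytes"))
        if s["entropy"] >= 7.0:
            out.append((s["name"], "high entropy: packed or encrypted content"))
    return out


if __name__ == "__main__":
    print(timestamp_utc(BORLAND_TIMESTAMP), rendered_in_timezone(BORLAND_TIMESTAMP, "1992-06-20 06:22:17", 8))
    print(overlay_reaches_eof(0x22FE0, 0x3CAE2, 391874))
    for name, note in section_findings(parse_sections(SECTION_TABLE)):
        print(f"{name:8s} {note}")
```

The checksum routine cannot be checked against this sample without the file itself; the report's actual value 0x63714 is what it would return on the full image with the CheckSum field at its usual offset (e_lfanew + 88 for a PE32 image).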

Imports

Library: kernel32.dll:
0x40d0c4 VirtualFree
0x40d0c8 VirtualAlloc
0x40d0cc LocalFree
0x40d0d0 LocalAlloc
0x40d0d4 WideCharToMultiByte
0x40d0d8 TlsSetValue
0x40d0dc TlsGetValue
0x40d0e0 MultiByteToWideChar
0x40d0e4 GetModuleHandleA
0x40d0e8 GetLastError
0x40d0ec GetCommandLineA
0x40d0f0 WriteFile
0x40d0f4 SetFilePointer
0x40d0f8 SetEndOfFile
0x40d0fc RtlUnwind
0x40d100 ReadFile
0x40d104 RaiseException
0x40d108 GetStdHandle
0x40d10c GetFileSize
0x40d110 GetSystemTime
0x40d114 GetFileType
0x40d118 ExitProcess
0x40d11c CreateFileA
0x40d120 CloseHandle
Library: user32.dll:
0x40d128 MessageBoxA
Library: oleaut32.dll:
0x40d130 VariantChangeTypeEx
0x40d134 VariantCopyInd
0x40d138 VariantClear
0x40d13c SysStringLen
0x40d140 SysAllocStringLen
Library: advapi32.dll:
0x40d148 RegQueryValueExA
0x40d14c RegOpenKeyExA
0x40d150 RegCloseKey
0x40d154 OpenProcessToken
0x40d158 LookupPrivilegeValueA
Library: kernel32.dll:
0x40d160 WriteFile
0x40d164 VirtualQuery
0x40d168 VirtualProtect
0x40d16c VirtualFree
0x40d170 VirtualAlloc
0x40d174 Sleep
0x40d178 SizeofResource
0x40d17c SetLastError
0x40d180 SetFilePointer
0x40d184 SetErrorMode
0x40d188 SetEndOfFile
0x40d18c RemoveDirectoryA
0x40d190 ReadFile
0x40d194 LockResource
0x40d198 LoadResource
0x40d19c LoadLibraryA
0x40d1a0 IsDBCSLeadByte
0x40d1a4 GetWindowsDirectoryA
0x40d1a8 GetVersionExA
0x40d1ac GetUserDefaultLangID
0x40d1b0 GetSystemInfo
0x40d1b4 GetSystemDefaultLCID
0x40d1b8 GetProcAddress
0x40d1bc GetModuleHandleA
0x40d1c0 GetModuleFileNameA
0x40d1c4 GetLocaleInfoA
0x40d1c8 GetLastError
0x40d1cc GetFullPathNameA
0x40d1d0 GetFileSize
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1dc GetEnvironmentVariableA
0x40d1e0 GetCurrentProcess
0x40d1e4 GetCommandLineA
0x40d1e8 GetACP
0x40d1ec InterlockedExchange
0x40d1f0 FormatMessageA
0x40d1f4 FindResourceA
0x40d1f8 DeleteFileA
0x40d1fc CreateProcessA
0x40d200 CreateFileA
0x40d204 CreateDirectoryA
0x40d208 CloseHandle
Library: user32.dll:
0x40d210 TranslateMessage
0x40d214 SetWindowLongA
0x40d218 PeekMessageA
0x40d21c MsgWaitForMultipleObjects
0x40d220 MessageBoxA
0x40d224 LoadStringA
0x40d228 ExitWindowsEx
0x40d22c DispatchMessageA
0x40d230 DestroyWindow
0x40d234 CreateWindowExA
0x40d238 CallWindowProcA
0x40d23c CharPrevA
Library: comctl32.dll:
0x40d244 InitCommonControls
Library: advapi32.dll:
0x40d24c AdjustTokenPrivileges

Seven entries were missing from the import table as rendered, recognisable by the gaps in the thunk addresses (0x40d158, 0x40d1a4, 0x40d1ac, 0x40d1b4, 0x40d1dc, 0x40d21c, 0x40d24c). Their names, taken in order from the import-name strings in the dump that follows, are LookupPrivilegeValueA, GetWindowsDirectoryA, GetUserDefaultLangID, GetSystemDefaultLCID, GetEnvironmentVariableA, MsgWaitForMultipleObjects and AdjustTokenPrivileges. Two descriptors each for kernel32, user32 and advapi32 are typical of Delphi binaries (one per unit that imports the DLL). OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges together with ExitWindowsEx and the SeShutdownPrivilege string are Inno Setup's standard "restart the computer after installation" path, not privilege escalation; VirtualProtect, LoadLibraryA and GetProcAddress likewise belong to the Delphi runtime and the loader stub.

Strings
`DATA
.idata
.rdata
P.reloc
P.rsrc
string
UhV%@
PhM,@
Ph|-@
Ph`.@
UWVSj
Uh`9@
F$S:@
F #:@
F$#:@
F &:@
|HtE=
,EXB@
,EXB@
Uh^C@
kernel32.dll
SetDllDirectoryW
SetSearchPathMode
SetProcessDEPPolicy
Exception
EInOutError
ERangeError
EZeroDivide
EInvalidPointer
UhzS@
m/d/yy
mmmm d, yyyy
AMPM
:mm:ss
UhWY@
UhK\@
Uh@k@
USERPROFILE
GetUserDefaultUILanguage
kernel32.dll
.DEFAULT\Control Panel\International
Locale
Control Panel\Desktop\ResourceLocale
[ExceptObject=nil]
Uh5t@
File I/O error %d
Sh0|@
Compressed block is corrupted
Compressed block is corrupted
Compressed block is corrupted
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
UhI~@
LzmaDecode failed (%d)
TSetupLanguageEntryA
The setup files are corrupted. Please obtain a new copy of the program.
Wow64DisableWow64FsRedirection
kernel32.dll
Wow64RevertWow64FsRedirection
shell32.dll
SeShutdownPrivilege
/SPAWNWND=
/Lang=
The setup files are corrupted. Please obtain a new copy of the program.
h,}@
h,}@
InnoSetupLdrWindow
STATIC
/SL5="$%x,%d,%d,
Runtime error at 00000000
Error
Inno Setup Setup Data (5.4.2)
Inno Setup Messages (5.1.11)
0123456789ABCDEFGHIJKLMNOPQRSTUV
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
WideCharToMultiByte
TlsSetValue
TlsGetValue
MultiByteToWideChar
GetModuleHandleA
GetLastError
GetCommandLineA
WriteFile
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
ExitProcess
CreateFileA
CloseHandle
user32.dll
MessageBoxA
oleaut32.dll
VariantChangeTypeEx
VariantCopyInd
VariantClear
SysStringLen
SysAllocStringLen
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
OpenProcessToken
LookupPrivilegeValueA
kernel32.dll
WriteFile
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
Sleep
SizeofResource
SetLastError
SetFilePointer
SetErrorMode
SetEndOfFile
RemoveDirectoryA
ReadFile
LockResource
LoadResource
LoadLibraryA
IsDBCSLeadByte
GetWindowsDirectoryA
GetVersionExA
GetUserDefaultLangID
GetSystemInfo
GetSystemDefaultLCID
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetFullPathNameA
GetFileSize
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetCurrentProcess
GetCommandLineA
GetACP
InterlockedExchange
FormatMessageA
FindResourceA
DeleteFileA
CreateProcessA
CreateFileA
CreateDirectoryA
CloseHandle
user32.dll
TranslateMessage
SetWindowLongA
PeekMessageA
MsgWaitForMultipleObjects
MessageBoxA
LoadStringA
ExitWindowsEx
DispatchMessageA
DestroyWindow
CreateWindowExA
CallWindowProcA
CharPrevA
comctl32.dll
InitCommonControls
advapi32.dll
AdjustTokenPrivileges
PADDINGXXPADDINGPADDINGXXPADDINGInno Setup Setup Data (5.4.2)
MAINICON
External exception %x
December
Saturday
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
This installation was built with Inno Setup.
CompanyName
18284
FileDescription
18284 Setup
FileVersion
LegalCopyright
ProductName
18284
ProductVersion
1.0.0.3
VarFileInfo
Translation
No antivirus engine scan information available.

Process tree

wpltbbrp_001.exe, PID 2064, parent PID 1520
    wpltbbrp_001.tmp, PID 2116, parent PID 2064

This is the normal Inno Setup launch sequence: the SetupLdr stub (wpltbbrp_001.exe) unpacks the real setup program to %TEMP%\is-XXXXX.tmp\wpltbbrp_001.tmp and runs it as a child. PID 2116 is the value that later appears in the tongji.php beacon.

TCP

Source            Src port  Destination                            Dst port
192.168.122.201   49161     104.24.123.66 (update.wpltbbrp.com)    80
192.168.122.201   49162     104.24.123.66 (update.wpltbbrp.com)    80
192.168.122.201   49163     216.250.99.5 (tj.wpltbbrp.com)         80

UDP

Source            Src port  Destination      Dst port
192.168.122.201   57651     192.168.122.1    53
192.168.122.201   65281     192.168.122.1    53

All three TCP flows are plain HTTP on port 80 (the TLS section below is empty), so everything the installer sends is readable on the wire. The two UDP flows are the DNS lookups for the two domains, answered by the VM's gateway.

HTTP requests

URI / HTTP data

http://update.wpltbbrp.com/m/wpltbbrp_001tj.php
GET /m/wpltbbrp_001tj.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: update.wpltbbrp.com
Connection: Keep-Alive

http://update.wpltbbrp.com/m/wpltbbrp_001tj.php
GET /m/wpltbbrp_001tj.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: update.wpltbbrp.com
Connection: Keep-Alive
Cookie: __cfduid=d6a3ead12bbb1ddfe57d584a97d433bf51532094823

http://tj.wpltbbrp.com/tongji.php?uid=wpltbbrp_001&mac=52:54:00:8A:47:09&pid=2116&mid=best
GET /tongji.php?uid=wpltbbrp_001&mac=52:54:00:8A:47:09&pid=2116&mid=best HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tj.wpltbbrp.com
Connection: Keep-Alive
Cookie: __cfduid=d6a3ead12bbb1ddfe57d584a97d433bf51532094823

Reading the exchange: the first two requests differ only by the __cfduid cookie, so the second was sent after Cloudflare's response to the first had set it; the cookie is scoped to wpltbbrp.com (see the cookie file under the dropped files), which is why it also travels to tj.wpltbbrp.com. The tongji.php call ("tongji" means statistics) is an install beacon rather than an update check: uid is the installer's own file name, mac is the host's MAC address (52:54:00 is the QEMU/KVM OUI, i.e. the sandbox VM's NIC, and 192.168.122.0/24 is libvirt's default network), pid is the PID of the unpacked setup program (2116 in the process tree), and the meaning of mid=best cannot be determined from this trace. The User-Agent is the analysis VM's stock WinINet string, not a custom one. Because all of this travels over plain HTTP, a MAC-keyed install counter for this installer is visible to any on-path observer.
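
The following is an added example, not code from the report or from the installer's author, that parses the three requests above together with the process tree into the items a responder needs: which URLs to block, which query parameters leak identifiers, and which process the pid value names. The request texts and process tree are copied from this page; the OUI table, the sample_stem argument and the layout of the findings are assumptions of the example.

```python
"""Triage of the recorded HTTP requests and process tree (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
      ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
      ".NET4.0C; .NET4.0E)")
CFDUID = "__cfduid=d6a3ead12bbb1ddfe57d584a97d433bf51532094823"

# Request headers as recorded in the report (no bodies were captured).
REQUESTS = [
    f"GET /m/wpltbbrp_001tj.php HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    f"User-Agent: {UA}\r\nHost: update.wpltbbrp.com\r\nConnection: Keep-Alive\r\n",
    f"GET /m/wpltbbrp_001tj.php HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    f"User-Agent: {UA}\r\nHost: update.wpltbbrp.com\r\nConnection: Keep-Alive\r\n"
    f"Cookie: {CFDUID}\r\n",
    f"GET /tongji.php?uid=wpltbbrp_001&mac=52:54:00:8A:47:09&pid=2116&mid=best HTTP/1.1\r\n"
    f"Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: {UA}\r\n"
    f"Host: tj.wpltbbrp.com\r\nConnection: Keep-Alive\r\nCookie: {CFDUID}\r\n",
]

# Process tree as shown in the report.
PROCESS_TREE = """\
wpltbbrp_001.exe, PID 2064, parent PID 1520
wpltbbrp_001.tmp, PID 2116, parent PID 2064
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Assumption: a minimal OUI table is enough here; 52:54:00 is the QEMU/KVM default.
VIRTUAL_NIC_OUIS = {"52:54:00": "QEMU/KVM"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request (headers only) into method, host, path, query, cookies."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return {"method": method, "host": headers.get("host", ""), "path": url.path,
            "query": {k: v[0] for k, v in parse_qs(url.query).items()},
            "cookies": cookies, "user_agent": headers.get("user-agent", "")}


def parse_process_tree(text: str) -> dict:
    """PID -> {image, ppid} from lines of the form 'image, PID n, parent PID m'."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"(\S+), PID (\d+), parent PID (\d+)", line)
        if m:
            procs[int(m.group(2))] = {"image": m.group(1), "ppid": int(m.group(3))}
    return procs


def triage(requests: list, process_tree: str, sample_stem: str) -> list:
    """One finding per request: URL, leaked identifiers, originating process, CDN cookie."""
    procs = parse_process_tree(process_tree)
    findings = []
    for raw in requests:
        req = parse_request(raw)
        f = {"url": f"http://{req['host']}{req['path']}", "leaks": [],
             "process": None, "cloudflare_cookie": "__cfduid" in req["cookies"]}
        for key, value in req["query"].items():
            if MAC_RE.match(value):
                oui = value[:8].upper()
                f["leaks"].append((key, value, VIRTUAL_NIC_OUIS.get(oui, "unknown OUI")))
            elif key == "pid" and value.isdigit() and int(value) in procs:
                f["process"] = procs[int(value)]["image"]
            elif value == sample_stem:
                f["leaks"].append((key, value, "installer name used as campaign id"))
        findings.append(f)
    return findings


def indicators(findings: list) -> list:
    """Distinct URLs worth blocking (the CDN edge IPs are deliberately not included)."""
    return sorted({f["url"] for f in findings})


if __name__ == "__main__":
    for finding in triage(REQUESTS, PROCESS_TREE, "wpltbbrp_001"):
        print(finding)
    print(indicators(triage(REQUESTS, PROCESS_TREE, "wpltbbrp_001")))
```

The pid correlation only works because the sandbox records both the beacon and the process tree; on a production host the same check would be run against the endpoint agent's process list for the time of the request.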

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files extracted from network traffic.

Dropped files

File name   RunTongJi.tmp
Path        C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\RunTongJi.tmp
Size        12 bytes
Type        UTF-8 Unicode (with BOM) text, with no line terminators
MD5         2dc133967ef6f92c4bc49a39c9230232
SHA1        2f46b65cc2d88445839f2804caa01b4eda05bb66
SHA256      8bf5b058836ff8056986407ce250cdb296f39863ada5ffb9872a22dddeac9a78
CRC32       0893C630
Ssdeep      3:tDB:xB

File name   _setup64.tmp
Path        C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\_isetup\_setup64.tmp
Size        6144 bytes
Type        PE32+ executable (console) x86-64, for MS Windows
MD5         4ff75f505fddcc6a9ae62216446205d9
SHA1        efe32d504ce72f32e92dcf01aa2752b04d81a342
SHA256      a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
CRC32       B1C5F7C5
Ssdeep      96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF

File name   _shfoldr.dll
Path        C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\_isetup\_shfoldr.dll
Size        23312 bytes
Type        PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5         92dc6ef532fbb4a5c3201469a5b5eb63
SHA1        3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
CRC32       AE2C3EC2
Ssdeep      384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
Previous Maldun analysis of this file: score 1.5, analysed 2016-11-12 22:58:52.

File name   wpltbbrp_001.tmp
Path        C:\Users\test\AppData\Local\Temp\is-B7TLC.tmp\wpltbbrp_001.tmp
Size        804352 bytes
Type        PE32 executable (GUI) Intel 80386, for MS Windows
MD5         6d5d165ca8232e47a65cffec91a3f513
SHA1        6dec8950d1ef4fdb4f216cdb5b2575bb2333158d
SHA256      1eb9127e5071c23f7a60f4341b7af605541cba086ce88911b9dee64a1bb8c69c
CRC32       378B3FEC
Ssdeep      24576:mSyVUEDFrP537rzHaA6Dv+EDTEh/P/+x32PnWDExl9L:mphrP537rzHaA6Dcmx32PrH

File name   _RegDLL.tmp
Path        C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\_isetup\_RegDLL.tmp
Size        4096 bytes
Type        PE32 executable (GUI) Intel 80386, for MS Windows
MD5         0ee914c6f0bb93996c75941e1ad629c6
SHA1        12e2cb05506ee3e82046c41510f39a258a5e5549
SHA256      4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
CRC32       2748B2DA
Ssdeep      48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc

File name   test@wpltbbrp[1].txt
Path        C:\Users\test\AppData\Roaming\Microsoft\Windows\Cookies\test@wpltbbrp[1].txt
Size        114 bytes
Type        ASCII text
MD5         ce9d67992c836228d8e4916a68b339bc
SHA1        52c2a4815aaba8463d602a64103d862ec9ebfa37
SHA256      99b7e393001c69509bf7dc8c1eb7f99dfea1cdfdebb7d22d5f834b44fcb7df88
CRC32       CE088446
Ssdeep      3:GmM/DUXHshSUShyoS1leX0jXU7acOF6VWVvPvn:XM/IcY4P2XIX5rX
Content (Internet Explorer cookie-file record: name, value, domain/path, flags, expiry FILETIME low/high, creation FILETIME low/high, terminator):
__cfduid
d6a3ead12bbb1ddfe57d584a97d433bf51532094823
wpltbbrp.com/
9216
2330217856
30752514
1643001120
30655030
*

Of these, _setup64.tmp, _shfoldr.dll and _RegDLL.tmp are stock Inno Setup helper binaries that every Inno installer unpacks into its _isetup folder (the earlier 2016 analysis of _shfoldr.dll reflects that), and wpltbbrp_001.tmp is the unpacked setup program itself. The two is-XXXXX.tmp directories are also normal: the loader extracts the setup program into one, and the setup program creates its own for helpers. The only file specific to this installer's script is RunTongJi.tmp, a 12-byte text marker whose name ("run tongji") ties it to the statistics beacon; its content is not shown in the report. The cookie file is a side effect of the WinINet requests and confirms that the Cloudflare cookie is scoped to the whole wpltbbrp.com domain.
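
The following is an added example, not part of the report, that sorts the dropped paths above into installer-engine artifacts and the files that are specific to this installer, so that the analyst's attention goes to the latter. The paths are the ones listed on this page; the helper-name set is deliberately limited to the three helpers this report shows, and the category names are the example's own.

```python
"""Classify Inno Setup dropped files by where the engine puts them (added example)."""
import re
from pathlib import PureWindowsPath

# Inno Setup works in %TEMP%\is-XXXXX.tmp directories (five uppercase alphanumerics)
# and unpacks its own helper binaries into an _isetup subfolder of one of them.
INNO_TMP_DIR = re.compile(r"^is-[A-Z0-9]{5}\.tmp$")
INNO_HELPERS = {"_setup64.tmp", "_shfoldr.dll", "_regdll.tmp"}  # lower-case, as seen in this report

DROPPED = [  # paths exactly as listed in the report
    r"C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\RunTongJi.tmp",
    r"C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\_isetup\_setup64.tmp",
    r"C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\_isetup\_shfoldr.dll",
    r"C:\Users\test\AppData\Local\Temp\is-B7TLC.tmp\wpltbbrp_001.tmp",
    r"C:\Users\test\AppData\Local\Temp\is-4N7BU.tmp\_isetup\_RegDLL.tmp",
    r"C:\Users\test\AppData\Roaming\Microsoft\Windows\Cookies\test@wpltbbrp[1].txt",
]


def classify(path: str, sample_stem: str) -> str:
    """Category for one dropped file; sample_stem is the installer name without extension."""
    p = PureWindowsPath(path)
    parts_lower = [x.lower() for x in p.parts]
    in_inno_dir = any(INNO_TMP_DIR.match(x) for x in p.parts)
    if in_inno_dir and "_isetup" in parts_lower and p.name.lower() in INNO_HELPERS:
        return "inno-helper"          # stock engine component, identical across installers
    if in_inno_dir and p.suffix.lower() == ".tmp" and p.stem.lower() == sample_stem.lower():
        return "inno-setup-program"   # the unpacked installer, run as the child process
    if "cookies" in parts_lower and p.suffix.lower() == ".txt":
        return "ie-cookie"            # side effect of WinINet HTTP requests
    if in_inno_dir:
        return "installer-payload"    # written by this installer's own script: review these
    return "other"


def triage(paths: list, sample_stem: str) -> dict:
    """Group paths by category."""
    groups = {}
    for path in paths:
        groups.setdefault(classify(path, sample_stem), []).append(path)
    return groups


def inno_working_dirs(paths: list) -> list:
    """Distinct is-XXXXX.tmp directories; the loader and the setup program each use one."""
    return sorted({x for path in paths for x in PureWindowsPath(path).parts
                   if INNO_TMP_DIR.match(x)})


if __name__ == "__main__":
    for category, paths in triage(DROPPED, "wpltbbrp_001").items():
        print(category)
        for path in paths:
            print("   ", path)
    print(inno_working_dirs(DROPPED))
```

Hashes of the helper binaries can be compared against a known-good Inno Setup release to confirm they are unmodified; anything in the installer-payload group has no such reference and is where the sample-specific behaviour lives.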
No similar analyses found.

Processing (37.872 seconds)

  • 11.958 Suricata
  • 11.17 VirusTotal
  • 9.224 NetworkAnalysis
  • 2.056 Static
  • 1.519 TargetInfo
  • 0.751 BehaviorAnalysis
  • 0.548 peid
  • 0.455 AnalysisInfo
  • 0.107 Dropped
  • 0.063 Debug
  • 0.017 Strings
  • 0.003 Memory
  • 0.001 config_decoder

Signatures (2.97 seconds)

Time spent evaluating each signature module. This is a processing-time breakdown, not a list of matches; the signatures that actually fired are not part of this public view.

  • 2.121 md_url_bl
  • 0.35 md_bad_drop
  • 0.057 antiav_detectreg
  • 0.041 stealth_timeout
  • 0.034 api_spamming
  • 0.027 decoy_document
  • 0.024 stealth_file
  • 0.023 infostealer_ftp
  • 0.019 md_domain_bl
  • 0.016 antivm_generic_scsi
  • 0.014 infostealer_im
  • 0.013 mimics_filetime
  • 0.012 reads_self
  • 0.012 antianalysis_detectreg
  • 0.012 antiav_detectfile
  • 0.01 antivm_generic_services
  • 0.009 antivm_generic_disk
  • 0.008 antidbg_windows
  • 0.008 persistence_autorun
  • 0.008 geodo_banking_trojan
  • 0.008 infostealer_bitcoin
  • 0.008 infostealer_mail
  • 0.007 bootkit
  • 0.007 ransomware_files
  • 0.006 infostealer_browser
  • 0.006 virus
  • 0.006 ransomware_extensions
  • 0.005 antivm_vbox_files
  • 0.004 hancitor_behavior
  • 0.004 infostealer_browser_password
  • 0.004 disables_browser_warn
  • 0.004 network_http
  • 0.003 antiemu_wine_func
  • 0.003 rat_nanocore
  • 0.003 tinba_behavior
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.003 antivm_parallels_keys
  • 0.003 antivm_xen_keys
  • 0.003 network_torgateway
  • 0.002 dridex_behavior
  • 0.002 antivm_vbox_libs
  • 0.002 ipc_namedpipe
  • 0.002 shifu_behavior
  • 0.002 cerber_behavior
  • 0.002 kovter_behavior
  • 0.002 antivm_generic_diskreg
  • 0.002 bot_drive
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 darkcomet_regkeys
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antiav_avast_libs
  • 0.001 injection_createremotethread
  • 0.001 antivm_vbox_window
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 exec_crash
  • 0.001 ursnif_behavior
  • 0.001 injection_runpe
  • 0.001 antisandbox_script_timer
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antisandbox_productid
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 bypass_firewall
  • 0.001 codelux_behavior
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_blacklist
  • 0.001 modify_uac_prompt
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hide_notifications

Reporting (1.093 seconds)

  • 0.628 ReportHTMLSummary
  • 0.465 Malheur
Task ID 171274
Mongo ID 5b51ea102e063307d733977e
Cuckoo release 1.4-Maldun