分析任务

分析类型 虚拟机标签 开始时间 结束时间 持续时间
文件 (Windows) win7-sp1-x64-hpdapp01-1 2018-11-19 20:34:27 2018-11-19 20:35:04 37 秒

魔盾分数

3.15

可疑的

文件详细信息

文件名 逆战登录器1.0.0.3[宏助手专版].exe
文件大小 712192 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4197194e288ea7706a5c853cef88cf97
SHA1 ea953c7e747478b9475dc1429b6ef59a15d50609
SHA256 fd0ac7fe668863cd4cee5b786451fe09ebafeb80eb1568215217a504ee407bf8
SHA512 0a550d14d002059395b790a5cd177163c5f40c7a01e5c5cdd6a42aa8e76c1cbfdb541da38c556ba031d2ca8763e09cecf60bd1aa7797823c1aa4656cb3fa8b25
CRC32 79FDC7DD
Ssdeep 12288:MN0UGyPf+5Sd6wyMoUu1tVuv0HCcA+0USyPfw:MNb7f+57wyMoUu1tm0HCcA+bvfw
Yara 登录查看Yara规则
样本下载 提交漏报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.


摘要

登录查看详细行为信息

PE 信息

初始地址 0x00400000
入口地址 0x00401000
声明校验值 0x00000000
实际校验值 0x000b0dbf
最低操作系统版本要求 4.0
编译时间 1972-12-25 13:33:23
载入哈希 ae0a5112fe1176f4e5f6e1bc95e4c209

版本信息

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE 数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x00000224 0x00000400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.51
.rdata 0x00002000 0x00000194 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.64
.data 0x00003000 0x00086e00 0x00086e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.54
.rsrc 0x0008a000 0x00026408 0x00026600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.70

导入

库: USER32.dll:
0x402030 MessageBoxA
库: KERNEL32.dll:
0x402010 FreeLibrary
0x402014 lstrcatA
0x402018 GetModuleFileNameA
0x40201c ExitProcess
0x402020 LoadLibraryA
0x402024 GetProcAddress
0x402028 lstrlenA
库: ADVAPI32.dll:
0x402000 RegQueryValueExA
0x402004 RegCloseKey
0x402008 RegOpenKeyExA

.text
`.rdata
@.data
.rsrc
GetNewSock
Error
krnln.fne
Not found the kernel library or the kernel library is invalid!
krnln.fnr
Software\FlySky\E\Install
MessageBoxA
USER32.dll
ExitProcess
FreeLibrary
GetProcAddress
LoadLibraryA
lstrcatA
lstrlenA
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
ADVAPI32.dll
GetModuleFileNameA
const
Id==switcher_plogin
href==javascript:amsSubmit(166801,512789);
href==javascript:jieshouyaoqing();
href==javascript:amsInit(166801, 512103);
Id==area1ContentId_nz
Id==areaContentId_nz
Id==login_button
Super-EC
Id==dologin
Id==confirmButtonId_nz
https://shang.qq.com/wpa/qunwpa?idkey=cc0bc75a834dbf1ad410c1d5b8ec5dc397c5c4c7112b2f877ad05b1fc80af0dc
iexplore.exe
Id==u
Id==p
Id==dologout
https://user.qzone.qq.com/97052000?ADUIN=97052000&ADSESSION=1542587929&ADTAG=CLIENT.QQ.5599_MyInfo_PersonalInfo.0&ADPUBNO=26854&source=namecardstar
1753KM/5bEBtKp7pn5XZOLF8sUlTZB8bCQKlo8Sc8T9tlMW6q30DTKrlFxgj1INWb4/lc/QWcTc9FMhda+Hqk/kGLMg4+q65STPOpQK8z2HoCnHxcrwDLEmRfb5VQ2AO9oAtMrvajSRzJThQ0bsFRxUdnF6KKWapzciQgtFLoj+svgus4pBK4ey4C480UZMc3DvyM8lu/6RFISms/Z6KkMFAPMZigYYNzDpi1Y5yA7C5bLMwT9qZIdC4D3blZQd6a0heOhaK1BjnR0nF8mv4LiTSJskIMFbMM1/h+ZM/zohuIJUSbzLCyoQyPyyQzLwX9YYa09SQcbQpFYnqilWhkp3XDLsHS9uN61g3b4ldmKqJtbTmaQkBeuX9wwMPIfu2EMXr6gM3UI8IbF3e65ujvTwQ4yvzgTPhZf3FpN5JC0CcGZlU0RvGfPOgs61WBcPAFrzCu+cvtlrWAs6t7jivSiQ6gYwXn29BQm3Zr03L7Mln31iHl6oYTkTkfzMLjb/XyRznPgtLfUcmtOp5dZPn/DG/zHQHmKToSSf9btVynPHcd11Z9vvShb1nIR5Vk5iVo2Cqa19cKiX0XgHWAx26Dvnh9fFdgczvYXv8Nj2jcpEtOJ/5lrmsyfU0DLJVtz1PkirDOPdoqE54q+DWwIymOV+BmFxPVvRdUbYHrGxT/8QyYu2OQ/9TBmWkkeC1f0FB7lS24Km9UPo2iymuub2QWnOg4fN5fEF8k7Svcwb9wNmDxEQbi/kivWR2MDttV3PI3src7KCXyorObdJ38n+T4+U4VUECaUmkaofEb0tqGsXk5klj+7qT4YHaZQg7c0Vz/ztASuRcnJIHvQ5ceA
[I]d39auszyK+eksjknUV4qs8bcbO46LRw0FSi3Dv3mKrqs8+497VqUkgGDi5MR14cDQFVlg9I[/I][H]6c27hQUQ+M66cmgI0oSECkOa/iYfhmt7PzXdLKgqPQ+CzIr6LeB9T19rVzTyWQ[/H][IF]b15b+j1/fknM9S1w/hV6VDU0KS3D+4UfdzulbdP1Q2p3nkE[/IF][U]4116aFB/9Q1X9hqxFXF3HXVS4DCaToW8FkGXwUfvV3GNC90[/U][V]6429+56a+cQV6wafKZ5/eHH5SrpKJj3FGNEpCqAKWxRr[/V][Q]56fbt/JN3ECrGq8BQYotz/rNKjUbUwXid18smK48F+hTsxEs7SF8[/Q][J]905fi25vI8nKNOWGRj6m966jW8kPOBuiXj+vKq4hJ8VX5FAMHw4nmjGSOYrJ2kp9BEDPHJmIHxRfaVMNTPOMdg[/J][Z]c0e6dEtuRYTz5G7OSsvzu26CUlKWYZ669LB2CE2zIoUnMm6SXg[/Z][Md]26a4ZCdIIRO6vkGn9m5NPn82IH5mK8LScB8P7IMdWLYP0bON7gQXpKRXiRFfkB99XyiQdgKUNIfULbllYg[/Md]
TWINCONTROL
DC-Z_
97052920
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=
",0]}
-1,0,0,0,"
OPTIONS
DELETE
TRACE
CONNECT
https://
User-Agent:
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Accept: */*
Accept:
Accept: */*
Referer:
Referer:
Accept-Language:
Accept-Language: zh-cn
Content-Type:
Content-Type: application/x-www-form-urlencoded
Cookie:
Cookie:
Set-Cookie
Set-Cookie:
http://
https
=deleted
ScriptControl
JScript
Language
';return unescape(x);}
function xx(){var x='
ExecuteStatement
Adodb.Stream
Write
Position
unicode
Charset
ReadText
Close
createElement
appendChild
_self
_blank
target
setAttribute
Internet Explorer_Server
WM_HTML_GETOBJECT
?1# A
DECODE
00000000000123456789ABCDEF
http://open.baidu.com/special/time/
window.baidu_time(
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept:
Referer:
Accept-Language:
1970-01-01 08:00:00
1970-01-01 00:00:00
@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
@KTcLZES7p2ans010cGoIQgqZbEq4gvjJRX0QVaR2Uf0ad-emRPAV2YaXASvjFu0mkdUZHLLPUWyolmip1gtYm4lWySenCW2ukhsP
script
length
text/css
stylesheet
embed
bgsound
documentElement
outerHTML
../../
Content-Length:
Set-Cookie:
offsetWidth
offsetHeight
innerHTML
']?\)
createControlRange
execCommand
radio
checkbox
select
textarea
button
image
hidden
table
onunload|
getAttribute
execWB
{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
parentWindow
{6D5140C1-7436-11CE-8034-00AA006009FA}
FireEvent
input
title
]</font>
selectedIndex
text|password|file
value
</font>
button|submit|reset
innerText
SPAN_
ULLI_
contentWindow
document
contentEditable
frames
[/IF]
frame
contentwindow
?)-D%)
96d7RqnadKwZmZeBcGHuAWUmuhkPAlUg1iOu+sY4Dl9eb/0jaO9VC26czlCVBXM+oj5hRLo6eZ+4UpCAG5aX0JfgfA
?)-D%f`
4ad8pmqJx6TXSM9XHBb7krSF98s4B2OUHwqbwyGEM73fo50V+oVAzk5LZjvOifx9Euj2cirLC2rn/BGwl+VvdYHS7g
?2A0`
cad2xRUcdav+hE6SeJkwcrLquxoYiuvVaya6v9Y+ZsgOYa4AXQ9rGmiRVVfTuJ3J2yxdOQThYiAfYrCpySk21ISADw
fileSize
JavaScript
location.reload()
execScript
window.location.href="
scrollWidth
scrollHeight
{25336920-03F9-11CF-8FD0-00AA00686F13}
<HTML><BODY></BODY></HTML>
write
style
removeNode
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
tagName
navigate
Style
Y@click
focus
Javascript:
javascript:
JavaScript:
ParentWindow
retjs
getElementById
<textarea style='display:none;' id=retjs></textarea>
BeforeEnd
insertAdjacentHTML
document.all.retjs.innerText=
VBScript
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
type=radio
type=checkbox
type=file
type=text
type=image
type=password
type=submit
type=button
type=reset
type=hidden
elementFromPoint
IFRAME
FRAME
scrollLeft
scrollTop
offsetLeft
offsettop
parentElement
cssText
px solid
;border:
#ff0000
#ff00ff
#0000ff
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
DISPLAY
block
display
disabled
charset
BUTTON
user.qzone.qq.com
topMargin
mail.qq.com
leftMargin
activeElement
iframe
offsetheight
offsetParent
offsetTop
location
selection
createRange
htmlText
function alert(){return;}
function confirm(){return;}
function prompt(){return;}
function showModalDialog(){return;}
MessageBoxIndirectW
user32.dll
pasteHTML
ff0000
D6F20D
; BACKGROUND-COLOR: #
<B style='COLOR: #
<font style='COLOR: #
createTextRange
FindText
character
MoveStart
<font style='COLOR: #ff0000; BACKGROUND-COLOR: #D6F20D'>
cookie
domain
onkeyup
onblur
onchange
type='text'
type='password'
type="text"
type="password"
GetOpenFileNameW
comdlg32.dll
<@macromediaflashplayeractivex
checked
onclick
onmousedown
onmouseup
src==
height
width
select-one|select
getElementsByTagName
fireEvent
submit
action
method
<FORM
</FORM>
<font color=red>[
<font color=red>
className
getElementsByName
namedItem
getElementsByClassName
classname
outerTEXT
onmouseover
overflow
overflow-x
overflow-y
:hidden;');
var jie = document.createStyleSheet();jie.addRule('html','
cells
offsetwidth
readyState
complete
').value="
document.getElementById('
VBScript.RegExp
IgnoreCase
Multiline
Singleline
Global
Pattern
Execute
Replace
Count
Value
FirstIndex
SubMatches
user32
wininet.dll
ole32.dll
OLEACC.DLL
advapi32.dll
kernel32.dll
shlwapi.dll
User32.dll
kernel32
Kernel32.dll
oleaut32.dll
gdiplus.dll
gdi32
CreateWaitableTimerA
SetWaitableTimer
MsgWaitForMultipleObjects
CloseHandle
OpenFileMappingA
MapViewOfFile
RtlMoveMemory
ShellExecuteA
GetCurrentThreadId
RegisterWindowMessageA
CreateThread
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
PostThreadMessageA
Sleep
SetTimer
GetAsyncKeyState
CreateToolhelp32Snapshot
Process32First
Process32Next
Module32First
EnumWindows
IsWindowVisible
GetWindowTextA
GetClassNameA
GetWindowThreadProcessId
GetDesktopWindow
PostMessageA
InternetOpenA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
HttpQueryInfoA
CoInitialize
CoUninitialize
lstrlenA
GetProcessHeap
HeapAlloc
IsWindow
FindWindowExA
SendMessageTimeoutA
ObjectFromLresult
CryptAcquireContextA
CryptCreateHash
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
GetUrlCacheEntryInfoA
GetLastError
LocalAlloc
LocalFree
InternetSetCookieA
GetTempPathA
PathFindExtensionA
SetHandleCount
CLSIDFromString
MultiByteToWideChar
CallWindowProcA
DispCallFunc
SetWindowLongA
RegSetValueExA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
ScreenToClient
WindowFromPoint
GetCursorPos
GetWindowRect
SHGetSpecialFolderPathA
GetWindowsDirectoryA
GetSystemDirectoryA
lstrcpyn
ClientToScreen
SetCursorPos
mouse_event
GetWindow
GdiplusStartup
GlobalAlloc
CreateStreamOnHGlobal
GlobalLock
GlobalUnlock
GdipCreateBitmapFromStream
GdipSaveImageToStream
GetHGlobalFromStream
GlobalSize
GdipDisposeImage
GlobalFree
GdiplusShutdown
OpenClipboard
GetClipboardData
CloseClipboard
GetObjectA
CreateCompatibleDC
GetDIBits
DeleteDC
EmptyClipboard
GetInputState
LoadLibraryA
GetProcAddress
FreeLibrary
VirtualProtect
lstrcpynA
XwqEeDDDtGwwh
gwEgefvvtuwvx
gwaFgvvvpeGwh
GvP@Ggwgp@Gwh
gwgwtpwth
p@Gwh
pGweh
5ewth
pw@DGwh
DEwwwh
wtwwx
zeNTS-%1;8My
FXOW\
Rcq.&
y<N*g
TV_f1
]_..&
uuuS?K
Xou-`
(O(}L
`i B$u+f2
X9zD!
208$z>$
IcC`,
:i_m#52
B.Dj1
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
没有防病毒引擎扫描信息!

进程树


_______________1.0.0.3_________________.exe, PID: 2424, 上一级进程 PID: 2288

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
HTML 总结报告
(需15-60分钟同步)
下载

Processing ( 17.838 seconds )

  • 11.894 Suricata
  • 2.374 Static
  • 1.37 VirusTotal
  • 1.235 TargetInfo
  • 0.421 peid
  • 0.337 NetworkAnalysis
  • 0.076 BehaviorAnalysis
  • 0.064 AnalysisInfo
  • 0.047 Debug
  • 0.015 Strings
  • 0.003 Memory
  • 0.002 config_decoder

Signatures ( 0.33 seconds )

  • 0.162 md_bad_drop
  • 0.028 antiav_detectreg
  • 0.018 md_url_bl
  • 0.016 md_domain_bl
  • 0.012 infostealer_ftp
  • 0.008 antiav_detectfile
  • 0.007 anomaly_persistence_autorun
  • 0.007 infostealer_im
  • 0.007 ransomware_files
  • 0.006 ransomware_extensions
  • 0.005 infostealer_bitcoin
  • 0.004 api_spamming
  • 0.004 infostealer_mail
  • 0.003 tinba_behavior
  • 0.003 stealth_decoy_document
  • 0.003 stealth_timeout
  • 0.003 antivm_vbox_files
  • 0.003 geodo_banking_trojan
  • 0.003 disables_browser_warn
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 cerber_behavior
  • 0.002 bot_drive
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.001 network_tor
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.394 seconds )

  • 0.394 Malheur
Task ID 215091
Mongo ID 5bf2ae0d2e06334ae76c88c3
Cuckoo release 1.4-Maldun