分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-hpdapp01-1 | 2018-11-19 22:16:31 | 2018-11-19 22:19:03 | 152 秒 |
魔盾分数
10.0
Strictor病毒
文件详细信息
| 文件名 | cd.exe |
|---|---|
| 文件大小 | 513024 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | f90da380be1342cac7b8567162ca7d01 |
| SHA1 | c6bab46c023d90c307c617ef34f86960e0a2cb18 |
| SHA256 | a1b369c2942b3efac9417ff128384d754ed866c2ab214c2d3366b103bb361bba |
| SHA512 | 7d21adeebbfaecd7287ce9e62e3a431cb9781013c34363df3ca8f2077a00d6e9d334e0bad1668c786467684054ec93bfb85e8c9e342fbbdc5a5a4c5bba972b34 |
| CRC32 | 8221738F |
| Ssdeep | 12288:Lh1Lk70Tnvjcaqj6K+hjqyVS18lPRntBpD7kXDwLUUM:3k70TrcPWDjqMBpHkTYUV |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0040cd2f |
| 声明校验值 | 0x00023bfb |
| 实际校验值 | 0x0007fe33 |
| 最低操作系统版本要求 | 5.0 |
| PDB路径 | |
| 编译时间 | 2012-07-14 06:47:16 |
| 载入哈希 | bf5a4aa99e5b160f8521cadd6bfe73b8 |
版本信息
| Translation | |
|---|---|
| LegalCopyright | |
| Assembly Version | |
| InternalName | |
| FileVersion | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00019718 | 0x00019800 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.75 |
| .rdata | 0x0001b000 | 0x00006db4 | 0x00006e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.44 |
| .data | 0x00022000 | 0x000030c0 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.26 |
| .rsrc | 0x00026000 | 0x0005b3e4 | 0x0005b400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.85 |
导入
库: KERNEL32.dll:
• 0x41b000 RaiseException
• 0x41b004 GetLastError
• 0x41b008 MultiByteToWideChar
• 0x41b00c lstrlenA
• 0x41b010 InterlockedDecrement
• 0x41b014 GetProcAddress
• 0x41b018 LoadLibraryA
• 0x41b01c FreeResource
• 0x41b020 SizeofResource
• 0x41b024 LockResource
• 0x41b028 LoadResource
• 0x41b02c FindResourceA
• 0x41b030 GetModuleHandleA
• 0x41b034 Module32Next
• 0x41b038 CloseHandle
• 0x41b03c Module32First
• 0x41b040 CreateToolhelp32Snapshot
• 0x41b044 GetCurrentProcessId
• 0x41b048 SetEndOfFile
• 0x41b04c GetStringTypeW
• 0x41b050 GetStringTypeA
• 0x41b054 LCMapStringW
• 0x41b058 LCMapStringA
• 0x41b05c GetLocaleInfoA
• 0x41b060 HeapFree
• 0x41b064 GetProcessHeap
• 0x41b068 HeapAlloc
• 0x41b06c GetCommandLineA
• 0x41b070 HeapCreate
• 0x41b074 VirtualFree
• 0x41b078 DeleteCriticalSection
• 0x41b07c LeaveCriticalSection
• 0x41b080 EnterCriticalSection
• 0x41b084 VirtualAlloc
• 0x41b088 HeapReAlloc
• 0x41b08c HeapSize
• 0x41b090 TerminateProcess
• 0x41b094 GetCurrentProcess
• 0x41b098 UnhandledExceptionFilter
• 0x41b09c SetUnhandledExceptionFilter
• 0x41b0a0 IsDebuggerPresent
• 0x41b0a4 GetModuleHandleW
• 0x41b0a8 Sleep
• 0x41b0ac ExitProcess
• 0x41b0b0 WriteFile
• 0x41b0b4 GetStdHandle
• 0x41b0b8 GetModuleFileNameA
• 0x41b0bc WideCharToMultiByte
• 0x41b0c0 GetConsoleCP
• 0x41b0c4 GetConsoleMode
• 0x41b0c8 ReadFile
• 0x41b0cc TlsGetValue
• 0x41b0d0 TlsAlloc
• 0x41b0d4 TlsSetValue
• 0x41b0d8 TlsFree
• 0x41b0dc InterlockedIncrement
• 0x41b0e0 SetLastError
• 0x41b0e4 GetCurrentThreadId
• 0x41b0e8 FlushFileBuffers
• 0x41b0ec SetFilePointer
• 0x41b0f0 SetHandleCount
• 0x41b0f4 GetFileType
• 0x41b0f8 GetStartupInfoA
• 0x41b0fc RtlUnwind
• 0x41b100 FreeEnvironmentStringsA
• 0x41b104 GetEnvironmentStrings
• 0x41b108 FreeEnvironmentStringsW
• 0x41b10c GetEnvironmentStringsW
• 0x41b110 QueryPerformanceCounter
• 0x41b114 GetTickCount
• 0x41b118 GetSystemTimeAsFileTime
• 0x41b11c InitializeCriticalSectionAndSpinCount
• 0x41b120 GetCPInfo
• 0x41b124 GetACP
• 0x41b128 GetOEMCP
• 0x41b12c IsValidCodePage
• 0x41b130 CompareStringA
• 0x41b134 CompareStringW
• 0x41b138 SetEnvironmentVariableA
• 0x41b13c WriteConsoleA
• 0x41b140 GetConsoleOutputCP
• 0x41b144 WriteConsoleW
• 0x41b148 SetStdHandle
• 0x41b14c CreateFileA
库: ole32.dll:
• 0x41b17c OleInitialize
库: OLEAUT32.dll:
• 0x41b154 SafeArrayCreate
• 0x41b158 SafeArrayAccessData
• 0x41b15c SafeArrayUnaccessData
• 0x41b160 SafeArrayDestroy
• 0x41b164 SafeArrayCreateVector
• 0x41b168 VariantClear
• 0x41b16c VariantInit
• 0x41b170 SysFreeString
• 0x41b174 SysAllocString
.text
`.rdata
@.data
.rsrc
WPWUj
VPWUj
V h0%
N h0%
N(Uh0%
95(6B
Ph4"B
354"B
uL9=\9B
9=\9B
;5P?B
9=P?B
;58-B
950>B
9=p>B
95(/B
SVWUj
v$;540B
95L>B
Delete
NoRemove
ForceRemove
1.2.3
1.2.3
bad allocation
Visual C++ CRT: Not enough memory to complete call to strerror.
Unknown exception
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
`h````
Illegal byte sequence
Directory not empty
Function not implemented
No locks available
Filename too long
Resource deadlock avoided
Result too large
Domain error
Broken pipe
Too many links
Read-only file system
Invalid seek
No space left on device
File too large
Inappropriate I/O control operation
Too many open files
Too many open files in system
Invalid argument
Is a directory
Not a directory
No such device
Improper link
File exists
Resource device
Unknown error
Bad address
Permission denied
Not enough space
Resource temporarily unavailable
No child processes
Bad file descriptor
Exec format error
Arg list too long
No such device or address
Input/output error
Interrupted function call
No such process
No such file or directory
Operation not permitted
No error
UTF-8
UTF-16LE
UNICODE
e+000
GAIsProcessorFeaturePresent
KERNEL32
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
1#QNAN
1#INF
1#IND
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
mscoree.dll
KERNEL32.DLL
(null)
| 防病毒引擎/厂商 | 病毒名/规则匹配 | 病毒库日期 |
|---|---|---|
| Bkav | 未发现病毒 | 20181113 |
| MicroWorld-eScan | Gen:Variant.Strictor.144799 | 20181114 |
| CMC | 未发现病毒 | 20181114 |
| CAT-QuickHeal | 未发现病毒 | 20181113 |
| McAfee | RDN/Generic.grp | 20181114 |
| Cylance | Unsafe | 20181114 |
| Zillya | 未发现病毒 | 20181113 |
| TheHacker | 未发现病毒 | 20181113 |
| BitDefender | Gen:Variant.Strictor.144799 | 20181114 |
| K7GW | Trojan ( 0053f6dc1 ) | 20181113 |
| K7AntiVirus | Trojan ( 0053f6dc1 ) | 20181113 |
| TrendMicro | TROJ_GEN.R014C0WKC18 | 20181114 |
| Baidu | 未发现病毒 | 20181112 |
| NANO-Antivirus | Trojan.Win32.ClipBanker.fkbtls | 20181114 |
| Cyren | W32/Agent.AIK.gen!Eldorado | 20181114 |
| Symantec | Trojan.Gen.2 | 20181114 |
| TotalDefense | 未发现病毒 | 20181113 |
| TrendMicro-HouseCall | TROJ_GEN.R014C0WKC18 | 20181114 |
| Avast | Win32:Trojan-gen | 20181114 |
| ClamAV | 未发现病毒 | 20181114 |
| Kaspersky | Trojan.MSIL.HydraPOS.abi | 20181114 |
| Alibaba | 未发现病毒 | 20180921 |
| Babable | 未发现病毒 | 20180918 |
| ViRobot | 未发现病毒 | 20181113 |
| AegisLab | 未发现病毒 | 20181114 |
| Rising | 未发现病毒 | 20181114 |
| Ad-Aware | Gen:Variant.Strictor.144799 | 20181112 |
| Trustlook | 未发现病毒 | 20181114 |
| Sophos | Mal/Generic-S | 20181114 |
| F-Secure | Gen:Variant.Strictor.144799 | 20181114 |
| DrWeb | 未发现病毒 | 20181114 |
| VIPRE | 未发现病毒 | 20181114 |
| Invincea | heuristic | 20181108 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.hh | 20181114 |
| Emsisoft | Gen:Variant.Strictor.144799 (B) | 20181114 |
| Ikarus | Trojan.MSIL.ClipBanker | 20181113 |
| F-Prot | W32/Agent.AIK.gen!Eldorado | 20181114 |
| Jiangmin | 未发现病毒 | 20181114 |
| Webroot | 未发现病毒 | 20181114 |
| Avira | HEUR/AGEN.1035936 | 20181114 |
| MAX | malware (ai score=80) | 20181114 |
| Antiy-AVL | 未发现病毒 | 20181114 |
| Kingsoft | 未发现病毒 | 20181114 |
| Microsoft | Trojan:Win32/Occamy.C | 20181114 |
| Endgame | malicious (high confidence) | 20181108 |
| Arcabit | Trojan.Strictor.D2359F | 20181114 |
| SUPERAntiSpyware | 未发现病毒 | 20181114 |
| ZoneAlarm | Trojan.MSIL.HydraPOS.abi | 20181114 |
| Avast-Mobile | 未发现病毒 | 20181113 |
| GData | Gen:Variant.Strictor.144799 | 20181114 |
| AhnLab-V3 | 未发现病毒 | 20181114 |
| VBA32 | Trojan.Tiggre | 20181113 |
| ALYac | Gen:Variant.Strictor.144799 | 20181114 |
| TACHYON | 未发现病毒 | 20181114 |
| Malwarebytes | 未发现病毒 | 20181114 |
| Panda | Trj/CI.A | 20181113 |
| Zoner | 未发现病毒 | 20181114 |
| ESET-NOD32 | a variant of MSIL/ClipBanker.HH | 20181114 |
| Tencent | 未发现病毒 | 20181114 |
| Yandex | 未发现病毒 | 20181113 |
| SentinelOne | static engine - malicious | 20181011 |
| eGambit | 未发现病毒 | 20181114 |
| Fortinet | MSIL/ClipBanker.HF!tr | 20181114 |
| AVG | Win32:Trojan-gen | 20181114 |
| Cybereason | malicious.0be134 | 20180225 |
| Paloalto | generic.ml | 20181114 |
| CrowdStrike | malicious_confidence_100% (W) | 20181022 |
| Qihoo-360 | Win32/Trojan.3bf | 20181114 |
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
| 文件名 | usrlog.exe |
|---|---|
| 相关文件 |
C:\Users\test\AppData\Roaming\usrlog.exe
|
| 文件大小 | 56320 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 4cef5e72f6c1453c6585566e31e85591 |
| SHA1 | 01d75ecefae5235b7da358ab5e316fcefa27c6d0 |
| SHA256 | b9993c7f4be467b399d4ce58c075e2574d18a1b81bba95a69c32f7771f2382c2 |
| CRC32 | 07C087F2 |
| Ssdeep | 1536:/lSZJUKxZgAyrV63kofvUmkg5pCye61JmtWC+tyI:/lGJUK2kNGyStWC+T |
| 下载 提交魔盾安全分析 |
| 文件名 | GDIPFONTCACHEV1.DAT |
|---|---|
| 相关文件 |
C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
|
| 文件大小 | 114272 字节 |
| 文件类型 | data |
| MD5 | 2262103813c49a07c65813bb58143c21 |
| SHA1 | a1e4a613f51e8e57592464c61cc271f2fecec4f2 |
| SHA256 | ac3bd52d544a061ee8c90fa787f07af9d01a0c5a72981ed8172617b210798d31 |
| CRC32 | 4C77BE6A |
| Ssdeep | 1536:mLKAaE8z5wHgTlyhAQcDnBlC+X886UMMDbEDuezh:moiuzBzXGMDezh |
| 魔盾安全分析结果 | 2.0 分析时间:2017-03-07 13:12:04 查看分析报告 |
| 下载 提交魔盾安全分析 |
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 23.837 seconds )
- 11.926 Suricata
- 4.864 BehaviorAnalysis
- 2.924 VirusTotal
- 2.09 Static
- 0.976 TargetInfo
- 0.427 peid
- 0.359 NetworkAnalysis
- 0.152 Debug
- 0.069 AnalysisInfo
- 0.029 Dropped
- 0.016 Strings
- 0.004 Memory
- 0.001 config_decoder
Signatures ( 2.444 seconds )
- 0.469 mimics_filetime
- 0.295 md_bad_drop
- 0.259 api_spamming
- 0.215 stealth_timeout
- 0.183 stealth_decoy_document
- 0.092 stealth_file
- 0.073 reads_self
- 0.061 anomaly_persistence_autorun
- 0.056 bootkit
- 0.055 gootkit_behavior
- 0.051 virus
- 0.048 antivm_generic_disk
- 0.043 banker_prinimalka
- 0.043 creates_largekey
- 0.04 antiav_detectreg
- 0.039 anomaly_persistence_bootexecute
- 0.039 antivm_generic_scsi
- 0.038 anomaly_reset_winsock
- 0.037 shifu_behavior
- 0.022 hancitor_behavior
- 0.022 antiav_detectfile
- 0.021 alphacrypt_behavior
- 0.021 infostealer_ftp
- 0.021 md_url_bl
- 0.018 md_domain_bl
- 0.015 infostealer_bitcoin
- 0.013 infostealer_im
- 0.011 antiemu_wine_func
- 0.011 kovter_behavior
- 0.01 infostealer_browser_password
- 0.009 antivm_vbox_files
- 0.008 infostealer_mail
- 0.007 ransomware_extensions
- 0.007 ransomware_files
- 0.004 antivm_vbox_libs
- 0.004 injection_createremotethread
- 0.004 antivm_generic_services
- 0.004 geodo_banking_trojan
- 0.003 tinba_behavior
- 0.003 network_tor
- 0.003 rat_nanocore
- 0.003 betabot_behavior
- 0.003 antisandbox_sunbelt_libs
- 0.003 kibex_behavior
- 0.003 anormaly_invoke_kills
- 0.003 injection_runpe
- 0.003 disables_browser_warn
- 0.003 rat_pcclient
- 0.002 hawkeye_behavior
- 0.002 antiav_avast_libs
- 0.002 antisandbox_sboxie_libs
- 0.002 antiav_bitdefender_libs
- 0.002 exec_crash
- 0.002 cerber_behavior
- 0.002 antivm_parallels_keys
- 0.002 antivm_xen_keys
- 0.002 browser_security
- 0.002 modify_proxy
- 0.001 infostealer_browser
- 0.001 antivm_vmware_libs
- 0.001 Locky_behavior
- 0.001 ursnif_behavior
- 0.001 kazybot_behavior
- 0.001 dyre_behavior
- 0.001 encrypted_ioc
- 0.001 injection_rwx
- 0.001 sniffer_winpcap
- 0.001 antivm_generic_diskreg
- 0.001 antivm_vmware_files
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 disables_system_restore
- 0.001 disables_windows_defender
- 0.001 codelux_behavior
- 0.001 darkcomet_regkeys
- 0.001 targeted_flame
- 0.001 network_tor_service
- 0.001 office_security
- 0.001 rat_spynet
- 0.001 recon_fingerprint
- 0.001 stealth_hide_notifications
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.447 seconds )
- 0.447 Malheur
| Task ID | 215115 |
|---|---|
| Mongo ID | 5bf2c6872e06334acf6c8980 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号