恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-1	2019-04-06 21:28:47	2019-04-06 21:31:09	142 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	War3Edit.exe
文件大小	4269568 字节
文件类型	PE32 executable (console) Intel 80386, for MS Windows
MD5	04a6aeeb73e4e8c17014d2686b29efe1
SHA1	49ad597edfd7ce6c2687e0f376fe6d09af3abb93
SHA256	8fc90ed4ebc298a4e20332eea71de5987940c448556ef670e85dc596b2c0370f
SHA512	3ff11791ca399d38e88fa3459696a6dbe0a67deecee11d1d0f2fe8a2f54ff6647485fdcce33fe8291ad99c635204cbd3fcdcfffff4a312882cf251d481064c9e
CRC32	FB005446
Ssdeep	98304:W2z65h0Slr40E9ciS+4VoGtvVRIinVqpX3Gmf:ZSlr4rciS+AFvVRIwuXPf
Yara	登录查看Yara规则
	样本下载提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	183.131.212.53	中国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
w.eydata.net	A 183.131.212.53

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x00401000
声明校验值	0x00413ae0
实际校验值	0x00413ae0
最低操作系统版本要求	4.0
编译时间	2019-03-02 11:38:18
载入哈希	7617622eb6e5d8df5c14ddf6142b13bf

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0000d1b2	0x0000d200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.32
.rdata	0x0000f000	0x000007f6	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.08
.data	0x00010000	0x00410794	0x00404600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.rsrc	0x00421000	0x00001000	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.78

导入

库: USER32.dll:

• 0x40f0f4 PeekMessageA

• 0x40f0f8 GetMessageA

• 0x40f0fc TranslateMessage

• 0x40f100 DispatchMessageA

• 0x40f104 wsprintfA

• 0x40f108 MessageBoxA

• 0x40f10c PostMessageA

• 0x40f110 GetDlgItem

• 0x40f114 GetClassNameA

• 0x40f118 GetWindowThreadProcessId

• 0x40f11c IsWindowVisible

• 0x40f120 MsgWaitForMultipleObjects

• 0x40f124 GetWindowTextA

• 0x40f128 ShowWindow

库: ADVAPI32.dll:

• 0x40f000 CryptDestroyHash

• 0x40f004 CryptHashData

• 0x40f008 CryptReleaseContext

• 0x40f00c CryptCreateHash

• 0x40f010 CryptAcquireContextA

• 0x40f014 CryptGetHashParam

库: KERNEL32.dll:

• 0x40f01c ReadConsoleA

• 0x40f020 GetStartupInfoA

• 0x40f024 CreateProcessA

• 0x40f028 DeleteFileA

• 0x40f02c CreateFileA

• 0x40f030 CloseHandle

• 0x40f034 GetStdHandle

• 0x40f038 WriteFile

• 0x40f03c GetTickCount

• 0x40f040 FreeLibrary

• 0x40f044 GetProcAddress

• 0x40f048 LoadLibraryA

• 0x40f04c LCMapStringA

• 0x40f050 WaitForSingleObject

• 0x40f054 HeapFree

• 0x40f058 GetCurrentProcessId

• 0x40f05c OpenProcess

• 0x40f060 TerminateProcess

• 0x40f064 GetTempPathA

• 0x40f068 CreateToolhelp32Snapshot

• 0x40f06c Process32First

• 0x40f070 Process32Next

• 0x40f074 CreateWaitableTimerA

• 0x40f078 SetWaitableTimer

• 0x40f07c ReadProcessMemory

• 0x40f080 WriteProcessMemory

• 0x40f084 GetProcessHeap

• 0x40f088 GetModuleHandleA

• 0x40f08c ExitProcess

• 0x40f090 HeapAlloc

• 0x40f094 HeapReAlloc

• 0x40f098 GetModuleFileNameA

• 0x40f09c IsBadReadPtr

库: SHLWAPI.dll:

• 0x40f0ec PathFileExistsA

库: MSVCRT.dll:

• 0x40f0a4 atoi

• 0x40f0a8 _ftol

• 0x40f0ac _CIpow

• 0x40f0b0 strtod

• 0x40f0b4 strncpy

• 0x40f0b8 ??3@YAXPAX@Z

• 0x40f0bc strncmp

• 0x40f0c0 ??2@YAPAXI@Z

• 0x40f0c4 strchr

• 0x40f0c8 modf

• 0x40f0cc realloc

• 0x40f0d0 memmove

• 0x40f0d4 __CxxFrameHandler

• 0x40f0d8 _getch

• 0x40f0dc malloc

• 0x40f0e0 free

• 0x40f0e4 sprintf

.text
`.rdata
@.data
.rsrc
Phha@
VMProtect begin
VMProtect end
4SVUPh
8`}<j
ShowWindow
GetWindowTextA
MsgWaitForMultipleObjects
IsWindowVisible
GetWindowThreadProcessId
GetClassNameA
GetDlgItem
PostMessageA
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
USER32.dll
CryptAcquireContextA
CryptCreateHash
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
ADVAPI32.dll
GetCurrentProcessId
OpenProcess
TerminateProcess
GetTempPathA
CreateToolhelp32Snapshot
Process32First
Process32Next
CreateWaitableTimerA
SetWaitableTimer
ReadProcessMemory
WriteProcessMemory
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
WriteFile
GetStdHandle
CloseHandle
CreateFileA
WaitForSingleObject
CreateProcessA
GetStartupInfoA
ReadConsoleA
DeleteFileA
GetTickCount
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
KERNEL32.dll
PathFileExistsA
SHLWAPI.dll
sprintf
malloc
_ftol
_CIpow
strtod
strncpy
??3@YAXPAX@Z
strncmp
??2@YAPAXI@Z
strchr
realloc
memmove
__CxxFrameHandler
MSVCRT.dll
_getch
DED4ACEEDBE0ABA5B17225B62+
.text
.rdata
.data
.rsrc
.aspack
.adata
[2Cax

防病毒引擎/厂商	病毒名/规则匹配	病毒库日期
Bkav	HW32.Packed.	20190318
MicroWorld-eScan	Gen:Trojan.Heur.FU.@tW@aug70ufb	20190319
CMC	未发现病毒	20190318
CAT-QuickHeal	Trojan.Agent	20190318
McAfee	GenericRXGQ-YC!04A6AEEB73E4	20190319
Malwarebytes	未发现病毒	20190319
Zillya	未发现病毒	20190318
AegisLab	未发现病毒	20190318
TheHacker	未发现病毒	20190315
BitDefender	Gen:Trojan.Heur.FU.@tW@aug70ufb	20190319
K7GW	Adware ( 005070c51 )	20190315
K7AntiVirus	Adware ( 005070c51 )	20190318
Baidu	未发现病毒	20190318
Babable	未发现病毒	20180918
Cyren	W32/Trojan.IQYH-3637	20190319
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A potentially unwanted	20190319
TrendMicro-HouseCall	TROJ_GEN.R005C0PCF19	20190319
Avast	Win32:Malware-gen	20190318
ClamAV	未发现病毒	20190318
Kaspersky	UDS:DangerousObject.Multi.Generic	20190319
Alibaba	未发现病毒	20190306
NANO-Antivirus	未发现病毒	20190319
ViRobot	Trojan.Win32.Z.Packed.4269568	20190318
Rising	Trojan.Tiggre!8.ED98 (CLOUD)	20190319
Ad-Aware	Gen:Trojan.Heur.FU.@tW@aug70ufb	20190319
Trustlook	未发现病毒	20190319
Sophos	Generic PUA OM (PUA)	20190319
Comodo	TrojWare.Win32.Kryptik.ARSN@4t6mxs	20190319
F-Secure	未发现病毒	20190319
DrWeb	未发现病毒	20190319
VIPRE	未发现病毒	20190319
Invincea	heuristic	20190313
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc	20190318
Trapmine	malicious.high.ml.score	20190301
Emsisoft	Gen:Trojan.Heur.FU.@tW@aug70ufb (B)	20190319
SentinelOne	DFI - Suspicious PE	20190317
GData	Gen:Trojan.Heur.FU.@tW@aug70ufb	20190319
Jiangmin	未发现病毒	20190319
Avira	未发现病毒	20190318
MAX	malware (ai score=99)	20190319
Antiy-AVL	Trojan[Packed]/Win32.Blackmoon	20190319
Kingsoft	未发现病毒	20190319
Microsoft	Trojan:Win32/Tiggre!rfn	20190319
Endgame	malicious (high confidence)	20190215
Arcabit	Trojan.Heur.FU.EB78A0	20190319
SUPERAntiSpyware	未发现病毒	20190314
AhnLab-V3	未发现病毒	20190319
ZoneAlarm	UDS:DangerousObject.Multi.Generic	20190319
Avast-Mobile	未发现病毒	20190318
TotalDefense	未发现病毒	20190318
Acronis	suspicious	20190318
VBA32	BScope.Trojan.Downloader	20190318
ALYac	未发现病毒	20190319
TACHYON	未发现病毒	20190319
Panda	Trj/GdSda.A	20190318
Zoner	未发现病毒	20190318
Tencent	未发现病毒	20190319
Yandex	Riskware.BlackMoon!	20190318
Ikarus	未发现病毒	20190318
eGambit	Unsafe.AI_Score_91%	20190319
Fortinet	W32/Injector.BBYK!tr	20190319
AVG	Win32:Malware-gen	20190318
Cybereason	malicious.b73e4e	20190109
Paloalto	generic.ml	20190319
CrowdStrike	win/malicious_confidence_90% (W)	20190212
Qihoo-360	未发现病毒	20190319

进程树

War3Edit.exe id: 2692

War3Edit.exe, PID: 2692, 上一级进程 PID: 2296

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

ini.cg, PID: 2808, 上一级进程 PID: 2692

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	183.131.212.53	中国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	183.131.212.53 w.eydata.net	80
192.168.122.201	49162	183.131.212.53 w.eydata.net	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	62233	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
w.eydata.net	A 183.131.212.53

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	183.131.212.53 w.eydata.net	80
192.168.122.201	49162	183.131.212.53 w.eydata.net	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	62233	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://w.eydata.net/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: w.eydata.net
URL专业沙箱检测 -> http://w.eydata.net/98039776530cf506	POST /98039776530cf506 HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 7 Cache-Control: no-cache ver=1.0
URL专业沙箱检测 -> http://w.eydata.net/98529ec3e5a5dad8	POST /98529ec3e5a5dad8 HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 0 Cache-Control: no-cache

URI

HTTP数据

URL专业沙箱检测 -> http://w.eydata.net/

GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: w.eydata.net

URL专业沙箱检测 -> http://w.eydata.net/98039776530cf506

POST /98039776530cf506 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: w.eydata.net
Content-Length: 7
Cache-Control: no-cache

ver=1.0

URL专业沙箱检测 -> http://w.eydata.net/98529ec3e5a5dad8

POST /98529ec3e5a5dad8 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: w.eydata.net
Content-Length: 0
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	ini.cg
相关文件	C:\Users\test\AppData\Local\Temp\ini.cg
文件大小	1891840 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	c1d5851134908839a62dab2e8f40a5a9
SHA1	ecf4306ab708a68ddc191b19e4407d4fec5baa0a
SHA256	d44f74669c9697cf8aec911d3a3f818012c5cc96cef754a79dbce31a0cebb635
CRC32	64FCC299
Ssdeep	24576:KtLkAGFS35fRRdJensS3eaO+yKkk9SaYGVS/6ysylFz9pVG50qn:KtAzS35fRRdJDqiUSMS/6ysylTpC
	下载提交魔盾安全分析

文件名	ini.g
相关文件	C:\Users\test\AppData\Local\Temp\ini.g
文件大小	2315430 字节
文件类型	data
MD5	581bb903cafb050e910885cb9ce325a8
SHA1	8ebf8a0fbaff46b5c58b9aa908887e61e35d54bc
SHA256	2fb5d9cce516dc8b4f48ebc440939b10c39f194c39a877d5eb622418641b3f88
CRC32	733CA2DD
Ssdeep	49152:cwJ9c+fS+rUVspXySGFPPvH1g6IdIvvxDD+pX32DX/efB:cE9ciS+4VoGtvVRIinVqpX3GmfB
	下载提交魔盾安全分析

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 61.05 seconds )

23.38 BehaviorAnalysis
15.531 Suricata
11.99 Static
4.95 TargetInfo
3.931 NetworkAnalysis
0.483 peid
0.464 VirusTotal
0.241 Dropped
0.05 AnalysisInfo
0.014 Strings
0.013 config_decoder
0.003 Memory

Signatures ( 11.934 seconds )

2.003 md_url_bl
1.813 antivm_vbox_window
1.69 antisandbox_script_timer
1.432 api_spamming
1.42 browser_needed
1.169 stealth_timeout
1.016 stealth_decoy_document
0.942 injection_explorer
0.298 md_bad_drop
0.023 md_domain_bl
0.017 antiav_detectreg
0.008 infostealer_ftp
0.007 anomaly_persistence_autorun
0.007 antiav_detectfile
0.006 ransomware_files
0.005 injection_createremotethread
0.005 process_interest
0.005 geodo_banking_trojan
0.005 infostealer_bitcoin
0.005 infostealer_im
0.005 network_http
0.005 ransomware_extensions
0.003 tinba_behavior
0.003 vawtrak_behavior
0.003 injection_runpe
0.003 antivm_vbox_files
0.003 disables_browser_warn
0.003 infostealer_mail
0.003 network_torgateway
0.002 rat_nanocore
0.002 cerber_behavior
0.002 process_needed
0.002 browser_security
0.002 modify_proxy
0.002 network_cnc_http
0.001 betabot_behavior
0.001 ursnif_behavior
0.001 kibex_behavior
0.001 shifu_behavior
0.001 antivm_parallels_keys
0.001 antivm_xen_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 malicious_drop_executable_file_to_temp_folder
0.001 maldun_blacklist
0.001 stealth_modify_uac_prompt

Reporting ( 0.932 seconds )

0.898 ReportHTMLSummary
0.034 Malheur


Task ID	272828
Mongo ID	5ca8aad72f8f2e6830e771c1
Cuckoo release	1.4-Maldun