Maldun Security Analysis Report

Analysis type | Start time | End time | Duration | Analysis engine version
FILE | 2020-09-28 23:25:45 | 2020-09-28 23:25:46 | 1 second | 1.4-Maldun
VM machine name | Label | VM manager | Boot time | Shutdown time
win7-sp1-x64-shaapp02-1 | win7-sp1-x64-shaapp02-1 | KVM | 2020-09-28 23:25:46 | 2020-09-28 23:25:46
Maldun score

1.75

Normal

File details

File name N_m3u8DL-CLI.exe
File size 923136 bytes
File type PE32 executable (console) Intel 80386, for MS Windows
CRC32 EF01E421
MD5 53badba61b86d9864257be4cf955d800
SHA1 c761701de1c93b7f059eaf89d3c5208ab8ffda43
SHA256 5b69c8c67cbcee5821358237f3c22ac1c48c6e3cad1933993e5aa4a0496e9380
SHA512 0225343d6a8ebab1448edd4533f66d27f59e93c599881b87fe6c7dc95a0dca8bccf89a70133b5f042fb41fe86da19b547b332a7f8ff56643f5ef757c5fb7b133
Ssdeep 24576:16+EmuyeO/RaKGjV2p7JJvFDKyxfWmA5nAUkTtiqF:16+EZLjjVwvFDhL
PEiD No match
Yara
  • DebuggerCheck__QueryInfo ()
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • DebuggerException__SetConsoleCtrl ()
  • ThreadControl__Context ()
  • disable_dep (Bypass DEP)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsConsole (Detected a console program sample)
  • IsPacked (Detected Entropy signature)
  • HasDebugData (Detected Debug Data)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • BASE64_table (Look for Base64 table)
  • Borland (Detects Borland program)
VirusTotal VirusTotal lookup failed

Signatures

The binary may contain encrypted or compressed data
section: name: .enigma1, entropy: 7.91, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00076000, virtual_size: 0x00002000
Maldun Security Yara rule detection results - security alerts
Warning: Bypass DEP
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Runtime screenshots

No runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x0042238e
Declared checksum 0x00000000
Actual checksum 0x000e729b
Minimum OS version required 4.0
Compile time 2020-09-20 13:32:41
Import hash ae4ae436602a0fced8410c4c48e4ae05

Version information

Translation: 0x0000 0x04b0
LegalCopyright: Copyright © 2020
Assembly Version: 1.0.0.0
InternalName: N_m3u8DL-CLI.exe
FileVersion: 2.7.4.0
CompanyName: nilaoda
LegalTrademarks:
Comments: 一款命令行m3u8下载器 (a command-line m3u8 downloader)
ProductName: N_m3u8DL-CLI
ProductVersion: 2.7.4.0
FileDescription: N_m3u8DL-CLI
OriginalFilename: N_m3u8DL-CLI.exe

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00002000 0x00020394 0x00020400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.21
.rsrc 0x00024000 0x00006ad8 0x00006c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.92
.reloc 0x0002c000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10
.enigma1 0x0002e000 0x00002000 0x00076000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.91
.enigma2 0x00030000 0x00044000 0x00044000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.94

Imports

Library kernel32.dll:
0x46817c - DeleteCriticalSection
0x468180 - LeaveCriticalSection
0x468184 - EnterCriticalSection
0x468188 - InitializeCriticalSection
0x46818c - VirtualFree
0x468190 - VirtualAlloc
0x468194 - LocalFree
0x468198 - LocalAlloc
0x46819c - GetTickCount
0x4681a0 - QueryPerformanceCounter
0x4681a4 - GetVersion
0x4681a8 - GetCurrentThreadId
0x4681ac - InterlockedDecrement
0x4681b0 - InterlockedIncrement
0x4681b4 - VirtualQuery
0x4681b8 - WideCharToMultiByte
0x4681bc - MultiByteToWideChar
0x4681c0 - lstrlenA
0x4681c4 - lstrcpynA
0x4681c8 - LoadLibraryExA
0x4681cc - GetThreadLocale
0x4681d0 - GetStartupInfoA
0x4681d4 - GetProcAddress
0x4681d8 - GetModuleHandleA
0x4681dc - GetModuleFileNameA
0x4681e0 - GetLocaleInfoA
0x4681e4 - GetCommandLineA
0x4681e8 - FreeLibrary
0x4681ec - FindFirstFileA
0x4681f0 - FindClose
0x4681f4 - ExitProcess
0x4681f8 - ExitThread
0x4681fc - WriteFile
0x468200 - UnhandledExceptionFilter
0x468204 - RtlUnwind
0x468208 - RaiseException
0x46820c - GetStdHandle
Library user32.dll:
0x468214 - GetKeyboardType
0x468218 - LoadStringA
0x46821c - MessageBoxA
0x468220 - CharNextA
Library advapi32.dll:
0x468228 - RegQueryValueExA
0x46822c - RegOpenKeyExA
0x468230 - RegCloseKey
Library oleaut32.dll:
0x468238 - SysFreeString
0x46823c - SysReAllocStringLen
0x468240 - SysAllocStringLen
Library kernel32.dll:
0x468248 - TlsSetValue
0x46824c - TlsGetValue
0x468250 - TlsFree
0x468254 - TlsAlloc
0x468258 - LocalFree
0x46825c - LocalAlloc
Library advapi32.dll:
0x468264 - RegOpenKeyA
Library kernel32.dll:
0x46826c - WriteProcessMemory
0x468270 - WriteFile
0x468274 - WideCharToMultiByte
0x468278 - WaitForSingleObject
0x46827c - VirtualQuery
0x468280 - VirtualProtectEx
0x468284 - VirtualProtect
0x468288 - VirtualFree
0x46828c - VirtualAllocEx
0x468290 - VirtualAlloc
0x468294 - SystemTimeToFileTime
0x468298 - SizeofResource
0x46829c - SetThreadContext
0x4682a0 - SetLastError
0x4682a4 - SetFileTime
0x4682a8 - SetFilePointer
0x4682ac - SetFileAttributesW
0x4682b0 - SetFileAttributesA
0x4682b4 - SetEvent
0x4682b8 - SetErrorMode
0x4682bc - SetEndOfFile
0x4682c0 - SetCurrentDirectoryW
0x4682c4 - SetCurrentDirectoryA
0x4682c8 - ResetEvent
0x4682cc - RemoveDirectoryW
0x4682d0 - RemoveDirectoryA
0x4682d4 - ReadProcessMemory
0x4682d8 - ReadFile
0x4682dc - QueryDosDeviceW
0x4682e0 - PostQueuedCompletionStatus
0x4682e4 - MultiByteToWideChar
0x4682e8 - LockResource
0x4682ec - LoadResource
0x4682f0 - LoadLibraryW
0x4682f4 - LoadLibraryA
0x4682f8 - LeaveCriticalSection
0x4682fc - IsBadWritePtr
0x468300 - IsBadStringPtrW
0x468304 - IsBadReadPtr
0x468308 - InitializeCriticalSection
0x46830c - GetWindowsDirectoryW
0x468310 - GetWindowsDirectoryA
0x468314 - GetVersionExA
0x468318 - GetVersion
0x46831c - GetThreadLocale
0x468320 - GetThreadContext
0x468324 - GetTempPathW
0x468328 - GetTempPathA
0x46832c - GetTempFileNameW
0x468330 - GetTempFileNameA
0x468334 - GetSystemDirectoryW
0x468338 - GetSystemDirectoryA
0x46833c - GetStringTypeExW
0x468340 - GetStringTypeExA
0x468344 - GetStdHandle
0x468348 - GetProcAddress
0x46834c - GetModuleHandleA
0x468350 - GetModuleFileNameW
0x468354 - GetModuleFileNameA
0x468358 - GetLogicalDriveStringsW
0x46835c - GetLocaleInfoW
0x468360 - GetLocaleInfoA
0x468364 - GetLocalTime
0x468368 - GetLastError
0x46836c - GetFullPathNameW
0x468370 - GetFullPathNameA
0x468374 - GetFileSize
0x468378 - GetFileAttributesW
0x46837c - GetFileAttributesA
0x468380 - GetDiskFreeSpaceA
0x468384 - GetDateFormatA
0x468388 - GetCurrentThreadId
0x46838c - GetCurrentProcessId
0x468390 - GetCurrentProcess
0x468394 - GetCurrentDirectoryW
0x468398 - GetCurrentDirectoryA
0x46839c - GetCPInfo
0x4683a0 - GetACP
0x4683a4 - FreeResource
0x4683a8 - FreeLibrary
0x4683ac - FormatMessageA
0x4683b0 - FlushInstructionCache
0x4683b4 - FindResourceW
0x4683b8 - FindNextFileW
0x4683bc - FindNextFileA
0x4683c0 - FindFirstFileW
0x4683c4 - FindFirstFileA
0x4683c8 - FindClose
0x4683cc - FileTimeToLocalFileTime
0x4683d0 - FileTimeToDosDateTime
0x4683d4 - ExitProcess
0x4683d8 - EnumCalendarInfoA
0x4683dc - EnterCriticalSection
0x4683e0 - DeleteFileW
0x4683e4 - DeleteFileA
0x4683e8 - DeleteCriticalSection
0x4683ec - CreateFileW
0x4683f0 - CreateFileA
0x4683f4 - CreateEventA
0x4683f8 - CreateDirectoryW
0x4683fc - CreateDirectoryA
0x468400 - CompareStringW
0x468404 - CompareStringA
0x468408 - CloseHandle
Library user32.dll:
0x468410 - MessageBoxA
0x468414 - LoadStringA
0x468418 - GetSystemMetrics
0x46841c - CharUpperBuffW
0x468420 - CharUpperW
0x468424 - CharLowerBuffW
0x468428 - CharLowerW
0x46842c - CharNextA
0x468430 - CharLowerA
0x468434 - CharUpperA
0x468438 - CharToOemA
Library kernel32.dll:
0x468440 - Sleep
Library kernel32.dll:
0x468448 - ActivateActCtx
0x46844c - CreateActCtxW
0x468450 - QueryDosDeviceW
Library ole32.dll:
0x468458 - CreateStreamOnHGlobal
0x46845c - CoUninitialize
0x468460 - CoInitialize
Library oleaut32.dll:
0x468468 - GetErrorInfo
0x46846c - SysFreeString
Library oleaut32.dll:
0x468474 - SafeArrayPtrOfIndex
0x468478 - SafeArrayGetUBound
0x46847c - SafeArrayGetLBound
0x468480 - SafeArrayCreate
0x468484 - VariantChangeType
0x468488 - VariantCopy
0x46848c - VariantClear
0x468490 - VariantInit
Library ntdll.dll:
0x468498 - RtlInitUnicodeString
0x46849c - RtlFreeUnicodeString
0x4684a0 - RtlFormatCurrentUserKeyPath
0x4684a4 - RtlDosPathNameToNtPathName_U
Library SHFolder.dll:
0x4684ac - SHGetFolderPathW
0x4684b0 - SHGetFolderPathA
Library ntdll.dll:
0x4684b8 - ZwProtectVirtualMemory
Library shlwapi.dll:
0x4684c0 - PathMatchSpecW
Library ntdll.dll:
0x4684c8 - LdrGetProcedureAddress
0x4684cc - RtlFreeUnicodeString
0x4684d0 - RtlInitAnsiString
0x4684d4 - RtlAnsiStringToUnicodeString
0x4684d8 - LdrLoadDll

Dropped files

No information

Behavioral analysis

Mutexes No information
Commands executed No information
Services created No information
Services started No information

Processes

No information
Files accessed No information
Files read No information
Files modified No information
Files deleted No information
Registry keys No information
Registry keys read No information
Registry keys modified No information
Registry keys deleted No information
API resolution No information