Maldun Security Analysis Report

Analysis type   Start time            End time              Duration   Engine version
FILE            2020-11-30 10:28:34   2020-11-30 10:30:42   128 s      1.4-Maldun

VM name                    Label                      Hypervisor   Boot time             Shutdown time
win7-sp1-x64-shaapp03-1    win7-sp1-x64-shaapp03-1    KVM          2020-11-30 10:28:35   2020-11-30 10:30:44

Maldun score

10.0

Malicious

File details

File name   AdHunter.exe
File size   6961664 bytes
File type   PE32+ executable (GUI) x86-64, for MS Windows
CRC32       72A87AB0
MD5         58537b557c1e3909592f8d5f2789bf82
SHA1        ac53c725ea4bfc8ead3a8a4d8d205e3d5d333ac5
SHA256      0b79cf8edbab1aff6eeb6ee6ea1cf5e3f45b62a08c858678df899a16f18595b5
SHA512      d553d3f6dc1d560452aceac172eb153ed997c8931bb65f8479aacd07e795dfe16d16e19077605436439719999fbac40bc0d814c1ec3a87ec3efe9a4fe8ce352c
Ssdeep      98304:LgyXBmFee0TR+5vojug9Ljhj1cWk79wX1KJCDmlWAKXjXU9ahSmPdMbfXpt/UWc4:LgyXmgmyLjhj1ew5DGKXk2ba3Oa
PEiD        no match
Yara
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RIPEMD160_Constants (Look for RIPEMD-160 constants)
  • SHA1_Constants (Look for SHA1 constants)
  • BASE64_table (Look for Base64 table)
  • with_urls (Detected the presence of one or several URLs)
  • IsPE64 (Detected a 64-bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected entropy signature)
  • HasRichSignature (Detected Rich signature)
  • antisb_threatExpert (Anti-sandbox checks for ThreatExpert)
  • network_tcp_socket (Detected network communications over raw socket)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registry modification function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small-size target, such as process manipulation, privilege, token and file activity)
Note: every Yara hit above is a static match on the file's bytes. The CRC32/MD5/SHA-1/RIPEMD-160/Base64 rules fire on any binary that links a standard hashing or encoding library, and the capability rules (network_tcp_socket, create_process, win_registry) match imported API names rather than calls the sandbox observed; read them as "the file contains these", not "the sample did these".
VirusTotal             link
VirusTotal scan time   2020-11-30 01:59:16
Scan result            13/71

Signatures

The binary may contain encrypted or compressed data
section: name: .pdata, entropy: 7.84, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0000fa00, virtual_size: 0x0000f8a0
section: name: .vmp0, entropy: 7.73, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00501800, virtual_size: 0x005016fd
section: name: .vmp1, entropy: 6.89, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00085c00, virtual_size: 0x00085a1c
Note: .vmp0 and .vmp1 are the default section names VMProtect gives its virtualised code and data, and .pdata, which on x64 normally holds low-entropy unwind tables, at 7.84 clearly does not contain plain unwind data on disk. These three sections account for roughly 5.9 MB of the 6.96 MB file.
Maldun Yara rule results - security alert
Critical: Spotted potential malicious behaviors from a small-size target, such as process manipulation, privilege, token and file activity
Network activity detected that does not appear in the API log
ip: 23.211.14.171
domain: acroipm.adobe.com
Note: acroipm.adobe.com is the Adobe Acrobat/Reader in-product-messaging host and the request (see the HTTP request below) carried User-Agent IPM. The report could not tie the traffic to any API call made by the sample, so it is more plausibly background traffic from a Reader install in the guest than sample activity; do not use it as an indicator for AdHunter.exe without a process attribution.
The executable is probably packed with VMProtect
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00116000', 'size_of_data': '0x00501800', 'entropy': '7.73', 'virtual_size': '0x005016fd', 'characteristics_raw': '0x60000060'}
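The three static traits the report derives from the section table (per-section entropy, VMProtect section names, and the declared-versus-actual PE checksum reported further down) can be recomputed from the file alone. The following is an added example, not Maldun's code: it parses a PE32+ section table, computes Shannon entropy per section and the imagehlp-style CheckSum, and flags .vmp* sections. Because the real sample is not part of this page, it builds a small constructed PE32+ stand-in with one repetitive `.text` section and one random-filled `.vmp0` section; the builder, the PRNG seed and the 7.0 entropy threshold are the example's own choices.

```python
import math
import random
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
SCN_CODE, SCN_IDATA, SCN_EXEC, SCN_READ = 0x20, 0x40, 0x20000000, 0x40000000
CHECKSUM_FIELD = 64  # offset of CheckSum inside the optional header (PE32 and PE32+ alike)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0: the per-section 'Entropy' value sandboxes print."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """imagehlp-style CheckSum: dword sum with carries folded back, skipping the CheckSum
    field itself, folded to 16 bits, plus the file length."""
    data = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(data), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", data, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(image)

def triage(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Per-section entropy, VMProtect-style section names and CheckSum validity."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1
    if e_lfanew < 0 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt = coff + 20
    first_section = opt + struct.unpack_from("<H", image, coff + 16)[0]  # + SizeOfOptionalHeader
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(
            image, first_section + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rawsize, "executable": bool(chars & SCN_EXEC),
            "entropy": round(shannon_entropy(image[rawptr:rawptr + rawsize]), 2),
        })
    declared = struct.unpack_from("<I", image, opt + CHECKSUM_FIELD)[0]
    return {
        "sections": sections,
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= entropy_threshold],
        "likely_vmprotect": any(s["name"].lower().startswith(".vmp") for s in sections),
        "checksum_ok": declared == pe_checksum(image, opt + CHECKSUM_FIELD),
    }

def build_pe32plus(sections) -> bytes:
    """Constructed minimal (non-runnable) PE32+ image with a valid CheckSum, for testing triage()."""
    FILE_ALIGN, SECT_ALIGN, OPT_SIZE, E_LFANEW = 0x200, 0x1000, 240, 0x80
    hdr_len = E_LFANEW + 4 + 20 + OPT_SIZE + 40 * len(sections)
    size_of_headers = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(E_LFANEW)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, OPT_SIZE, 0x22)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)  # ImageBase, as in the report
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", opt, 60, size_of_headers)
    table, body, va, rawptr = b"", b"", SECT_ALIGN, size_of_headers
    for name, data, chars in sections:
        rawsize = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += SECTION_HDR.pack(name.encode(), len(data), va, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        va += -(-len(data) // SECT_ALIGN) * SECT_ALIGN
        rawptr += rawsize
    struct.pack_into("<I", opt, 56, va)           # SizeOfImage
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(size_of_headers, b"\0")
    image = bytearray(headers + body)
    cks_off = E_LFANEW + 4 + 20 + CHECKSUM_FIELD
    struct.pack_into("<I", image, cks_off, pe_checksum(bytes(image), cks_off))
    return bytes(image)

def sample_image() -> bytes:
    """Stand-in for the report's layout: a repetitive '.text' beside a random-filled '.vmp0'."""
    rng = random.Random(2020)                                  # deterministic, so results reproduce
    text = bytes(range(16)) * 128                              # 2 KiB, entropy exactly 4.0
    vmp0 = bytes(rng.getrandbits(8) for _ in range(0x2000))   # 8 KiB, entropy close to 8.0
    return build_pe32plus([(".text", text, SCN_CODE | SCN_EXEC | SCN_READ),
                           (".vmp0", vmp0, SCN_CODE | SCN_IDATA | SCN_EXEC | SCN_READ)])
```

`triage(open(path, "rb").read())` on a real file gives the same fields the report prints; the checksum check is worth keeping because a matching CheckSum (as this sample has) says the header was fixed up after the last modification, while a mismatch says someone patched the file afterwards. Any single-byte change inside a section breaks the check.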
The file was flagged as malicious by at least one antivirus engine on VirusTotal
Cybereason: malicious.5ea4bf
Kaspersky: HEUR:Trojan.Win64.Agent.gen
Sophos: ML/PE-A
F-Secure: Heuristic.HEUR/AGEN.1123093
FireEye: Generic.mg.58537b557c1e3909
Ikarus: Trojan.Agent
Avira: HEUR/AGEN.1123093
Gridinsoft: Trojan.Heur!.02014423
ZoneAlarm: HEUR:Trojan.Win64.Agent.gen
Cynet: Malicious (score: 85)
Cylance: Unsafe
APEX: Malicious
Fortinet: W64/Agent.A!tr
Note: none of the 13 names attributes a family; they are heuristic, generic or machine-learning verdicts (HEUR, ML, Generic, Unsafe), which is the level of evidence a packed, otherwise unknown x64 PE tends to collect.

Screenshots

Network analysis

DNS resolution

Domain              Response
acroipm.adobe.com   CNAME acroipm.adobe.com.edgesuite.net
                    CNAME a1983.dscd.akamai.net
                    A 23.211.14.171
                    A 23.211.14.185

TCP connections

IP address      Port
23.211.14.171   80

UDP connections

IP address      Port
192.168.122.1   53

HTTP requests

URL         http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
HTTP data
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Note: 192.168.122.1 is the default libvirt/KVM NAT gateway and the guest's resolver, so the UDP/53 entry is the lookup for acroipm.adobe.com. The User-Agent IPM, the /11/rdr/CHS/... path (Reader 11, Simplified Chinese) and the If-Modified-Since header dated 2017 describe Adobe Reader's in-product-messaging update check against a copy it already holds; nothing here links the request to AdHunter.exe.

Static analysis

PE information

Image base              0x140000000
Entry point             0x1406218ac
Declared checksum       0x006a920c
Actual checksum         0x006a920c
Minimum OS version      5.2
Compile time            2020-10-16 16:23:42
Import hash (imphash)   da35d6362dd89520cec66a360ddcd46d
Icon
Icon exact hash         7517ba1ddaee8397ae6adf759448e103
Icon similarity hash    13ac8a8c827d687cf8e3bf370f7bd75a

Note: the entry point RVA (0x6218ac) falls inside .vmp1 (RVA 0x618000 to 0x69da1c), not in .text, so execution begins in the protector's code. Declared and actual checksums agree, so the header was fixed up after the last change to the file.

Version info

LegalCopyright:   \xe6\xe6\xe6\xe5\xe7\xe7\xe7\xe6\xe6\xe9\xe5\xe5\xefhttp://adhunter.cn
FileVersion:      2.6.10.1616
CompanyName:      \xe6\xe6\xe6\xe5\xe7\xe7\xe7\xe6\xe6\xe9\xe5\xe5
ProductName:      \xe5\xe5\xe7\xe6
ProductVersion:   2.6.10.1616
FileDescription:  \xe4\xe6\xe9\xe6\xe7
Translation:      0x0804 0x03a8

Note: the \xe4..\xe9 and \xef runs appear to be the UTF-8 lead bytes of CJK characters with the continuation bytes dropped by the report renderer; only the character counts survive (13 before the URL in LegalCopyright, 12 in CompanyName, 4 in ProductName, 5 in FileDescription) and the strings cannot be recovered from this page. Translation 0x0804 is Chinese (Simplified, PRC) and 0x03a8 is code page 936 (GBK).

PE sections

Name     Virtual address  Virtual size  Raw size    Characteristics                                                                            Entropy
.text    0x00001000       0x000bc6e3    0x000bc800  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                                 5.88
.rdata   0x000be000       0x0003d8d4    0x0003da00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                                           5.14
.data    0x000fc000       0x00008ed4    0x00007600  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE                       4.77
.pdata   0x00105000       0x0000f8a0    0x0000fa00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                                           7.84
SelfSec  0x00115000       0x00000104    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE                       0.11
.vmp0    0x00116000       0x005016fd    0x00501800  IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ  7.73
.vmp1    0x00618000       0x00085a1c    0x00085c00  IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ  6.89
.reloc   0x0069e000       0x00001da8    0x00001e00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                                           5.47
.rsrc    0x006a0000       0x00008f6f    0x00009000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                                           4.88

Resources

Name           Offset      Size        Language      Sublanguage                 Entropy  File type
RT_ICON        0x006a83f0  0x00000468  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.49     GLS_BINARY_LSB_FIRST (the report lists this row five times with identical offset and size; the group below declares 5 icons)
RT_GROUP_ICON  0x006a8858  0x0000004c  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  2.80     MS Windows icon resource - 5 icons, 64x64
RT_VERSION     0x006a88a8  0x00000250  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.98     data
RT_MANIFEST    0x006a8af8  0x00000477  LANG_ENGLISH  SUBLANG_ENGLISH_US          5.07     ASCII text, with CRLF line terminators

Imports

Note: the entries below are import descriptors in IAT order; KERNEL32, USER32 and ADVAPI32 each appear more than once because they have several descriptors, not because lines are duplicated. A long run of descriptors with a single function each, followed by a KERNEL32 block of LoadLibraryA/GetModuleHandleA, the affinity-mask functions, Sleep and ExitProcess, is consistent with VMProtect's import protection: one import per original DLL keeps the module loaded, and the rest are resolved at run time. The final ADVAPI32 descriptor (OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW) enumerates installed services, which is an environment check worth following up in a manual run.

Library mfc90u.dll:
0x140622000 - None
Library MSVCR90.dll:
0x140622010 - ?_type_info_dtor_internal_method@type_info@@QEAAXXZ
Library KERNEL32.dll:
0x140622020 - GetVersionExW
Library USER32.dll:
0x140622030 - SetWindowRgn
Library GDI32.dll:
0x140622040 - SelectClipRgn
Library ADVAPI32.dll:
0x140622050 - RegSetValueExW
Library SHELL32.dll:
0x140622060 - ShellExecuteW
Library SHLWAPI.dll:
0x140622070 - PathFileExistsW
Library ole32.dll:
0x140622080 - OleLockRunning
Library OLEAUT32.dll:
0x140622090 - GetErrorInfo
Library MSVCP90.dll:
0x1406220a0 - ?to_char_type@?$char_traits@D@std@@SADAEBH@Z
Library WINHTTP.dll:
0x1406220b0 - WinHttpConnect
Library dbghelp.dll:
0x1406220c0 - MiniDumpWriteDump
Library IPHLPAPI.DLL:
0x1406220d0 - GetAdaptersInfo
Library VERSION.dll:
0x1406220e0 - VerQueryValueW
Library WININET.dll:
0x1406220f0 - InternetOpenW
Library PSAPI.DLL:
0x140622100 - GetModuleFileNameExW
Library WS2_32.dll:
0x140622110 - connect
Library COMCTL32.dll:
0x140622120 - _TrackMouseEvent
Library WTSAPI32.dll:
0x140622130 - WTSSendMessageW
Library KERNEL32.dll:
0x140622140 - LoadLibraryA
Library USER32.dll:
0x140622150 - CharUpperBuffW
Library ADVAPI32.dll:
0x140622160 - RegQueryValueExA
Library KERNEL32.dll:
0x140622170 - LocalAlloc
0x140622178 - GetCurrentProcess
0x140622180 - GetCurrentThread
0x140622188 - LocalFree
0x140622190 - GetModuleFileNameW
0x140622198 - GetProcessAffinityMask
0x1406221a0 - SetProcessAffinityMask
0x1406221a8 - SetThreadAffinityMask
0x1406221b0 - Sleep
0x1406221b8 - ExitProcess
0x1406221c0 - GetLastError
0x1406221c8 - FreeLibrary
0x1406221d0 - LoadLibraryA
0x1406221d8 - GetModuleHandleA
Library ADVAPI32.dll:
0x1406221e8 - OpenSCManagerW
0x1406221f0 - EnumServicesStatusExW
0x1406221f8 - OpenServiceW
0x140622200 - QueryServiceConfigW
0x140622208 - CloseServiceHandle
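The import hash printed in the PE information section is computed from exactly this table: the imports are normalised to lower-case `dll.function` strings, joined with commas in import-table order, and MD5-hashed. The following is an added example, not Maldun's or pefile's code, that implements those rules and applies them to the imports transcribed from the table above. It omits the first descriptor (mfc90u.dll imports by ordinal and the report does not print the ordinal number), so the report's own value cannot be recomputed from it; pefile's mapping of well-known ws2_32/oleaut32 ordinals to names is also not reproduced. The `descriptor_layout` helper is the example's own addition and shows the one-function-per-DLL shape discussed above.

```python
import hashlib
from itertools import groupby

# Transcribed from the report's import table, in IAT order, without the ordinal-only
# mfc90u.dll descriptor (its ordinal number is not on the page).
REPORT_IMPORTS = [
    ("MSVCR90.dll", "?_type_info_dtor_internal_method@type_info@@QEAAXXZ"),
    ("KERNEL32.dll", "GetVersionExW"), ("USER32.dll", "SetWindowRgn"),
    ("GDI32.dll", "SelectClipRgn"), ("ADVAPI32.dll", "RegSetValueExW"),
    ("SHELL32.dll", "ShellExecuteW"), ("SHLWAPI.dll", "PathFileExistsW"),
    ("ole32.dll", "OleLockRunning"), ("OLEAUT32.dll", "GetErrorInfo"),
    ("MSVCP90.dll", "?to_char_type@?$char_traits@D@std@@SADAEBH@Z"),
    ("WINHTTP.dll", "WinHttpConnect"), ("dbghelp.dll", "MiniDumpWriteDump"),
    ("IPHLPAPI.DLL", "GetAdaptersInfo"), ("VERSION.dll", "VerQueryValueW"),
    ("WININET.dll", "InternetOpenW"), ("PSAPI.DLL", "GetModuleFileNameExW"),
    ("WS2_32.dll", "connect"), ("COMCTL32.dll", "_TrackMouseEvent"),
    ("WTSAPI32.dll", "WTSSendMessageW"),
    ("KERNEL32.dll", "LoadLibraryA"), ("USER32.dll", "CharUpperBuffW"),
    ("ADVAPI32.dll", "RegQueryValueExA"),
] + [("KERNEL32.dll", f) for f in (
    "LocalAlloc GetCurrentProcess GetCurrentThread LocalFree GetModuleFileNameW "
    "GetProcessAffinityMask SetProcessAffinityMask SetThreadAffinityMask Sleep "
    "ExitProcess GetLastError FreeLibrary LoadLibraryA GetModuleHandleA").split()
] + [("ADVAPI32.dll", f) for f in (
    "OpenSCManagerW EnumServicesStatusExW OpenServiceW QueryServiceConfigW CloseServiceHandle").split()]


def libname(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.sys/.ocx suffix, as pefile does."""
    lib = dll.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def normalize(dll: str, func=None, ordinal=None) -> str:
    """One 'dll.function' term; ordinal-only imports become 'ordN' (unknown-DLL rule)."""
    name = func if func is not None else f"ord{ordinal}"
    return f"{libname(dll)}.{name.lower()}"


def import_string(imports) -> str:
    """The exact text that is hashed: comma-joined terms in import-table order."""
    return ",".join(normalize(*entry) for entry in imports)


def imphash(imports) -> str:
    """MD5 of import_string(); an empty import table yields '' rather than MD5('')."""
    return hashlib.md5(import_string(imports).encode()).hexdigest() if imports else ""


def descriptor_layout(imports):
    """Collapse consecutive entries per DLL into (dll, count) pairs, exposing the shape of
    the table: a run of single-function descriptors, then two larger ones."""
    return [(lib, sum(1 for _ in grp)) for lib, grp in groupby(imports, key=lambda e: libname(e[0]))]
```

Because the hash is order-sensitive and covers the whole table, for a protected binary it fingerprints the import layout the protector wrote rather than the original program's imports, so it clusters samples by protector configuration as much as by author; keep that in mind before pivoting on it.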

Dropped files

No information

Behavioural analysis

Mutexes              No information
Commands executed    No information
Services created     No information
Services started     No information

Processes

AdHunter.exe PID: 2328, parent PID: 2176

Files accessed          No information
Files read              No information
Files modified          No information
Files deleted           No information
Registry keys           No information
Registry keys read      No information
Registry keys modified  No information
Registry keys deleted   No information
API resolution          No information

Note: beyond the creation of the main process (PID 2328), the 128-second run recorded no file, registry, mutex, service or API activity, so the 10.0 score rests on static traits (VMProtect packing, embedded constants and import names) and on the VirusTotal hits, not on observed behaviour. That silence is consistent with the protected code checking its environment and exiting, or with the monitor failing to hook it; a longer run, or one on hardware rather than a KVM guest, would be needed before reading the verdict as behavioural.