Maldun Security Analysis Report

Analysis type  Start time  End time  Duration  Analysis engine version
FILE  2020-11-30 11:20:27  2020-11-30 11:22:34  127 seconds  1.4-Maldun
VM name  Label  Hypervisor  Boot time  Shutdown time
win7-sp1-x64-shaapp03-1  win7-sp1-x64-shaapp03-1  KVM  2020-11-30 11:20:28  2020-11-30 11:22:36
Maldun score

3.95

Suspicious

File details

File name  AdHunter.exe
File size  7000064 bytes
File type  PE32+ executable (GUI) x86-64, for MS Windows
CRC32 24A70CA9
MD5 45e7909b530ef574ec0024b4c2720030
SHA1 57bc9c2143ee4cebe2ba3d49f5768a26085f0d55
SHA256 9f8ac462afd47ab0caa44b3c56dfc739be2e9009b22b6c646625a9a4684e43f4
SHA512 6a0986cf54e2e47ca86a42066a27ce640d9a3503697f5948a538798a87f2b83a77e215aa25cd250127dc1004b8c34d40f30838792a5d29fbb5983e426be92f5a
Ssdeep 98304:8oyOmW11nrWLHkgC43gy93WAndBJkJ7qPEHgJYs6y63Ddw8OpLfHhM/+zSGRcHyh:8oycr6E01NWAnLJkO8xi8CLHhEmSzs
PEiD  No match
Yara
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RIPEMD160_Constants (Look for RIPEMD-160 constants)
  • SHA1_Constants (Look for SHA1 constants)
  • BASE64_table (Look for Base64 table)
  • with_urls (Detected the presence of an or several urls)
  • IsPE64 (Detected a 64bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
  • antisb_threatExpert (Anti-Sandbox checks for ThreatExpert)
  • network_tcp_socket (Detected network communications over RAW socket)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registries modification function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal  No scan results for this file

Signatures

The binary likely contains encrypted or compressed data
section: name: .pdata, entropy: 7.82, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0000fa00, virtual_size: 0x0000f8a0
section: name: .vmp0, entropy: 7.74, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00504400, virtual_size: 0x00504394
section: name: .vmp1, entropy: 7.05, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0008c600, virtual_size: 0x0008c44c
Maldun Security YARA rule detection results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
Network activity was detected that does not appear in the API log
ip: 104.75.169.10
domain: acroipm.adobe.com
The executable may be packed with VMProtect
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00116000', 'size_of_data': '0x00504400', 'entropy': '7.74', 'virtual_size': '0x00504394', 'characteristics_raw': '0x60000060'}

Screenshots

Network analysis

DNS resolution

Domain  Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 23.211.14.171
A 23.211.14.185

TCP connections

IP address  Port
23.211.14.185 80

UDP connections

IP address  Port
192.168.122.1 53

HTTP requests

URL  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base  0x140000000
Entry point  0x14064ac09
Declared checksum  0x006b8120
Actual checksum  0x006b8120
Minimum OS version required  5.2
Compile time  2020-10-16 16:23:42
Import hash  da35d6362dd89520cec66a360ddcd46d
Icon
Icon exact hash  7517ba1ddaee8397ae6adf759448e103
Icon similarity hash  13ac8a8c827d687cf8e3bf370f7bd75a

Version information

LegalCopyright: \xe6\xe6\xe6\xe5\xe7\xe7\xe7\xe6\xe6\xe9\xe5\xe5\xefhttp://adhunter.cn
FileVersion: 2.6.10.1616
CompanyName: \xe6\xe6\xe6\xe5\xe7\xe7\xe7\xe6\xe6\xe9\xe5\xe5
ProductName: \xe5\xe5\xe7\xe6
ProductVersion: 2.6.10.1616
FileDescription: \xe4\xe6\xe9\xe6\xe7
Translation: 0x0804 0x03a8

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000bc6e3 0x000bc800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.88
.rdata 0x000be000 0x0003d8d4 0x0003da00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x000fc000 0x00008ed4 0x00007600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.77
.pdata 0x00105000 0x0000f8a0 0x0000fa00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.82
SelfSec 0x00115000 0x00000104 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.16
.vmp0 0x00116000 0x00504394 0x00504400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.74
.vmp1 0x0061b000 0x0008c44c 0x0008c600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.05
.reloc 0x006a8000 0x00001da8 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.47
.rsrc 0x006aa000 0x00008f6f 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.88

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_ICON 0x006b23f0 0x00000468 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.49 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x006b2858 0x0000004c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.80 MS Windows icon resource - 5 icons, 64x64
RT_VERSION 0x006b28a8 0x00000250 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.98 data
RT_MANIFEST 0x006b2af8 0x00000477 LANG_ENGLISH SUBLANG_ENGLISH_US 5.07 ASCII text, with CRLF line terminators

Imports

Library mfc90u.dll:
0x140636000 - None
Library MSVCR90.dll:
0x140636010 - ?_type_info_dtor_internal_method@type_info@@QEAAXXZ
Library KERNEL32.dll:
0x140636020 - GetVersionExW
Library USER32.dll:
0x140636030 - SetWindowRgn
Library GDI32.dll:
0x140636040 - SelectClipRgn
Library ADVAPI32.dll:
0x140636050 - RegSetValueExW
Library SHELL32.dll:
0x140636060 - ShellExecuteW
Library SHLWAPI.dll:
0x140636070 - PathFileExistsW
Library ole32.dll:
0x140636080 - OleLockRunning
Library OLEAUT32.dll:
0x140636090 - GetErrorInfo
Library MSVCP90.dll:
0x1406360a0 - ?to_char_type@?$char_traits@D@std@@SADAEBH@Z
Library WINHTTP.dll:
0x1406360b0 - WinHttpConnect
Library dbghelp.dll:
0x1406360c0 - MiniDumpWriteDump
Library IPHLPAPI.DLL:
0x1406360d0 - GetAdaptersInfo
Library VERSION.dll:
0x1406360e0 - VerQueryValueW
Library WININET.dll:
0x1406360f0 - InternetOpenW
Library PSAPI.DLL:
0x140636100 - GetModuleFileNameExW
Library WS2_32.dll:
0x140636110 - connect
Library COMCTL32.dll:
0x140636120 - _TrackMouseEvent
Library WTSAPI32.dll:
0x140636130 - WTSSendMessageW
Library KERNEL32.dll:
0x140636140 - LoadLibraryA
Library USER32.dll:
0x140636150 - CharUpperBuffW
Library ADVAPI32.dll:
0x140636160 - RegQueryValueExA
Library KERNEL32.dll:
0x140636170 - LocalAlloc
0x140636178 - GetCurrentProcess
0x140636180 - GetCurrentThread
0x140636188 - LocalFree
0x140636190 - GetModuleFileNameW
0x140636198 - GetProcessAffinityMask
0x1406361a0 - SetProcessAffinityMask
0x1406361a8 - SetThreadAffinityMask
0x1406361b0 - Sleep
0x1406361b8 - ExitProcess
0x1406361c0 - GetLastError
0x1406361c8 - FreeLibrary
0x1406361d0 - LoadLibraryA
0x1406361d8 - GetModuleHandleA
Library ADVAPI32.dll:
0x1406361e8 - OpenSCManagerW
0x1406361f0 - EnumServicesStatusExW
0x1406361f8 - OpenServiceW
0x140636200 - QueryServiceConfigW
0x140636208 - CloseServiceHandle

Dropped files

No information

Behavioral analysis

Mutexes  No information
Commands executed  No information
Services created  No information
Services started  No information

Processes

AdHunter.exe PID: 2328, parent process PID: 2176

Files accessed  No information
Files read  No information
Files modified  No information
Files deleted  No information
Registry keys  No information
Registry keys read  No information
Registry keys modified  No information
Registry keys deleted  No information
API resolution  No information