Maldun Security Analysis Report

Analysis type Start time End time Duration Analysis engine version
FILE 2021-09-22 17:06:02 2021-09-22 17:06:03 1 second 1.4-Maldun
VM name Label Hypervisor Boot time Shutdown time
win7-sp1-x64-shaapp02-1 win7-sp1-x64-shaapp02-1 KVM 2021-09-22 17:06:03 2021-09-22 17:06:03
Maldun score

2.55

Suspicious

File details

File name TeamViewer.exe
File size 1743257 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
CRC32 DC326907
MD5 3ebe21761dc14cfe5ff92c4b3bdebc0b
SHA1 0e20934fed73d9bbab8ffbe145e8fe97577887ec
SHA256 883e9b74497a71ffc78b11c5e193d109660e5352f46eb8a746667496181b3f67
SHA512 eb264b0b188378d5d94be1545c4148241cb9b0cd18be2481211b44eb8d47c5d341ab52930186cfd5420ffb53916e0ac15fb415eef961f2932e31bbe778a931fd
Ssdeep 24576:BsWw+T18laXM56aiS/m8HpbbskWQi/eyfu9LBA0EfEeKEz0dpAZGmIzLnRi8RgVw:nwb8M5ykCQNVYEVE0oZwLnRHK7c
PEiD No match
Yara
  • DebuggerCheck__RemoteAPI ()
  • DebuggerHiding__Thread ()
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • ThreadControl__Context ()
  • anti_dbg (Detected self protection if being debugged)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE64 (Detected a 64bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasOverlay (Detected Overlay signature)
  • MD5_Constants (Look for MD5 constants)
  • RijnDael_AES (Look for RijnDael AES)
  • with_urls (Detected the presence of one or several URLs)
VirusTotal VirusTotal lookup failed

Signatures

The binary may contain encrypted or compressed data
section: name: .text, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_64BYTES, raw_size: 0x00013e00, virtual_size: 0x0009a000
section: name: .sedata, entropy: 7.66, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00144e00, virtual_size: 0x00145000
section: name: .sedata, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00001000, virtual_size: 0x00001000
Maldun Yara rule detection results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Anomalous binary characteristics
anomaly: Found duplicated section names

Runtime screenshots

No screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x005dc93c
Declared checksum 0x001aa4a7
Actual checksum 0x001aa4a7
Minimum OS version required 4.0
Compile time 2021-07-27 22:07:22
Import hash cd87ea698732bc53059f748059a24560

Version information

LegalCopyright: TeamViewer Germany GmbH
InternalName: TeamViewer
FileVersion: 15.17.7.0
CompanyName: TeamViewer Germany GmbH
PrivateBuild: TeamViewer Remote Control Application
LegalTrademarks: TeamViewer
ProductName: TeamViewer
ProductVersion: 15.17.7.0
FileDescription: TeamViewer
OriginalFilename: TeamViewer_Desktop.exe
Translation: 0x0809 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0009a000 0x00013e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_64BYTES 8.00
.sedata 0x0009b000 0x00145000 0x00144e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.66
.idata 0x001e0000 0x00001000 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.49
.rsrc 0x001e1000 0x00047000 0x00046c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.84
.sedata 0x00228000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.98

Overlay

Offset: 0x001a1200
Size: 0x00008799

Imports

Library KERNEL32.dll:
0x5e017a - DeleteCriticalSection
Library msvcrt.dll:
0x5e0192 - __C_specific_handler
Library IPHLPAPI.DLL:
0x5e01aa - GetInterfaceInfo
Library PSAPI.DLL:
0x5e01c2 - GetMappedFileNameW
Library USER32.dll:
0x5e01da - GetWindow
Library ADVAPI32.dll:
0x5e01f2 - RegSetValueExA
Library SHELL32.dll:
0x5e020a - SHGetFolderPathW

Dropped files

No information

Behavioral analysis

Mutexes No information
Executed commands No information
Created services No information
Started services No information

Processes

No information
Accessed files No information
Read files No information
Modified files No information
Deleted files No information
Registry keys No information
Read registry keys No information
Modified registry keys No information
Deleted registry keys No information
API resolution No information