魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2022-09-24 22:41:53 2022-09-24 22:42:20 27 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-shaapp02-1 win7-sp1-x64-shaapp02-1 KVM 2022-09-24 22:41:53 2022-09-24 22:42:20
魔盾分数

1.35

正常的

文件详细信息

文件名 TASLogin.exe
文件大小 583080 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 0A336E0C
MD5 3ec7d3fc775eb1f272747a1a7aedbc32
SHA1 e263305550a7115c927e337c8da296baaa4c51b9
SHA256 35e3843ea394cadd2b946aeeeaf47c377801c00083520aa92137bc3f90452a61
SHA512 4d3bc8a84374cf357590fcdc54b91a59a8fc81d795112cd71221fdd863df9638cd372fd1e4a3af5ddbad3d1ed7c5b997cd88e1b750c2a77e201cc6133047fc52
Ssdeep 6144:AGvoieZN4bGLeUayj8r0mHegM5MA5jrzMAchapCpv81bA1hnSW0THw8EPgdfWo:Roi0s4enrDXge/+Q8XdfWo
PEiD 无匹配
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registries modification function)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasOverlay (Detected Overlay signature)
  • HasDigitalSignature (Detected Digital Signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • with_urls (Detected the presence of an or several urls)
VirusTotal VirusTotal查询失败

特征

样本的签名证书合法
魔盾安全Yara检测结果 - 普通
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
二进制文件可能包含加密或压缩数据
section: name: .wegame, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0001f600, virtual_size: 0x00048f59
section: name: .tvm0, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00020a00, virtual_size: 0x00056000
section: name: .wegame, entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ, raw_size: 0x00002000, virtual_size: 0x00003000
section: name: .wegame, entropy: 7.98, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00007e00, virtual_size: 0x00007d54
异常的二进制特征
anomaly: Found duplicated section names

运行截图

无运行截图

网络分析

TCP连接

IP地址 端口
23.223.199.177 80

UDP连接

IP地址 端口
192.168.122.1 53

HTTP请求

URL HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip 
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址 0x00400000
入口地址 0x004ecd4e
声明校验值 0x0009a45d
实际校验值 0x0009a45d
最低操作系统版本要求 5.1
PDB路径 D:\Workspace\p-2ed35f15174943f6b676502b51f53d81\Output\TASLogin.pdb
编译时间 2022-05-23 16:50:26
载入哈希 25538053878f3098020a0651be7be354

版本信息

LegalCopyright: Copyright (C) 2012
InternalName: TASLogin
FileVersion: 3.0.2205.233
ProductName: TASLogin Application
ProductVersion: 3.0.2205.233
FileDescription: TASLogin Application
Translation: 0x0804 0x04b0

PE数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.wegame 0x00001000 0x00048f59 0x0001f600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 8.00
.wegame 0x0004a000 0x00030336 0x00030400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.96
.wegame 0x0007b000 0x0000285c 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.08
.wegame 0x0007e000 0x0000011c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.58
.wegame 0x0007f000 0x00000009 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.02
.wegame 0x00080000 0x0000bea8 0x0000c000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.27
.tvm0 0x0008c000 0x00056000 0x00020a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 8.00
.wegame 0x000e2000 0x00003000 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 7.96
.wegame 0x000e5000 0x00007d54 0x00007e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.98

导入

库 TASLoginBase.dll:
0x4ecd00 - None

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息
执行的命令 无信息
创建的服务 无信息
启动的服务 无信息

进程

无信息
访问的文件 无信息
读取的文件 无信息
修改的文件 无信息
删除的文件 无信息
注册表键 无信息
读取的注册表键 无信息
修改的注册表键 无信息
删除的注册表键 无信息
API解析 无信息