Maldun Security Analysis Report

Analysis type: FILE
Start time: 2018-05-22 10:41:00
End time: 2018-05-22 10:43:17
Duration: 137 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp01-1
Label: win7-sp1-x64-shaapp01-1
Hypervisor: KVM
Boot time: 2018-05-22 10:41:00
Shutdown time: 2018-05-22 10:43:15
Maldun score: 0.0 (Normal)

File details

File name: QQScLauncher.exe
File size: 62200 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 2D049377
MD5: 7a08effa5c1dbe120abff2612db17c32
SHA1: bc89306c0f827e18e818f355280fe9077b9a6c29
SHA256: fe69122b4d957590a33a119481e75a313a3b9cda3be9f0dda0fc2c0249d7aaab
SHA512: 2c89a180803f813f784025b1c49db907c75406389eb28d6748bf444650993e1e4708072575a6637da9fb17467cf4e1b6c1beebf3e3ee891af9a03dbcc473b9f7
Ssdeep: 768:dJ0mU6Rk9ar2A9uo6Vkp+SKYyN7vaBa0bFDRGLpTHypaZsHJu1p23+zj:TUUk9k9iukSaErDY1TpZ/m0
PEiD: no match
Yara matches:
  • IsPE32 ()
  • IsWindowsGUI ()
  • HasOverlay (Overlay Check)
  • HasDigitalSignature (DigitalSignature Check)
  • HasDebugData (DebugData Check)
  • HasRichSignature (Rich Signature Check)
  • anti_dbg (Checks if being debugged)
  • screenshot (Take screenshot)
  • with_urls (Rule to detect the presence of an or several urls)
  • without_attachments (Rule to detect the no presence of any attachment)
  • without_images (Rule to detect the no presence of any image)
  • Big_Numbers0 (Looks for big numbers 20:sized)
  • VC8_Microsoft_Corporation ()
  • Microsoft_Visual_Cpp_8 ()
VirusTotal: VirusTotal link
VirusTotal scan time: 2018-05-21 20:18:56
Scan result: 0/66

Signatures

The sample's signing certificate is valid.

Network analysis

TCP connections

IP address      Port
23.35.171.27 80
23.35.171.27 80
96.7.54.88 80

UDP connections

IP address      Port
192.168.122.1 53
192.168.122.1 53
192.168.122.1 53

HTTP requests

URL followed by HTTP request data
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEFIEi5yKZ%2BKPDMjMdYE93Fo%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEFIEi5yKZ%2BKPDMjMdYE93Fo%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

http://crl.microsoft.com/pki/crl/products/tspca.crl
GET /pki/crl/products/tspca.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:54 GMT
If-None-Match: "8ab194b3d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Static analysis

PE information

Image base: 0x00400000
Entry point: 0x004017fc
Declared checksum: 0x0001d206
Actual checksum: 0x0001d206
Minimum OS version: 5.1
PDB path: R:\TempView\Output\BinFinal\QQScLauncher.pdb
Compile time: 2018-05-17 16:28:50
Import hash: a2c8a8fefebfd8a0ee9473f734210806
Icon
Icon exact hash: bf99df3556aeb620e552d085ba314dcf
Icon similarity hash: 5d08e4bd5fdacd1f8677e641686e06fc

Version information

LegalCopyright: Copyright (C) 1999-2018 Tencent. All Rights Reserved
FileVersion: 9.0.3.23743
CompanyName: Tencent
ProductName: 腾讯QQ
ProductVersion: 9.0.3.23743
FileDescription: 腾讯QQ
Translation: 0x0804 0x04b0

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x0000133a 0x00001400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.19
.rdata 0x00003000 0x00001040 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.31
.data 0x00005000 0x00000404 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.78
.gfids 0x00006000 0x00000050 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.39
.rsrc 0x00007000 0x00008d10 0x00008e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.33
.reloc 0x00010000 0x0000025c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.50

Overlay

Offset: 0x0000c000
Size: 0x000032f8

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_ICON 0x0000ede8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 GLS_BINARY_LSB_FIRST
RT_MENU 0x0000f250 0x0000004a LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.71 data
RT_DIALOG 0x0000f29c 0x000000fa LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.38 data
RT_STRING 0x0000f398 0x00000050 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.21 data
RT_ACCELERATOR 0x0000f3e8 0x00000010 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.80 data
RT_GROUP_ICON 0x0000f3f8 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 MS Windows icon resource - 8 icons, 16x16, 16 colors
RT_VERSION 0x0000f470 0x00000270 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.57 data
RT_MANIFEST 0x0000f6e0 0x0000062f LANG_ENGLISH SUBLANG_ENGLISH_US 5.14 XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

Imports

Library KERNEL32.dll:
0x403008 - FindFirstFileW
0x40300c - FindClose
0x403010 - GetModuleFileNameW
0x403014 - CloseHandle
0x403018 - IsDebuggerPresent
0x40301c - InitializeSListHead
0x403020 - GetSystemTimeAsFileTime
0x403024 - GetCurrentThreadId
0x403028 - GetStartupInfoW
0x40302c - CreateProcessW
0x403030 - GetCurrentProcessId
0x403034 - QueryPerformanceCounter
0x403038 - IsProcessorFeaturePresent
0x40303c - TerminateProcess
0x403040 - GetCurrentProcess
0x403044 - SetUnhandledExceptionFilter
0x403048 - UnhandledExceptionFilter
0x40304c - GetModuleHandleW
Library USER32.dll:
0x403054 - ReleaseDC
0x403058 - FindWindowW
0x40305c - SendMessageW
0x403060 - GetDC
Library GDI32.dll:
0x403000 - GetDeviceCaps
Library VCRUNTIME140.dll:
0x403068 - _except_handler4_common
0x40306c - _CxxThrowException
0x403070 - wcsrchr
0x403074 - memset
0x403078 - __std_exception_destroy
0x40307c - __std_exception_copy
Library api-ms-win-crt-runtime-l1-1-0.dll:
0x4030a8 - exit
0x4030ac - _initterm_e
0x4030b0 - _initterm
0x4030b4 - _initialize_onexit_table
0x4030b8 - _exit
0x4030bc - _crt_atexit
0x4030c0 - _controlfp_s
0x4030c4 - terminate
0x4030c8 - _get_wide_winmain_command_line
0x4030cc - _initialize_wide_environment
0x4030d0 - _c_exit
0x4030d4 - _register_onexit_function
0x4030d8 - _configure_wide_argv
0x4030dc - _register_thread_local_exe_atexit_callback
0x4030e0 - _set_app_type
0x4030e4 - _seh_filter_exe
0x4030e8 - __p___wargv
0x4030ec - __p___argc
0x4030f0 - _cexit
Library api-ms-win-crt-string-l1-1-0.dll:
0x403108 - wcsncmp
0x40310c - wcslen
Library api-ms-win-crt-stdio-l1-1-0.dll:
0x4030f8 - __p__commode
0x4030fc - _set_fmode
0x403100 - __stdio_common_vswprintf_s
Library api-ms-win-crt-math-l1-1-0.dll:
0x4030a0 - __setusermatherr
Library api-ms-win-crt-locale-l1-1-0.dll:
0x403098 - _configthreadlocale
Library api-ms-win-crt-heap-l1-1-0.dll:
0x403084 - _callnewh
0x403088 - malloc
0x40308c - free
0x403090 - _set_new_mode

Dropped files

No information

Behavior analysis

Mutexes: no information
Commands executed: no information
Services created: no information
Services started: no information

Processes

No information
Files accessed: no information
Files read: no information
Files modified: no information
Files deleted: no information
Registry keys: no information
Registry keys read: no information
Registry keys modified: no information
Registry keys deleted: no information
API resolution: no information