魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2019-09-16 16:54:50	2019-09-16 16:56:43	113 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-2	win7-sp1-x64-hpdapp01-2	KVM	2019-09-16 16:55:35	2019-09-16 16:56:44

魔盾分数
3.2 可疑的

文件详细信息

文件名	欧阳CF过租.rar
文件大小	3198976 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	55FDB7C0
MD5	843d195eb61584f160f7695b2870e226
SHA1	f2f447b99d01bafa716fc98ad017d3cc8efc852c
SHA256	befce833888cb6e4fca45c75e43f20e92139812822d0acf8d41c18c4d99c8610
SHA512	e848f8a9803771559499376dcd5d3efb686eb9e9a5f81dcc5e84cf1095b09e36b2018134a6b12ae9627a98f7429962277912661429604c184e25bf6f2113e44e
Ssdeep	49152:Q4Ddm2nmDuBEYneqDkhnfE42p5j8GjTWgub/0DIsa0/moV0U0fSeldc+TNI7OvU:npm2nmDuFkVfps5jRaPoV5oSel6
PEiD	无匹配
Yara	DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) vmdetect (Possibly employs anti-virtualization techniques) anti_dbg (Checks if being debugged) network_tcp_listen (Listen for incoming communication) network_tcp_socket (Communications over RAW socket) spreading_file (Malware can spread east-west file) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) persistence (Install itself for autorun at Windows startup) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_Logging_Persistence (Spotted postential abnormal behaviors, like logging and persistenc3) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) UPX (Detected UPX. Commonly used by RAT!) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () IsPE32 (Detected 32bit PE signature) IsWindowsGUI (Detected Windows GUI signature) HasRichSignature (Detected Rich Signature)
VirusTotal	无此文件扫描结果

特征

魔盾安全Yara规则检测结果 - 高危

Informational: Possibly employs anti-virtualization techniques

运行截图

网络分析

无信息

静态分析

投放文件

\xe6\xac\xa7\xe9\x98\xb3CF\xe8\xbf\x87\xe7\xa7\x9f.exe

文件名	\xe6\xac\xa7\xe9\x98\xb3CF\xe8\xbf\x87\xe7\xa7\x9f.exe
相关文件	C:\Users\test\AppData\Local\Temp\rar-tmp\\xe6\xac\xa7\xe9\x98\xb3CF\xe8\xbf\x87\xe7\xa7\x9f.exe
文件大小	3198976 bytes
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	843d195eb61584f160f7695b2870e226
SHA1	f2f447b99d01bafa716fc98ad017d3cc8efc852c
SHA256	befce833888cb6e4fca45c75e43f20e92139812822d0acf8d41c18c4d99c8610
SHA512	e848f8a9803771559499376dcd5d3efb686eb9e9a5f81dcc5e84cf1095b09e36b2018134a6b12ae9627a98f7429962277912661429604c184e25bf6f2113e44e
Ssdeep	49152:Q4Ddm2nmDuBEYneqDkhnfE42p5j8GjTWgub/0DIsa0/moV0U0fSeldc+TNI7OvU:npm2nmDuFkVfps5jRaPoV5oSel6
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes) 无信息

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

cmd.exe PID: 2564, 上一级进程 PID: 2344

访问的文件 无信息

读取的文件 无信息

修改的文件 无信息

删除的文件 无信息

注册表键 无信息

读取的注册表键 无信息

修改的注册表键 无信息

删除的注册表键 无信息

API解析 无信息