Analysis Task

Analysis type    VM tag                    Start time           End time             Duration
File (Windows)   win7-sp1-x64-shaapp02-1   2022-05-27 19:37:20  2022-05-27 19:38:05  45 seconds

Maldun Score

10.0

Dangerous

File Details

File name  启动1 mysql数据库关闭.exe
File size  50688 bytes
File type  PE32 executable (console) Intel 80386, for MS Windows
MD5 3153f9a33d21af7e2ff4b1166b0ddc47
SHA1 899db581d76b5d6e389eb9f536177b250a51de5f
SHA256 715f7f5e40202cf455e018be65e056c75334c95b14cb1417c0885ee2eb68f3a5
SHA512 9fd45e4ebba0451b07ae6611ef472f1e356a2a21dc4792ba9431f0926a18e8744d76a8b027180bff1060ac382bdba3101ca39db8cff29e832e768a5cd4d256c2
CRC32 AE7E1E46
Ssdeep 768:A9J8NowRheD8/3rJiUqyet8w9abyzm5E50kyoVonvzRiZljBwiwo5sW3LhaNIC4T:A9wvQUreUbyzABq2mLha2OCXx
Hosts Accessed

No host records.

Domain Resolution

No domain information.


PE Information

Image base                   0x00400000
Entry point                  0x0040a0c0
Declared checksum            0x00000000
Actual checksum              0x0000db02
Minimum OS version required  4.0
Compile time                 1992-06-20 06:22:17
Import hash                  1754bc2d288533008a4f1472fc626401

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
CODE 0x00001000 0x00009558 0x00009600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.36
DATA 0x0000b000 0x0000045c 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.09
BSS 0x0000c000 0x00000965 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0000d000 0x000008ca 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.23
.tls 0x0000e000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0000f000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x00010000 0x00000ed8 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.00
.rsrc 0x00011000 0x000018b0 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 5.20

Imports

Library: kernel32.dll:
0x40d0b0 VirtualFree
0x40d0b4 VirtualAlloc
0x40d0b8 LocalFree
0x40d0bc LocalAlloc
0x40d0c0 GetVersion
0x40d0c4 GetCurrentThreadId
0x40d0c8 WideCharToMultiByte
0x40d0cc lstrlenA
0x40d0d0 lstrcpynA
0x40d0d4 LoadLibraryExA
0x40d0d8 GetThreadLocale
0x40d0dc GetStartupInfoA
0x40d0e0 GetProcAddress
0x40d0e4 GetModuleHandleA
0x40d0e8 GetModuleFileNameA
0x40d0ec GetLocaleInfoA
0x40d0f0 GetCommandLineA
0x40d0f4 FreeLibrary
0x40d0f8 FindFirstFileA
0x40d0fc FindClose
0x40d100 ExitProcess
0x40d104 WriteFile
0x40d10c RtlUnwind
0x40d110 RaiseException
0x40d114 GetStdHandle
Library: user32.dll:
0x40d11c GetKeyboardType
0x40d120 LoadStringA
0x40d124 MessageBoxA
0x40d128 CharNextA
Library: advapi32.dll:
0x40d130 RegQueryValueExA
0x40d134 RegOpenKeyExA
0x40d138 RegCloseKey
Library: oleaut32.dll:
0x40d140 SysFreeString
Library: kernel32.dll:
0x40d148 TlsSetValue
0x40d14c TlsGetValue
0x40d150 LocalAlloc
0x40d154 GetModuleHandleA
Library: kernel32.dll:
0x40d15c WriteFile
0x40d160 WaitForSingleObject
0x40d164 VirtualQuery
0x40d168 SizeofResource
0x40d16c SetFilePointer
0x40d170 SetFileAttributesA
0x40d178 SetEndOfFile
0x40d17c ReadFile
0x40d180 LockResource
0x40d184 LoadResource
0x40d188 GlobalUnlock
0x40d18c GlobalReAlloc
0x40d190 GlobalHandle
0x40d194 GlobalLock
0x40d198 GlobalFree
0x40d19c GlobalAlloc
0x40d1a4 GetVersionExA
0x40d1a8 GetThreadLocale
0x40d1ac GetTempFileNameA
0x40d1b0 GetStringTypeExA
0x40d1b4 GetStdHandle
0x40d1b8 GetShortPathNameA
0x40d1bc GetProcAddress
0x40d1c0 GetModuleHandleA
0x40d1c4 GetModuleFileNameA
0x40d1c8 GetLocaleInfoA
0x40d1cc GetLastError
0x40d1d0 GetFullPathNameA
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1e0 GetDiskFreeSpaceA
0x40d1e4 GetCommandLineA
0x40d1e8 GetCPInfo
0x40d1ec GetACP
0x40d1f0 FreeResource
0x40d1f4 FormatMessageA
0x40d1f8 FindResourceA
0x40d1fc EnumCalendarInfoA
0x40d200 DeleteFileA
0x40d204 CreateProcessA
0x40d208 CreateFileA
0x40d20c CloseHandle
Library: user32.dll:
0x40d214 MessageBoxA
0x40d218 LoadStringA
0x40d21c GetSystemMetrics
0x40d220 CharPrevA
0x40d224 CharNextA
0x40d228 CharToOemA

No antivirus engine scan information!

Process Tree


______1 mysql_______________.exe, PID: 2384, Parent PID: 2240
cmd.exe, PID: 2464, Parent PID: 2384

TCP

Source address   Source port  Destination address  Destination port
192.168.122.201 49160 104.99.238.89 80

UDP

Source address   Source port  Destination address  Destination port
192.168.122.201 63246 192.168.122.1 53

HTTP Requests

URI / HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 31.818 seconds )

  • 17.505 VirusTotal
  • 11.041 Suricata
  • 1.851 NetworkAnalysis
  • 0.732 Static
  • 0.355 peid
  • 0.274 TargetInfo
  • 0.039 BehaviorAnalysis
  • 0.012 AnalysisInfo
  • 0.007 Strings
  • 0.002 Memory

Signatures ( 1.593 seconds )

  • 1.453 md_url_bl
  • 0.016 antiav_detectreg
  • 0.015 stealth_file
  • 0.009 infostealer_ftp
  • 0.009 md_domain_bl
  • 0.007 geodo_banking_trojan
  • 0.006 anomaly_persistence_autorun
  • 0.006 antiav_detectfile
  • 0.006 infostealer_bitcoin
  • 0.005 ransomware_files
  • 0.004 disables_browser_warn
  • 0.004 infostealer_mail
  • 0.004 infostealer_im
  • 0.004 ransomware_extensions
  • 0.003 antianalysis_detectreg
  • 0.003 antivm_vbox_files
  • 0.003 browser_security
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 api_spamming
  • 0.002 shifu_behavior
  • 0.002 cerber_behavior
  • 0.002 bot_drive
  • 0.002 bot_drive2
  • 0.002 modify_proxy
  • 0.001 stealth_decoy_document
  • 0.001 mimics_filetime
  • 0.001 betabot_behavior
  • 0.001 reads_self
  • 0.001 kibex_behavior
  • 0.001 stealth_timeout
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_athenahttp
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.482 seconds )

  • 0.476 ReportHTMLSummary
  • 0.006 Malheur
Task ID 692554
Mongo ID 6290b852dc327b07f40dc8f2
Cuckoo release 1.4-Maldun