Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) win7-sp1-x64-shaapp03-2 2022-07-04 16:00:45 2022-07-04 16:01:45 60 seconds

Maldun score

10.0

Dangerous

File details

File name EverEdit 4.4.1(4488).exe
File size 763590 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 270db0d414739bdb1c54632b3a9bc7d1
SHA1 fab0080e1a4d58e6ddfc9041c79cd396fc9a6a85
SHA256 3eea202c085c260ad448d86ae4709ef9d080c39879bce0c91ed2f7f466480901
SHA512 6acdecdfb365cbd0812698a7f34417b43853a1b48228fff1fb829f1bb8dfb11ca1c4e2d99c38aa951c3addabe6e9ac770b839da072299f214ad69a2b70b8af87
CRC32 876581D8
Ssdeep 12288:uaHc64b888888888888W88888888888OxscV7TdjL47zdU5imxo233rD+zG/oBi1:F86niW7uvmQmezG/aYFkJR30F6rp89

Hosts contacted

Direct IP | Security rating | Geolocation
172.67.152.72 Unknown United States
180.163.151.161 China

Domain resolution

Domain | Security rating | Response
www.google-analytics.com A 180.163.151.161
avkit.org Unknown A 104.21.12.117
A 172.67.152.72

PE information

Image base 0x00400000
Entry point 0x0041181c
Declared checksum 0x00000000
Actual checksum 0x000bd547
Minimum OS version required 5.0
Compile time 2018-06-14 21:27:46
Import hash 20dd26497880c05caed9305b3c8b9109
Icon exact hash 30adcb5c0b2e3c35eaec2c110733c9f8
Icon similarity hash c98f96d6ffe5af8d4eb0870c1dc20826

Version information

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x0000f25c 0x0000f400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.38
.itext 0x00011000 0x00000fa4 0x00001000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.78
.data 0x00012000 0x00000c8c 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.30
.bss 0x00013000 0x000056bc 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00019000 0x00000e04 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.60
.tls 0x0001a000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0001b000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.20
.rsrc 0x0001c000 0x0000b200 0x0000b200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.14

Overlay

Offset 0x0001da00
Size 0x0009ccc6

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON 0x0001cd94 0x000008a8 LANG_DUTCH SUBLANG_DUTCH 3.91 data
RT_STRING 0x0001de14 0x00000294 LANG_NEUTRAL SUBLANG_NEUTRAL 3.28 data
RT_RCDATA 0x000264f0 0x0000002c LANG_NEUTRAL SUBLANG_NEUTRAL 4.48 data
RT_GROUP_ICON 0x0002651c 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 MS Windows icon resource - 4 icons, 16x16, 16 colors
RT_VERSION 0x0002655c 0x000004f4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.47 data
RT_MANIFEST 0x00026a50 0x0000062c LANG_ENGLISH SUBLANG_ENGLISH_US 5.14 XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library: oleaut32.dll:
0x419304 SysFreeString
0x419308 SysReAllocStringLen
0x41930c SysAllocStringLen
Library: advapi32.dll:
0x419314 RegQueryValueExW
0x419318 RegOpenKeyExW
0x41931c RegCloseKey
Library: user32.dll:
0x419324 GetKeyboardType
0x419328 LoadStringW
0x41932c MessageBoxA
0x419330 CharNextW
Library: kernel32.dll:
0x419338 GetACP
0x41933c Sleep
0x419340 VirtualFree
0x419344 VirtualAlloc
0x419348 GetSystemInfo
0x41934c GetTickCount
0x419354 GetVersion
0x419358 GetCurrentThreadId
0x41935c VirtualQuery
0x419360 WideCharToMultiByte
0x419364 MultiByteToWideChar
0x419368 lstrlenW
0x41936c lstrcpynW
0x419370 LoadLibraryExW
0x419374 GetThreadLocale
0x419378 GetStartupInfoA
0x41937c GetProcAddress
0x419380 GetModuleHandleW
0x419384 GetModuleFileNameW
0x419388 GetLocaleInfoW
0x41938c GetCommandLineW
0x419390 FreeLibrary
0x419394 FindFirstFileW
0x419398 FindClose
0x41939c ExitProcess
0x4193a0 WriteFile
0x4193a8 RtlUnwind
0x4193ac RaiseException
0x4193b0 GetStdHandle
0x4193b4 CloseHandle
Library: kernel32.dll:
0x4193bc TlsSetValue
0x4193c0 TlsGetValue
0x4193c4 LocalAlloc
0x4193c8 GetModuleHandleW
Library: user32.dll:
0x4193d0 CreateWindowExW
0x4193d4 TranslateMessage
0x4193d8 SetWindowLongW
0x4193dc PeekMessageW
0x4193e4 MessageBoxW
0x4193e8 LoadStringW
0x4193ec GetSystemMetrics
0x4193f0 ExitWindowsEx
0x4193f4 DispatchMessageW
0x4193f8 DestroyWindow
0x4193fc CharUpperBuffW
0x419400 CallWindowProcW
Library: kernel32.dll:
0x419408 WriteFile
0x41940c WideCharToMultiByte
0x419410 WaitForSingleObject
0x419414 VirtualQuery
0x419418 VirtualProtect
0x41941c VirtualFree
0x419420 VirtualAlloc
0x419424 SizeofResource
0x419428 SignalObjectAndWait
0x41942c SetLastError
0x419430 SetFilePointer
0x419434 SetEvent
0x419438 SetErrorMode
0x41943c SetEndOfFile
0x419440 ResetEvent
0x419444 RemoveDirectoryW
0x419448 ReadFile
0x41944c MultiByteToWideChar
0x419450 LockResource
0x419454 LoadResource
0x419458 LoadLibraryW
0x419460 GetVersionExW
0x419464 GetVersion
0x41946c GetThreadLocale
0x419470 GetSystemInfo
0x419474 GetSystemDirectoryW
0x419478 GetStdHandle
0x41947c GetProcAddress
0x419480 GetModuleHandleW
0x419484 GetModuleFileNameW
0x419488 GetLocaleInfoW
0x41948c GetLastError
0x419490 GetFullPathNameW
0x419494 GetFileSize
0x419498 GetFileAttributesW
0x41949c GetExitCodeProcess
0x4194a4 GetDiskFreeSpaceW
0x4194a8 GetCurrentProcess
0x4194ac GetCommandLineW
0x4194b0 GetCPInfo
0x4194b4 InterlockedExchange
0x4194bc FreeLibrary
0x4194c0 FormatMessageW
0x4194c4 FindResourceW
0x4194c8 EnumCalendarInfoW
0x4194cc DeleteFileW
0x4194d0 CreateProcessW
0x4194d4 CreateFileW
0x4194d8 CreateEventW
0x4194dc CreateDirectoryW
0x4194e0 CloseHandle
Library: advapi32.dll:
0x4194e8 RegQueryValueExW
0x4194ec RegOpenKeyExW
0x4194f0 RegCloseKey
0x4194f4 OpenProcessToken
Library: comctl32.dll:
0x419500 InitCommonControls
Library: kernel32.dll:
0x419508 Sleep
Library: advapi32.dll:

No antivirus engine scan information!

Process tree


EverEdit 4.4.1_4488_.exe, PID: 2624, parent PID: 2304
EverEdit 4.4.1_4488_.tmp, PID: 2748, parent PID: 2624
7za.exe, PID: 2444, parent PID: 2748
7za.exe, PID: 2368, parent PID: 2748
7za.exe, PID: 1740, parent PID: 2748
sitool.exe, PID: 2380, parent PID: 2748
schtasks.exe, PID: 2464, parent PID: 2380
schtasks.exe, PID: 2716, parent PID: 2380
explorer.exe, PID: 2948, parent PID: 2748

TCP

Source address | Source port | Destination address | Destination port
192.168.122.202 49166 172.67.152.72 avkit.org 80
192.168.122.202 49162 180.163.151.161 www.google-analytics.com 80
192.168.122.202 49160 42.99.140.178 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.202 50785 192.168.122.1 53
192.168.122.202 57208 192.168.122.1 53
192.168.122.202 62960 192.168.122.1 53

HTTP requests

URI | HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://www.google-analytics.com/collect
POST /collect HTTP/1.1
Connection: Keep-Alive
Content-Type: text/html; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 66
Host: www.google-analytics.com

http://avkit.org/home/getchannel
GET /home/getchannel HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent:  
Host: avkit.org

http://www.google-analytics.com/collect
POST /collect HTTP/1.1
Connection: Keep-Alive
Content-Type: text/html; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 68
Host: www.google-analytics.com

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 35.371 seconds )

  • 20.489 NetworkAnalysis
  • 10.655 Suricata
  • 2.116 VirusTotal
  • 0.698 BehaviorAnalysis
  • 0.676 Static
  • 0.393 TargetInfo
  • 0.315 peid
  • 0.016 Strings
  • 0.01 AnalysisInfo
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 45.757 seconds )

  • 43.914 network_http
  • 1.405 md_url_bl
  • 0.052 antiav_detectreg
  • 0.04 api_spamming
  • 0.033 stealth_timeout
  • 0.03 stealth_decoy_document
  • 0.022 infostealer_ftp
  • 0.013 infostealer_im
  • 0.013 md_domain_bl
  • 0.011 antiav_detectfile
  • 0.01 mimics_filetime
  • 0.01 antianalysis_detectreg
  • 0.009 reads_self
  • 0.008 bootkit
  • 0.008 stealth_file
  • 0.008 antivm_generic_disk
  • 0.008 virus
  • 0.008 infostealer_bitcoin
  • 0.007 kovter_behavior
  • 0.007 infostealer_mail
  • 0.006 antiemu_wine_func
  • 0.006 antivm_generic_scsi
  • 0.006 infostealer_browser_password
  • 0.006 ransomware_extensions
  • 0.006 ransomware_files
  • 0.005 anomaly_persistence_autorun
  • 0.005 antidbg_windows
  • 0.005 hancitor_behavior
  • 0.005 antivm_vbox_files
  • 0.005 geodo_banking_trojan
  • 0.004 antivm_vbox_libs
  • 0.003 injection_createremotethread
  • 0.003 antivm_generic_services
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.003 anormaly_invoke_kills
  • 0.003 network_torgateway
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antiav_avast_libs
  • 0.002 infostealer_browser
  • 0.002 maldun_anomaly_massive_file_ops
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antisandbox_sboxie_libs
  • 0.002 antiav_bitdefender_libs
  • 0.002 exec_crash
  • 0.002 injection_runpe
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 disables_browser_warn
  • 0.002 darkcomet_regkeys
  • 0.002 md_bad_drop
  • 0.002 rat_pcclient
  • 0.002 recon_fingerprint
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.001 antivm_vmware_libs
  • 0.001 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.001 antivm_vbox_window
  • 0.001 kazybot_behavior
  • 0.001 shifu_behavior
  • 0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.001 cerber_behavior
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antisandbox_productid
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vmware_files
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 codelux_behavior
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 network_cnc_http
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_spynet
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_modify_security_center_warnings

Reporting ( 0.493 seconds )

  • 0.487 ReportHTMLSummary
  • 0.006 Malheur
Task ID 697886
Mongo ID 62c29ec57e769a4b3820583c
Cuckoo release 1.4-Maldun