Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp03-1 2024-03-27 11:02:44 2024-03-27 11:04:56 132 seconds

Maldun score

1.4

Normal

File details

File name consolepauser.exe
File size 1380864 bytes
File type PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5 3a0b0a9ee4d120e3c5683146e0f28703
SHA1 e0c2c758e202a11519b89c9556ecfbc9f32daf40
SHA256 33557796498640deb62aea66ddb9695e8e5acdd0cbda7c588b5259c1724207ab
SHA512 9d953a322a99f91aa1c2be8ec70624bdeb160016fc1ec6fff5cf11f4c04a205f18754b714ce0ad6eb0417b21c2d6a5ba533a4dbd121877d2b34078cbab4bcd86
CRC32 FF4DF5C0
Ssdeep 12288:UBoncKZh8wmPysudst/DR1y5/wImwyCcsPwJ7+jIVsNMhttgdryNDRx9feLCDpOr:UycKZawkysu+t/l1y5/qwQtgdryxBe6

Hosts contacted

No host records.

Domain resolution

No domain information.



PE information

Image base 0x140000000
Entry point 0x1400013f0
Declared checksum 0x00152b06
Actual checksum 0x00152b06
Minimum OS version required 4.0
Compile time 2024-03-26 20:51:04
Import hash de0b7e072ad4f18aabbae04f43d0ff7c

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000cf2b0 0x000cf400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.20
.data 0x000d1000 0x00002f20 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.32
.rdata 0x000d4000 0x000605f0 0x00060600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.38
.pdata 0x00135000 0x0000b658 0x0000b800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.93
.xdata 0x00141000 0x0000f7c4 0x0000f800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.88
.bss 0x00151000 0x00000da0 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00152000 0x0000172c 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.52
.CRT 0x00154000 0x00000068 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.41
.tls 0x00155000 0x00000010 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.reloc 0x00156000 0x00001648 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.34

Imports

Library: ADVAPI32.dll:
0x140152580 RegCloseKey
0x140152588 RegOpenKeyExA
0x140152590 RegQueryValueExA
Library: KERNEL32.dll:
0x1401525a8 AssignProcessToJobObject
0x1401525b0 CloseHandle
0x1401525b8 CreateEventA
0x1401525c0 CreateFileA
0x1401525c8 CreateJobObjectA
0x1401525d0 CreateProcessA
0x1401525d8 CreateSemaphoreA
0x1401525e0 DeleteCriticalSection
0x1401525e8 DuplicateHandle
0x1401525f0 EnterCriticalSection
0x1401525f8 FlushConsoleInputBuffer
0x140152600 FormatMessageA
0x140152608 GetConsoleOutputCP
0x140152610 GetCurrentProcess
0x140152618 GetCurrentProcessId
0x140152620 GetCurrentThread
0x140152628 GetCurrentThreadId
0x140152630 GetExitCodeProcess
0x140152638 GetHandleInformation
0x140152640 GetLastError
0x140152648 GetModuleHandleW
0x140152650 GetProcAddress
0x140152658 GetProcessAffinityMask
0x140152660 GetProcessTimes
0x140152668 GetStdHandle
0x140152670 GetSystemTimeAsFileTime
0x140152678 GetThreadContext
0x140152680 GetThreadPriority
0x140152688 GetTickCount64
0x140152698 IsDBCSLeadByteEx
0x1401526a0 IsDebuggerPresent
0x1401526a8 K32GetProcessMemoryInfo
0x1401526b0 LeaveCriticalSection
0x1401526b8 LoadLibraryW
0x1401526c0 LocalFree
0x1401526c8 MapViewOfFile
0x1401526d0 MultiByteToWideChar
0x1401526d8 OpenFileMappingA
0x1401526e0 OpenProcess
0x1401526e8 OutputDebugStringA
0x1401526f0 QueryPerformanceCounter
0x140152700 RaiseException
0x140152708 ReleaseSemaphore
0x140152718 ResetEvent
0x140152720 ResumeThread
0x140152728 RtlCaptureContext
0x140152730 RtlLookupFunctionEntry
0x140152738 RtlUnwindEx
0x140152740 RtlVirtualUnwind
0x140152748 SetConsoleTitleA
0x140152750 SetEvent
0x140152758 SetInformationJobObject
0x140152760 SetLastError
0x140152768 SetProcessAffinityMask
0x140152770 SetStdHandle
0x140152778 SetThreadContext
0x140152780 SetThreadPriority
0x140152790 Sleep
0x140152798 SuspendThread
0x1401527a0 TlsAlloc
0x1401527a8 TlsGetValue
0x1401527b0 TlsSetValue
0x1401527b8 TryEnterCriticalSection
0x1401527c0 UnmapViewOfFile
0x1401527c8 VirtualProtect
0x1401527d0 VirtualQuery
0x1401527d8 WaitForMultipleObjects
0x1401527e0 WaitForSingleObject
0x1401527e8 WideCharToMultiByte
Library: msvcrt.dll:
0x1401527f8 __C_specific_handler
0x140152800 ___lc_codepage_func
0x140152808 ___mb_cur_max_func
0x140152810 __getmainargs
0x140152818 __initenv
0x140152820 __iob_func
0x140152828 __set_app_type
0x140152830 __setusermatherr
0x140152838 _amsg_exit
0x140152840 _beginthreadex
0x140152848 _cexit
0x140152850 _commode
0x140152858 _endthreadex
0x140152860 _errno
0x140152868 _fdopen
0x140152870 _filelengthi64
0x140152878 _fileno
0x140152880 _fileno
0x140152888 _fmode
0x140152890 _fstat64
0x140152898 _getch
0x1401528a0 _initterm
0x1401528a8 _lock
0x1401528b0 _lseeki64
0x1401528b8 _onexit
0x1401528c0 _read
0x1401528c8 _setjmp
0x1401528d0 _strdup
0x1401528d8 _ultoa
0x1401528e0 _unlock
0x1401528e8 _wfopen
0x1401528f0 _write
0x1401528f8 abort
0x140152900 atoi
0x140152908 calloc
0x140152910 exit
0x140152918 fclose
0x140152920 fflush
0x140152928 fgetpos
0x140152930 fopen
0x140152938 fprintf
0x140152940 fputc
0x140152948 fputs
0x140152950 fread
0x140152958 free
0x140152960 freopen
0x140152968 fsetpos
0x140152970 fwrite
0x140152978 getc
0x140152980 getenv
0x140152988 getwc
0x140152990 isspace
0x140152998 iswctype
0x1401529a0 localeconv
0x1401529a8 longjmp
0x1401529b0 malloc
0x1401529b8 memchr
0x1401529c0 memcmp
0x1401529c8 memcpy
0x1401529d0 memmove
0x1401529d8 memset
0x1401529e0 printf
0x1401529e8 putc
0x1401529f0 putwc
0x1401529f8 realloc
0x140152a00 setlocale
0x140152a08 setvbuf
0x140152a10 signal
0x140152a18 strchr
0x140152a20 strcmp
0x140152a28 strcoll
0x140152a30 strerror
0x140152a38 strftime
0x140152a40 strlen
0x140152a48 strncmp
0x140152a50 strtoul
0x140152a58 strxfrm
0x140152a60 towlower
0x140152a68 towupper
0x140152a70 ungetwc
0x140152a78 ungetc
0x140152a80 vfprintf
0x140152a88 wcscoll
0x140152a90 wcsftime
0x140152a98 wcslen
0x140152aa0 wcsxfrm

No antivirus engine scan information!

Process tree

consolepauser.exe, PID: 2604, parent PID: 2256

TCP

Source address Source port Destination address Destination port
192.168.122.201 49160 2.22.89.27 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No files were dropped.
No similar analyses found.

Processing ( 18.179 seconds )

  • 12.852 Suricata
  • 2.667 NetworkAnalysis
  • 1.604 Static
  • 0.521 TargetInfo
  • 0.494 peid
  • 0.014 AnalysisInfo
  • 0.014 Strings
  • 0.009 BehaviorAnalysis
  • 0.002 Memory
  • 0.002 config_decoder

Signatures ( 1.432 seconds )

  • 1.351 proprietary_url_bl
  • 0.011 antiav_detectreg
  • 0.009 proprietary_domain_bl
  • 0.005 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 network_http
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 cerber_behavior
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.001 betabot_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.572 seconds )

  • 0.555 ReportHTMLSummary
  • 0.017 Malheur
Task ID 743095
Mongo ID 66038d157e769a7996a5a80f
Cuckoo release 1.4-Maldun