恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2024-04-19 12:27:18	2024-04-19 12:29:31	133 秒

魔盾分数

5.45

可疑的

文件详细信息

文件名	命运2pVE.exe
文件大小	946688 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	b0f1c52755094166cf8c389073fe3924
SHA1	b815b504f8cb31289ddec0a19c07b9b077b617a6
SHA256	64376b9d8c50c204e1c7d300543c23de6bb788116a05e503959868e40087db68
SHA512	4d4275ceafd5c2f4c30eefd18811d6df32fe025290f2a2bb829d25199f8c7c552d0b7f85d738cb3b231d25d253753b6f31c60f890b84e1d9842d44bd4d74ab5f
CRC32	3710AB80
Ssdeep	24576:/vywqk2OB9HWjrd6mecsdDFAIPn+FFWGeYJXKE6ERxGQII:nywqAtWZ6dD6ImFw4NAyxl
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
是	124.222.107.56	中国
否	49.71.75.195	中国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
www.ip138.com	未知	CNAME www.ip138.com.lxdns.com A 49.71.75.195 A 114.230.204.92
2024.ip138.com	未知	CNAME 2024.ip138.com.wswebpic.com

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x00686290
声明校验值	0x000f3861
实际校验值	0x000f3861
最低操作系统版本要求	4.0
编译时间	2024-04-13 11:34:53
载入哈希	a3c7d185f42d83ec68a8615dc81190e1
图标
图标精确哈希值	06f97597538e2cedb47ea17f8839f07f
图标相似性哈希值	39647e4d26f73c7c7843071b76111468

版本信息

LegalCopyright
FileVersion
Comments
ProductName
ProductVersion
FileDescription
Translation

PEiD 规则

[u'UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
UPX0	0x00001000	0x001a1000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
UPX1	0x001a2000	0x000e5000	0x000e5000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.rsrc	0x00287000	0x00002000	0x00001e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.22

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x00281548	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.41	data
TEXTINCLUDE	0x00281548	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.41	data
TEXTINCLUDE	0x00281548	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.41	data
RT_CURSOR	0x00281a38	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.91	data
RT_CURSOR	0x00281a38	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.91	data
RT_CURSOR	0x00281a38	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.91	data
RT_CURSOR	0x00281a38	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.91	data
RT_BITMAP	0x00281aec	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.34	Sendmail frozen configuration - version \013\207\213co\372\234\\363\244Jt\035\025\236\254\024\201\332\2657\002\215o>\205\|\331\244\244\231\223\254\007w\262z\216,\357\034\312&>S\023\247\217\372\310?\003\343
RT_ICON	0x00287528	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.78	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4291019716, next used block 4291019716
RT_ICON	0x00287528	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.78	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4291019716, next used block 4291019716
RT_ICON	0x00287528	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.78	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4291019716, next used block 4291019716
RT_DIALOG	0x00283288	0x000000e2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.11	data
RT_DIALOG	0x00283288	0x000000e2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.11	data
RT_DIALOG	0x00283288	0x000000e2	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.11	data
RT_STRING	0x0028336c	0x000001c4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.45	data
RT_GROUP_CURSOR	0x00283558	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.03	data
RT_GROUP_CURSOR	0x00283558	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.03	data
RT_GROUP_CURSOR	0x00283558	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.03	data
RT_GROUP_ICON	0x002885d4	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	1.94	MS Windows icon resource - 1 icon, 32x32
RT_VERSION	0x002885ec	0x00000240	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.83	data
RT_MANIFEST	0x00288830	0x00000298	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.09	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

导入

库: KERNEL32.DLL:

• 0x688bcc LoadLibraryA

• 0x688bd0 GetProcAddress

• 0x688bd4 VirtualProtect

• 0x688bd8 VirtualAlloc

• 0x688bdc VirtualFree

• 0x688be0 ExitProcess

库: ADVAPI32.dll:

• 0x688be8 RegOpenKeyA

库: COMCTL32.dll:

• 0x688bf0 None

库: comdlg32.dll:

• 0x688bf8 ChooseColorA

库: GDI32.dll:

• 0x688c00 LineTo

库: ole32.dll:

• 0x688c08 OleRun

库: OLEAUT32.dll:

• 0x688c10 VariantCopy

库: SHELL32.dll:

• 0x688c18 ShellExecuteA

库: USER32.dll:

• 0x688c20 GetDC

库: WINMM.dll:

• 0x688c28 waveOutOpen

库: WINSPOOL.DRV:

• 0x688c30 OpenPrinterA

库: WS2_32.dll:

• 0x688c38 recv

.rsrc
%A,.K

没有防病毒引擎扫描信息!

进程树

______2pVE.exe id: 2568
services.exe id: 432

______2pVE.exe, PID: 2568, 上一级进程 PID: 2256

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

services.exe, PID: 432, 上一级进程 PID: 344

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
是	124.222.107.56	中国
否	49.71.75.195	中国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49166	124.222.107.56	6886
192.168.122.201	49160	23.48.32.11	80
192.168.122.201	49162	49.71.75.195 www.ip138.com	80
192.168.122.201	49163	49.71.75.195 www.ip138.com	443
192.168.122.201	49165	49.71.75.195 www.ip138.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53
192.168.122.201	59906	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
www.ip138.com	未知	CNAME www.ip138.com.lxdns.com A 49.71.75.195 A 114.230.204.92
2024.ip138.com	未知	CNAME 2024.ip138.com.wswebpic.com

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49166	124.222.107.56	6886
192.168.122.201	49160	23.48.32.11	80
192.168.122.201	49162	49.71.75.195 www.ip138.com	80
192.168.122.201	49163	49.71.75.195 www.ip138.com	443
192.168.122.201	49165	49.71.75.195 www.ip138.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53
192.168.122.201	59906	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://www.ip138.com/	GET / HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: zh-cn Referer: http://www.ip138.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36 Host: www.ip138.com
URL专业沙箱检测 -> http://2024.ip138.com/	GET / HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: zh-cn Referer: http://2024.ip138.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 2024.ip138.com

URI

HTTP数据

URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://www.ip138.com/

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://www.ip138.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
Host: www.ip138.com

URL专业沙箱检测 -> http://2024.ip138.com/

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://2024.ip138.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 2024.ip138.com

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Version	Issuer	Subject	Fingerprint
2024-04-19 12:27:55.868111+0800	192.168.122.201	49163	49.71.75.195	443	TLSv1	C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2	C=CN, ST=福建省, L=厦门市, O=网宿科技股份有限公司厦门分公司, CN=default.chinanetcenter.com	80:bb:c2:18:e3:78:a9:76:40:45:87:2d:2d:95:8b:0b:76:0b:d0:43

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 29.464 seconds )

13.536 NetworkAnalysis
12.994 Suricata
1.32 Static
0.793 BehaviorAnalysis
0.472 TargetInfo
0.316 peid
0.017 Strings
0.011 AnalysisInfo
0.003 config_decoder
0.002 Memory

Signatures ( 50.089 seconds )

48.183 network_http
1.523 proprietary_url_bl
0.052 antiav_detectreg
0.041 api_spamming
0.033 stealth_timeout
0.032 stealth_decoy_document
0.02 infostealer_ftp
0.012 proprietary_domain_bl
0.011 antianalysis_detectreg
0.011 infostealer_im
0.01 antiemu_wine_func
0.01 kovter_behavior
0.009 infostealer_browser_password
0.008 antivm_generic_scsi
0.008 antiav_detectfile
0.007 infostealer_mail
0.006 antivm_generic_services
0.006 anomaly_persistence_autorun
0.005 antivm_vbox_libs
0.005 anormaly_invoke_kills
0.005 geodo_banking_trojan
0.004 mimics_filetime
0.004 reads_self
0.004 infostealer_bitcoin
0.004 ransomware_extensions
0.004 ransomware_files
0.003 bootkit
0.003 stealth_file
0.003 kibex_behavior
0.003 shifu_behavior
0.003 exec_crash
0.003 antivm_generic_disk
0.003 virus
0.003 antivm_vbox_files
0.003 network_torgateway
0.002 tinba_behavior
0.002 antiav_avast_libs
0.002 betabot_behavior
0.002 antisandbox_sunbelt_libs
0.002 hancitor_behavior
0.002 antivm_generic_diskreg
0.002 antivm_parallels_keys
0.002 antivm_xen_keys
0.002 disables_browser_warn
0.002 darkcomet_regkeys
0.001 rat_nanocore
0.001 antivm_vmware_libs
0.001 injection_createremotethread
0.001 proprietary_anomaly_massive_file_ops
0.001 stealth_network
0.001 antisandbox_sboxie_libs
0.001 antiav_bitdefender_libs
0.001 cerber_behavior
0.001 bypass_firewall
0.001 antidbg_devices
0.001 antivm_hyperv_keys
0.001 antivm_vbox_keys
0.001 antivm_vpc_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_anomaly_invoke_vb_vba
0.001 proprietary_bad_drop
0.001 network_cnc_http
0.001 packer_armadillo_regkey
0.001 recon_fingerprint
0.001 stealth_modify_uac_prompt

Reporting ( 0.635 seconds )

0.534 ReportHTMLSummary
0.101 Malheur


Task ID	744115
Mongo ID	6621f3ae7e769a7c1b16ec43
Cuckoo release	1.4-Maldun