恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2024-04-19 13:33:01	2024-04-19 13:35:10	129 秒

魔盾分数

3.9

可疑的

文件详细信息

文件名	wsock32.dll
文件大小	280576 字节
文件类型	PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5	2433ddadfdb3dd670cbf2897dd1ac38c
SHA1	708a3a6c41fd20a9bcb34fb5bd4a8875bce09a8d
SHA256	86cd587bd87dc5245eadfb7e8c6ebcc4d20d148cd3005d95a863c0ee992083c4
SHA512	50189683ecaffa02af3e2f91d88a1b0620f07f2991458301c7960192cc2e5205ea70791472b1b3c057ed6e29d832c28849c72dd97e4aa0a8ba9b56bcc86d44f7
CRC32	B36DAF44
Ssdeep	6144:QXqWcA6EGLd0a6KFAryDOfgF3ptG8/V8o45qmbr5sMXJOmyuD:QTd69LqaFVD0gpHG8d8oIqYrNZMuD
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x3fd10000
入口地址	0x3fd11120
声明校验值	0x00052208
实际校验值	0x00052208
最低操作系统版本要求	6.1
PDB路径	wsock32.pdb
编译时间	2009-07-14 09:12:03
载入哈希	1d57147ac707bdced59ba259d35cb8b4
导出DLL库名称	WSOCK32.dll

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text\x00m\x01	0x00001000	0x00002d40	0x00002e00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.59
.data	0x00004000	0x00000348	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.23
.rsrc	0x00005000	0x00000510	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.99
.vmp0	0x00006000	0x00000108	0x00000200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	4.12
.Silvana	0x00007000	0x00003000	0x00003000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.72
.pdata\x00\x01	0x0000a000	0x0002b000	0x0002b000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.90
.vmp1	0x00035000	0x00011a7a	0x00011c00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.93

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
MUI	0x00005448	0x000000c8	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.69	data
RT_VERSION	0x000050b0	0x00000398	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.60	data

导入

库: WS2_32.dll:

• 0x3fd11000 WSARecv

• 0x3fd11004 getsockopt

• 0x3fd11008 WSARecvFrom

• 0x3fd1100c setsockopt

库: msvcrt.dll:

• 0x3fd11014 _except_handler4_common

• 0x3fd11018 _amsg_exit

• 0x3fd1101c _initterm

• 0x3fd11020 free

• 0x3fd11024 malloc

• 0x3fd11028 _XcptFilter

库: KERNEL32.dll:

• 0x3fd11030 InterlockedExchange

• 0x3fd11034 SetLastError

• 0x3fd11038 InterlockedCompareExchange

• 0x3fd1103c QueryPerformanceCounter

• 0x3fd11040 SetUnhandledExceptionFilter

• 0x3fd11044 UnhandledExceptionFilter

• 0x3fd11048 GetCurrentProcess

• 0x3fd1104c TerminateProcess

• 0x3fd11050 GetSystemTimeAsFileTime

• 0x3fd11054 GetCurrentProcessId

• 0x3fd11058 GetCurrentThreadId

• 0x3fd1105c GetTickCount

• 0x3fd11060 Sleep

库: KERNEL32.dll:

• 0x3fd17289 LoadLibraryA

• 0x3fd1728d GetModuleHandleA

• 0x3fd17291 GetProcAddress

• 0x3fd17295 FreeLibrary

• 0x3fd17299 VirtualProtect

• 0x3fd1729d GetCurrentDirectoryA

• 0x3fd172a1 CreateProcessA

• 0x3fd172a5 CloseHandle

• 0x3fd172a9 GetCurrentProcessId

• 0x3fd172ad GetSystemTimeAsFileTime

• 0x3fd172b1 QueryPerformanceCounter

• 0x3fd172b5 GetModuleFileNameA

• 0x3fd172b9 CreateFileA

• 0x3fd172bd GetFileSize

• 0x3fd172c1 ReadFile

• 0x3fd172c5 GetCurrentProcessId

• 0x3fd172c9 OpenProcess

• 0x3fd172cd VirtualProtectEx

• 0x3fd172d1 WriteProcessMemory

• 0x3fd172d5 InterlockedCompareExchange

• 0x3fd172d9 WritePrivateProfileStringA

• 0x3fd172dd CreateThread

• 0x3fd172e1 InterlockedCompareExchange

• 0x3fd172e5 InterlockedCompareExchange

• 0x3fd172e9 InterlockedCompareExchange

• 0x3fd172ed InterlockedCompareExchange

• 0x3fd172f1 InterlockedCompareExchange

• 0x3fd172f5 InterlockedCompareExchange

• 0x3fd172f9 InterlockedCompareExchange

库: MSVCRT.dll:

• 0x3fd17400 fopen

• 0x3fd17404 fread

• 0x3fd17408 fclose

• 0x3fd1740c ftell

• 0x3fd17410 fseek

• 0x3fd17414 strstr

• 0x3fd17418 sprintf

• 0x3fd1741c _mbsnbicmp

• 0x3fd17420 memmove

• 0x3fd17424 memset

• 0x3fd17428 strncpy

• 0x3fd1742c _strnicmp

• 0x3fd17430 strstr

• 0x3fd17434 _mbsnbicmp

• 0x3fd17438 _mbsnbicmp

• 0x3fd1743c _mbsnbicmp

• 0x3fd17440 _mbsnbicmp

• 0x3fd17444 _mbsnbicmp

• 0x3fd17448 _mbsnbicmp

• 0x3fd1744c _mbsnbicmp

• 0x3fd17450 _mbsnbicmp

• 0x3fd17454 _mbsnbicmp

库: MFC42.dll:

• 0x3fd174ca None

• 0x3fd174ce None

• 0x3fd174d2 None

• 0x3fd174d6 None

• 0x3fd174da None

• 0x3fd174de None

• 0x3fd174e2 None

• 0x3fd174e6 None

• 0x3fd174ea None

• 0x3fd174ee None

导出

序列	地址	名称
1141	0x3fd13382	AcceptEx
1111	0x3fd13393	EnumProtocolsA
1112	0x3fd133aa	EnumProtocolsW
1142	0x3fd133c1	GetAcceptExSockaddrs
1109	0x3fd133de	GetAddressByNameA
1110	0x3fd133f8	GetAddressByNameW
1115	0x3fd13412	GetNameByTypeA
1116	0x3fd13429	GetNameByTypeW
1119	0x3fd13440	GetServiceA
1120	0x3fd13454	GetServiceW
1113	0x3fd13468	GetTypeByNameA
1114	0x3fd1347f	GetTypeByNameW
24	0x3fd13496	MigrateWinsockConfiguration
1130	0x3fd134ba	NPLoadNameSpaces
1117	0x3fd134d3	SetServiceA
1118	0x3fd134e7	SetServiceW
1140	0x3fd134fb	TransmitFile
500	0x3fd13510	WEP
102	0x3fd1351b	WSAAsyncGetHostByAddr
103	0x3fd13538	WSAAsyncGetHostByName
105	0x3fd13555	WSAAsyncGetProtoByName
104	0x3fd13573	WSAAsyncGetProtoByNumber
107	0x3fd13593	WSAAsyncGetServByName
106	0x3fd135b0	WSAAsyncGetServByPort
101	0x3fd135cd	WSAAsyncSelect
108	0x3fd135e3	WSACancelAsyncRequest
113	0x3fd13600	WSACancelBlockingCall
116	0x3fd1361d	WSACleanup
111	0x3fd1362f	WSAGetLastError
114	0x3fd13646	WSAIsBlocking
1107	0x3fd1365b	WSARecvEx
109	0x3fd1366d	WSASetBlockingHook
112	0x3fd13687	WSASetLastError
115	0x3fd1369e	WSAStartup
110	0x3fd136b0	WSAUnhookBlockingHook
1000	0x3fd136cd	WSApSetPostRoutine
151	0x3fd136e7	__WSAFDIsSet
1	0x3fd136fb	accept
2	0x3fd13709	bind
3	0x3fd13715	closesocket
4	0x3fd13728	connect
1106	0x3fd13737	dn_expand
51	0x3fd13749	gethostbyaddr
52	0x3fd1375e	gethostbyname
57	0x3fd13773	gethostname
1101	0x3fd13786	getnetbyname
5	0x3fd1379b	getpeername
53	0x3fd137ae	getprotobyname
54	0x3fd137c4	getprotobynumber
55	0x3fd137dc	getservbyname
56	0x3fd137f1	getservbyport
6	0x3fd13806	getsockname
7	0x3fd1186e	getsockopt
8	0x3fd13819	htonl
9	0x3fd13826	htons
10	0x3fd13833	inet_addr
1100	0x3fd13844	inet_network
11	0x3fd13859	inet_ntoa
12	0x3fd1386a	ioctlsocket
13	0x3fd1387d	listen
14	0x3fd1388b	ntohl
15	0x3fd13898	ntohs
1102	0x3fd138a5	rcmd
16	0x3fd117a8	recv
17	0x3fd11808	recvfrom
1103	0x3fd138b2	rexec
1104	0x3fd138c0	rresvport
1108	0x3fd138d2	s_perror
18	0x3fd138e3	select
19	0x3fd138f1	send
20	0x3fd138fd	sendto
1105	0x3fd1390b	sethostname
21	0x3fd118e0	setsockopt
22	0x3fd1391f	shutdown
23	0x3fd1392f	socket

.text
.data
.rsrc
@.vmp0
`.Silvana
.pdata
.vmp1
SelfCode.dll
\TdxW.exe
WSOCK32.dll
AcceptEx
EnumProtocolsA
EnumProtocolsW
GetAcceptExSockaddrs
GetAddressByNameA
GetAddressByNameW
GetNameByTypeA
GetNameByTypeW
GetServiceA
GetServiceW
GetTypeByNameA
GetTypeByNameW
MigrateWinsockConfiguration
NPLoadNameSpaces
SetServiceA
SetServiceW
TransmitFile
WSAAsyncGetHostByAddr
WSAAsyncGetHostByName
WSAAsyncGetProtoByName
WSAAsyncGetProtoByNumber
WSAAsyncGetServByName
WSAAsyncGetServByPort
WSAAsyncSelect
WSACancelAsyncRequest
WSACancelBlockingCall
WSACleanup
WSAGetLastError
WSAIsBlocking
WSARecvEx
WSASetBlockingHook
WSASetLastError
WSAStartup
WSAUnhookBlockingHook
WSApSetPostRoutine
__WSAFDIsSet
accept
closesocket
connect
dn_expand
gethostbyaddr
gethostbyname
gethostname
getnetbyname
getpeername
getprotobyname
getprotobynumber
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_network
inet_ntoa
ioctlsocket
listen
ntohl
ntohs
recvfrom
rexec
rresvport
s_perror
select
sendto
sethostname
setsockopt
shutdown
socket
MSWSOCK.AcceptEx
MSWSOCK.EnumProtocolsA
MSWSOCK.EnumProtocolsW
MSWSOCK.GetAcceptExSockaddrs
MSWSOCK.GetAddressByNameA
MSWSOCK.GetAddressByNameW
MSWSOCK.GetNameByTypeA
MSWSOCK.GetNameByTypeW
MSWSOCK.GetServiceA
MSWSOCK.GetServiceW
MSWSOCK.GetTypeByNameA
MSWSOCK.GetTypeByNameW
MSWSOCK.MigrateWinsockConfiguration
MSWSOCK.NPLoadNameSpaces
MSWSOCK.SetServiceA
MSWSOCK.SetServiceW
MSWSOCK.TransmitFile
ws2_32.WEP
ws2_32.WSAAsyncGetHostByAddr
ws2_32.WSAAsyncGetHostByName
ws2_32.WSAAsyncGetProtoByName
ws2_32.WSAAsyncGetProtoByNumber
ws2_32.WSAAsyncGetServByName
ws2_32.WSAAsyncGetServByPort
ws2_32.WSAAsyncSelect
ws2_32.WSACancelAsyncRequest
ws2_32.WSACancelBlockingCall
ws2_32.WSACleanup
ws2_32.WSAGetLastError
ws2_32.WSAIsBlocking
MSWSOCK.WSARecvEx
ws2_32.WSASetBlockingHook
ws2_32.WSASetLastError
ws2_32.WSAStartup
ws2_32.WSAUnhookBlockingHook
ws2_32.WSApSetPostRoutine
ws2_32.__WSAFDIsSet
ws2_32.accept
ws2_32.bind
ws2_32.closesocket
ws2_32.connect
MSWSOCK.dn_expand
ws2_32.gethostbyaddr
ws2_32.gethostbyname
ws2_32.gethostname
MSWSOCK.getnetbyname
ws2_32.getpeername
ws2_32.getprotobyname
ws2_32.getprotobynumber
ws2_32.getservbyname
ws2_32.getservbyport
ws2_32.getsockname
ws2_32.htonl
ws2_32.htons
ws2_32.inet_addr
MSWSOCK.inet_network
ws2_32.inet_ntoa
ws2_32.ioctlsocket
ws2_32.listen
ws2_32.ntohl
ws2_32.ntohs
MSWSOCK.rcmd
MSWSOCK.rexec
MSWSOCK.rresvport
MSWSOCK.s_perror
ws2_32.select
ws2_32.send
ws2_32.sendto
MSWSOCK.sethostname
ws2_32.shutdown
ws2_32.socket
KERNEL32.dll
msvcrt.dll
WS2_32.dll
WSARecv
WSARecvFrom
_except_handler4_common
_amsg_exit
_initterm
malloc
_XcptFilter
InterlockedExchange
SetLastError
InterlockedCompareExchange
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
Sleep
wsock32.pdb
KERNEL32.dll
LoadLibraryA
GetModuleHandleA
GetProcAddress
FreeLibrary
VirtualProtect
GetCurrentDirectoryA
CreateProcessA
CloseHandle
GetCurrentProcessId
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetModuleFileNameA
CreateFileA
GetFileSize
ReadFile
GetCurrentProcessId
OpenProcess
VirtualProtectEx
WriteProcessMemory
InterlockedCompareExchange
WritePrivateProfileStringA
CreateThread
mpareExchange
InterlockedCompareExchange
InterlockedCompareExchange
InterlockedCompareExchange
InterlockedCompareExchange
InterlockedCompareExchange
InterlockedCompareExchange
InterlockedCompareExchange
MSVCRT.dll
fopen
fread
fclose
ftell
fseek
strstr
sprintf
_mbsnbicmp
memmove
memset
strncpy
_strnicmp
strstr
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
_mbsnbicmp
MFC42.dll
80170BC
80170BC
80170BC
80170BC
80170BC
80170BC
80170BC
80170BC
80170BC
80170BC
\tdxw.exe
\\modify.dat
L2Type
Version
\connect.cfg
\embui.cfg
Other
EMBUI
\T0002\user.ini
ProcessMsg
\AddJy.dll
ProcessID:%d
\AppJy.dll
\modify.dai
fortune@tend
tdx_zjzh117cookie
tdx_gx_whs_9527_cl
SECURE20071116_TDXSS
SECURE20091215_TDXSS
SECURE20031107_TDXDS
tdx_zhinfo7cookie
l2wl_verify0
tdx_fzzqjcjsignal
tdx_zjzh_tztz_@#$
tdxjgb_softfile0115
tdxjgb
SECURE20031107_TDXAB
~xawn
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Windows Socket 32-Bit DLL
FileVersion
6.1.7600.16385 (win7_rtm.090713-1255)
InternalName
wsock32.dll
LegalCopyright
 Microsoft Corporation. All rights reserved.
OriginalFilename
wsock32.dll
ProductName
 Operating System
ProductVersion
6.1.7600.16385
VarFileInfo
Translation
en-US

没有防病毒引擎扫描信息!

进程树

rundll32.exe id: 2564

搜索
rundll32.exe (2564)

rundll32.exe, PID: 2564, 上一级进程 PID: 2248

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	104.114.76.194	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	104.114.76.194	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 16.85 seconds )

11.348 Suricata
2.23 AnalysisInfo
2.054 NetworkAnalysis
0.528 Static
0.328 peid
0.321 TargetInfo
0.028 BehaviorAnalysis
0.011 Strings
0.002 Memory

Signatures ( 1.622 seconds )

1.527 proprietary_url_bl
0.013 antiav_detectreg
0.009 proprietary_domain_bl
0.006 antiav_detectfile
0.006 infostealer_ftp
0.006 ransomware_files
0.005 anomaly_persistence_autorun
0.004 geodo_banking_trojan
0.004 infostealer_bitcoin
0.004 infostealer_im
0.004 network_http
0.004 ransomware_extensions
0.003 antianalysis_detectreg
0.003 antivm_vbox_files
0.002 tinba_behavior
0.002 rat_nanocore
0.002 disables_browser_warn
0.002 infostealer_mail
0.001 stealth_decoy_document
0.001 api_spamming
0.001 betabot_behavior
0.001 kibex_behavior
0.001 cerber_behavior
0.001 stealth_timeout
0.001 antivm_parallels_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http
0.001 stealth_modify_security_center_warnings

Reporting ( 0.661 seconds )

0.653 ReportHTMLSummary
0.008 Malheur


Task ID	744116
Mongo ID	662202c57e769a7c1916ea9b
Cuckoo release	1.4-Maldun