Analysis Task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp02-1  2024-04-19 16:13:47  2024-04-19 16:14:22  35 seconds

Maldun Score

1.4

Normal

File Details

File name  H0H0K0b.exe
File size  151552 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f852aa63bc40b55bee5f0df8ab7ca885
SHA1 35bd2a698af33ef4dd20a8c32f7afbe65aafdb80
SHA256 e8b572831fe43f52bcf004ae3eee3ec7be5e8a31fc46721b1f6343baa2858aa0
SHA512 e95d1963953fa7a29c162b848cf30629b7bfb025f4235a6eda5f293e793e9dfac630e482fd246a4e337e12a8c1738066d83382e93c5b5bcdcbe91fe24742e5f1
CRC32 79D2832F
Ssdeep 1536:4ApcD8QFjMFvLl5DABLu7SN5+DLNPFthAQd3qHvDXrqwHn9cdsK0sM6QMIEvYn70:rp28Lpk82agQcqqW

Screenshots

No screenshots available

Host Access Records

No host records.

Domain Resolution

No domain information.


Summary


PE Information

Image base  0x00400000
Entry point  0x004014c0
Declared checksum  0x00028df3
Actual checksum  0x00028df3
Minimum OS version required  4.0
Compile time  1998-02-08 02:50:19
Import hash  c3cfc69f15e8fbf2042de19fa93f74a9

Version Information

Translation
LegalCopyright
InternalName
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0001d104 0x0001e000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.66
.data 0x0001f000 0x00001468 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00021000 0x00000764 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.20
.rsrc 0x00022000 0x0000167c 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.89
.reloc 0x00024000 0x0000120e 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.29

Imports

Library: MSVBVM50.DLL:
0x421180 None
0x421184 _CIcos
0x421188 _adj_fptan
0x42118c __vbaVarMove
0x421190 __vbaVarVargNofree
0x421194 __vbaFreeVar
0x421198 __vbaStrVarMove
0x42119c __vbaLenBstr
0x4211a0 __vbaFreeVarList
0x4211a4 __vbaEnd
0x4211a8 _adj_fdiv_m64
0x4211ac __vbaFreeObjList
0x4211b0 _adj_fprem1
0x4211b4 __vbaRecAnsiToUni
0x4211b8 __vbaResume
0x4211bc __vbaError
0x4211c0 __vbaLsetFixstr
0x4211c4 __vbaSetSystemError
0x4211cc _adj_fdiv_m32
0x4211d0 __vbaVarTstLe
0x4211d4 __vbaExitProc
0x4211d8 __vbaOnError
0x4211dc __vbaObjSet
0x4211e0 None
0x4211e4 _adj_fdiv_m16i
0x4211e8 __vbaObjSetAddref
0x4211ec _adj_fdivr_m16i
0x4211f0 None
0x4211f4 _CIsin
0x4211f8 None
0x4211fc __vbaVargVarMove
0x421200 None
0x421204 __vbaChkstk
0x421208 EVENT_SINK_AddRef
0x42120c __vbaStrCmp
0x421210 None
0x421214 __vbaVarTstEq
0x421218 __vbaI2I4
0x42121c DllFunctionCall
0x421220 None
0x421224 _adj_fpatan
0x42122c __vbaRecUniToAnsi
0x421230 EVENT_SINK_Release
0x421234 _CIsqrt
0x42123c __vbaExceptHandler
0x421240 __vbaStrToUnicode
0x421244 _adj_fprem
0x421248 _adj_fdivr_m64
0x42124c None
0x421250 __vbaFPException
0x421254 None
0x421258 __vbaStrVarVal
0x42125c __vbaVarCat
0x421260 __vbaI2Var
0x421264 None
0x421268 None
0x42126c _CIlog
0x421270 __vbaErrorOverflow
0x421274 __vbaNew2
0x421278 _adj_fdiv_m32i
0x42127c _adj_fdivr_m32i
0x421280 __vbaStrCopy
0x421284 __vbaFreeStrList
0x421288 _adj_fdivr_m32
0x42128c _adj_fdiv_r
0x421290 None
0x421294 __vbaVarTstNe
0x421298 __vbaI4Var
0x42129c None
0x4212a0 __vbaVarAdd
0x4212a4 __vbaVarDup
0x4212a8 __vbaStrToAnsi
0x4212ac None
0x4212b0 __vbaVarCopy
0x4212b4 None
0x4212b8 _CIatan
0x4212bc __vbaStrMove
0x4212c0 _allmul
0x4212c4 _CItan
0x4212c8 _CIexp
0x4212cc __vbaFreeObj
0x4212d0 __vbaFreeStr

.text
`.data
.idata
@.rsrc
@.reloc
MSVBVM50.DLL
Recover
Recover
Recover
mdlOsVer
mdlUser
mdlStart
frmdummy
mdlRegApi
frmConfimBye
Recover
kernel32
GetVersionExA
GetWindowsDirectoryA
HHCtrl.ocx
HtmlHelpA
shell32.dll
ShellExecuteA
lblWelcome
E:\Program Files\DevStudio\VB\VB5.OLB
lblRegInfo
lblDrivers
lblStartRestore
cmdBegin
cmdDetails
lblIfCant
lblHaveAccess
lblUserInfo
pctTape
cmdBack
cmdYes
cmdno
pctWiz
Command1
chkShow
Label7
cmdDevice
Frame1
Picture1
cmdcancel
txtOwner
txtCompany
lblUser
pctWelcome
lblCompany
lblComplete
pctRestore
pctReg
cmdNext
QueryValueEx
SetValueEx
SetKeyValue
__vbaI2I4
CreateNewKey
cmdBack_KeyPress
cmdDetails_Click
cmdDevice_Click
cmdBack_Click
cmdBegin_Click
cmdcancel_Click
cmdNext_Click
cmdNext_KeyPress
cmdYes_Click
Form_Activate
Form_Load
CountRunTimes
GetCurrentOwner
ShowWizardPage
Form_MouseMove
txtCompany_KeyPress
txtCompany_KeyUp
txtOwner_Change
DeleteTempRecovery
DoStrings
txtOwner_KeyPress
VBA5.DLL
__vbaVarCopy
__vbaVarCat
__vbaStrCopy
__vbaVarMove
__vbaFreeStrList
__vbaStrToUnicode
__vbaStrToAnsi
__vbaLenBstr
__vbaEnd
__vbaFreeVarList
__vbaRecAnsiToUni
__vbaSetSystemError
__vbaRecUniToAnsi
__vbaFreeStr
__vbaStrMove
__vbaLsetFixstr
__vbaHresultCheckObj
__vbaNew2
__vbaFreeVar
__vbaVarTstEq
__vbaFixstrConstruct
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
lblChose
cmdno_Click
__vbaI2Var
__vbaVarAdd
__vbaVarTstNe
__vbaFreeObjList
__vbaVarDup
__vbaObjSetAddref
__vbaStrCmp
__vbaFreeObj
__vbaObjSet
__vbaVarTstLe
__vbaStrVarVal
__vbaI4Var
__vbaVarVargNofree
__vbaErrorOverflow
__vbaExitProc
__vbaResume
__vbaVargVarMove
__vbaStrVarMove
__vbaError
__vbaOnError
frmConfimBye
System Recovery
Form1
cmdno
cmdYes
pctTape
wwwwwwwwww
wwwwwwwwwwwx
lblChose
You have chosen to exit the system recovery wizard. Would you like to see the system recovery wizard the next time you start your computer?
frmdummy
Form1
Form1
Picture1
Command1
Command1
cmdcancel
&Cancel
cmdBack
< &Back
cmdNext
&Next >
chkShow
Frame1
cmdBegin
&Begin
pctWelcome
Label7
Label7
Label7
lblDrivers
Recieve instructions on installing drivers that you may need to restore your Backup.
lblStartRestore
Begin the system restore
lblRegInfo
Enter Registration Information
lblWelcome
Welcome to the System Recovery wizard. Please follow the instructions to restore your system. During this process you will be prompted to:
pctRestore
cmdDevice
De&vice Manager
cmdDetails
&Details
cmdYes
cmdNo
lblIfCant
If you cannot access your backup device, install the drivers for this device before continuing by following the instructions in your device documentation. When the drivers are installed, click finish.
lblHaveAccess
You will need to have access to your last Full System Backup in order to restore the registry and other system settings. If you have any questions on the restore process, click the Details button. Click Device Manager to see if you have the drivers installed for your backup device.
lblComplete
Windows System Recovery Setup is complete. Click Finish to start the restore process.
pctReg
txtCompany
txtOwner
lblCompany
Company:
lblUser
Name:
lblUserInfo
Type your name below. If you want, you can also type the name of the company you work for.
pctWiz
pctTape
lhKey
szValueName
vvalue
sValueName
lType
sKeyName
vValueSetting
lValueType
sNewKeyName
lPredefinedKey
KeyAscii
Button
Shift
KeyCode
QRhp @
PQhp @
j0h0&@
Ph8-@
A*\A\\THEBOMB\PRIVATE\System Recovery Source\AutoBack\Autoback.vbp
\Program Files\Accessories\BACKUP\MSBACKUP.EXE
\Program Files\Accessories\BACKUP\SYSTEM
C:\restore\msbatch.inf
msbackup.chm>MyWindow
hlp_restoring_backup.htm
Control.exe
sysdm.cpl,,1
Software\Microsoft\Windows\CurrentVersion\
RegisteredOwner
RegisteredOrganization
&Begin
&Apply
&Restore
Owner
Software\Microsoft\Windows\CurrentVersion\Run
Recover
Batchreg1
Count
C:\restore\*.*
C:\restore
No antivirus engine scan information!

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49160 23.223.199.177 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 63246 192.168.122.1 53


HTTP Requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 24.98 seconds )

  • 10.754 Suricata
  • 10.36 NetworkAnalysis
  • 2.446 AnalysisInfo
  • 0.834 Static
  • 0.293 peid
  • 0.273 TargetInfo
  • 0.01 Strings
  • 0.005 BehaviorAnalysis
  • 0.005 Memory

Signatures ( 1.445 seconds )

  • 1.368 proprietary_url_bl
  • 0.011 antiav_detectreg
  • 0.008 proprietary_domain_bl
  • 0.005 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_im
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 infostealer_bitcoin
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.002 network_cnc_http
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 cerber_behavior
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop

Reporting ( 0.869 seconds )

  • 0.86 ReportHTMLSummary
  • 0.009 Malheur
Task ID 744121
Mongo ID 66222825dc327b6543622f36
Cuckoo release 1.4-Maldun