恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2024-04-22 17:34:29	2024-04-22 17:35:10	41 秒

魔盾分数

1.9

正常的

文件详细信息

文件名	打开5.exe
文件大小	437248 字节
文件类型	PE32+ executable (GUI) x86-64, for MS Windows
MD5	2e2773be6cbe4ff7a1683e4621df5255
SHA1	c9705f5596a56e88cfb2205dd13fd56dc674c40c
SHA256	0d859be750ef8d175f671654f30e9afddfccd512fb8acf4b151939d5a3c05db8
SHA512	90ec6f256fd04c5fa39d0cb8c8b72f4b51394621cfa212d5a1df66a1597df26a1617739f819ba555f335d88f9522466e4404496c136a09d797165d56a983fab3
CRC32	A19C6846
Ssdeep	6144:cSCOeIKcleyZpnEkNmn8zEHcff10UU8BdGQxJCMj:cSCOVLvXEk4n8IHMfyG4OJZ
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	149.129.12.38	马来西亚

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
special.mylyricsbox.com	未知	A 149.129.12.38 CNAME outhook.oss-ap-northeast-2.aliyuncs.com

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x0040beb0
声明校验值	0x0007313a
实际校验值	0x0007313a
最低操作系统版本要求	4.0
PDB路径	c:\Users\86130\Desktop\00\x64\release\00.pdb
编译时间	2024-04-11 11:59:16
载入哈希	ed05db898e2d3a03abc3f211d0ebda5b
图标
图标精确哈希值	e8f2bc5505598bcaa2ca3d5e277057c5
图标相似性哈希值	97b9e1cb20abc6171ea88a91083ca6fa

版本信息

LegalCopyright
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
None	Mon Apr 22 14:24:01 2024	否	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

证书链	Certificate Chain 1
发行给	andy
发行人	andy
有效期	Sun Jan 01 075959 2040
SHA1 哈希	4e0e0162dbba961596a17b102c26c04d7c853811

证书链	Timestamp Chain 1
发行给	GlobalSign
发行人	GlobalSign
有效期	Sun Dec 10 080000 2034
SHA1 哈希	8094640eb5a7a1ca119c1fddd59f810263a7fbd1

证书链	Timestamp Chain 2
发行给	GlobalSign Timestamping CA - SHA384 - G4
发行人	GlobalSign
有效期	Sun Dec 10 080000 2034
SHA1 哈希	f585500925786f88e721d235240a2452ae3d23f9

证书链	Timestamp Chain 3
发行给	Globalsign TSA for Advanced - G4 - 202311
发行人	GlobalSign Timestamping CA - SHA384 - G4
有效期	Mon Dec 04 183002 2034
SHA1 哈希	e201ff2bd75afdf8bc0c2c1b51bd58f8631d38b6

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0001423a	0x00014400	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.96
.rdata	0x00016000	0x00006060	0x00006200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.77
.data	0x0001d000	0x00002458	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.08
.pdata	0x00020000	0x00001b30	0x00001c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.65
.rsrc	0x00022000	0x0004b4cc	0x0004b600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.88

覆盖

偏移量	0x00069000
大小	0x00001c00

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_ICON	0x0006c8a4	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.06	GLS_BINARY_LSB_FIRST
RT_MENU	0x0006cd0c	0x00000050	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.25	data
RT_DIALOG	0x0006cd5c	0x000000be	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.57	data
RT_STRING	0x0006ce1c	0x0000002c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.05	data
RT_ACCELERATOR	0x0006ce48	0x00000010	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.80	data
RT_GROUP_ICON	0x0006cf54	0x00000076	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.89	MS Windows icon resource - 8 icons, 32x32, 16 colors
RT_GROUP_ICON	0x0006cf54	0x00000076	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.89	MS Windows icon resource - 8 icons, 32x32, 16 colors
RT_GROUP_ICON	0x0006cf54	0x00000076	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.89	MS Windows icon resource - 8 icons, 32x32, 16 colors
RT_VERSION	0x0006cfcc	0x00000330	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.45	data
RT_MANIFEST	0x0006d2fc	0x000001cd	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.78	ASCII text

导入

库: KERNEL32.dll:

• 0x416000 LoadLibraryA

• 0x416008 GetProcAddress

• 0x416010 GetStringTypeW

• 0x416018 GetStringTypeA

• 0x416020 LCMapStringW

• 0x416028 LCMapStringA

• 0x416030 GetLocaleInfoA

• 0x416038 MultiByteToWideChar

• 0x416040 HeapReAlloc

• 0x416048 GetOEMCP

• 0x416050 GetACP

• 0x416058 GetCPInfo

• 0x416060 GetCommandLineA

• 0x416068 HeapFree

• 0x416070 GetVersionExA

• 0x416078 HeapAlloc

• 0x416080 GetProcessHeap

• 0x416088 GetStartupInfoA

• 0x416090 TerminateProcess

• 0x416098 GetCurrentProcess

• 0x4160a0 UnhandledExceptionFilter

• 0x4160a8 SetUnhandledExceptionFilter

• 0x4160b0 IsDebuggerPresent

• 0x4160b8 RtlVirtualUnwind

• 0x4160c0 RtlLookupFunctionEntry

• 0x4160c8 RtlCaptureContext

• 0x4160d0 GetLastError

• 0x4160d8 RaiseException

• 0x4160e0 RtlPcToFileHeader

• 0x4160e8 GetModuleHandleA

• 0x4160f0 ExitProcess

• 0x4160f8 WriteFile

• 0x416100 GetStdHandle

• 0x416108 GetModuleFileNameA

• 0x416110 RtlUnwindEx

• 0x416118 FreeEnvironmentStringsA

• 0x416120 GetEnvironmentStrings

• 0x416128 FreeEnvironmentStringsW

• 0x416130 WideCharToMultiByte

• 0x416138 GetEnvironmentStringsW

• 0x416140 SetHandleCount

• 0x416148 GetFileType

• 0x416150 DeleteCriticalSection

• 0x416158 FlsGetValue

• 0x416160 FlsSetValue

• 0x416168 TlsFree

• 0x416170 FlsFree

• 0x416178 SetLastError

• 0x416180 GetCurrentThreadId

• 0x416188 FlsAlloc

• 0x416190 HeapSetInformation

• 0x416198 HeapCreate

• 0x4161a0 QueryPerformanceCounter

• 0x4161a8 GetTickCount

• 0x4161b0 GetCurrentProcessId

• 0x4161b8 GetSystemTimeAsFileTime

• 0x4161c0 Sleep

• 0x4161c8 HeapSize

• 0x4161d0 LeaveCriticalSection

• 0x4161d8 EnterCriticalSection

• 0x4161e0 InitializeCriticalSection

库: USER32.dll:

• 0x4161f0 LoadStringA

• 0x4161f8 GetMessageA

• 0x416200 EndDialog

• 0x416208 PostQuitMessage

• 0x416210 EndPaint

• 0x416218 BeginPaint

• 0x416220 DefWindowProcA

• 0x416228 DialogBoxParamA

• 0x416230 UpdateWindow

• 0x416238 ShowWindow

• 0x416240 CreateWindowExA

• 0x416248 RegisterClassExA

• 0x416250 LoadCursorA

• 0x416258 DispatchMessageA

• 0x416260 TranslateMessage

• 0x416268 TranslateAcceleratorA

库: WININET.dll:

• 0x416278 InternetReadFile

• 0x416280 InternetOpenUrlA

.text
`.rdata
@.data
.pdata
@.rsrc
Unknown exception
CorExitProcess
mscoree.dll
runtime error 
Microsoft Visual C++ Runtime Library
<program name unknown>
Program: 
EncodePointer
KERNEL32.DLL
DecodePointer
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
string too long
invalid string position
bad exception
bad allocation
c:\Users\86130\Desktop\00\x64\release\00.pdb
LoadLibraryA
GetProcAddress
KERNEL32.dll
LoadStringA
GetMessageA
TranslateAcceleratorA
TranslateMessage
DispatchMessageA
LoadCursorA
RegisterClassExA
CreateWindowExA
ShowWindow
UpdateWindow
DialogBoxParamA
DefWindowProcA
BeginPaint
EndPaint
PostQuitMessage
EndDialog
USER32.dll
InternetOpenUrlA
InternetReadFile
WININET.dll
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetLastError
RaiseException
RtlPcToFileHeader
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
RtlUnwindEx
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
FlsGetValue
FlsSetValue
TlsFree
FlsFree
SetLastError
GetCurrentThreadId
FlsAlloc
HeapSetInformation
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
Sleep
HeapSize
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetCPInfo
GetACP
GetOEMCP
HeapReAlloc
MultiByteToWideChar
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
.?AVtype_info@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVbad_alloc@std@@

没有防病毒引擎扫描信息!

进程树

______5.exe id: 2548

搜索
______5.exe (2548)

______5.exe, PID: 2548, 上一级进程 PID: 2248

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	149.129.12.38	马来西亚

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	149.129.12.38 special.mylyricsbox.com	80
192.168.122.201	49162	149.129.12.38 special.mylyricsbox.com	80
192.168.122.201	49160	23.209.84.72	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
special.mylyricsbox.com	未知	A 149.129.12.38 CNAME outhook.oss-ap-northeast-2.aliyuncs.com

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	149.129.12.38 special.mylyricsbox.com	80
192.168.122.201	49162	149.129.12.38 special.mylyricsbox.com	80
192.168.122.201	49160	23.209.84.72	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://special.mylyricsbox.com/longlingqian.rar	GET /longlingqian.rar HTTP/1.1 User-Agent: 66df1234 Host: special.mylyricsbox.com Cache-Control: no-cache
URL专业沙箱检测 -> http://special.mylyricsbox.com/output.log	GET /output.log HTTP/1.1 User-Agent: MyApp Host: special.mylyricsbox.com Cache-Control: no-cache
URL专业沙箱检测 -> http://special.mylyricsbox.com/config.ini	GET /config.ini HTTP/1.1 User-Agent: MyApp Host: special.mylyricsbox.com Cache-Control: no-cache
URL专业沙箱检测 -> http://special.mylyricsbox.com/tdIdd.inf	GET /tdIdd.inf HTTP/1.1 User-Agent: MyApp Host: special.mylyricsbox.com Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 26.651 seconds )

13.472 NetworkAnalysis
11.52 Suricata
0.709 Static
0.349 TargetInfo
0.319 peid
0.254 BehaviorAnalysis
0.015 AnalysisInfo
0.011 Strings
0.002 Memory

Signatures ( 47.201 seconds )

45.46 network_http
1.57 proprietary_url_bl
0.018 antiav_detectreg
0.013 api_spamming
0.011 proprietary_domain_bl
0.01 stealth_decoy_document
0.01 stealth_timeout
0.009 kovter_behavior
0.008 antiemu_wine_func
0.007 infostealer_browser_password
0.007 infostealer_ftp
0.006 anomaly_persistence_autorun
0.006 ransomware_files
0.005 antiav_detectfile
0.005 geodo_banking_trojan
0.004 antianalysis_detectreg
0.004 infostealer_im
0.004 ransomware_extensions
0.003 infostealer_bitcoin
0.003 infostealer_mail
0.002 tinba_behavior
0.002 antivm_vbox_libs
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.002 network_torgateway
0.001 rat_nanocore
0.001 antiav_avast_libs
0.001 mimics_filetime
0.001 network_anomaly
0.001 betabot_behavior
0.001 antisandbox_sunbelt_libs
0.001 kibex_behavior
0.001 shifu_behavior
0.001 exec_crash
0.001 antivm_generic_disk
0.001 cerber_behavior
0.001 antivm_parallels_keys
0.001 antivm_vmware_files
0.001 antivm_xen_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http
0.001 rat_pcclient
0.001 rat_spynet
0.001 recon_fingerprint
0.001 stealth_hiddenreg
0.001 stealth_hide_notifications
0.001 stealth_modify_uac_prompt
0.001 stealth_modify_security_center_warnings

Reporting ( 0.542 seconds )

0.494 ReportHTMLSummary
0.048 Malheur


Task ID	744211
Mongo ID	66262fc57e769a7ecd4b4ed3
Cuckoo release	1.4-Maldun