恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2024-04-22 19:15:25	2024-04-22 19:17:40	135 秒

魔盾分数

5.25

可疑的

文件详细信息

文件名	网上交易.exe
文件大小	5901312 字节
文件类型	PE32+ executable (GUI) x86-64, for MS Windows
MD5	f1f1e44ce2d94e04b8bcfd71e77f3e08
SHA1	878526629858534871c263cde4b97da4a9c5eb9a
SHA256	2ac6056ec233651a6d250a79e90067501fcb160d575451484da5e96f7c930030
SHA512	748e33a5b8cb7aeb31e51a79c116fb78e8ce572f490ec0c93d00c8241060e6138a03da12ab0c2f3e03fefc9435a761e36996b6c42f3572ed4bebc809130456e3
CRC32	EBBDC210
Ssdeep	49152:NvX/aPftKKrS0T4Ma/9rYzypYrBbXBzFOh3nf5X0R2VAbXBFibvV7pWS7l0k5to+:0PfAJG01a4p509hsmtUv2O
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x140000000
入口地址	0x14037d1e0
声明校验值	0x005aa6a4
实际校验值	0x005aa6a4
最低操作系统版本要求	6.0
编译时间	2023-06-14 16:18:33
载入哈希	b54b1ef811f6b0401efda3c7b931445c

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0037d074	0x0037d200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.28
.rdata	0x0037f000	0x000c5194	0x000c5200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.69
.data	0x00445000	0x000081b0	0x00002800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.44
.pdata	0x0044e000	0x0001104c	0x00011200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.02
.00cfg	0x00460000	0x00000028	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	0.39
.tls	0x00461000	0x00000021	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.02
.voltbl	0x00462000	0x0000001c	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	0.49
.rsrc	0x00463000	0x00141300	0x00141400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.71
.reloc	0x005a5000	0x00008f58	0x00009000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	5.44

导入

库: KERNEL32.dll:

• 0x14043f5b0 AcquireSRWLockExclusive

• 0x14043f5b8 AcquireSRWLockShared

• 0x14043f5c0 AssignProcessToJobObject

• 0x14043f5c8 CloseHandle

• 0x14043f5d0 CreateDirectoryW

• 0x14043f5d8 CreateEventW

• 0x14043f5e0 CreateFileMappingW

• 0x14043f5e8 CreateFileW

• 0x14043f5f0 CreateJobObjectW

• 0x14043f5f8 CreateProcessW

• 0x14043f600 DeleteCriticalSection

• 0x14043f608 DuplicateHandle

• 0x14043f610 EnterCriticalSection

• 0x14043f618 ExpandEnvironmentStringsW

• 0x14043f620 FindClose

• 0x14043f628 FindFirstFileExW

• 0x14043f630 FindFirstFileW

• 0x14043f638 FindNextFileW

• 0x14043f640 FlushFileBuffers

• 0x14043f648 FormatMessageA

• 0x14043f650 FreeLibrary

• 0x14043f658 GetCommandLineW

• 0x14043f660 GetConsoleMode

• 0x14043f668 GetConsoleScreenBufferInfo

• 0x14043f670 GetCurrentDirectoryW

• 0x14043f678 GetCurrentProcess

• 0x14043f680 GetCurrentProcessId

• 0x14043f688 GetCurrentThread

• 0x14043f690 GetCurrentThreadId

• 0x14043f698 GetDriveTypeW

• 0x14043f6a0 GetEnvironmentVariableW

• 0x14043f6a8 GetExitCodeProcess

• 0x14043f6b0 GetFileAttributesW

• 0x14043f6b8 GetFileInformationByHandle

• 0x14043f6c0 GetFileType

• 0x14043f6c8 GetFinalPathNameByHandleW

• 0x14043f6d0 GetLastError

• 0x14043f6d8 GetLogicalProcessorInformationEx

• 0x14043f6e0 GetLongPathNameW

• 0x14043f6e8 GetModuleFileNameW

• 0x14043f6f0 GetModuleHandleW

• 0x14043f6f8 GetNativeSystemInfo

• 0x14043f700 GetProcAddress

• 0x14043f708 GetProcessAffinityMask

• 0x14043f710 GetProcessGroupAffinity

• 0x14043f718 GetProcessTimes

• 0x14043f720 GetStdHandle

• 0x14043f728 GetSystemInfo

• 0x14043f730 GetSystemTime

• 0x14043f738 GetSystemTimeAsFileTime

• 0x14043f740 GetVolumePathNameW

• 0x14043f748 InitializeCriticalSection

• 0x14043f750 InitializeCriticalSectionAndSpinCount

• 0x14043f758 InitializeSListHead

• 0x14043f760 IsDebuggerPresent

• 0x14043f768 IsProcessorFeaturePresent

• 0x14043f770 K32GetProcessMemoryInfo

• 0x14043f778 LeaveCriticalSection

• 0x14043f780 LoadLibraryExA

• 0x14043f788 LoadLibraryW

• 0x14043f790 LocalFree

• 0x14043f798 MapViewOfFile

• 0x14043f7a0 MultiByteToWideChar

• 0x14043f7a8 QueryPerformanceCounter

• 0x14043f7b0 RaiseException

• 0x14043f7b8 ReadFile

• 0x14043f7c0 ReleaseSRWLockExclusive

• 0x14043f7c8 ReleaseSRWLockShared

• 0x14043f7d0 ResetEvent

• 0x14043f7d8 ResumeThread

• 0x14043f7e0 RtlCaptureContext

• 0x14043f7e8 RtlLookupFunctionEntry

• 0x14043f7f0 RtlVirtualUnwind

• 0x14043f7f8 SearchPathW

• 0x14043f800 SetConsoleCtrlHandler

• 0x14043f808 SetConsoleTextAttribute

• 0x14043f810 SetCurrentDirectoryW

• 0x14043f818 SetErrorMode

• 0x14043f820 SetEvent

• 0x14043f828 SetFileTime

• 0x14043f830 SetInformationJobObject

• 0x14043f838 SetLastError

• 0x14043f840 SetProcessAffinityMask

• 0x14043f848 SetThreadGroupAffinity

• 0x14043f850 SetUnhandledExceptionFilter

• 0x14043f858 SystemTimeToFileTime

• 0x14043f860 TerminateProcess

• 0x14043f868 UnhandledExceptionFilter

• 0x14043f870 UnmapViewOfFile

• 0x14043f878 VirtualProtect

• 0x14043f880 VirtualQuery

• 0x14043f888 WaitForSingleObject

• 0x14043f890 WaitForSingleObjectEx

• 0x14043f898 WideCharToMultiByte

• 0x14043f8a0 WriteConsoleW

库: ADVAPI32.dll:

• 0x14043f8b0 CryptAcquireContextW

• 0x14043f8b8 CryptGenRandom

• 0x14043f8c0 CryptReleaseContext

• 0x14043f8c8 RegCloseKey

• 0x14043f8d0 RegGetValueW

• 0x14043f8d8 RegOpenKeyExA

!This program cannot be run in DOS mode.$
.text
`.rdata
@.data
.pdata
@.00cfg
@.tls
.voltbl
@.rsrc
@.reloc
o5Lr6

没有防病毒引擎扫描信息!

进程树

____________.exe id: 2608

搜索
____________.exe (2608)

____________.exe, PID: 2608, 上一级进程 PID: 2268

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49158	23.45.12.147	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49158	23.45.12.147	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 43.138 seconds )

16.018 VirusTotal
12.417 Static
11.086 Suricata
1.844 NetworkAnalysis
1.414 TargetInfo
0.317 peid
0.012 config_decoder
0.011 Strings
0.01 AnalysisInfo
0.007 BehaviorAnalysis
0.002 Memory

Signatures ( 1.372 seconds )

1.301 proprietary_url_bl
0.011 antiav_detectreg
0.007 proprietary_domain_bl
0.005 anomaly_persistence_autorun
0.005 infostealer_ftp
0.004 antiav_detectfile
0.004 ransomware_extensions
0.004 ransomware_files
0.003 geodo_banking_trojan
0.003 infostealer_bitcoin
0.003 infostealer_im
0.003 network_http
0.002 tinba_behavior
0.002 antianalysis_detectreg
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.002 infostealer_mail
0.001 rat_nanocore
0.001 cerber_behavior
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http

Reporting ( 0.552 seconds )

0.515 ReportHTMLSummary
0.037 Malheur


Task ID	744214
Mongo ID	6626478cdc327b2dffad97eb
Cuckoo release	1.4-Maldun