分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2024-04-23 11:44:17 | 2024-04-23 11:46:30 | 133 秒 |
魔盾分数
10.0
危险的
文件详细信息
| 文件名 | Favorites.exe |
|---|---|
| 文件大小 | 3884024 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | ebc92c1a7b37aab61cf0f175a47dc638 |
| SHA1 | e32bea5329e2d50cbd621b3467ab99899117d0b9 |
| SHA256 | 47b95062535946d0cb96b3e88929c73ce41ccb0776d273a45e3613ebfc2dd1ef |
| SHA512 | 4aabe42bfc00f87763821cbb95b75e1ae0be3a1db575b881fd75ea70c9c45a193bbc2ceccedc24d86b8ccdd462944add1c46f184c92e3b842f3c73bb8ecf353a |
| CRC32 | 89CA57AF |
| Ssdeep | 24576:Qfs6Ds6e+JmLkMQa7jgLAKWNV96IO4t0drSvc7:Qfs6Ds6rmLbQawAKWRhtuo |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| www.openclose.ir | ||
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 |
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00422be0 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x003bc5b0 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1970-01-01 08:00:00 |
| 载入哈希 | aef439f1829f69458eb455e4017c94f9 |
| 图标 |  |
| 图标精确哈希值 | 48aab7fda2ff09f59edaaacfb14178a1 |
| 图标相似性哈希值 | bc08d13fa07a1d74d59eaf4b149689be |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| \xe2\x17\x930 | 0x00001000 | 0x0001e000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| \xe2\x17\x931 | 0x0001f000 | 0x00004000 | 0x00003e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.87 |
| .rsrc | 0x00023000 | 0x000371ae | 0x000371ae | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.74 |
| dvvehzv | 0x0005b000 | 0x00001000 | 0x00000000 | IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .GA\x17\x931 | 0x0005c000 | 0x0037c9fc | 0x00378ff8 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.96 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0002d23c | 0x000094a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.24 | dBase III DBT, version number 0, next free block index 40 |
| RT_GROUP_ICON | 0x000366e8 | 0x000000bc | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.13 | MS Windows icon resource - 13 icons, 48x48, 16 colors |
| RT_VERSION | 0x000367a8 | 0x00000000 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
导入
库: MSVBVM60.DLL:
• 0x4367f4 None
.rsrc
dvvehzv
@=8-B
lllll
[q~b[Fllll
ha[]dlll
nKB\`lll
nKG[llll
ha[llll
XwwwwwwwwwwwwwwSSSTTpNJBllll
SSSSSSSSSSSSSSTTTTTTTTT:kK^l
<<<<<<<<<<<<<<<<<<<<<<<<<<u9l
DDDDl
[[[[[[[[
[[[[[[[[7
lllll
[fPFMlllll
_glllll
nhGFlllll
IMlll
[i)<<<<<<<<<<<<<<:nK_l
[i}<<<<<<<<<<<<<<<<<wl
[c*(((((((((((((((((wl
[[[[[[
[[[[[[[
rllll
7lllll
h7dllll
[o>wSSTTTw:nLglll
[o2T<<<<<<<11<t9Ll
yyyy3Wq
33$?m[
[[[[[[
[[[[[[
ddddddddddddd
Id7(1IIIIIIIIIIII
IIIII`
444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
44444
555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555
??????????????????????????????????????????????????????????????????????????????????????????
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB6
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB6
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB6
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB6
DBBEBCEBBBCBBBEDDBBBDCCBBBBCBBCBBDDBCBBBCCCBCBBCBBEDBDEBCCBBCDBCEBCBCBBBBBBDCCDCCBDDDCBBD6
EEECEEEEEBCCBCBEBEBECCBEEBCCEDECEEEDDBCDBECBEECECCECEEEBEDDBCEEBBDEEEEBBECCEDEEEEDBCECBBC6
EEEEEEEEEEEEEEEEEEEEECDEEEEEDEECECEEEDEEEEEEEDECEDEEEEEEEECECEEECEEEBEEEECEBECCEEEEEEEEEE7
EEEEEFEGEFFEGFGEEEEEFEGEFHFGGEEEEEGHEFFEFEEFFFEFEEEEHEGFEHEEGEEEFEEEEHEEEEEEFEEEEFGGEFFFE7
FHHHHFGFHGFHFGEFFEFFHEFEFFFFFFFFGHHHFHGHHHFHHHHFGFGFGHGGEHFHFGGHGGGGHHFFHGHGFFEEEHHEHGHHF8
HIHIIIKHJKKHHIHKHKHKIJKHIJHJIHIJHKJHHHHHIJIIIKHIHIIHHIKIKKKIKIJJIIHKIHKJJJIIKKHHHKHKHIIIH:
KKKIKKKKKKKKIKIIKIKKKKKIKKKKKKKIKKKKKKKKKKIIKKKKKKIKKKKKIKKKIIKKKKIKKLKKKKKKKKIKKKKIIKKKK9
LMLLLKKNKKNLMKKLKKLLKLKKLKNLLKLLLKKLLMKKNKLNKKNLLKLNMKKLKLKKNNMMLMLLNLKMKKLMKLKLLNKLKLNNL;
NNNNMNNNNNLNLLNNNNLLNNLLNNLNNNNLLNLLNLNLNNLLLLNNMNLLNLLNNNNLNLNLLLNNNNLLLNLNNNNNNNLNNLLLN>
OOONOOONOQNONONOOONONONOONONNORONOQNONOOOONRNORNNQNNOOONOOOONOOOQOQONOQNNRONQNNOORNOONNNN<
RRRRRRRROORORRROOORRRORROORRRRRORRRORROOPRRRRORROORRRRRRROROROOSRRRRRRORRRRRRRROORRORRRRR<
RSSRRRRSSSRRSVRSRRRSSSSRVSSRRSRRSRSSSSSSUURSSRRRSSRSUSUSVSRSSRURSRRSSUSVURSSSSSRRVRSRRVVS=
SSVVVVSVVTSSTVTVTSTVVVVWTSTVVWTVVVVVVVVSVSSSSSVSWSSWWVVVVSSVVVVVSVVVSVVVVVWVSSVVVWSVVSSSS@
WVZWWWVWWZZWWWVWWWWWWVWWWYZWWWWWVWVWWVWWVZZZWWWWWWWZWZWWWVWWVZWWWWWWYYWVWWVWWWWZZZWWYVWWV@
Z[Z[WWZZWWZZZXXZZZZWZXZZ[X[[[ZZWZZZZZWZZXWWZXZWZWZZZZZZZZZ[ZW[ZZ[ZZ[ZWWZ[[ZZWZZZZ[[WZZZZZA
[[^[^[^[[]^[^[[[[[[[[[^^[[[[^^[[[[[^^[[[^^[[[[[[[^]^[[[[^[[^^[[[^ZZ[[^[[[^^^^[[ZZ[[][[[[^-
^_^\^_\^[__^^_^^__^^^^___^__^\_\\_^^^^\^^_[__^^__^_^__^^\[^^_^_^^_^\_^_^^\^\^[^[[__^\^^^\-
ba_`__aa_____aaaab__a_aa``ab__a__a___b__a____`___a__a______a_a_b_a__a__`_aa`a__aa_abaa``a.
abbbbbbbababbabebababbbbbbbbbbbbbbbbbabaaababbabbbbbbaabbabbaabbabbdbabbbaaabbabbabababbb.
eeebeccbefbefefeffbbbeffeecbfbeeeebefebebefbceefeceefefffffbfebeebeeebebfeebfecbbbeeecffc/
ffiffffffffififfffffffffffffieffffffffffiifffiiffffiffiifffffffiffffffiffffffhffffffffiif/
ijjgijggjfifjjgijijjjjigjijgjiiijijjiiiffjijjjjjjijjijijjiijiijjjiigfijjjjjijjjjjjjgijjjj0
jjmjjjjjllllljjjkljlkjjmljljljjjkkjjjmkljjjjkjjjmljjklljljljjjkllkjmjjlljlkllmkllkklljllj1
mmlmmlmmmmlmmmmmkmmlmmlmmmmmmmmmmmmmmmmmlmmmmlmmlmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm2
npoppnomnomnmppnopomopommmnopmpnmonpppomopmooopmoppponpppmmpnompmompopnnompnopmmmmmoopoom2
ppppppqpppppppppsqpqprpppppppprpqppqrrprpqspppqrppprpppprqqrppppqpppprprpqpppqppppppppppr'
pssssssqrssssssspqssssssprqsssssssqrqssqsrrsqssrrqrsssrqsspsqqsspsqqsssspsssssqqqrrsqssss(
vtwvtvvttstvwwvtwsvsswvtsvtsvtwstwvsssvvtsssssswvswsssswsttvsssswwsssvwstwvswvssswtvvsvvv(
wwwwwwwwwwwwxwwwxwwwwwwwwwwtwwwwwwxwwwwwuwwwwwwxtwwwwwwwwwwwwwwwwwwxwxwwwwwwwwwwwwwxwwwww)
xyyzzzwyzyzzzzwzwwxzzyxzzzyyzzxxzzwxxxyxxxzzzzxyyyywzzzxyyxzzxzxzxyywyzzzwxxzxzyyxzzxwzzz*
xyyzzzwyzyzzzzwzwwxzzyxzzzyyzzxxzzwxxzz|zz|{zzz{|zzz{z{zzzzzzz|z{z{z{{z{zzzzzz{{{zzz{z{{{+
zz{{zz|{zzzzzz|}zzzzzzzzzz{z{|zz{zzz|{}}}}{}}}}{}{}}}}{}}}}{}}}}}}}{}}{}{}}{{}}zz}}}{}}}},
}}}{{{}}}{{}{{{}}{}}{{}}}{}}}{z}{}}{}{}}}}{}}}}{}{}}}}{}}}}{}}}}}}}{}}{}{}}{{}}zz}}}{}}}},
44444
333333333333333333333333333333333333333333333333333333333333333333333
4444444
333333333333333
444444444
33333333333333
4444444444444444444444444444444444444444444444444444444444444444
KERNEL32.DLL
MSVBVM60.DLL
LoadLibraryA
GetProcAddress
ExitProcess
进程树
-
Favorites.exe id: 2672
- explorer.exe id: 2832
-
msng.exe id: 2912
- explorer.exe id: 2432
- explorer.exe id: 2888
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49158 | 23.194.202.24 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49532 | 192.168.122.1 | 53 |
| 192.168.122.201 | 52179 | 192.168.122.1 | 53 |
| 192.168.122.201 | 52207 | 192.168.122.1 | 53 |
| 192.168.122.201 | 53125 | 192.168.122.1 | 53 |
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59906 | 192.168.122.1 | 53 |
| 192.168.122.201 | 60465 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65178 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65180 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| www.openclose.ir | ||
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49158 | 23.194.202.24 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49532 | 192.168.122.1 | 53 |
| 192.168.122.201 | 52179 | 192.168.122.1 | 53 |
| 192.168.122.201 | 52207 | 192.168.122.1 | 53 |
| 192.168.122.201 | 53125 | 192.168.122.1 | 53 |
| 192.168.122.201 | 56270 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 59906 | 192.168.122.1 | 53 |
| 192.168.122.201 | 60465 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65178 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65180 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 49.536 seconds )
- 21.297 NetworkAnalysis
- 13.248 BehaviorAnalysis
- 11.109 Suricata
- 2.454 Static
- 1.047 TargetInfo
- 0.348 peid
- 0.011 AnalysisInfo
- 0.011 Strings
- 0.009 config_decoder
- 0.002 Memory
Signatures ( 6.314 seconds )
- 1.433 proprietary_url_bl
- 0.775 api_spamming
- 0.595 stealth_timeout
- 0.584 stealth_decoy_document
- 0.392 mimics_filetime
- 0.384 reads_self
- 0.315 infostealer_browser
- 0.259 stealth_file
- 0.176 bootkit
- 0.126 infostealer_browser_password
- 0.118 virus
- 0.116 ipc_namedpipe
- 0.114 antivm_generic_scsi
- 0.091 antivm_generic_disk
- 0.077 antivm_generic_services
- 0.074 anormaly_invoke_kills
- 0.069 hancitor_behavior
- 0.05 antiav_detectreg
- 0.047 antidbg_windows
- 0.037 injection_createremotethread
- 0.024 injection_runpe
- 0.02 proprietary_anomaly_massive_file_ops
- 0.019 infostealer_ftp
- 0.018 packer_themida
- 0.018 injection_explorer
- 0.017 anomaly_persistence_autorun
- 0.015 kovter_behavior
- 0.014 ransomware_dmalocker
- 0.014 proprietary_anomaly_write_exe_and_obsfucate_extension
- 0.014 disables_wfp
- 0.013 proprietary_malicious_write_executeable_under_temp_to_regrun
- 0.013 antivm_vbox_window
- 0.013 sets_autoconfig_url
- 0.013 proprietary_domain_bl
- 0.011 proprietary_anomaly_write_exe_and_dll_under_winroot_run
- 0.011 antisandbox_script_timer
- 0.011 infostealer_im
- 0.01 browser_needed
- 0.01 vawtrak_behavior
- 0.01 antianalysis_detectreg
- 0.01 infostealer_bitcoin
- 0.009 banker_prinimalka
- 0.009 kelihos_behavior
- 0.009 h1n1_behavior
- 0.008 antiemu_wine_func
- 0.008 hawkeye_behavior
- 0.008 rat_luminosity
- 0.008 anomaly_persistence_bootexecute
- 0.008 creates_largekey
- 0.008 antiav_detectfile
- 0.007 proprietary_anomaly_terminated_process
- 0.007 anomaly_reset_winsock
- 0.007 pony_behavior
- 0.007 infostealer_mail
- 0.006 antisandbox_sleep
- 0.005 geodo_banking_trojan
- 0.005 ransomware_extensions
- 0.004 removes_zoneid_ads
- 0.004 deletes_self
- 0.004 ransomware_files
- 0.003 upatre_behavior
- 0.003 kibex_behavior
- 0.003 antivm_vbox_files
- 0.003 network_http
- 0.002 tinba_behavior
- 0.002 antivm_vbox_libs
- 0.002 betabot_behavior
- 0.002 exec_crash
- 0.002 antivm_parallels_keys
- 0.002 antivm_xen_keys
- 0.002 disables_browser_warn
- 0.002 darkcomet_regkeys
- 0.002 network_torgateway
- 0.001 network_tor
- 0.001 rat_nanocore
- 0.001 antiav_avast_libs
- 0.001 dridex_behavior
- 0.001 stealth_network
- 0.001 antisandbox_sunbelt_libs
- 0.001 antisandbox_sboxie_libs
- 0.001 antiav_bitdefender_libs
- 0.001 shifu_behavior
- 0.001 cerber_behavior
- 0.001 bypass_firewall
- 0.001 antidbg_devices
- 0.001 antisandbox_productid
- 0.001 antivm_generic_diskreg
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
- 0.001 proprietary_bad_drop
- 0.001 network_cnc_http
- 0.001 recon_fingerprint
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.942 seconds )
- 0.579 ReportHTMLSummary
- 0.363 Malheur
| Task ID | 744231 |
|---|---|
| Mongo ID | 66272f997e769a1b248efe64 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号