Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2024-04-25 14:10:36  2024-04-25 14:11:23  47 seconds

Maldun score

4.325

Suspicious

File details

File name 小米球客户端.exe
File size 7282502 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
MD5 0ee60f94852ef1ecbb41bcd7aca890e3
SHA1 d03e3ddea2ccada2ab763a5bcd04cd6078906c6c
SHA256 e6510b71c9b9bb75437e803e93a01708516fdb8e96f2c14f22f572c74e9cb7e1
SHA512 43e79fe30733a5e25aad8287ab0b126a9ade571f2470b70cd056067cb6d336264b116d2d90f5b448cfa0033085c00a6642cdf0895bd97df22534c24129b50569
CRC32 5FD1C37D
Ssdeep 196608:phLZMmm/gjT4v4xV94u6obLfSeJBNrvcU21tkh7RrCyz3z4Y9u:agwv4X9MobLfSUHXaadZCyz3z4

Accessed hosts

No host records.

Domain resolution

No domain information.


PE information

Image base 0x140000000
Entry point 0x14000c540
Declared checksum 0x006f96dd
Actual checksum 0x006f96dd
Minimum OS version 5.2
Compile time 2024-04-24 17:14:53
Import hash f4f2e2b03fe5666a721620fcea3aea9b
Icon exact hash f0232b070553a3138f353c6672e0d651
Icon similarity hash b3a97d1ed52ee9a05e784e084d46fde2

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0002afb0 0x0002b000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.50
.rdata 0x0002c000 0x00012f36 0x00013000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.83
.data 0x0003f000 0x000033b8 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.83
.pdata 0x00043000 0x0000231c 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.38
_RDATA 0x00046000 0x000001f4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.71
.rsrc 0x00047000 0x00002bb4 0x00002c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.63
.reloc 0x0004a000 0x00000758 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.25

Overlay

Offset 0x00044c00
Size 0x006ad346

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_ICON 0x000470e8 0x000025a8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.76 dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON 0x00049690 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 1.92 MS Windows icon resource - 1 icon, 48x48
RT_MANIFEST 0x000496a4 0x0000050d LANG_NEUTRAL SUBLANG_NEUTRAL 5.26 XML 1.0 document, ASCII text

Imports

Library: USER32.dll:
0x14002c398 CreateWindowExW
0x14002c3a0 PostMessageW
0x14002c3a8 GetMessageW
0x14002c3b0 MessageBoxW
0x14002c3b8 MessageBoxA
0x14002c3c0 SystemParametersInfoW
0x14002c3c8 DestroyIcon
0x14002c3d0 SetWindowLongPtrW
0x14002c3d8 GetWindowLongPtrW
0x14002c3e0 GetClientRect
0x14002c3e8 InvalidateRect
0x14002c3f0 ReleaseDC
0x14002c3f8 GetDC
0x14002c400 DrawTextW
0x14002c408 GetDialogBaseUnits
0x14002c410 EndDialog
0x14002c418 DialogBoxIndirectParamW
0x14002c420 MoveWindow
0x14002c428 SendMessageW
Library: COMCTL32.dll:
0x14002c028 None
Library: KERNEL32.dll:
0x14002c058 IsValidCodePage
0x14002c060 GetStringTypeW
0x14002c068 GetFileAttributesExW
0x14002c070 HeapReAlloc
0x14002c078 FlushFileBuffers
0x14002c080 GetCurrentDirectoryW
0x14002c088 GetACP
0x14002c090 GetOEMCP
0x14002c098 GetModuleHandleW
0x14002c0a0 MulDiv
0x14002c0a8 GetLastError
0x14002c0b0 SetDllDirectoryW
0x14002c0b8 CreateFileW
0x14002c0c8 CloseHandle
0x14002c0d0 GetModuleFileNameW
0x14002c0d8 CreateSymbolicLinkW
0x14002c0e0 GetCPInfo
0x14002c0e8 GetCommandLineW
0x14002c0f0 GetEnvironmentVariableW
0x14002c0f8 SetEnvironmentVariableW
0x14002c108 CreateDirectoryW
0x14002c110 GetTempPathW
0x14002c118 WaitForSingleObject
0x14002c120 Sleep
0x14002c128 GetExitCodeProcess
0x14002c130 CreateProcessW
0x14002c138 GetStartupInfoW
0x14002c140 FreeLibrary
0x14002c148 LoadLibraryExW
0x14002c150 SetConsoleCtrlHandler
0x14002c158 FindClose
0x14002c160 FindFirstFileExW
0x14002c168 GetCurrentProcess
0x14002c170 LocalFree
0x14002c178 FormatMessageW
0x14002c180 MultiByteToWideChar
0x14002c188 WideCharToMultiByte
0x14002c190 GetEnvironmentStringsW
0x14002c198 FreeEnvironmentStringsW
0x14002c1a0 GetProcessHeap
0x14002c1a8 GetTimeZoneInformation
0x14002c1b0 HeapSize
0x14002c1b8 WriteConsoleW
0x14002c1c0 SetEndOfFile
0x14002c1c8 GetProcAddress
0x14002c1d0 GetSystemTimeAsFileTime
0x14002c1d8 RtlCaptureContext
0x14002c1e0 RtlLookupFunctionEntry
0x14002c1e8 RtlVirtualUnwind
0x14002c1f0 UnhandledExceptionFilter
0x14002c200 TerminateProcess
0x14002c210 QueryPerformanceCounter
0x14002c218 GetCurrentProcessId
0x14002c220 GetCurrentThreadId
0x14002c228 InitializeSListHead
0x14002c230 IsDebuggerPresent
0x14002c238 RtlUnwindEx
0x14002c240 SetLastError
0x14002c248 EnterCriticalSection
0x14002c250 LeaveCriticalSection
0x14002c258 DeleteCriticalSection
0x14002c268 TlsAlloc
0x14002c270 TlsGetValue
0x14002c278 TlsSetValue
0x14002c280 TlsFree
0x14002c288 EncodePointer
0x14002c290 RaiseException
0x14002c298 RtlPcToFileHeader
0x14002c2a0 GetCommandLineA
0x14002c2a8 GetDriveTypeW
0x14002c2b8 GetFileType
0x14002c2c0 PeekNamedPipe
0x14002c2d0 FileTimeToSystemTime
0x14002c2d8 GetFullPathNameW
0x14002c2e0 RemoveDirectoryW
0x14002c2e8 FindNextFileW
0x14002c2f0 SetStdHandle
0x14002c2f8 DeleteFileW
0x14002c300 ReadFile
0x14002c308 GetStdHandle
0x14002c310 WriteFile
0x14002c318 ExitProcess
0x14002c320 GetModuleHandleExW
0x14002c328 HeapFree
0x14002c330 GetConsoleMode
0x14002c338 ReadConsoleW
0x14002c340 SetFilePointerEx
0x14002c348 GetConsoleOutputCP
0x14002c350 GetFileSizeEx
0x14002c358 HeapAlloc
0x14002c360 FlsAlloc
0x14002c368 FlsGetValue
0x14002c370 FlsSetValue
0x14002c378 FlsFree
0x14002c380 CompareStringW
0x14002c388 LCMapStringW
Library: ADVAPI32.dll:
0x14002c000 OpenProcessToken
0x14002c008 GetTokenInformation
0x14002c018 ConvertSidToStringSidW
Library: GDI32.dll:
0x14002c038 SelectObject
0x14002c040 DeleteObject
0x14002c048 CreateFontIndirectW

No antivirus engine scan information.

Process tree


__________________.exe, PID: 2668, parent PID: 2348

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49157 23.194.202.11 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 26.996 seconds )

  • 11.332 Suricata
  • 10.42 NetworkAnalysis
  • 3.196 Static
  • 1.56 TargetInfo
  • 0.378 peid
  • 0.068 BehaviorAnalysis
  • 0.017 AnalysisInfo
  • 0.012 config_decoder
  • 0.011 Strings
  • 0.002 Memory

Signatures ( 1.49 seconds )

  • 1.381 proprietary_url_bl
  • 0.018 antiav_detectreg
  • 0.008 infostealer_ftp
  • 0.008 proprietary_domain_bl
  • 0.006 network_http
  • 0.005 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_im
  • 0.004 api_spamming
  • 0.004 antianalysis_detectreg
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 stealth_decoy_document
  • 0.003 stealth_timeout
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 proprietary_bad_drop
  • 0.002 network_cnc_http
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 reads_self
  • 0.001 kibex_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder

Reporting ( 0.474 seconds )

  • 0.467 ReportHTMLSummary
  • 0.007 Malheur
Task ID 744303
Mongo ID 6629f4567e769a5b69bf30e8
Cuckoo release 1.4-Maldun