Analysis Task

Analysis Type  VM Label  Start Time  End Time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2024-04-25 14:39:15  2024-04-25 14:41:26  131 seconds

Maldun Score

10.0

Dangerous

File Details

File Name  setup查看6029 (1).exe
File Size  50528 bytes
File Type  PE32+ executable (GUI) x86-64, for MS Windows
MD5 a922cafbf77c19ebdadec1d8dc83306e
SHA1 0ce902c114e897a5b1deec5d6426e8828d284638
SHA256 d5c297c7df8ada2ad246b947919609b3a67f2236ce3b625e7336aea6ffae0234
SHA512 f0681c8f13e62f677748dcfee39975c81d524d493c646866505dec8714e46ecbe02459047b23e4dc776880a30cb78efe8a318341605de14d4f91934d7a7ade74
CRC32 B5AE8943
Ssdeep 768:m3OaHhxTKQ4HzEurz2lIX3NH3OWyHN9ZuPwkDwXfY1uEFCeFzl6Y:m33hxT6fFHA/N9ZuefcFCSzQY

Hosts Accessed

Direct IP  Security Rating  Geolocation
206.238.114.20  United States
8.134.163.184  United States

DNS Resolution

Domain  Security Rating  Response
6029.anonymousrat8.com  A  206.238.114.20

PE Information

Image Base  0x140000000
Entry Point  0x1400017c4
Declared Checksum  0x00000000
Actual Checksum  0x00010eae
Minimum OS Version Required  5.2
Compile Time  2024-04-25 13:41:53
Import Hash  5c1e1a097c044357c4eefded92c1ce68

Microsoft Certificate Verification (Sign Tool)

SHA1  Timestamp  Validity  Error
8d10842fa3fe6e52ae264be98228fd41c692a2ec  Wed Oct 21 10:13:07 2015  WinVerifyTrust returned error 0x80096010 (TRUST_E_BAD_DIGEST: the signature does not match the file contents)
Certificate Chain 1
Issued To  VeriSign Class 3 Public Primary Certification Authority - G5
Issuer  VeriSign Class 3 Public Primary Certification Authority - G5
Valid Until  Thu Jul 17 07:59:59 2036
SHA1 Hash  4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
Certificate Chain 2
Issued To  VeriSign Class 3 Code Signing 2010 CA
Issuer  VeriSign Class 3 Public Primary Certification Authority - G5
Valid Until  Sat Feb 08 07:59:59 2020
SHA1 Hash  495847a93187cfb8c71f840cb7b41497ad95c64f
Certificate Chain 3
Issued To  Tencent Technology(Shenzhen) Company Limited
Issuer  VeriSign Class 3 Code Signing 2010 CA
Valid Until  Wed Feb 17 07:59:59 2016
SHA1 Hash  2fdd445591cd2eedbef8b8a281896a59c08b3dc9
Timestamp Chain 1
Issued To  Thawte Timestamping CA
Issuer  Thawte Timestamping CA
Valid Until  Fri Jan 01 07:59:59 2021
SHA1 Hash  be36a4562fb2ee05dbb3d32323adf445084ed656
Timestamp Chain 2
Issued To  Symantec Time Stamping Services CA - G2
Issuer  Thawte Timestamping CA
Valid Until  Thu Dec 31 07:59:59 2020
SHA1 Hash  6c07453ffdda08b83707c09b82fb3d15f35336b1
Timestamp Chain 3
Issued To  Symantec Time Stamping Services Signer - G4
Issuer  Symantec Time Stamping Services CA - G2
Valid Until  Wed Dec 30 07:59:59 2020
SHA1 Hash  65439929b67973eb192d6ff243e6767adf0834e4

PE Sections

Name  Virtual Address  Virtual Size  Raw Data Size  Characteristics  Entropy
.text 0x00001000 0x000057a2 0x00005800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.21
.rdata 0x00007000 0x0000341c 0x00003600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.48
.data 0x0000b000 0x00002340 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.26
.pdata 0x0000e000 0x000005b8 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.15
.reloc 0x0000f000 0x000003b0 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.69

Overlay

Offset  0x0000ac00
Size  0x00001960

Imports

Library: KERNEL32.dll:
0x140007000 GetCurrentThread
0x140007008 LoadLibraryW
0x140007010 GetProcAddress
0x140007018 QueueUserAPC
0x140007020 GetModuleHandleA
0x140007028 VirtualProtect
0x140007030 GetCommandLineW
0x140007038 GetStartupInfoW
0x140007040 GetLastError
0x140007048 HeapFree
0x140007050 EncodePointer
0x140007058 DecodePointer
0x140007060 HeapAlloc
0x140007068 RaiseException
0x140007070 RtlPcToFileHeader
0x140007080 GetModuleHandleW
0x140007088 ExitProcess
0x140007090 WriteFile
0x140007098 GetStdHandle
0x1400070a0 GetModuleFileNameW
0x1400070a8 RtlUnwindEx
0x1400070b0 FreeEnvironmentStringsW
0x1400070b8 GetEnvironmentStringsW
0x1400070c0 SetHandleCount
0x1400070d0 GetFileType
0x1400070d8 DeleteCriticalSection
0x1400070e0 FlsGetValue
0x1400070e8 FlsSetValue
0x1400070f0 FlsFree
0x1400070f8 SetLastError
0x140007100 GetCurrentThreadId
0x140007108 FlsAlloc
0x140007110 HeapSetInformation
0x140007118 GetVersion
0x140007120 HeapCreate
0x140007128 QueryPerformanceCounter
0x140007130 GetTickCount
0x140007138 GetCurrentProcessId
0x140007140 GetSystemTimeAsFileTime
0x140007148 Sleep
0x140007150 HeapSize
0x140007158 LeaveCriticalSection
0x140007160 EnterCriticalSection
0x140007168 UnhandledExceptionFilter
0x140007170 IsDebuggerPresent
0x140007178 RtlVirtualUnwind
0x140007180 RtlLookupFunctionEntry
0x140007188 RtlCaptureContext
0x140007190 TerminateProcess
0x140007198 GetCurrentProcess
0x1400071a0 GetCPInfo
0x1400071a8 GetACP
0x1400071b0 GetOEMCP
0x1400071b8 IsValidCodePage
0x1400071c0 HeapReAlloc
0x1400071c8 WideCharToMultiByte
0x1400071d0 LCMapStringW
0x1400071d8 MultiByteToWideChar
0x1400071e0 GetStringTypeW
Library: USER32.dll:
0x1400071f0 MessageBoxW

No antivirus engine scan information!

Process Tree

setup______6029 _1_.exe, PID: 2620, Parent PID: 2256
explorer.exe, PID: 1360, Parent PID: 1328

TCP

Source Address  Source Port  Destination Address  Destination Port
192.168.122.201 49163 206.238.114.20 6029.anonymousrat8.com 6666
192.168.122.201 49164 206.238.114.20 6029.anonymousrat8.com 6666
192.168.122.201 49166 206.238.114.20 6029.anonymousrat8.com 6666
192.168.122.201 49160 23.15.196.139 80
192.168.122.201 49161 8.134.163.184 80

UDP

Source Address  Source Port  Destination Address  Destination Port
192.168.122.201 56270 192.168.122.1 53
192.168.122.201 59401 192.168.122.1 53
192.168.122.201 59906 192.168.122.1 53

HTTP Requests

URI  HTTP Data
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL: http://8.134.163.184/123.conf
GET /123.conf HTTP/1.1
User-Agent: TIME
Host: 8.134.163.184

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2024-04-25 14:39:49.226253+0800 192.168.122.201 49163 206.238.114.20 6666 TCP 2260003 SURICATA Applayer Protocol detection skipped Generic Protocol Command Decode

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 26.975 seconds )

  • 12.603 NetworkAnalysis
  • 11.418 Suricata
  • 2.035 BehaviorAnalysis
  • 0.331 Static
  • 0.283 peid
  • 0.279 TargetInfo
  • 0.018 AnalysisInfo
  • 0.006 Strings
  • 0.002 Memory

Signatures ( 39.408 seconds )

  • 37.295 network_http
  • 1.318 proprietary_url_bl
  • 0.133 api_spamming
  • 0.107 stealth_decoy_document
  • 0.102 stealth_timeout
  • 0.038 antiav_detectreg
  • 0.026 antivm_generic_disk
  • 0.025 hawkeye_behavior
  • 0.023 antivm_generic_scsi
  • 0.022 bootkit
  • 0.021 process_interest
  • 0.02 antivm_generic_services
  • 0.018 injection_runpe
  • 0.016 stealth_file
  • 0.014 vawtrak_behavior
  • 0.014 infostealer_ftp
  • 0.013 anormaly_invoke_kills
  • 0.01 antisandbox_sleep
  • 0.01 proprietary_domain_bl
  • 0.009 process_needed
  • 0.009 ransomware_extensions
  • 0.008 dridex_behavior
  • 0.008 antianalysis_detectreg
  • 0.008 infostealer_im
  • 0.008 ransomware_files
  • 0.007 antiemu_wine_func
  • 0.007 mimics_filetime
  • 0.007 reads_self
  • 0.007 anomaly_persistence_autorun
  • 0.007 virus
  • 0.007 kovter_behavior
  • 0.006 kazybot_behavior
  • 0.006 infostealer_browser_password
  • 0.006 antiav_detectfile
  • 0.005 geodo_banking_trojan
  • 0.005 infostealer_mail
  • 0.004 stealth_network
  • 0.004 hancitor_behavior
  • 0.004 infostealer_bitcoin
  • 0.004 network_torgateway
  • 0.003 proprietary_anomaly_massive_file_ops
  • 0.002 tinba_behavior
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 ispy_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vbox_files
  • 0.002 antivm_xen_keys
  • 0.002 disables_browser_warn
  • 0.001 proprietary_anomaly_terminated_process
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 proprietary_anomaly_write_exe_and_obsfucate_extension
  • 0.001 proprietary_anomaly_write_exe_and_dll_under_winroot_run
  • 0.001 rat_luminosity
  • 0.001 proprietary_malicious_write_executeable_under_temp_to_regrun
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 dead_connect
  • 0.001 cerber_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 office_security
  • 0.001 packer_armadillo_regkey
  • 0.001 ransomware_radamant
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.533 seconds )

  • 0.493 ReportHTMLSummary
  • 0.04 Malheur
Task ID 744304
Mongo ID 6629fb8a7e769a5b6abf316c
Cuckoo release 1.4-Maldun