分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64 | 2016-09-18 13:47:55 | 2016-09-18 13:48:40 | 45 秒 |
魔盾分数
2.0
正常的
文件详细信息
| 文件名 | RsTray.ico |
|---|---|
| 文件大小 | 68248 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 68d18a0915bbda36e573d5dbb9e6ea8e |
| SHA1 | 16a4da44ada8fbe61848c325105d5cc4223c2320 |
| SHA256 | ddd6f70209b2960c838eb152d6e0c3f303fc07f7d5a82eb3c55bbf468527f63b |
| SHA512 | 4a8fa3a413e050e87aa35616ccfb466d8cf7a8cce923edce0211ddfb4d24195bb8dbb513dfc62f411d4783337dc0dfb10d97487f308e6eb2023587b59ebde0a6 |
| CRC32 | 47AA1269 |
| Ssdeep | 768:cZpDTAcCakp1PbfVx/islij4uempE/LWMmVbCoD:cLPAikp1jdhlij4uXpE/aD9CoD |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 23.44.155.27 | 美国 | |
| 否 | 122.228.205.24 | 中国 |
域名解析 (可点击查询WPING实时安全评级)
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0040102a |
| 声明校验值 | 0x000187e9 |
| 实际校验值 | 0x000187e9 |
| 最低操作系统版本要求 | 4.0 |
| PDB路径 | C:\DistributedAutoLink\Temp\CompileOutputDir\RavRsTrayIco.pdb |
| 编译时间 | 2009-07-16 12:35:30 |
| 图标 |  |
| 图标精确哈希值 | 7c6bdac044fcf0fb0466c1d2ea544f07 |
| 图标相似性哈希值 | 446a8997e96fe2b2ed59900f794f8166 |
版本信息
| LegalCopyright | |
|---|---|
| InternalName | |
| FileVersion | |
| CompanyName | |
| SpecialBuild | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename | |
| Translation |
微软证书验证 (Sign Tool)
| SHA1 | 时间戳 | 有效性 | 错误 |
|---|---|---|---|
| 6d2149c2752f1d536d005b4b445033c9f3a78b92 | Fri Jul 17 09:29:23 2009 | 无 |
| 证书链 | Certificate Chain 1 |
| 发行给 | Class 3 Public Primary Certification Authority |
| 发行人 | Class 3 Public Primary Certification Authority |
| 有效期 | Wed Aug 02 075959 2028 |
| SHA1 哈希 | 742c3192e607e424eb4549542be1bbc53e6174e2 |
| 证书链 | Certificate Chain 2 |
| 发行给 | VeriSign Class 3 Code Signing 2009-2 CA |
| 发行人 | Class 3 Public Primary Certification Authority |
| 有效期 | Tue May 21 075959 2019 |
| SHA1 哈希 | 12d4872bc3ef019e7e0b6f132480ae29db5b1ca3 |
| 证书链 | Certificate Chain 3 |
| 发行给 | Beijing Rising Information Technology Corporation Limited |
| 发行人 | VeriSign Class 3 Code Signing 2009-2 CA |
| 有效期 | Mon Jul 23 075959 2012 |
| SHA1 哈希 | 08c44bdde3e6563f92032d65e95bac0844c742e8 |
| 证书链 | Timestamp Chain 1 |
| 发行给 | Thawte Timestamping CA |
| 发行人 | Thawte Timestamping CA |
| 有效期 | Fri Jan 01 075959 2021 |
| SHA1 哈希 | be36a4562fb2ee05dbb3d32323adf445084ed656 |
| 证书链 | Timestamp Chain 2 |
| 发行给 | VeriSign Time Stamping Services CA |
| 发行人 | Thawte Timestamping CA |
| 有效期 | Wed Dec 04 075959 2013 |
| SHA1 哈希 | f46ac0c6efbb8c6a14f55f09e2d37df4c0de012d |
| 证书链 | Timestamp Chain 3 |
| 发行给 | VeriSign Time Stamping Services Signer - G2 |
| 发行人 | VeriSign Time Stamping Services CA |
| 有效期 | Fri Jun 15 075959 2012 |
| SHA1 哈希 | ada8aaa643ff7dc38dd40fa4c97ad559ff4846de |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00003c68 | 0x00004000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.39 |
| .rdata | 0x00005000 | 0x000011da | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.14 |
| .data | 0x00007000 | 0x00000838 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.65 |
| .rsrc | 0x00008000 | 0x00006908 | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.60 |
覆盖
| 偏移量 | 0x0000f000 |
| 大小 | 0x00001a98 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0000e418 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.95 | GLS_BINARY_LSB_FIRST |
| RT_GROUP_ICON | 0x0000e880 | 0x00000084 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.89 | MS Windows icon resource - 9 icons, 48x48, 16-colors |
| RT_VERSION | 0x00008270 | 0x00000424 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.47 | data |
导入
库: KERNEL32.dll:
• 0x405000 GetModuleHandleA
• 0x405004 GetStartupInfoA
• 0x405008 GetCommandLineA
• 0x40500c GetVersionExA
• 0x405010 ExitProcess
• 0x405014 GetProcAddress
• 0x405018 TerminateProcess
• 0x40501c GetCurrentProcess
• 0x405020 WriteFile
• 0x405024 GetStdHandle
• 0x405028 GetModuleFileNameA
• 0x40502c UnhandledExceptionFilter
• 0x405030 FreeEnvironmentStringsA
• 0x405034 GetEnvironmentStrings
• 0x405038 FreeEnvironmentStringsW
• 0x40503c WideCharToMultiByte
• 0x405040 GetLastError
• 0x405044 GetEnvironmentStringsW
• 0x405048 SetHandleCount
• 0x40504c GetFileType
• 0x405050 HeapDestroy
• 0x405054 HeapCreate
• 0x405058 VirtualFree
• 0x40505c HeapFree
• 0x405060 LoadLibraryA
• 0x405064 GetACP
• 0x405068 GetOEMCP
• 0x40506c GetCPInfo
• 0x405070 HeapAlloc
• 0x405074 VirtualAlloc
• 0x405078 HeapReAlloc
• 0x40507c RtlUnwind
• 0x405080 InterlockedExchange
• 0x405084 VirtualQuery
• 0x405088 HeapSize
• 0x40508c QueryPerformanceCounter
• 0x405090 GetTickCount
• 0x405094 GetCurrentThreadId
• 0x405098 GetCurrentProcessId
• 0x40509c GetSystemTimeAsFileTime
• 0x4050a0 LCMapStringA
• 0x4050a4 MultiByteToWideChar
• 0x4050a8 LCMapStringW
• 0x4050ac GetStringTypeA
• 0x4050b0 GetStringTypeW
• 0x4050b4 GetLocaleInfoA
• 0x4050b8 VirtualProtect
• 0x4050bc GetSystemInfo
.text
`.rdata
@.data
.rsrc
9=,x@
9=,x@
SVWUj
FVh|\@
GWh|\@
CorExitProcess
mscoree.dll
runtime error
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
Program:
Buffer overrun detected!
Unknown security failure detected!
C:\DistributedAutoLink\Temp\CompileOutputDir\RavRsTrayIco.pdb
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersionExA
ExitProcess
GetProcAddress
TerminateProcess
GetCurrentProcess
WriteFile
GetStdHandle
GetModuleFileNameA
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
LoadLibraryA
GetACP
GetOEMCP
GetCPInfo
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
InterlockedExchange
VirtualQuery
HeapSize
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualProtect
GetSystemInfo
KERNEL32.dll
bwf'p
gv&fp
v'ggx
LN@9L!#-#PTGCj
13(+25DOBL@R
9:UJ=EGVQPM?
HSXXXYWN8R
T>6.I
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
Beijing Rising Information Technology Co., Ltd.
FileDescription
RsTrayIco
FileVersion
22.0.0.2
InternalName
Beijing Rising Information Technology Co., Ltd.
LegalCopyright
Copyright(C) 2009-2010 Beijing Rising Information Technology Co., Ltd. All Rights Reserved.
OriginalFilename
RsTray.ico
ProductName
Rising AntiVirus 2010
ProductVersion
22.00
SpecialBuild
833445108750000
VarFileInfo
Translation
| 防病毒引擎/厂商 | 病毒名/规则匹配 | 病毒库日期 |
|---|---|---|
| Bkav | 未发现病毒 | 20160827 |
| MicroWorld-eScan | 未发现病毒 | 20160827 |
| nProtect | 未发现病毒 | 20160827 |
| CMC | 未发现病毒 | 20160824 |
| CAT-QuickHeal | 未发现病毒 | 20160826 |
| McAfee | 未发现病毒 | 20160827 |
| Malwarebytes | 未发现病毒 | 20160827 |
| Zillya | 未发现病毒 | 20160826 |
| TheHacker | 未发现病毒 | 20160826 |
| BitDefender | 未发现病毒 | 20160827 |
| K7GW | 未发现病毒 | 20160827 |
| K7AntiVirus | 未发现病毒 | 20160827 |
| TrendMicro | 未发现病毒 | 20160827 |
| Baidu | 未发现病毒 | 20160827 |
| F-Prot | 未发现病毒 | 20160827 |
| Symantec | 未发现病毒 | 20160827 |
| TotalDefense | 未发现病毒 | 20160827 |
| TrendMicro-HouseCall | 未发现病毒 | 20160827 |
| Avast | 未发现病毒 | 20160827 |
| ClamAV | 未发现病毒 | 20160827 |
| Kaspersky | 未发现病毒 | 20160827 |
| Alibaba | 未发现病毒 | 20160826 |
| NANO-Antivirus | 未发现病毒 | 20160827 |
| ViRobot | 未发现病毒 | 20160827 |
| AegisLab | 未发现病毒 | 20160827 |
| Rising | 未发现病毒 | 20160827 |
| Ad-Aware | 未发现病毒 | 20160827 |
| Sophos | 未发现病毒 | 20160827 |
| Comodo | 未发现病毒 | 20160827 |
| F-Secure | 未发现病毒 | 20160827 |
| DrWeb | 未发现病毒 | 20160827 |
| VIPRE | 未发现病毒 | 20160827 |
| Invincea | 未发现病毒 | 20160826 |
| McAfee-GW-Edition | 未发现病毒 | 20160827 |
| Emsisoft | 未发现病毒 | 20160827 |
| Cyren | 未发现病毒 | 20160827 |
| Jiangmin | 未发现病毒 | 20160827 |
| Avira | 未发现病毒 | 20160827 |
| Antiy-AVL | 未发现病毒 | 20160827 |
| Kingsoft | 未发现病毒 | 20160827 |
| Microsoft | 未发现病毒 | 20160827 |
| Arcabit | 未发现病毒 | 20160827 |
| SUPERAntiSpyware | 未发现病毒 | 20160826 |
| GData | 未发现病毒 | 20160827 |
| AhnLab-V3 | 未发现病毒 | 20160826 |
| ALYac | 未发现病毒 | 20160827 |
| AVware | 未发现病毒 | 20160827 |
| VBA32 | 未发现病毒 | 20160826 |
| Zoner | 未发现病毒 | 20160827 |
| ESET-NOD32 | 未发现病毒 | 20160827 |
| Tencent | 未发现病毒 | 20160827 |
| Yandex | 未发现病毒 | 20160826 |
| Ikarus | 未发现病毒 | 20160827 |
| Fortinet | 未发现病毒 | 20160827 |
| AVG | 未发现病毒 | 20160827 |
| Panda | 未发现病毒 | 20160827 |
| CrowdStrike | 未发现病毒 | 20160826 |
| Qihoo-360 | 未发现病毒 | 20160827 |
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 23.44.155.27 | 美国 | |
| 否 | 122.228.205.24 | 中国 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.69 | 59209 | 122.228.205.24 www.download.windowsupdate.com | 80 |
| 192.168.122.69 | 59208 | 192.168.122.1 | 53 |
| 192.168.122.69 | 59210 | 23.44.155.27 ocsp.verisign.com | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.69 | 52766 | 192.168.122.1 | 53 |
| 192.168.122.69 | 54419 | 192.168.122.1 | 53 |
| 192.168.122.69 | 57129 | 192.168.122.1 | 53 |
| 192.168.122.69 | 58396 | 192.168.122.1 | 53 |
| 192.168.122.69 | 59029 | 192.168.122.1 | 53 |
| 192.168.122.69 | 62204 | 192.168.122.1 | 53 |
| 192.168.122.69 | 63333 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.69 | 59209 | 122.228.205.24 www.download.windowsupdate.com | 80 |
| 192.168.122.69 | 59208 | 192.168.122.1 | 53 |
| 192.168.122.69 | 59210 | 23.44.155.27 ocsp.verisign.com | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.69 | 52766 | 192.168.122.1 | 53 |
| 192.168.122.69 | 54419 | 192.168.122.1 | 53 |
| 192.168.122.69 | 57129 | 192.168.122.1 | 53 |
| 192.168.122.69 | 58396 | 192.168.122.1 | 53 |
| 192.168.122.69 | 59029 | 192.168.122.1 | 53 |
| 192.168.122.69 | 62204 | 192.168.122.1 | 53 |
| 192.168.122.69 | 63333 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 86402 Connection: Keep-Alive Accept: */* If-Modified-Since: Thu, 14 Jan 2016 00:22:10 GMT If-None-Match: "0e59c9b614ed11:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com |
| URL专业沙箱检测 -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
| URL专业沙箱检测 -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
| URL专业沙箱检测 -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 27.409 seconds )
- 25.266 NetworkAnalysis
- 1.292 VirusTotal
- 0.325 Static
- 0.22 peid
- 0.186 TargetInfo
- 0.038 BehaviorAnalysis
- 0.027 Debug
- 0.025 AnalysisInfo
- 0.013 Strings
- 0.01 config_decoder
- 0.003 Dropped
- 0.002 Memory
- 0.002 ProcessMemory
Signatures ( 0.059 seconds )
- 0.011 antiav_detectreg
- 0.005 persistence_autorun
- 0.005 infostealer_ftp
- 0.004 antiav_detectfile
- 0.004 geodo_banking_trojan
- 0.004 ransomware_files
- 0.003 infostealer_bitcoin
- 0.003 infostealer_im
- 0.002 tinba_behavior
- 0.002 antianalysis_detectreg
- 0.002 antivm_vbox_files
- 0.002 disables_browser_warn
- 0.002 infostealer_mail
- 0.002 network_torgateway
- 0.001 betabot_behavior
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 modify_proxy
- 0.001 browser_security
- 0.001 md_domain_bl
- 0.001 network_http
Reporting ( 2.638 seconds )
- 2.122 ReportPDF
- 0.503 ReportHTMLSummary
- 0.013 Malheur
| Task ID | 18332 |
|---|---|
| Mongo ID | 57de2ad74d3bd0391814b42e |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号