魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-12-19 17:07:59	2021-12-19 17:08:00	1 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp02-1	win7-sp1-x64-shaapp02-1	KVM	2021-12-19 17:07:59	2021-12-19 17:08:00

魔盾分数
2.55 可疑的

文件详细信息

文件名	勇者之刃2浮影辅助1.1_.exe
文件大小	2072576 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	1BBABE21
MD5	53844aa9f253a34a2a3aab7ced31b371
SHA1	b12b9c65d7c87568a5bff5777bc72e87f8d7c1c4
SHA256	99b43d3e6154b2b288e005ca8c6096e68a11e12f3646b24b53a42f278b5b30ad
SHA512	6a3db08fada77bc23282e73583207e2c41567d11f0baa7a75409adf4a2a17a09a6fab382cf06ff459c83a701b5f313418d0e47eaf93db4405eb941c0132081b3
Ssdeep	49152:SOXVB7UY4gPjFlLR/Kvyl7ccA/bNQotOxT:lXcY4gbH7l52KT
PEiD	无匹配
Yara	DebuggerCheck__RemoteAPI () DebuggerHiding__Thread () DebuggerTiming__Ticks (Detected timing ticks function) ThreadControl__Context () vmdetect (Possibly employs anti-virtualization techniques) anti_dbg (Detected self protection if being debugged) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasRichSignature (Detected Rich Signature) RijnDael_AES (Look for RijnDael AES)
VirusTotal	VirusTotal查询失败

特征

二进制文件可能包含加密或压缩数据

section: name: .text, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0008a000, virtual_size: 0x001fc000

section: name: .sedata, entropy: 7.48, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00102000, virtual_size: 0x00102000

section: name: .sedata, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00001000, virtual_size: 0x00001000

魔盾安全Yara规则检测结果 - 安全告警

Informational: Possibly employs anti-virtualization techniques

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

异常的二进制特征

anomaly: Found duplicated section names

运行截图

无运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x006fcf40
声明校验值	0x001fcabd
实际校验值	0x001fcabd
最低操作系统版本要求	4.0
编译时间	2021-12-19 14:21:05
载入哈希	e900636cb94f7c98f338e9f3a4e32fa8

版本信息

LegalCopyright:	\u4f5c\u8005\u7248\u6743\u6240\u6709 \u8bf7\u5c0a\u91cd\u5e76\u4f7f\u7528\u6b63\u7248
FileVersion:	1.0.0.0
Comments:	\u672c\u7a0b\u5e8f\u4f7f\u7528\u6613\u8bed\u8a00\u7f16\u5199(http://www.eyuyan.com)
ProductName:	\u6613\u8bed\u8a00\u7a0b\u5e8f
ProductVersion:	1.0.0.0
FileDescription:	\u6613\u8bed\u8a00\u7a0b\u5e8f
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x001fc000	0x0008a000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.sedata	0x001fd000	0x00102000	0x00102000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.48
.idata	0x002ff000	0x00001000	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	1.55
.rsrc	0x00300000	0x0006b000	0x0006b000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.27
.sedata	0x0036b000	0x00001000	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.98

导入

库 WINMM.dll:

• 0x6ff33f - midiStreamOut

库 WS2_32.dll:

• 0x6ff34b - WSAAsyncSelect

库 RASAPI32.dll:

• 0x6ff357 - RasHangUpA

库 KERNEL32.dll:

• 0x6ff363 - CreateSemaphoreA

库 USER32.dll:

• 0x6ff36f - LoadBitmapA

库 GDI32.dll:

• 0x6ff37b - PtVisible

库 WINSPOOL.DRV:

• 0x6ff387 - DocumentPropertiesA

库 ADVAPI32.dll:

• 0x6ff393 - RegOpenKeyExA

库 SHELL32.dll:

• 0x6ff39f - SHEmptyRecycleBinA

库 ole32.dll:

• 0x6ff3ab - CoGetClassObject

库 OLEAUT32.dll:

• 0x6ff3b7 - VariantTimeToSystemTime

库 COMCTL32.dll:

• 0x6ff3c3 - None

库 oledlg.dll:

• 0x6ff3cf - None

库 WININET.dll:

• 0x6ff3db - InternetCloseHandle

库 comdlg32.dll:

• 0x6ff3e7 - ChooseColorA

库 MSVCRT.dll:

• 0x6ff3f3 - strncpy

库 IPHLPAPI.DLL:

• 0x6ff3ff - GetInterfaceInfo

库 PSAPI.DLL:

• 0x6ff40b - GetMappedFileNameW

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

无信息

访问的文件 无信息

读取的文件 无信息

修改的文件 无信息

删除的文件 无信息

注册表键 无信息

读取的注册表键 无信息

修改的注册表键 无信息

删除的注册表键 无信息

API解析 无信息