分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2022-07-25 11:05:24 | 2022-07-25 11:06:06 | 42 秒 |
魔盾分数
6.8625
危险的
文件详细信息
| 文件名 | CSGO人物透视免费版.exe |
|---|---|
| 文件大小 | 5771776 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 779c27426c80d93fbbf21b8a233ee169 |
| SHA1 | 31703dbc23f77730c6180cca923d5fe4eaddc451 |
| SHA256 | cc081381d90d824e4830ff08e1c75ef9a9394f11bfe53cc7091b95c7f1a5f23c |
| SHA512 | 211e4312e5bc1e8642e60f0f0e01c55420aee346382f18379ae2ddeb9fec9853ae6c9ced7d01fcf32bc566e4698e814da39f3e90c3d5d84e18f2d0eebce57835 |
| CRC32 | 52B6FD6A |
| Ssdeep | 98304:vOnI/+ATHMqXaIDfXRDeF7TAtP8qgRXRfrDWZbJyhUmLrVaLI/0XdtN43wCKe:vO++A9aCpyF7TY0X5rDWXyhgI9wCK |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x008c57d0 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00582d50 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1970-01-01 08:00:00 |
| 载入哈希 | d88419525374520d822b7a560566a98e |
| 图标 |  |
| 图标精确哈希值 | 2b06babd803a0b392668a61ee59d05bc |
| 图标相似性哈希值 | 0e79cdcd4e019e8d38e8cc71fc542eab |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00015682 | 0x00015800 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.31 |
| .rdata | 0x00017000 | 0x0000164e | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.85 |
| .data | 0x00019000 | 0x00019a28 | 0x0000a400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.65 |
| .rsrc | 0x00033000 | 0x00443da8 | 0x00443e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 8.00 |
| .svmp | 0x00477000 | 0x0004d000 | 0x0004c600 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.88 |
| svmp3 | 0x004c4000 | 0x00059000 | 0x00058200 | IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.29 |
| svmp3 | 0x0051d000 | 0x0007e000 | 0x00076200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.86 |
| svmp3 | 0x0059b000 | 0x00002000 | 0x00001200 | IMAGE_SCN_MEM_READ | 0.70 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x0003683c | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.72 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003683c | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.72 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003683c | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 6.72 | GLS_BINARY_LSB_FIRST |
| RT_RCDATA | 0x00036ca4 | 0x0043fc21 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 8.00 | data |
| RT_GROUP_ICON | 0x004768c8 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 1.92 | MS Windows icon resource - 1 icon, 48x48 |
| RT_VERSION | 0x004768dc | 0x0000029c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.39 | data |
| RT_MANIFEST | 0x00476b78 | 0x0000022e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.14 | XML 1.0 document, ASCII text, with CRLF line terminators |
导入
库: KERNEL32.dll:
• 0x99c000 OpenEventA
库: USER32.dll:
• 0x99c008 PeekMessageA
库: SHLWAPI.dll:
• 0x99c010 PathRemoveExtensionA
库: SHELL32.dll:
• 0x99c018 ShellExecuteA
库: GDI32.dll:
• 0x99c020 DeleteObject
库: MSVCRT.dll:
• 0x99c028 memmove
库: KERNEL32.dll:
• 0x8c9034 GetProcessHeap
• 0x8c9038 Sleep
• 0x8c903c ReadFile
• 0x8c9040 CreateFileW
• 0x8c9044 lstrcatA
• 0x8c9048 SetThreadPriority
• 0x8c904c GetHandleInformation
• 0x8c9050 GetLastError
• 0x8c9054 SetLastError
• 0x8c9058 VirtualAlloc
• 0x8c905c CopyFileA
• 0x8c9060 LoadLibraryA
• 0x8c9064 GetModuleFileNameA
• 0x8c9068 GetModuleHandleA
• 0x8c906c IsDebuggerPresent
• 0x8c9070 VirtualFree
• 0x8c9074 SuspendThread
• 0x8c9078 DeleteFileA
• 0x8c907c CreateThread
• 0x8c9080 InterlockedDecrement
• 0x8c9084 TerminateThread
• 0x8c9088 GetProcAddress
• 0x8c908c VirtualProtect
• 0x8c9090 lstrlenW
• 0x8c9094 GetPrivateProfileIntW
• 0x8c9098 VirtualProtectEx
• 0x8c909c UnhandledExceptionFilter
• 0x8c90a0 TerminateProcess
• 0x8c90a4 RtlUnwind
• 0x8c90a8 GetModuleHandleW
• 0x8c90ac OutputDebugStringW
• 0x8c90b0 SetUnhandledExceptionFilter
• 0x8c90b4 WaitForSingleObject
• 0x8c90b8 SetHandleInformation
• 0x8c90bc HeapFree
• 0x8c90c0 GetCurrentProcess
• 0x8c90c4 HeapAlloc
• 0x8c90c8 lstrlenA
• 0x8c90cc CreateMutexW
• 0x8c90d0 GetFileSize
• 0x8c90d4 CreateFileA
• 0x8c90d8 CloseHandle
• 0x8c90dc ExitProcess
库: USER32.dll:
• 0x8c9104 LoadCursorW
• 0x8c9108 BeginPaint
• 0x8c910c GetDC
• 0x8c9110 RegisterClassExW
• 0x8c9114 KillTimer
• 0x8c9118 EndPaint
• 0x8c911c UnregisterClassW
• 0x8c9120 DefWindowProcW
• 0x8c9124 MessageBoxA
• 0x8c9128 LoadStringW
• 0x8c912c UpdateWindow
• 0x8c9130 PeekMessageW
• 0x8c9134 CreateWindowExW
• 0x8c9138 GetSystemMetrics
• 0x8c913c SetTimer
• 0x8c9140 DispatchMessageW
• 0x8c9144 DestroyWindow
• 0x8c9148 ShowWindow
库: GDI32.dll:
• 0x8c9014 DeleteObject
• 0x8c9018 SelectObject
• 0x8c901c CreateCompatibleDC
• 0x8c9020 BitBlt
• 0x8c9024 DeleteDC
• 0x8c9028 CreateSolidBrush
• 0x8c902c CreateDIBitmap
库: ADVAPI32.dll:
• 0x8c9000 RegCloseKey
库: SHELL32.dll:
• 0x8c90f4 DragQueryFileW
库: ole32.dll:
• 0x8c9160 CoInitialize
库: PSAPI.DLL:
• 0x8c90ec GetModuleFileNameExW
库: imagehlp.dll:
• 0x8c9158 CheckSumMappedFile
库: SHLWAPI.dll:
• 0x8c90fc PathFindExtensionW
库: WS2_32.dll:
• 0x8c9150 send
库: MSWSOCK.dll:
• 0x8c90e4 AcceptEx
4;N+2=NRich*2=N
.text
.rdata
@.data
.rsrc
.svmp
svmp3
svmp3
svmp3
D$$xqA
8`}<j
L$$PQh
F @'A
F$`'A
L$ RUPj
WINMM.dll
QUFBQUFBsKGwobChLmV4ZQ==
Internal Error :-)
|_&_|
Data Error :-)
MITU_BIN
Loading Resource Failure :-)
winver.exe
@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Mitu_Memory_Patch_By_NewType
http://
https://
mailto:
ComSpec
A(!^_^!)
worked
@0123456789ABCDEF
Handle Failure Memory Address
MiTu_DrawPanel
Static
user32.dll
ntdll.dll
shlwapi.dll
user32
shell32.dll
kernel32.dll
kernel32
ole32
olepro32
MessageBoxTimeoutA
RtlAdjustPrivilege
PathRemoveExtensionA
PathIsDirectoryA
GetInputState
OpenEventA
CreateEventA
ShellExecuteA
GetModuleHandleA
FindResourceA
SizeofResource
LoadResource
LockResource
GetTempPathA
SHGetSpecialFolderPathA
CreateProcessA
LocalSize
RtlMoveMemory
GetThreadContext
ReadProcessMemory
ZwUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
VirtualProtectEx
SetThreadContext
ResumeThread
WaitForSingleObject
CloseHandle
GetEnvironmentVariableA
TerminateProcess
lstrcpyn
SendMessageA
FindWindowExA
GetWindowThreadProcessId
GetClassNameA
IsWindowVisible
GetWindowRect
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
ZwOpenProcess
ZwQuerySystemInformation
ZwDuplicateObject
ZwQueryInformationProcess
ZwClose
VirtualQueryEx
GetDlgCtrlID
InvalidateRect
EnumChildWindows
GetParent
ShowWindow
DestroyWindow
SetWindowLongA
ScreenToClient
CreateWindowExA
GlobalAlloc
GlobalLock
GlobalUnlock
CreateStreamOnHGlobal
CLSIDFromString
OleLoadPicture
CopyImage
DeleteObject
GlobalFree
lstrcatA
CallWindowProcA
IsWindowEnabled
EnableWindow
MoveWindow
PostMessageA
GetCurrentThreadId
AttachThreadInput
SetFocus
GetFocus
GetExitCodeThread
error
%I64d
blackmoon
ERROR
DLL ERROR
1.1.3
1.1.3
1.1.3
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
{7BF80980-BF32-101A-8BBB-00AA00300CAB}
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49158 | 23.56.4.82 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49158 | 23.56.4.82 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 22.459 seconds )
- 12.884 Suricata
- 5.327 Static
- 1.404 TargetInfo
- 1.137 VirusTotal
- 1.052 NetworkAnalysis
- 0.405 peid
- 0.113 BehaviorAnalysis
- 0.111 config_decoder
- 0.014 Strings
- 0.01 AnalysisInfo
- 0.002 Memory
Signatures ( 1.638 seconds )
- 1.505 md_url_bl
- 0.021 antiav_detectreg
- 0.009 infostealer_ftp
- 0.009 md_domain_bl
- 0.006 api_spamming
- 0.006 anomaly_persistence_autorun
- 0.006 antiav_detectfile
- 0.005 geodo_banking_trojan
- 0.005 infostealer_im
- 0.005 ransomware_extensions
- 0.005 ransomware_files
- 0.004 stealth_decoy_document
- 0.004 stealth_timeout
- 0.004 antianalysis_detectreg
- 0.004 infostealer_bitcoin
- 0.004 network_http
- 0.003 infostealer_mail
- 0.002 tinba_behavior
- 0.002 rat_nanocore
- 0.002 kovter_behavior
- 0.002 antivm_vbox_files
- 0.002 bot_drive
- 0.002 browser_security
- 0.002 disables_browser_warn
- 0.001 antiemu_wine_func
- 0.001 mimics_filetime
- 0.001 betabot_behavior
- 0.001 reads_self
- 0.001 kibex_behavior
- 0.001 antivm_generic_scsi
- 0.001 shifu_behavior
- 0.001 infostealer_browser_password
- 0.001 cerber_behavior
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 banker_zeus_mutex
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 modify_proxy
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 md_bad_drop
- 0.001 network_cnc_http
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.581 seconds )
- 0.58 ReportHTMLSummary
- 0.001 Malheur
| Task ID | 700579 |
|---|---|
| Mongo ID | 62de08c17e769a70cca32eb4 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号