Views: 3801 | Replies: 12

[Suspicious file] 网易账号生成器 (NetEase account generator)

PercyDan
Posted 2018-7-28 16:08:47
Last edited by PercyDan on 2018-7-28 16:10

McAfee ("咖啡") proactive defense killed it.
Could the experts analyze its behavior? I'm afraid it carries a browser-homepage-hijacking ("锁首") virus....
Lanzou Cloud (download link)
Jerry.Lin
Posted 2018-7-28 16:15:53
Emsisoft Anti-Malware - Version 2018.6
Last update: 2018/7/28 13:08:50
Started by: DESKTOP-VPBE70N\zhong
Computer name: DESKTOP-VPBE70N
OS version: Windows 10x64

Scan settings:

Scan type:
Objects: C:\Users\zhong\Downloads\Compressed\VIRUS TEST\卡饭\网易账号生成器.exe

Detect PUPs: On
Scan archives: On
Scan mail archives: Off
Scan ADS streams: On
File extension filter: Off
Direct disk access: Off

Scan start:        2018/7/28 16:15:21
C:\Users\zhong\Downloads\Compressed\VIRUS TEST\卡饭\网易账号生成器.exe          Gen:Variant.Symmi.2128 (B) [krnl.xmd]

Scanned        1
Found        1

Scan end:        2018/7/28 16:15:27
Scan time:        0:00:06
WHALE-FALL
Posted 2018-7-28 16:29:03
Bitdefender (BD) seems to have blocked the web page:
Infected webpage detected
now

Feature:
Online Threat Prevention

We blocked this dangerous page for your protection:
https://development01.baidupan.c ... ;fi=4262320&up=
Threat name: Gen:Variant.Symmi.2128
Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.
renyifei
Posted 2018-7-28 16:33:30
ESET Chinese version: miss. It should be 易语言 (Easy Language).
The English version flags it as potentially unwanted.
心醉咖啡
Posted 2018-7-28 16:41:59
Huorong (火绒) scan: miss.
stupid1man
Posted 2018-7-28 17:11:08
Avira

APC flags it: 'HEUR/APC'
275751198
Posted 2018-7-28 19:43:54
Two alerts popped up before I knew it.

[attachment: screenshot, login required to view]
zhoutaoyu
Posted 2018-7-28 19:46:30
Norton proactively detected and removed it as soon as it was downloaded.

[attachment: screenshot, login required to view]
www-tekeze
Posted 2018-7-28 19:55:58
Huorong doesn't flag it, Zhiliang (智量) does..

[attachment: screenshot, login required to view]
wk2534425660
Posted 2018-7-28 22:05:20
Last edited by 18603867890 on 2018-7-28 22:08

IOC object: 937155d59183e09751a17b70388e24390279309a82660371ee5ec655c4a5c108
IOC type: file_sha256
Intelligence type: malware
Confidence: 75
Severity: Critical
Tags: N/A

  • Time & API | Arguments | Status | Return
    2018-07-28 16:30:57  SetFileAttributesW
        file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
        filepath_r: C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll
        filepath: C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll
        status=1 return=1
  • Generated some ICMP traffic

Suspicious behaviors (7)

  • Changed process memory protection to executable; possible code injection
    NtProtectVirtualMemory, 50 calls, all at 2018-07-28 16:30:57 with process_identifier 2668, process_handle 0xffffffff (the current-process pseudo-handle), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0, status=1 return=0.
    protection 64 = 0x40 PAGE_EXECUTE_READWRITE, 32 = 0x20 PAGE_EXECUTE_READ.

     #  base_address  length  protection
     1  0x02099000    4096    64
     2  0x76e2d000    4096    64
     3  0x76e2d000    4096    32
     4  0x02099000    4096    64
     5  0x02099000    4096    64
     6  0x76e28000    4096    64
     7  0x76e28000    4096    32
     8  0x02099000    4096    64
     9  0x02099000    4096    64
    10  0x7711d000    4096    64
    11  0x7711d000    4096    32
    12  0x02099000    4096    64
    13  0x02099000    4096    64
    14  0x77127000    4096    64
    15  0x77127000    4096    32
    16  0x02099000    4096    64
    17  0x02099000    4096    64
    18  0x77118000    4096    64
    19  0x77118000    4096    32
    20  0x02099000    4096    64
    21  0x02099000    4096    64
    22  0x77116000    8192    64
    23  0x77116000    8192    32
    24  0x02099000    4096    64
    25  0x02099000    4096    64
    26  0x77121000    4096    64
    27  0x77121000    4096    32
    28  0x02099000    4096    64
    29  0x02099000    4096    64
    30  0x77121000    4096    64
    31  0x77121000    4096    32
    32  0x02099000    4096    64
    33  0x02099000    4096    64
    34  0x77117000    4096    64
    35  0x77117000    4096    32
    36  0x02099000    4096    64
    37  0x02099000    4096    64
    38  0x77118000    4096    64
    39  0x77118000    4096    32
    40  0x02099000    4096    64
    41  0x02099000    4096    64
    42  0x77117000    4096    64
    43  0x77117000    4096    32
    44  0x02099000    4096    64
    45  0x02099000    4096    64
    46  0x77121000    4096    64
    47  0x77121000    4096    32
    48  0x02099000    4096    64
    49  0x02099000    4096    64
    50  0x77124000    4096    64
  • Created executable files on the file system
    file: C:\Users\vbccsb\AppData\Local\Temp\go16311\SkinH_EL.dll
    file: C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll
  • Searched for and loaded module resources
    Time & API | Arguments | Status | Return
    2018-07-28 16:30:55  FindResourceExW  module_handle=0x00400000, type=#129, name=#14, language_identifier=0  status=1 return=5136640 (0x004e6100)
    2018-07-28 16:30:55  LoadResource  pointer=0x004e86d8, resource_handle=0x004e6100, module_handle=0x00400000  status=1 return=5146328 (0x004e86d8)
  • Queried key state
    GetKeyState, 21 calls, status=1 return=0 for each; key_code 17 = VK_CONTROL, 16 = VK_SHIFT, 18 = VK_MENU (Alt)
    2018-07-28 16:31:23  key_code 17, 16, 18, 17, 16, 18
    2018-07-28 16:32:13  key_code 17, 16, 18, 17, 16, 18
    2018-07-28 16:32:38  key_code 17, 16, 18
    2018-07-28 16:32:41  key_code 17, 16, 18
    2018-07-28 16:33:03  key_code 17, 16, 18
  • This binary may contain encrypted or compressed data; it is possibly packed
    section: name ".data", virtual_address 0x00009000, virtual_size 0x000dd000, size_of_data 0x000dd000, entropy 7.947815265719768
    entropy: 7.947815265719768
    entropy: 0.9525862068965517
  • Potentially malicious URL found in the process memory dump
    url: http://dywt.com.cn
  • Anomalous sample timestamp
    pe_timestamp: 1972-12-25 13:33:23

Normal behaviors (7)

  • Created writable files in a temporary directory
    NtCreateFile, 5 calls, each with create_disposition 5, desired_access 0x40100080, file_attributes 128, create_options 96, status_info 2, share_access 0, status=1 return=0; filepath_r is the same path with the \??\ prefix.
    2018-07-28 16:30:54  file_handle 0x00000070  C:\Users\vbccsb\AppData\Local\Temp\go16311\krnln.fnr
    2018-07-28 16:30:55  file_handle 0x00000070  C:\Users\vbccsb\AppData\Local\Temp\go16311\iext.fnr
    2018-07-28 16:30:55  file_handle 0x00000070  C:\Users\vbccsb\AppData\Local\Temp\go16311\shell.fne
    2018-07-28 16:30:55  file_handle 0x00000070  C:\Users\vbccsb\AppData\Local\Temp\go16311\SkinH_EL.dll
    2018-07-28 16:30:57  file_handle 0x00000124  C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll
  • Files dropped by the sample
    file: C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll
    file: C:\Users\vbccsb\AppData\Local\Temp\go16311\iext.fnr
    file: C:\Users\vbccsb\AppData\Local\Temp\go16311\krnln.fnr
    file: C:\Users\vbccsb\AppData\Local\Temp\go16311\SkinH_EL.dll
    file: C:\Users\vbccsb\AppData\Local\Temp\go16311\shell.fne
  • Enumerated files and directories
    2018-07-28 16:30:57  FindFirstFileExW  filepath_r / filepath: C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll  status=0 return=4294967295 (0xffffffff, INVALID_HANDLE_VALUE)
  • Retrieved system information
    2018-07-28 16:30:55  GetSystemInfo  processor_count=2  status=1 return=0
  • Initialized COM
    2018-07-28 16:30:59  CoInitializeEx  options=2  status=0 return=1
  • Generated some ICMP traffic
  • The executable uses a publicly known software protector
    packer: Armadillo v1.71





Intelligence verdict systems
Threat intelligence subscription (0) | URL classification (0) | Anomalous traffic detection (0) | Hunting (0) | DGA domain identification (0)


Basic information
Sample name: 937155d59183e09751a17b70388e24390279309a82660371ee5ec655c4a5c108
Sample type: PE32 executable (GUI) Intel 80386, for MS Windows
Sample size: 1764648
MD5: 11aac21cb00a240cf33cb6396ce28d92
SHA1: 84da7d9e4fcc05847f292930420bd588d724af34
SHA256: 937155d59183e09751a17b70388e24390279309a82660371ee5ec655c4a5c108
SSDeep: 49152:khvTZaqdwk0c05HGizv0oDPhWKkvKi9/Mn:yYqdwkLcHHj0obhWKptn



Static information
PE basic information
Entry-point section: .text
PEiD:
  • PE: compiler: Microsoft Visual C/C++(5.0)[libc]
  • PE: linker: unknown(5.6)[EXE32]
Image base: 0x400000
Overlay (appended data): 810280
Entry point (OEP): 0x3861
Import hash: 9165ea3e914e03bda3346f13edbd6ccd
Compile timestamp: 1972-12-25 13:33:23




PE file signature: (empty)
Third-party detection information: (empty)
Crypto fingerprint (findcrypt): (empty)
tag: (empty)

PE section table

Name    Virtual addr  Virtual size  Raw offset  Raw size    Perms  Entropy
.text   0x00001000    0x00004dcc    0x00001000  0x00005000  R-E    6.521928998085425
.rdata  0x00006000    0x00000a4a    0x00006000  0x00001000  R--    3.559834390888599
.data   0x00007000    0x00001f58    0x00007000  0x00002000  RW-    2.8621523029872007
.data   0x00009000    0x000dd000    0x00009000  0x000dd000  RWE    7.947815265719768
.rsrc   0x000e6000    0x00002aec    0x000e6000  0x00003000  R--    4.273169287337295



PE resources

Name           Language      Type (libmagic)                                                                   Sublanguage                 Offset      Size
RT_ICON        LANG_CHINESE  dBase IV DBT of `.DBF, blocks size 48, block length 9216, next free block index 40  SUBLANG_CHINESE_SIMPLIFIED  0x000e6130  0x000025a8
RT_GROUP_ICON  LANG_CHINESE  MS Windows icon resource - 1 icon                                                 SUBLANG_CHINESE_SIMPLIFIED  0x000e86d8  0x00000014
RT_VERSION     LANG_CHINESE  data                                                                              SUBLANG_CHINESE_SIMPLIFIED  0x000e86ec  0x00000230
RT_MANIFEST    LANG_CHINESE  XML document text                                                                 SUBLANG_CHINESE_SIMPLIFIED  0x000e891c  0x000001cd

Version information
Copyright: 剑客网 版权所有
File version: 1.1.0.0
Company name: 剑客网
Comments: 网易账号生成器
Product name: 网易账号生成器
Product version: 1.1.0.0
File description: 网易账号生成器
Language: 0x0804 0x04b0





PE import table
  • KERNEL32.dll
    Function          Address
    GetProcAddress    0x406000
    LoadLibraryA      0x406004
    (40 more entries not shown)
  • USER32.dll
    Function          Address
    MessageBoxA       0x4060ac
    wsprintfA         0x4060b0
Network behavior
Domains (0) | DNS (0) | HTTP (0) | TCP (0) | UDP (1) | SMTP (0) | ICMP (1) | IRC (0) | Hosts (0) | Dead-Hosts (0)
Source address              Destination address
192.168.122.208:5355 (LLMNR)





Dropped files
iext.fnr      type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              size: 208896
              MD5: 856495a1605bfc7f62086d482b502c6f
              SHA256: 8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf
              path: C:\Users\vbccsb\AppData\Local\Temp\go16311\iext.fnr
skinh_el.dll  type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
              size: 88576
              MD5: 147127382e001f495d1842ee7a9e7912
              SHA256: edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
              path: C:\Users\vbccsb\AppData\Local\Temp\SkinH_EL.dll
krnln.fnr     type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              size: 1290240
              MD5: 142aeebfe85bde2a411116e39d8fd505
              SHA256: c77a0f67c3392dee0fb04f0544d8fd8a3b6ef072d371303afd3a2c468dda7a35
              path: C:\Users\vbccsb\AppData\Local\Temp\go16311\krnln.fnr
shell.fne     type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              size: 61440
              MD5: 98174c8c2995000efbda01e1b86a1d4d
              SHA256: 90284c2ead0598faa715cc90c1f53b83b916099c918ce7f816f0b4550ff55ac6
              path: C:\Users\vbccsb\AppData\Local\Temp\go16311\shell.fne
URL: https://s.threatbook.cn/report/f ... p1_enx64_office2013
  • The intermediate URL http://dywt.com.cn shows it is 易语言 (Easy Language).
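An added example, not code from the thread or from ThreatBook, that reproduces the static checks whose results the report above shows: per-section Shannon entropy, the R/W/E flags decoded from each section header's Characteristics field, the PE compile timestamp, and the size of the data appended after the last section (the overlay). It uses only the Python standard library. The PE it analyses is constructed in memory by build_sample_pe() to mirror the report's layout (a second ".data" section that is RWE and filled with random bytes, a 1972 timestamp, appended data); it is not the sample from the thread, and the thresholds in triage() (entropy above 7.0, timestamp before 1993 or in the future) are this example's own choices, not the sandbox's.

```python
"""Static PE triage: section entropy, RWX sections, timestamp sanity, overlay.

Added example; not code from the original post or from ThreatBook. The PE
it analyses is CONSTRUCTED by build_sample_pe() to mimic the report's
layout and is not the sample discussed in the thread.
"""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Stand-in for the report's 810280-byte overlay (constructed data).
OVERLAY = b"CONSTRUCTED OVERLAY: appended installer payload"


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def perms(characteristics):
    """Render the permission bits the way the report does ("R-E", "RWE")."""
    return ("R" if characteristics & IMAGE_SCN_MEM_READ else "-") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "-") + \
           ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "-")


def parse_pe(data):
    """Minimal PE32 parser: compile timestamp, section table, overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size
    sections, end_of_sections = [], 0
    for i in range(nsect):
        # IMAGE_SECTION_HEADER is 40 bytes; we keep name, sizes, offsets and flags
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, sect_off + i * 40)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize,
                         "perms": perms(chars), "entropy": shannon_entropy(raw)})
        end_of_sections = max(end_of_sections, rawptr + rawsize)
    ts = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {"timestamp": timestamp, "timestamp_utc": ts.strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections, "overlay": max(0, len(data) - end_of_sections)}


def triage(data, now=None):
    """Return findings as strings. Thresholds are this example's own choices."""
    pe = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    ts = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    findings = []
    # Assumption: no genuine Win32 PE predates 1993, and none is built in the future.
    if ts.year < 1993 or ts > now:
        findings.append("anomalous timestamp %s" % pe["timestamp_utc"])
    for s in pe["sections"]:
        if s["entropy"] > 7.0:
            findings.append("high-entropy section %s (%.2f): packed or encrypted data"
                            % (s["name"], s["entropy"]))
        if s["perms"] == "RWE":
            findings.append("writable+executable section %s: room for in-place unpacking" % s["name"])
    if pe["overlay"]:
        findings.append("%d bytes of overlay after the last section" % pe["overlay"])
    return findings


def build_sample_pe(seed=1):
    """CONSTRUCTED PE32 mirroring the report's layout; not the real sample."""
    rng = random.Random(seed)
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    sections = [  # (name, Characteristics, raw contents)
        (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE, bytes([0x55, 0x8B, 0xEC, 0xC3]) * 64),
        (b".rdata", IMAGE_SCN_MEM_READ, b"KERNEL32.dll\0GetProcAddress\0LoadLibraryA\0".ljust(256, b"\0")),
        (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, bytes(256)),
        (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE,
         bytes(rng.getrandbits(8) for _ in range(4096))),  # stands in for the packed payload
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    ts = int(datetime(1972, 12, 25, 13, 33, 23, tzinfo=timezone.utc).timestamp())
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), ts, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)  # ImageBase, alignments
    headers_len = len(dos) + 4 + len(file_hdr) + opt_size + 40 * len(sections)
    raw_ptr = -(-headers_len // file_align) * file_align
    first_raw, va, hdrs, blobs = raw_ptr, sect_align, b"", b""
    for name, chars, raw in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                            raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(raw) // sect_align) * sect_align
    image = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs).ljust(first_raw, b"\0")
    return image + blobs + OVERLAY


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_pe(sample)["sections"]:
        print("%-6s va=0x%08x raw=0x%08x %s entropy=%.3f"
              % (s["name"], s["va"], s["raw_size"], s["perms"], s["entropy"]))
    for f in triage(sample):
        print("!", f)
```

Run against a real file with triage(open(path, "rb").read()). The three findings it raises on the constructed sample are exactly the ones the report above raises on the real one: an RWE section with entropy near 8, a timestamp decades before any Win32 linker existed, and a large overlay, which together say "runtime-packed installer" before any dynamic analysis is done.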


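A second added example, not part of the original post or of ThreatBook's report, that reduces a NtProtectVirtualMemory trace like the 50-call list above to one verdict per page: a page switched to PAGE_EXECUTE_READWRITE (64) and then back to PAGE_EXECUTE_READ (32) was patched in place, the pattern the report shows for 0x76e2d000, 0x76e28000, 0x77116000 and the other 0x7711xxxx pages, while a page left at 64 (0x02099000 in the report) is a standing RWX region. The trace lines are constructed to mirror the report's values, the one-event-per-line format is this example's own rather than the sandbox's export format, and the two-state rule in classify() is a heuristic, not the sandbox's logic.

```python
"""Per-page verdicts from NtProtectVirtualMemory events in a sandbox trace.

Added example; the trace lines are CONSTRUCTED to mirror the report above
and the classification rule is this example's own heuristic.
"""
import re

# Memory protection constants from winnt.h
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Line format is this example's own (one event per line); the sandbox's real export differs.
EVENT_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) NtProtectVirtualMemory "
    r"pid=(?P<pid>\d+) base=(?P<base>0x[0-9a-f]+) length=(?P<length>\d+) "
    r"protection=(?P<prot>\d+)$", re.IGNORECASE)

# CONSTRUCTED from the report: same pid, page addresses, lengths and protection values.
SAMPLE_TRACE = """\
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x02099000 length=4096 protection=64
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x76e2d000 length=4096 protection=64
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x76e2d000 length=4096 protection=32
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x02099000 length=4096 protection=64
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x76e28000 length=4096 protection=64
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x76e28000 length=4096 protection=32
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x77116000 length=8192 protection=64
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x77116000 length=8192 protection=32
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x02099000 length=4096 protection=64
2018-07-28 16:30:57 NtProtectVirtualMemory pid=2668 base=0x77124000 length=4096 protection=64
"""


def parse_trace(text):
    """Parse the one-line-per-call format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"time": m["time"], "pid": int(m["pid"]),
                           "base": int(m["base"], 16), "length": int(m["length"]),
                           "prot": int(m["prot"])})
    return events


def describe(prot):
    """Human-readable protection, e.g. 64 -> 'PAGE_EXECUTE_READWRITE'."""
    return PAGE_NAMES.get(prot & 0xFF, "unknown(0x%x)" % prot)


def classify(events):
    """Map (pid, base) -> verdict from the page's protection history.

    Heuristic (this example's own):
      patch-and-restore : became writable+executable, last state is executable but not writable
      left-rwx          : became writable+executable and was still writable when the trace ended
      benign            : never writable+executable
    """
    history = {}
    for e in events:
        history.setdefault((e["pid"], e["base"]), []).append(e["prot"])
    verdicts = {}
    for key, prots in history.items():
        went_wx = any(p in WRITABLE and p in EXECUTABLE for p in prots)
        last = prots[-1]
        if went_wx and last in EXECUTABLE and last not in WRITABLE:
            verdicts[key] = "patch-and-restore"
        elif went_wx:
            verdicts[key] = "left-rwx"
        else:
            verdicts[key] = "benign"
    return verdicts


def report(text):
    """Collapse a trace into one line per page, in first-seen order."""
    return ["pid %d base 0x%08x: %s" % (pid, base, verdict)
            for (pid, base), verdict in classify(parse_trace(text)).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_TRACE):
        print(line)
```

The pages that flip 64 then 32 sit in the 0x76e2xxxx and 0x7711xxxx range where system DLLs are mapped in a 32-bit process, so "patch-and-restore" on them is the signature of a protector installing hooks or patching imports; the page that stays at 64 is where the unpacker keeps its own writable code. Whether a given address really belongs to a system DLL has to be confirmed against the process's module list, which this trace does not carry.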






KaFan forum (KaFan.cn), Copyright © KaFan, All Rights Reserved. Powered by Discuz! X3.4. Page generated GMT+8, 2024-3-28 17:56.