VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Language
Server load
Server Load

文件信息
安全评分 :50
基本信息
MD5:b927b65ea304989415e1d7156c5130d9
文件类型:EXE
出品公司:
版本:1.0.0.0---1.0.0.0
壳或编译器信息:PACKER:UPolyX v0.5
关键行为
行为描述:直接调用系统关键API
详情信息:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0069699F
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0069699F
行为描述:直接获取CPU时钟
详情信息:EAX = 0x500eb2c4, EDX = 0x000000b5
EAX = 0xa71b58dc, EDX = 0x000000b5
EAX = 0xa71b5928, EDX = 0x000000b5
EAX = 0xa71b5974, EDX = 0x000000b5
EAX = 0xa71b59c0, EDX = 0x000000b5
EAX = 0xa71b5a0c, EDX = 0x000000b5
EAX = 0xa71b5a58, EDX = 0x000000b5
EAX = 0xa71b5aa4, EDX = 0x000000b5
EAX = 0xa71b5af0, EDX = 0x000000b5
EAX = 0xa71b5b3c, EDX = 0x000000b5
行为描述:自删除
详情信息:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
进程行为
行为描述:隐藏窗口创建进程
详情信息:ImagePath = , CmdLine = c:\Del.bat
行为描述:创建进程
详情信息:[0x00000aa0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c c:\Del.bat
[0x00000b24]ImagePath = C:\WINDOWS\system32\wscript.exe, CmdLine = "C:\WINDOWS\System32\WScript.exe" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\delay.vbs"
行为描述:创建本地线程
详情信息:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2668, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: wscript.exe, InheritedFromPID = 2720, ProcessID = 2852, ThreadID = 2860, StartAddress = 01002FD4, Parameter = 008E4078
TargetProcess: wscript.exe, InheritedFromPID = 2720, ProcessID = 2852, ThreadID = 2864, StartAddress = 765E964D, Parameter = 001BCB80
文件行为
行为描述:创建文件
详情信息:C:\Del.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\delay.vbs
行为描述:修改脚本文件
详情信息:C:\Del.bat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\delay.vbs ---> Offset = 0
行为描述:删除文件
详情信息:C:\Documents and Settings\Administrator\Local Settings\Temp\delay.vbs
C:\Del.bat
行为描述:自删除
详情信息:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
行为描述:查找文件
详情信息:FileName = c:\Del.bat
FileName = C:\Del.bat
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\delay.vbs
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
网络行为
行为描述:连接指定站点
详情信息:WinHttpConnect: ServerName = lo****om, PORT = 4300, UserName = , Password = , hSession = 0x012d3100, hConnect = 0x012d3200, Flags = 0x00000000
行为描述:打开HTTP连接
详情信息:WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x012d3100
行为描述:建立到一个指定的套接字连接
详情信息:URL: lo****om, IP: **.133.40.**:4300, SOCKET = 0x000001b8
行为描述:发送HTTP包
详情信息:GET /pt_get_uins?callback=ptui_getuins_CB&r=0.3924898656297480&pt_local_tk=0.0841995584797301 HTTP/1.1 Cookie: pt_local_token=0.0841995584797301; Accept: */* Referer: http://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.3924898656297480&pt_local_tk=0.0841995584797301 Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: lo****om:4300 Connection: Keep-Alive
行为描述:打开HTTP请求
详情信息:WinHttpOpenRequest: lo****om:4300/pt_get_uins?callback=ptui_getuins_cb&r=0.3924898656297480&pt_local_tk=0.0841995584797301, hConnect = 0x012d3200, hRequest = 0x01360000, Verb: GET, Referer: , Flags = 0x00000080
行为描述:按名称获取主机地址
详情信息:GetAddrInfoW: lo****om
注册表行为
行为描述:修改注册表
详情信息:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\System32\WScript.exe
其他行为
行为描述:直接调用系统关键API
详情信息:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0069699F
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0069699F
行为描述:检测自身是否被调试
详情信息:IsDebuggerPresent
行为描述:创建互斥体
详情信息:RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
行为描述:创建事件对象
详情信息:EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
行为描述:打开互斥体
详情信息:RasPbFile
ShimCacheMutex
Local\!IETld!Mutex
行为描述:调整进程token权限
详情信息:SE_LOAD_DRIVER_PRIVILEGE
行为描述:打开事件
详情信息:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2852
MSFT.VSA.IEC.STATUS.6c736db0
Global\crypt32LogoffEvent
行为描述:直接获取CPU时钟
详情信息:EAX = 0x500eb2c4, EDX = 0x000000b5
EAX = 0xa71b58dc, EDX = 0x000000b5
EAX = 0xa71b5928, EDX = 0x000000b5
EAX = 0xa71b5974, EDX = 0x000000b5
EAX = 0xa71b59c0, EDX = 0x000000b5
EAX = 0xa71b5a0c, EDX = 0x000000b5
EAX = 0xa71b5a58, EDX = 0x000000b5
EAX = 0xa71b5aa4, EDX = 0x000000b5
EAX = 0xa71b5af0, EDX = 0x000000b5
EAX = 0xa71b5b3c, EDX = 0x000000b5
运行截图
VirSCAN

About VirSCAN | Privacy Policy | Contact us | link | Help VirSCAN
Translated by Keith Miller, United States
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号