VirSCAN

1. You can UPLOAD any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader to upload.


Basic information

File name: 00美国队长2
File size: 1441056
File type: application/x-dosexec
MD5: 443b82d5b5977130b5ef04fc57910f95
sha1: b4d6358c9c2b003220d04d50004c270e58853080

CreateProcess

ApplicationName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
CmdLine: upx.exe -7 "C:\Users\Administrator\AppData\Roaming\winup.exe"
childid: 3004
childname: csc.exe
childpath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
drop_type:
name: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
pid: 2356
ApplicationName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
CmdLine:
childid: 2180
childname: csc.exe
childpath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
drop_type:
name: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
pid: 2356
ApplicationName:
CmdLine:
childid: 2356
childname: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
drop_type:
name:
noNeedLine:
path:
pid: 2652

Dropped_Safe

analysis_result: Safe
create: 0
how: write
md5: 57b535d4b62320f7e59b318062a61209
name: .Identifier
new_size: 68bytes
operation: Modify file
path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier
processid: 2180
processname: csc.exe
sha1: 76840a20f6caaa1a7dd5a00bfd376ec86df854b8
sha256: 024320939faa28f72109c43cca48dc5d3b768877dd0827b38f001e02bfbe8e29
size: 68
this_path: /data/cuckoo/storage/analyses/6000076/files/1001/.Identifier
type: data

Dropped Unsafe

analysis_result: HEUR:Trojan.Win32.NetWire.gen
create: 0
how: write
md5: c102896e967826817aee88b4dfe41947
name: winup.exe
new_size: 1411KB (1445152bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\winup.exe
processid: 2356
processname: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
sha1: 7bd8da5f61f98e79278e514895fdefc277bc1a3f
sha256: 56a3f34410fcbdf06fcaf2d7a559835f233cf9a43b3a9a06e751a585d427f629
size: 1445152
this_path: /data/cuckoo/storage/analyses/6000076/files/1000/winup.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it in order to hide malicious code.
num: 103
process_id: 2356
process_name: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
rulename: Drop file from resource section and run
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program loads a resource from its resource section into memory and decrypts it.
num: 103
process_id: 2356
process_name: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection in order to decrypt and execute malicious code in memory.
num: 135
process_id: 2356
process_name: 1618993804713_443b82d5b5977130b5ef04fc57910f95.exe
rulename: Change memory region to readable/writable/executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection in order to decrypt and execute malicious code in memory.
num: 111
process_id: 3004
process_name: csc.exe
rulename: Change memory region to readable/writable/executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files.
num: 131
process_id: 3004
process_name: csc.exe
rulename: Enumerate files
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malicious program collects disk information from the user's system in order to obtain sensitive information.
num: 26
process_id: 2180
process_name: csc.exe
rulename: Collect disk information
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection in order to decrypt and execute malicious code in memory.
num: 148
process_id: 2180
process_name: csc.exe
rulename: Change memory region to readable/writable/executable
attck_tactics: Command and Control
level: 2
matchedinfo: The malicious program may connect over a non-standard port to exfiltrate data.
num: 181
process_id: 2180
process_name: csc.exe
rulename: Connect to non-standard port
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malicious program creates a network connection in order to communicate over the network.
num: 181
process_id: 2180
process_name: csc.exe
rulename: Create network socket connection
attck_tactics: Other malicious behavior
level: 3
matchedinfo: Sets SO_KEEPALIVE on the socket to detect whether the peer host has crashed and to keep the (server) side from blocking forever on TCP input; commonly used by backdoors as a heartbeat mechanism.
num: 183
process_id: 2180
process_name: csc.exe
rulename: Set up heartbeat mechanism