VirSCAN

1, You can UPLOAD any file type, file size max. 20 MB.
2, VirSCAN supports Rar/Zip decompression, max. 20 files per Rar/Zip.
3, VirSCAN can scan Rar/Zip files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, you can use the VirSCAN uploader.

Basic information

Bestandsnaam: 00滑头鬼之孙
Bestandsgrootte: 637440
Bestandstype: application/x-dosexec
MD5: de7f5961a9f7fbe7916f29628a8f4edc
sha1: c7b792daeec5c545b964d8f99c5fa0dcb21cf3e7

CreateProcess

ApplicationName:
CmdLine: C:\Users\Administrator\AppData\Roaming\datainf\1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
childid: 1624
childname: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
childpath: C:\Users\Administrator\AppData\Roaming\datainf\1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
drop_type: 1
name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
pid: 2272
ApplicationName:
CmdLine: C:\Windows\system32\svchost.exe -k RPCSS
childid: 1752
childname: svchost.exe
childpath: C:\Windows\system32\svchost.exe
drop_type:
name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Roaming\datainf\1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
pid: 1624
ApplicationName:
CmdLine:
childid: 2272
childname: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
drop_type:
name:
noNeedLine:
path:
pid: 2340

Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: 5e565fd02613980b818ff59c1d8c8754
name: log405E.tmp
new_size: 830bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Local\Temp\log405E.tmp
processid: 2272
processname: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
sha1: 23c286a0f0a5b14a211fdc16397b2cde0f5b9870
sha256: 90d284abba87f1845525c301007fef941b8ec8f87a9f52091c0806359c601ade
size: 830
this_path: /data/cuckoo/storage/analyses/891/files/9374567772/log405E.tmp
type: Non-ISO extended-ASCII text, with CRLF line terminators
analysis_result: Safe
create: 0
how: del
md5: 0d0d88dd2c52561e556ddd5f4019737d
name: log53C7.tmp
new_size: 795bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Local\Temp\log53C7.tmp
processid: 1624
processname: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
sha1: 0af57a39e9c1f02d52dec7617f36b7d3b936ca93
sha256: 7f7246e993d1c7f36a9ee6b41627e0a68302361c2be33077f06566e28c6c3eca
size: 795
this_path: /data/cuckoo/storage/analyses/891/files/7866018558/log53C7.tmp
type: Non-ISO extended-ASCII text, with CRLF line terminators

Dropped Unsave

analysis_result: Trojan.Win32.Zenpak.aazo
create: 0
how: copy
md5: de7f5961a9f7fbe7916f29628a8f4edc
name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
new_size: 622KB (637440bytes)
operation: Copy and overwrite file
path: C:\Users\Administrator\AppData\Roaming\datainf\1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
processid: 2272
processname: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
sha1: c7b792daeec5c545b964d8f99c5fa0dcb21cf3e7
sha256: 6817ec36ae827619efc232e480970331f72b34d974d981e030c98f2637ba5f2e
size: 637440
this_path: /data/cuckoo/storage/analyses/891/files/1000/1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide malicious code
num: 15189
process_id: 2272
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program extracts a resource from its resource section into memory and decrypts it
num: 15189
process_id: 2272
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection attributes in order to decrypt and execute malicious code in memory
num: 15191
process_id: 2272
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates the processes on the system; can be used for evading specific antivirus products, virtual-machine detection, etc.
num: 15215
process_id: 2272
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Enumerate system processes
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for a specified target file by enumerating files
num: 16158
process_id: 2272
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Enumerate files
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide malicious code
num: 73926
process_id: 1624
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program extracts a resource from its resource section into memory and decrypts it
num: 73926
process_id: 1624
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection attributes in order to decrypt and execute malicious code in memory
num: 73928
process_id: 1624
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates the processes on the system; can be used for evading specific antivirus products, virtual-machine detection, etc.
num: 73952
process_id: 1624
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Enumerate system processes
attck_tactics: Defense Evasion
level: 4
matchedinfo: Creates a process with a deceptive name to masquerade as a legitimate program, in order to mislead and deceive the user
num: 75093
process_id: 1624
process_name: 1621249204369_de7f5961a9f7fbe7916f29628a8f4edc.exe
rulename: Create masquerading process