VirSCAN

1. You can upload any file, but each file is limited to 20 MB.
2. VirSCAN supports Rar/Zip archives, but an archive must contain fewer than 20 files.
3. VirSCAN can scan archives protected with the password 'infected' or 'virus'.

Basic information

File name: 00烈火战神
File size: 41440 bytes
File type: application/x-dosexec
MD5: a7d84c368a53ecc403dbf3a6887d7422
sha1: b35ba45cd34b916650bbb2ae2d39f8b73f8db0ab

 CreateProcess

ApplicationName:
CmdLine: C:\Users\ADMINI~1\AppData\Local\Temp\foodwic.exe
childid: 960
childname: foodwic.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\foodwic.exe
drop_type: 1
name: 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
pid: 2032
ApplicationName:
CmdLine:
childid: 2032
childname: 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
drop_type:
name:
noNeedLine:
path:
pid: 2004

 Summary

buffer: 0
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\foodwic_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\foodwic_RASMANCS
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\foodwic_RASMANCS
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\foodwic_RASMANCS
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\foodwic_RASMANCS
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\foodwic_RASMANCS
type: REG_EXPAND_SZ
valuename: FileDirectory
buffer: 1
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x00\x1f\xd0\x9bJB\xd7\x01
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x00\x1f\xd0\x9bJB\xd7\x01
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision
buffer: F\x00\x00\x00\x0e\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\xd9\x0cxJB\xd7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\xc0\xa88\xcf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s\x00-\x008\x002\x009\x009\x002\x002\x002\x007\x004\x00\x00\x005\x00 \x00\x00\x00\x1c\x00\xc0\x00\x00\x00\x00\x00\x00F\x00\x00\x00\x00\x13\x00\x00\x13\x8a\xb3\x00\x00\xe8\xea[\x008\xd8[\x00\x8c\xa3\x00\x80_H\xa1\x92\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00D}\x95 \xe9C\x07\xb4\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
type: REG_BINARY
valuename: DefaultConnectionSettings
buffer: {42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
type: REG_SZ
valuename: WpadLastNetwork
buffer: 1
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \xf0\xecJ+KB\xd7\x01
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 0
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \xf0\xecJ+KB\xd7\x01
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 0
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision
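The registry writes above fall into two groups that are easy to misread as persistence. The HKLM\Software\Microsoft\Tracing\foodwic_RASMANCS values (EnableFileTracing 0, both masks 0xFFFF0000, MaxFileSize 0x100000, FileDirectory %windir%\tracing) are the stock values Windows creates the first time a process loads the RAS/WinInet stack, and the Wpad\... values are WinHTTP auto-proxy discovery state; both are side effects of the network activity reported further down, not attacker configuration. The WpadDecisionTime blobs are little-endian FILETIMEs. The Python script below is an added example, not VirSCAN's or the report's own code: it decodes the escaped buffers exactly as the report prints them, converts the two FILETIMEs to UTC, and labels each write. The entry list is copied from the Summary above (the DefaultConnectionSettings blob truncated to its first eight bytes); the label names and the triage() helper are my own.

```python
"""Triage helpers for the registry 'Summary' of a VirSCAN sandbox report (added example)."""
import re
import struct
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_UNIX_DELTA = 116_444_736_000_000_000

# Stock values Windows writes under HKLM\Software\Microsoft\Tracing\<exe>_RASMANCS when a
# process first loads the RAS/WinInet stack. A full match is default tracing config, not persistence.
RAS_TRACING_DEFAULTS = {
    "EnableFileTracing": 0,
    "EnableConsoleTracing": 0,
    "FileTracingMask": 0xFFFF0000,  # printed as 4294901760 in the report
    "ConsoleTracingMask": 0xFFFF0000,
    "MaxFileSize": 0x100000,        # printed as 1048576
    "FileDirectory": "%windir%\\tracing",
}


def unescape_buffer(text: str) -> bytes:
    """Reverse the report's byte rendering: '\\xNN' escapes become bytes, other chars are latin-1."""
    decoded = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return decoded.encode("latin-1")


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian Windows FILETIME (100-ns ticks since 1601) to UTC."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    micros = (ticks - FILETIME_UNIX_DELTA) // 10
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)


def decode_wpad_time(escaped: str) -> str:
    """WpadDecisionTime exactly as printed in the report -> ISO-8601 UTC string."""
    return filetime_to_utc(unescape_buffer(escaped)).isoformat()


def classify_registry_write(subkey: str, valuename: str, buffer) -> str:
    """Label one Summary entry: 'ras-tracing-default', 'wpad-autoproxy' or 'review' (label names are mine)."""
    key = subkey.lower()
    if "\\software\\microsoft\\tracing\\" in key:
        expected = RAS_TRACING_DEFAULTS.get(valuename)
        if expected is None:
            return "review"
        if isinstance(buffer, str):  # REG_SZ/REG_EXPAND_SZ: drop the trailing NUL the report prints as \x00
            buffer = unescape_buffer(buffer).decode("latin-1").rstrip("\x00")
        return "ras-tracing-default" if buffer == expected else "review"
    if "\\internet settings\\wpad" in key:
        return "wpad-autoproxy"
    return "review"


# Entries copied from the report's Summary (pid 960, foodwic.exe). REG_DWORD data as int,
# everything else as the escaped string the report prints. DefaultConnectionSettings is truncated.
TRACING = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\foodwic_RASMANCS"
WPAD = "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad\\"
REPORT_WRITES = [
    (TRACING, "EnableFileTracing", 0),
    (TRACING, "EnableConsoleTracing", 0),
    (TRACING, "FileTracingMask", 4294901760),
    (TRACING, "ConsoleTracingMask", 4294901760),
    (TRACING, "MaxFileSize", 1048576),
    (TRACING, "FileDirectory", r"%windir%\tracing\x00"),
    (WPAD + "{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}", "WpadDecisionTime", r"\x00\x1f\xd0\x9bJB\xd7\x01"),
    (WPAD + "0a-00-27-00-00-00", "WpadDecisionTime", r"\xf0\xecJ+KB\xd7\x01"),
    ("HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
     "DefaultConnectionSettings", r"F\x00\x00\x00\x0e\x00\x00\x00"),
]


def triage(writes=REPORT_WRITES):
    """Count writes per label and decode every WpadDecisionTime; returns (counts, iso_times)."""
    counts, times = {}, []
    for subkey, valuename, buffer in writes:
        label = classify_registry_write(subkey, valuename, buffer)
        counts[label] = counts.get(label, 0) + 1
        if valuename == "WpadDecisionTime":
            times.append(decode_wpad_time(buffer))
    return counts, times


if __name__ == "__main__":
    counts, times = triage()
    print(counts)  # {'ras-tracing-default': 6, 'wpad-autoproxy': 2, 'review': 1}
    print(times)   # two UTC timestamps, the second about four minutes after the first
```

The two decoded WpadDecisionTime values are about four minutes apart, which matches the sample re-running proxy discovery during the sandbox run; the only entry left as "review" is the DefaultConnectionSettings blob, which is the one worth reading by hand.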

 Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

 Dropped Unsafe

analysis_result: Trojan-Spy.Win32.Zbot.zpps
create: 0
how: write
md5: 42f710aa485d587b05b7724c263c5c9f
name: foodwic.exe
new_size: 40 KB (41626 bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\foodwic.exe
processid: 2032
processname: 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
sha1: cf34fba198044ff42c083f2026bec0c17cce9aa6
sha256: 119bae2b1a51479b011c54a3f3caece1306981d375d60ae10eb5d0c89d079e56
size: 41626
this_path: /data/cuckoo/storage/analyses/6000004/files/1000/foodwic.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory page protection so that it can decrypt and execute code in memory
num: 1
process_id: 2032
process_name: 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
rulename: Set memory region to read/write/execute
attck_tactics: Defense evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, hiding the malicious code inside the resource
num: 152
process_id: 2032
process_name: 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malware loads a resource from its resource section into memory and decrypts it
num: 152
process_id: 2032
process_name: 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory page protection so that it can decrypt and execute code in memory
num: 0
process_id: 960
process_name: foodwic.exe
rulename: Set memory region to read/write/execute
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malware loads a resource from its resource section into memory and decrypts it
num: 151
process_id: 960
process_name: foodwic.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware creates a network connection in order to communicate over the network
num: 490
process_id: 960
process_name: foodwic.exe
rulename: Create network socket connection
attck_tactics: Persistence
level: 1
matchedinfo: The malware opens the Service Control Manager in order to control services
num: 649
process_id: 960
process_name: foodwic.exe
rulename: Open Service Control Manager
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread handle in order to manipulate other threads
num: 662
process_id: 960
process_name: foodwic.exe
rulename: Open other threads
attck_tactics: Discovery (basic information collection)
level: 1
matchedinfo: The malware collects the user's network adapter information in order to gather sensitive information
num: 873
process_id: 960
process_name: foodwic.exe
rulename: Collect network adapter information
attck_tactics: Discovery (basic information collection)
level: 1
matchedinfo: Enumerates files to locate specific target files
num: 936
process_id: 960
process_name: foodwic.exe
rulename: Enumerate files
attck_tactics: Command and control
level: 1
matchedinfo: The malware uses InternetReadFile to read a remote file, in order to retrieve malicious data, commands or files
num: 992
process_id: 960
process_name: foodwic.exe
rulename: Read file from remote server
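The two rules matched in pid 2032 about dropping a file from the resource section and loading a resource into memory describe how 1620250244598_a7d84c368a53ecc403dbf3a6887d7422.exe produced foodwic.exe, and the Dropped section gives the hashes of the result. A quick static check for this pattern, before any sandbox run, is to look for a second MZ/PE header embedded in the parent sample and hash what follows it. The script below is an added example, not the report's or VirSCAN's code. It scans for an "MZ" whose e_lfanew points at a "PE\0\0" signature rather than walking the resource directory, so it also catches payloads stored outside .rsrc, at the cost of not knowing the payload's true length (it slices to end of buffer). The dropper buffer is constructed, and fake_pe() builds a synthetic header that is not a loadable PE.

```python
"""Find a PE embedded in another PE by header signature (added example, constructed input)."""
import hashlib
import struct

DOS_HEADER_LEN = 0x40   # size of IMAGE_DOS_HEADER
E_LFANEW_OFFSET = 0x3C  # offset of e_lfanew inside the DOS header


def find_embedded_pe(data: bytes, start: int = 1) -> list:
    """Offsets of every MZ header at or after `start` whose e_lfanew lands on a 'PE\\0\\0' signature.

    start=1 skips the container's own header at offset 0. e_lfanew is capped at 0x1000 so that
    'MZ' byte pairs occurring by chance in random-looking data are not chased across the file."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + DOS_HEADER_LEN <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            sig = pos + e_lfanew
            if DOS_HEADER_LEN <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve_payloads(data: bytes) -> list:
    """Slice each embedded header to the end of the buffer and hash it, so the digest can be compared
    with the hashes listed for the dropped file. Returns [(offset, size, sha256_hex), ...]."""
    out = []
    for off in find_embedded_pe(data):
        blob = data[off:]
        out.append((off, len(blob), hashlib.sha256(blob).hexdigest()))
    return out


def fake_pe(payload: bytes = b"") -> bytes:
    """Constructed stand-in for a PE: DOS header whose e_lfanew points straight at 'PE\\0\\0',
    followed by `payload`. Enough for the header scan; not a loadable executable."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    return bytes(dos) + b"PE\x00\x00" + payload


# Constructed "dropper": outer PE, padding, a fake .rsrc section that carries the inner PE.
INNER = fake_pe(b"inner-payload")
DROPPER = fake_pe(b"\x00" * 64 + b".rsrc" + INNER + b"\x00" * 16)


if __name__ == "__main__":
    for off, size, digest in carve_payloads(DROPPER):
        print(f"embedded PE at 0x{off:x}, {size} bytes, sha256 {digest}")
```

On a real sample the carved blob will usually carry trailing resource padding, so compare its hash against the dropped file only after trimming to the size reported for that file (41626 bytes for foodwic.exe); a match ties the dropped file back to the parent without running it.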