Analysis Task

Analysis type    VM label                  Start time            End time              Duration
File (Windows)   win7-sp1-x64-shaapp03-2   2021-04-09 01:14:49   2021-04-09 01:15:18   29 s

Maldun Score

1.4

Benign

File Details

File name   browsing_data_remover.exe
File size   350096 bytes
File type   PE32 executable (console) Intel 80386, for MS Windows
MD5         fd123e789e99dff0cf27421a495e2ece
SHA1        629ad539d4cc768aa32e7306bec2dfbe306367e5
SHA256      91a03c8c3ad7c143d312a76218471a7104df682e5a1b9c80fc1e16ce788d9ded
SHA512      d76cb002ec2b8b0a5f59ac6e05cd4ed8b5bc05d9a012dcdef06b93c8b1843fcbb2d90a1f5a6a654e92327b9b6ce10005785af51141ebf64ce8378283d3d49208
CRC32       DCBDA2E0
Ssdeep      6144:NALci/Iq5yeUGIXLfi4EV1izUQ8ns91wS8iqBbcGnFAOECsIPr:iwiP5yYI7fibi2PFXP
Yara
  • Detected a console program sample
  • Detected Digital Signature
  • Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files

Screenshots

No screenshots available.

Hosts Contacted

No host records.

DNS Resolution

Domain              Security rating   Response
acroipm.adobe.com                     A      96.7.129.29
                                      CNAME  acroipm.adobe.com.edgesuite.net
                                      A      96.7.129.34
                                      CNAME  a1983.dscd.akamai.net

Summary

Files
C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\api-ms-win-core-datetime-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-datetime-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-datetime-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-datetime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\System32\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\system\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\System32\wbem\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-obsolete-l1-2-0.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

Registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
api-ms-win-core-localization-l1-2-1.dll.LCMapStringEx
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCMapStringEx
kernel32.dll.AreFileApisANSI
kernelbase.dll.CompareStringEx
api-ms-win-core-localization-l1-2-1.dll.EnumSystemLocalesEx
kernel32.dll.GetDateFormatEx
api-ms-win-core-localization-l1-2-1.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
api-ms-win-core-localization-l1-2-1.dll.GetUserDefaultLocaleName
api-ms-win-core-localization-l1-2-1.dll.IsValidLocaleName
kernel32.dll.LCIDToLocaleName
api-ms-win-core-localization-l1-2-1.dll.LocaleNameToLCID
kernel32.dll.AcquireSRWLockShared
kernel32.dll.ReleaseSRWLockShared
ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId
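The DLL probe paths at the top of this summary are worth reading as a search-order trace rather than as noise: each api-ms-win-* name was tried in the application directory (here the user's Temp folder), then System32, System and the Windows directory, then the PATH entries, which is what the Windows loader does when a name is not found in any earlier location. A DLL of that name planted in any writable directory that is searched before the real one would be loaded instead. The script below is an added example, not part of the sandbox report or of the sample; it replays the paths copied from this report (a subset, to keep it short) and lists the directories that matter. The directory classification rules (Windows root = protected, user profile = writable, anything else = check the ACL) are this example's own assumption.

```python
"""Added example, not from the sandbox report or the sample: replay the
report's DLL probe list to map the search-order hijacking surface."""
import ntpath
from collections import OrderedDict

# Copied from the report's summary (two of the DLL names, plus the ext-ms entry).
PROBED_PATHS = [
    r"C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL",
    r"C:\Users\test\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Windows\System32\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Windows\system\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Windows\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Windows\System32\wbem\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Program Files (x86)\WinRAR\api-ms-win-core-datetime-l1-1-1.DLL",
    r"C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL",
]


def classify_dir(directory):
    """Assumption of this example: directories under the Windows root are
    protected, anything under a user profile is writable by that user, and
    everything else (ProgramData, Program Files, ...) needs its ACL checked
    on the real host before it is called safe."""
    d = directory.lower().rstrip("\\") + "\\"
    if d.startswith("c:\\windows\\"):
        return "system"
    if d.startswith("c:\\users\\"):
        return "user-writable"
    return "check-acl"


def probe_order(paths):
    """Map each DLL name (lower-cased) to the directories it was probed in,
    preserving the order the sandbox recorded."""
    order = OrderedDict()
    for path in paths:
        directory, name = ntpath.split(path)
        order.setdefault(name.lower(), []).append(directory)
    return order


def hijack_candidates(paths):
    """For every DLL, list the non-system directories in its probe order as
    (directory, class, position). position is 'before-system' when the
    directory was searched ahead of System32 (the application directory)
    and 'path-entry' when it was reached later through PATH."""
    result = {}
    for name, dirs in probe_order(paths).items():
        seen_system = False
        candidates = []
        for d in dirs:
            cls = classify_dir(d)
            if cls == "system":
                seen_system = True
                continue
            position = "path-entry" if seen_system else "before-system"
            candidates.append((d, cls, position))
        result[name] = candidates
    return result


def incomplete_probes(paths, expected=8):
    """Names probed fewer than `expected` times: either the loader stopped
    early because a file of that name was found, or the trace is partial."""
    return [n for n, dirs in probe_order(paths).items() if len(dirs) < expected]


if __name__ == "__main__":
    for name, cands in hijack_candidates(PROBED_PATHS).items():
        print(name)
        for directory, cls, position in cands:
            print(f"  {position:14} {cls:14} {directory}")
    print("probe lists shorter than 8:", incomplete_probes(PROBED_PATHS))
```

For every name in the full list the first probe is the Temp directory the sample ran from, so a file with that name dropped next to the executable would win; the two PATH entries outside the Windows root (the Java javapath directory and the WinRAR directory) come after the system directories and only matter because no system copy exists on this Windows 7 VM.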

PE Information

Image base              0x00400000
Entry point             0x0041fe40
Declared checksum       0x0006367d
Actual checksum         0x0006367d
Minimum OS version      5.1
PDB path                D:\webapps\b\build\slave\repo\build\src\out\Release\browsing_data_remover.exe.pdb
Compile time            2017-12-11 17:04:35
Import hash (imphash)   4eba277eeb54cff81d28cb73860e0334
Export DLL name         browsing_data_remover.exe

Microsoft Certificate Verification (SignTool)

SHA1                                      Timestamp                  Validity   Error
dc36c076b81d34ca7b27365d6493974561f4b382  Mon Dec 11 18:50:12 2017

Certificate Chain 1
Issued to    VeriSign Class 3 Public Primary Certification Authority - G5
Issued by    VeriSign Class 3 Public Primary Certification Authority - G5
Valid until  Thu Jul 17 07:59:59 2036
SHA1 hash    4eb6d578499b1ccf5f581ead56be3d9b6744a5e5

Certificate Chain 2
Issued to    VeriSign Class 3 Code Signing 2010 CA
Issued by    VeriSign Class 3 Public Primary Certification Authority - G5
Valid until  Sat Feb 08 07:59:59 2020
SHA1 hash    495847a93187cfb8c71f840cb7b41497ad95c64f

Certificate Chain 3
Issued to    TAOBAO (CHINA) SOFTWARE CO.,LTD.
Issued by    VeriSign Class 3 Code Signing 2010 CA
Valid until  Sun Jul 15 07:59:59 2018
SHA1 hash    51133a37ffad0b668844984e77109f29482d7dab

Timestamp Chain 1
Issued to    GlobalSign Root CA
Issued by    GlobalSign Root CA
Valid until  Fri Jan 28 20:00:00 2028
SHA1 hash    b1bc968bd4f49d622aa89a81f2150152a41d829c

Timestamp Chain 2
Issued to    GlobalSign Timestamping CA - G2
Issued by    GlobalSign Root CA
Valid until  Fri Jan 28 20:00:00 2028
SHA1 hash    c0e49d2d7d90a5cd427f02d9125694d5d6ec5b71

Timestamp Chain 3
Issued to    GlobalSign TSA for MS Authenticode - G2
Issued by    GlobalSign Timestamping CA - G2
Valid until  Thu Jun 24 08:00:00 2027
SHA1 hash    63b82fab61f583909695050b00249c502933ec79
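Both the signer certificate (expiry July 2018) and its issuing CA (expiry February 2020) had expired by the time this task ran in April 2021, yet the signature is timestamped December 2017 by a GlobalSign TSA whose chain runs to 2027. Authenticode evaluates the signer chain at the timestamp when a trusted timestamp countersignature is present, so an expired signer does not by itself invalidate the signature. The script below is an added example, not part of the report or of the sample, that applies that rule to the dates printed above. The report shows only expiry dates and the signing timestamp, so only expiry is checked; notBefore, revocation and the actual cryptographic verification are outside what this example can do with the page's data, and the plausibility window in the last function is this example's own choice.

```python
"""Added example, not from the sandbox report or the sample: evaluate the
report's certificate chains the way Authenticode does when a timestamp
countersignature is present. Only expiry dates are available on the page."""
from datetime import datetime

DATE_FMT = "%a %b %d %H:%M:%S %Y"            # the format the report prints
SIGNING_TIMESTAMP = "Mon Dec 11 18:50:12 2017"  # from the SignTool line
COMPILE_TIME = datetime(2017, 12, 11, 17, 4, 35)  # PE compile time from the report
ANALYSIS_TIME = datetime(2021, 4, 9, 1, 14, 49)   # task start time from the report

# (subject, expiry) copied from the report; no notBefore dates are shown there.
SIGNER_CHAIN = [
    ("VeriSign Class 3 Public Primary Certification Authority - G5", "Thu Jul 17 07:59:59 2036"),
    ("VeriSign Class 3 Code Signing 2010 CA", "Sat Feb 08 07:59:59 2020"),
    ("TAOBAO (CHINA) SOFTWARE CO.,LTD.", "Sun Jul 15 07:59:59 2018"),
]
TIMESTAMP_CHAIN = [
    ("GlobalSign Root CA", "Fri Jan 28 20:00:00 2028"),
    ("GlobalSign Timestamping CA - G2", "Fri Jan 28 20:00:00 2028"),
    ("GlobalSign TSA for MS Authenticode - G2", "Thu Jun 24 08:00:00 2027"),
]


def parse(text):
    """Parse a date in the report's own format."""
    return datetime.strptime(text, DATE_FMT)


def expired_at(chain, when):
    """Subjects whose certificate has expired at `when`."""
    return [subject for subject, expiry in chain if parse(expiry) < when]


def signature_status(signer_chain, ts_chain, timestamp, now):
    """Authenticode keeps a signature valid after the signer's certificate
    expires provided a trusted timestamp proves the signature was made while
    the signer chain was valid; the timestamp chain itself must be valid now.
    Revocation and notBefore are not modelled here (not on the page)."""
    if not expired_at(signer_chain, now):
        return "valid"
    if ts_chain and not expired_at(signer_chain, timestamp) \
            and not expired_at(ts_chain, now):
        return "valid-via-timestamp"
    return "expired"


def timeline_plausible(compile_time, timestamp, max_hours=24 * 30):
    """Signing should follow linking and not by an absurd margin; a timestamp
    earlier than the PE compile time means one of the two was tampered with
    or a clock was wrong. The 30-day window is this example's own choice."""
    delta = timestamp - compile_time
    return 0 <= delta.total_seconds() <= max_hours * 3600


if __name__ == "__main__":
    ts = parse(SIGNING_TIMESTAMP)
    print("expired at analysis time:", expired_at(SIGNER_CHAIN, ANALYSIS_TIME))
    print("status:", signature_status(SIGNER_CHAIN, TIMESTAMP_CHAIN, ts, ANALYSIS_TIME))
    print("timeline plausible:", timeline_plausible(COMPILE_TIME, ts))
```

For this sample the result is "valid-via-timestamp", and the timestamp lands about an hour and three quarters after the compile time, which is the shape a normal release build has. The empty Validity and Error columns in the SignTool line above mean the report itself did not record a verdict, so this is exactly the check to redo locally (for example with signtool verify /v /pa) before trusting the TAOBAO signer as evidence of provenance.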

PE Sections

Name    Virtual address  Virtual size  Raw data size  Characteristics                                                              Entropy
.text   0x00001000       0x0003d16a    0x0003d200     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.61
.rdata  0x0003f000       0x00010aac    0x00010c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            5.72
.data   0x00050000       0x00002b68    0x00001000     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        3.22
.gfids  0x00053000       0x0000032c    0x00000400     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.34
.tls    0x00054000       0x00000002    0x00000200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        0.00
.reloc  0x00055000       0x00002a5c    0x00002c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  6.52

Overlay

Offset  0x00052400
Size    0x00003390
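The section table and the overlay figures can be cross-checked against each other and against the file size without the binary. The script below is an added example, not part of the report or of the sample: it lays the sections out back to back after the headers, derives the overlay from that, checks that the virtual addresses are contiguous at page granularity, locates the entry point and the import and export addresses in their sections, and applies the usual packing red flags to the characteristics and entropy columns. Raw file offsets are not printed in the report, so a header size of 0x400 and a file alignment of 0x200 are assumed (both consistent with every raw size shown); the 0x1000 section alignment is assumed from the virtual addresses.

```python
"""Added example, not from the sandbox report or the sample: sanity-check the
section table and overlay figures the report prints, using only those figures.
SIZE_OF_HEADERS, FILE_ALIGNMENT and SECTION_ALIGNMENT are assumptions."""

FILE_SIZE = 350096                # from the report
IMAGE_BASE = 0x00400000           # from the report
ENTRY_POINT = 0x0041fe40          # virtual address, as printed in the report
REPORTED_OVERLAY = (0x00052400, 0x00003390)
FILE_ALIGNMENT = 0x200            # assumption (consistent with all raw sizes)
SECTION_ALIGNMENT = 0x1000        # assumption (consistent with all RVAs)
SIZE_OF_HEADERS = 0x400           # assumption (not printed in the report)

# (name, RVA, virtual size, raw size, characteristics, entropy) from the report
SECTIONS = [
    (".text",  0x00001000, 0x0003d16a, 0x0003d200, "CODE|EXECUTE|READ", 6.61),
    (".rdata", 0x0003f000, 0x00010aac, 0x00010c00, "INITIALIZED_DATA|READ", 5.72),
    (".data",  0x00050000, 0x00002b68, 0x00001000, "INITIALIZED_DATA|READ|WRITE", 3.22),
    (".gfids", 0x00053000, 0x0000032c, 0x00000400, "INITIALIZED_DATA|READ", 3.34),
    (".tls",   0x00054000, 0x00000002, 0x00000200, "INITIALIZED_DATA|READ|WRITE", 0.00),
    (".reloc", 0x00055000, 0x00002a5c, 0x00002c00, "INITIALIZED_DATA|DISCARDABLE|READ", 6.52),
]


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def raw_layout(sections, headers=SIZE_OF_HEADERS, align=FILE_ALIGNMENT):
    """Derive (name, raw_offset, raw_size) assuming the sections follow the
    headers contiguously in table order, each padded to the file alignment."""
    offset = align_up(headers, align)
    layout = []
    for name, _rva, _vsize, rsize, _chars, _entropy in sections:
        layout.append((name, offset, rsize))
        offset += align_up(rsize, align)
    return layout


def overlay(sections, file_size):
    """(offset, size) of the data after the last section, or None."""
    end = max(off + size for _name, off, size in raw_layout(sections))
    return (end, file_size - end) if file_size > end else None


def virtual_layout_ok(sections, align=SECTION_ALIGNMENT):
    """Each section must start at the next aligned RVA after the previous one;
    gaps or overlaps usually mean a hand-edited or packed section table."""
    expected = sections[0][1]
    for _name, rva, vsize, *_rest in sections:
        if rva != expected:
            return False
        expected = align_up(rva + vsize, align)
    return True


def section_for_va(va, sections, base=IMAGE_BASE):
    """Name of the section containing a virtual address, or None."""
    rva = va - base
    for name, start, vsize, rsize, *_rest in sections:
        if start <= rva < start + max(vsize, rsize):
            return name
    return None


def suspicious_sections(sections):
    """Triage flags: writable+executable sections, entropy above 7.2 (packed
    or encrypted content), or executable sections whose raw data is far
    smaller than their virtual size (room reserved for unpacked code)."""
    flags = []
    for name, _rva, vsize, rsize, chars, entropy in sections:
        if "EXECUTE" in chars and "WRITE" in chars:
            flags.append((name, "writable+executable"))
        if entropy > 7.2:
            flags.append((name, "high entropy"))
        if "EXECUTE" in chars and vsize > 2 * rsize:
            flags.append((name, "virtual size >> raw size"))
    return flags


if __name__ == "__main__":
    print("derived overlay:", overlay(SECTIONS, FILE_SIZE), "reported:", REPORTED_OVERLAY)
    print("virtual layout consistent:", virtual_layout_ok(SECTIONS))
    print("entry point in:", section_for_va(ENTRY_POINT, SECTIONS))
    print("flags:", suspicious_sections(SECTIONS))
```

Under those assumptions the derived overlay is exactly the reported 0x00052400 / 0x00003390 and it ends at byte 350096, the file size, so the 13200 bytes after .reloc are the only data outside the section table; a file with a Detected Digital Signature match and an overlay of that size is consistent with the overlay being the Authenticode certificate table, which is what to confirm with a PE parser on the real file. The entry point resolves to .text, the import thunks at 0x43f00c and up resolve to .rdata, the single export resolves to .text, no section is both writable and executable, and the highest entropy is 6.61 in .text, which is ordinary compiled code rather than a packed payload.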

Imports

Library: KERNEL32.dll
0x43f00c GetOEMCP
0x43f010 IsValidCodePage
0x43f014 FindNextFileA
0x43f018 FindFirstFileExA
0x43f01c GetTickCount
0x43f020 SetDllDirectoryW
0x43f024 HeapAlloc
0x43f028 HeapReAlloc
0x43f02c HeapFree
0x43f030 HeapSize
0x43f038 CreateFileW
0x43f03c DeleteFileW
0x43f040 WriteFile
0x43f044 OutputDebugStringA
0x43f048 CloseHandle
0x43f04c GetLastError
0x43f050 SetLastError
0x43f054 GetCurrentProcessId
0x43f058 GetModuleFileNameW
0x43f05c GetCommandLineW
0x43f060 LocalFree
0x43f064 GetModuleHandleW
0x43f068 GetProcAddress
0x43f06c FindClose
0x43f070 FindFirstFileW
0x43f074 FindFirstFileExW
0x43f078 FindNextFileW
0x43f07c GetFileAttributesW
0x43f080 CreateDirectoryW
0x43f084 ReadFile
0x43f088 RemoveDirectoryW
0x43f08c SetFileAttributesW
0x43f090 GetCurrentProcess
0x43f094 CopyFileW
0x43f098 MoveFileExW
0x43f09c WaitForSingleObject
0x43f0a0 TerminateProcess
0x43f0a4 GetExitCodeProcess
0x43f0a8 OpenProcess
0x43f0ac IsDebuggerPresent
0x43f0b0 RaiseException
0x43f0b4 Sleep
0x43f0b8 GetCurrentThreadId
0x43f0c8 GetVersionExW
0x43f0cc GetNativeSystemInfo
0x43f0d0 FlushFileBuffers
0x43f0d4 SetFilePointerEx
0x43f0d8 GetProcessId
0x43f0dc GetModuleHandleExW
0x43f0fc TlsAlloc
0x43f100 TlsGetValue
0x43f104 TlsSetValue
0x43f108 TlsFree
0x43f10c ReadConsoleW
0x43f110 GetDriveTypeW
0x43f114 WriteConsoleW
0x43f11c EnumSystemLocalesW
0x43f120 GetUserDefaultLCID
0x43f124 IsValidLocale
0x43f128 GetACP
0x43f12c GetCommandLineA
0x43f130 GetStdHandle
0x43f134 GetModuleFileNameA
0x43f138 ExitProcess
0x43f13c GetFileType
0x43f140 SetStdHandle
0x43f144 GetFullPathNameW
0x43f148 GetConsoleMode
0x43f14c GetConsoleCP
0x43f150 GetProcessHeap
0x43f154 LoadLibraryExW
0x43f160 GetStartupInfoW
0x43f164 InitializeSListHead
0x43f168 WideCharToMultiByte
0x43f16c MultiByteToWideChar
0x43f170 EncodePointer
0x43f174 DecodePointer
0x43f178 CompareStringW
0x43f17c LCMapStringW
0x43f180 GetLocaleInfoW
0x43f184 GetStringTypeW
0x43f188 GetCPInfo
0x43f18c RtlUnwind
0x43f190 FreeLibrary
Library: SHELL32.dll
0x43f198 CommandLineToArgvW
Library: WINMM.dll
0x43f1a0 timeGetTime

Exports

Ordinal  Address    Name
1        0x412c50   GetHandleVerifier

Strings

.text
`.rdata
@.data
.gfids
@.tls
.reloc
QQVWj
QQVWj
QQVWj

Antivirus

No antivirus engine scan information.

Process Tree

browsing_data_remover.exe, PID: 2556, parent PID: 2216

TCP

Source address   Source port  Destination address  Destination host    Destination port
192.168.122.202  49160        96.7.129.34          acroipm.adobe.com   80

UDP

Source address   Source port  Destination address  Destination port
192.168.122.202  50785        192.168.122.1        53

HTTP Requests

URI
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

HTTP data
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

This capture is VM-wide. The process tree lists only browsing_data_remover.exe (PID 2556), nothing in the report ties the connection to that PID, and the sample's import table names no networking library (only KERNEL32, SHELL32 and WINMM). The host, the "IPM" User-Agent and the /11/rdr/CHS/ path have the shape of Adobe Reader's in-product messaging check, so treat this request as unattributed background traffic from the analysis VM unless a per-process capture shows otherwise.

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 15.629 seconds )

  • 10.93 Suricata
  • 1.672 NetworkAnalysis
  • 1.439 VirusTotal
  • 0.845 Static
  • 0.337 peid
  • 0.336 TargetInfo
  • 0.046 BehaviorAnalysis
  • 0.011 AnalysisInfo
  • 0.011 Strings
  • 0.002 Memory

Signatures ( 1.48 seconds )

  • 1.382 md_url_bl
  • 0.012 antiav_detectreg
  • 0.01 md_domain_bl
  • 0.007 antiav_detectfile
  • 0.006 geodo_banking_trojan
  • 0.006 infostealer_ftp
  • 0.005 anomaly_persistence_autorun
  • 0.005 infostealer_bitcoin
  • 0.004 infostealer_im
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 api_spamming
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_mail
  • 0.002 network_torgateway
  • 0.001 stealth_decoy_document
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antidbg_devices
  • 0.001 banker_zeus_mutex
  • 0.001 bot_athenahttp
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.468 seconds )

  • 0.466 ReportHTMLSummary
  • 0.002 Malheur
Task ID 628829
Mongo ID 606f3a427e769a06aceb2bb2
Cuckoo release 1.4-Maldun