恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2022-07-06 00:59:23	2022-07-06 01:01:33	130 秒

魔盾分数

0.8375

正常的

文件详细信息

文件名	EPlusCMBSetup.exe
文件大小	3318984 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	cdefb16af2fc6b70244561dd607b07bd
SHA1	5e26a1b84d5ff62d11a31fcd37115275092d19b3
SHA256	b016bc10c1c832bcebbacbd2f89a0868bc11ec1e0cd9debf2f6b880c054dbaa9
SHA512	187348a024dba8a05bed8f821d6cd7f8c739c2035a1a6be634f8c86b00e113ebea3468eff7d765e18ccd54927b2ab1596092d4a813a3c247e48ffb2a139dfdc6
CRC32	5106CA45
Ssdeep	98304:p+/P2KqtvbIOYktxBE9Qg2OeCHVfAqUZ2F1PE8Q9DuJjd:2eKq5cN9Qg2OeWV+Z1hujd
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x0043aef9
声明校验值	0x003376dd
实际校验值	0x003376dd
最低操作系统版本要求	5.1
PDB路径	D:\trunk\2345haozip\bin\Win32\release\pdb\HaoZip7zSetup.pdb
编译时间	2020-04-22 21:03:30
载入哈希	0f60d7fa1afe421bceb1e84afd1374d6

版本信息

FileVersion
ProductVersion
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
9853244a870d0f08927a629e5a0cc92eb2e29a56	Thu Jul 09 11:38:44 2020	是	无

证书链	Certificate Chain 1
发行给	DigiCert Assured ID Root CA
发行人	DigiCert Assured ID Root CA
有效期	Mon Nov 10 080000 2031
SHA1 哈希	0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

证书链	Certificate Chain 2
发行给	DigiCert Assured ID Code Signing CA-1
发行人	DigiCert Assured ID Root CA
有效期	Tue Feb 10 200000 2026
SHA1 哈希	409aa4a74a0cda7c0fee6bd0bb8823d16b5f1875

证书链	Certificate Chain 3
发行给	China Merchants Bank Co., Ltd
发行人	DigiCert Assured ID Code Signing CA-1
有效期	Mon Nov 15 200000 2021
SHA1 哈希	8b346a391b144d31dcb3038e2efe59b7d9f8c23e

证书链	Timestamp Chain 1
发行给	Thawte Timestamping CA
发行人	Thawte Timestamping CA
有效期	Fri Jan 01 075959 2021
SHA1 哈希	be36a4562fb2ee05dbb3d32323adf445084ed656

证书链	Timestamp Chain 2
发行给	Symantec Time Stamping Services CA - G2
发行人	Thawte Timestamping CA
有效期	Thu Dec 31 075959 2020
SHA1 哈希	6c07453ffdda08b83707c09b82fb3d15f35336b1

证书链	Timestamp Chain 3
发行给	Symantec Time Stamping Services Signer - G4
发行人	Symantec Time Stamping Services CA - G2
有效期	Wed Dec 30 075959 2020
SHA1 哈希	65439929b67973eb192d6ff243e6767adf0834e4

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0004d18b	0x0004d200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.64
.rdata	0x0004f000	0x00011d86	0x00011e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.92
.data	0x00061000	0x00008600	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.45
.rsrc	0x0006a000	0x00014064	0x00014200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.46
.reloc	0x0007f000	0x00004de0	0x00004e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	6.48

导入

库: COMCTL32.dll:

• 0x44f000 InitCommonControlsEx

库: SHELL32.dll:

• 0x44f1d8 SHGetMalloc

• 0x44f1dc ShellExecuteExW

• 0x44f1e0 SHGetFileInfoW

• 0x44f1e4 ShellExecuteW

• 0x44f1e8 CommandLineToArgvW

• 0x44f1ec SHBrowseForFolderW

• 0x44f1f0 SHGetPathFromIDListW

库: KERNEL32.dll:

• 0x44f014 VirtualFree

• 0x44f018 WriteConsoleW

• 0x44f01c DecodePointer

• 0x44f020 FlushFileBuffers

• 0x44f024 SetFilePointerEx

• 0x44f028 GetConsoleMode

• 0x44f02c HeapFree

• 0x44f030 GetLastError

• 0x44f034 LoadLibraryW

• 0x44f038 HeapAlloc

• 0x44f03c GetProcAddress

• 0x44f040 GetProcessHeap

• 0x44f044 FreeLibrary

• 0x44f048 GetFileAttributesW

• 0x44f04c CloseHandle

• 0x44f050 GetCurrentProcess

• 0x44f054 GetVersionExW

• 0x44f058 GetModuleHandleW

• 0x44f05c ExpandEnvironmentStringsW

• 0x44f060 InitializeCriticalSectionAndSpinCount

• 0x44f064 WaitForSingleObject

• 0x44f068 CreateProcessW

• 0x44f06c GetModuleFileNameW

• 0x44f070 GetCurrentDirectoryW

• 0x44f074 SetCurrentDirectoryW

• 0x44f078 LocalFree

• 0x44f07c SetFileApisToOEM

• 0x44f080 SetPriorityClass

• 0x44f084 SetThreadPriority

• 0x44f088 GetEnvironmentVariableW

• 0x44f08c GetCurrentThread

• 0x44f090 GetCommandLineW

• 0x44f094 FindFirstFileW

• 0x44f098 FindNextFileW

• 0x44f09c FindClose

• 0x44f0a0 EnterCriticalSection

• 0x44f0a4 LeaveCriticalSection

• 0x44f0a8 InitializeCriticalSection

• 0x44f0ac DeleteCriticalSection

• 0x44f0b0 GetLongPathNameW

• 0x44f0b4 CreateFileW

• 0x44f0b8 GetCurrentThreadId

• 0x44f0bc FindResourceW

• 0x44f0c0 GetCurrentProcessId

• 0x44f0c4 LoadLibraryExW

• 0x44f0c8 WriteFile

• 0x44f0cc SetFileTime

• 0x44f0d0 SetEndOfFile

• 0x44f0d4 FormatMessageW

• 0x44f0d8 InterlockedExchangeAdd

• 0x44f0dc ReadFile

• 0x44f0e0 SetFilePointer

• 0x44f0e4 VirtualAlloc

• 0x44f0e8 ResumeThread

• 0x44f0ec GetACP

• 0x44f0f0 MultiByteToWideChar

• 0x44f0f4 WideCharToMultiByte

• 0x44f0f8 CreateDirectoryW

• 0x44f0fc GetFullPathNameW

• 0x44f100 lstrlenW

• 0x44f104 RemoveDirectoryW

• 0x44f108 GetTempPathW

• 0x44f10c SetFileAttributesW

• 0x44f110 DeleteFileW

• 0x44f114 GetWindowsDirectoryW

• 0x44f118 MoveFileExW

• 0x44f11c GetTempFileNameW

• 0x44f120 MoveFileW

• 0x44f124 FileTimeToSystemTime

• 0x44f128 CreateEventW

• 0x44f12c SetEvent

• 0x44f130 ResetEvent

• 0x44f134 WaitForMultipleObjects

• 0x44f138 GetConsoleCP

• 0x44f13c HeapReAlloc

• 0x44f140 HeapSize

• 0x44f144 SetStdHandle

• 0x44f148 FreeEnvironmentStringsW

• 0x44f14c GetEnvironmentStringsW

• 0x44f150 GetCommandLineA

• 0x44f154 GetCPInfo

• 0x44f158 GetOEMCP

• 0x44f15c IsValidCodePage

• 0x44f160 FindFirstFileExW

• 0x44f164 LCMapStringW

• 0x44f168 GetFileType

• 0x44f16c GetStringTypeW

• 0x44f170 GetStdHandle

• 0x44f174 ExitProcess

• 0x44f178 GetModuleHandleExW

• 0x44f17c FreeLibraryAndExitThread

• 0x44f180 ExitThread

• 0x44f184 GetFileSize

• 0x44f188 CreateThread

• 0x44f18c TlsFree

• 0x44f190 TlsSetValue

• 0x44f194 TlsGetValue

• 0x44f198 TlsAlloc

• 0x44f19c EncodePointer

• 0x44f1a0 SetLastError

• 0x44f1a4 UnhandledExceptionFilter

• 0x44f1a8 SetUnhandledExceptionFilter

• 0x44f1ac TerminateProcess

• 0x44f1b0 IsProcessorFeaturePresent

• 0x44f1b4 WaitForSingleObjectEx

• 0x44f1b8 IsDebuggerPresent

• 0x44f1bc GetStartupInfoW

• 0x44f1c0 QueryPerformanceCounter

• 0x44f1c4 GetSystemTimeAsFileTime

• 0x44f1c8 InitializeSListHead

• 0x44f1cc RtlUnwind

• 0x44f1d0 RaiseException

库: USER32.dll:

• 0x44f1f8 ScreenToClient

• 0x44f1fc DispatchMessageW

• 0x44f200 SetTimer

• 0x44f204 IsDialogMessageW

• 0x44f208 TranslateMessage

• 0x44f20c LoadIconW

• 0x44f210 KillTimer

• 0x44f214 PostQuitMessage

• 0x44f218 EnableWindow

• 0x44f21c DestroyIcon

• 0x44f220 IsWindow

• 0x44f224 IsWindowVisible

• 0x44f228 ShowWindow

• 0x44f22c PostMessageW

• 0x44f230 GetWindowRect

• 0x44f234 SetWindowPos

• 0x44f238 GetSystemMetrics

• 0x44f23c DialogBoxParamW

• 0x44f240 SendMessageW

• 0x44f244 EndDialog

• 0x44f248 SetWindowTextW

• 0x44f24c SetFocus

• 0x44f250 GetDlgItem

• 0x44f254 GetWindowTextW

• 0x44f258 CreateDialogParamW

• 0x44f25c GetMessageW

• 0x44f260 GetDesktopWindow

• 0x44f264 LoadStringW

• 0x44f268 MessageBoxW

库: GDI32.dll:

• 0x44f008 CreateSolidBrush

• 0x44f00c DeleteObject

库: ole32.dll:

• 0x44f270 CoCreateInstance

• 0x44f274 CoInitializeEx

• 0x44f278 CoUninitialize

• 0x44f27c CoInitialize

.text
`.rdata
@.data
.rsrc
@.reloc
tPjdj
Ph@[E
WhmP@
7hpME
7hpME
Vhh]E
Vhh]E
Php]E

没有防病毒引擎扫描信息!

进程树

EPlusCMBSetup.exe id: 2592
- CMBSetup.exe id: 2808

EPlusCMBSetup.exe, PID: 2592, 上一级进程 PID: 2240

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

CMBSetup.exe, PID: 2808, 上一级进程 PID: 2592

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	23.37.124.88	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	23.37.124.88	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 20.293 seconds )

10.341 Suricata
6.432 Static
1.063 VirusTotal
1.045 NetworkAnalysis
0.818 TargetInfo
0.304 peid
0.26 BehaviorAnalysis
0.011 Strings
0.01 AnalysisInfo
0.007 config_decoder
0.002 Memory

Signatures ( 1.487 seconds )

1.319 md_url_bl
0.022 antiav_detectreg
0.012 api_spamming
0.01 infostealer_ftp
0.009 stealth_timeout
0.008 stealth_decoy_document
0.008 antiav_detectfile
0.007 infostealer_bitcoin
0.007 md_domain_bl
0.006 infostealer_im
0.005 anomaly_persistence_autorun
0.004 antianalysis_detectreg
0.004 geodo_banking_trojan
0.004 infostealer_mail
0.004 ransomware_extensions
0.004 ransomware_files
0.003 bootkit
0.003 mimics_filetime
0.003 virus
0.003 antivm_vbox_files
0.003 network_http
0.002 tinba_behavior
0.002 stealth_file
0.002 antivm_generic_disk
0.002 disables_browser_warn
0.001 antiemu_wine_func
0.001 network_tor
0.001 rat_nanocore
0.001 maldun_malicious_write_executeable_under_temp_to_regrun
0.001 dridex_behavior
0.001 maldun_anomaly_write_exe_and_obsfucate_extension
0.001 maldun_anomaly_massive_file_ops
0.001 antivm_generic_services
0.001 ransomware_message
0.001 sets_autoconfig_url
0.001 betabot_behavior
0.001 ipc_namedpipe
0.001 kibex_behavior
0.001 antivm_generic_scsi
0.001 shifu_behavior
0.001 infostealer_browser_password
0.001 cerber_behavior
0.001 kovter_behavior
0.001 hancitor_behavior
0.001 securityxploded_modules
0.001 antidbg_devices
0.001 antivm_parallels_keys
0.001 antivm_xen_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 browser_security
0.001 modify_proxy
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 md_bad_drop
0.001 network_cnc_http

Reporting ( 0.462 seconds )

0.461 ReportHTMLSummary
0.001 Malheur


Task ID	698092
Mongo ID	62c46e8cdc327b14ec5afd6d
Cuckoo release	1.4-Maldun