Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp03-1 2022-09-25 03:35:30 2022-09-25 03:36:40 70 seconds

Maldun score

10.0

Dangerous

File details

File name CBAIDE-V2.0.exe
File size 28823552 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cab033deb1cca30909cbaeb24b6e038a
SHA1 90a104c1c542013e29409ab12ecdd5fa6fb46284
SHA256 bd415a063526f28c5f6c6411779776c033e3d2d3c550a492ae2a4dbcd135f2b2
SHA512 642dda56390a5334f25703540aa16187b31d88d833a142b43070b1568d3fef34efc67e4a9c55e3f11cbfe007ededa057260869b008a5a99dc86264eec0e04843
CRC32 F8EE24F4
Ssdeep 786432:paLg+moS9iEkJjnvwaEqANGJeyNsJkZwXD:paL5mD9iXRnIaZNsJkZ

Hosts contacted

Direct IP Safety rating Location
180.97.105.13 China
66.70.229.50 United States

DNS resolution

Domain Safety rating Response
fmd-data.gz.bcebos.com Unknown A 180.97.105.13
CNAME gz.bcebos.com
CNAME bos.gz.bcebos.n.shifen.com
activate.htsoft.com Unknown A 66.70.229.50

PE information

Image base 0x00400000
Entry point 0x01eb9628
Declared checksum 0x00000000
Actual checksum 0x01b81900
Minimum OS version required 5.0
Compile time 2021-12-28 20:00:13
Import hash 61dfbc7d3afe009a71d057c42fa99ec4
Icon
Icon exact hash ddea6aed184e5f40c47b4f8604799be3
Icon similarity hash d8a0ba9ab3d18f8a88c48ff3a55f7629

Version information

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000a1416 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x000a3000 0x018d5f00 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x01979000 0x0004e14a 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp0 0x019c8000 0x000dd5cd 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp1 0x01aa6000 0x01b79884 0x01b7a000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.82
.rsrc 0x03620000 0x00001d91 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.23

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x03621024 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.27 data
RT_ICON 0x03621024 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.27 data
RT_ICON 0x03621024 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.27 data
RT_ICON 0x03621024 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.27 data
RT_ICON 0x03621024 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.27 data
RT_ICON 0x03621024 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.27 data
RT_GROUP_ICON 0x03621920 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON 0x03621920 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON 0x03621920 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION 0x03621934 0x00000290 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.34 MS Windows COFF PA-RISC object file
RT_MANIFEST 0x03621bc4 0x000001cd LANG_NEUTRAL SUBLANG_NEUTRAL 5.08 XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

Library: WINMM.dll:
0x3a11000 waveOutWrite
Library: WS2_32.dll:
0x3a11008 WSAAsyncSelect
Library: VERSION.dll:
0x3a11010 VerLanguageNameA
Library: KERNEL32.dll:
0x3a11018 GetVersionExA
0x3a1101c GetVersion
0x3a11020 EnumResourceNamesA
Library: USER32.dll:
0x3a11028 WinHelpA
Library: GDI32.dll:
0x3a11030 SetBkColor
Library: WINSPOOL.DRV:
0x3a11038 DocumentPropertiesA
Library: ADVAPI32.dll:
0x3a11040 RegSetValueExA
Library: SHELL32.dll:
0x3a11048 ShellExecuteA
Library: ole32.dll:
0x3a11050 CLSIDFromString
Library: OLEAUT32.dll:
0x3a11058 RegisterTypeLib
Library: COMCTL32.dll:
0x3a11060 ImageList_Destroy
Library: comdlg32.dll:
0x3a11068 ChooseColorA
Library: KERNEL32.dll:
0x3a11070 GetModuleFileNameW
Library: KERNEL32.dll:
0x3a11078 GetModuleHandleA
0x3a1107c LoadLibraryA
0x3a11080 LocalAlloc
0x3a11084 LocalFree
0x3a11088 GetModuleFileNameA
0x3a1108c ExitProcess

.text
`.rdata
@.data
.vmp0
.vmp1
.rsrc
ExitProcess
EnumResourceNamesA
WinHelpA
USER32.dll
&Op#}
comdlg32.dll
SHELL32.dll
1L`}p
RegSetValueExA
LoadLibraryA
,gu`)
LocalFree
No antivirus engine scan information!

Process tree

CBAIDE-V2.0.exe, PID: 2752, parent PID: 2352
cmd.exe, PID: 2932, parent PID: 2752
explorer.exe, PID: 3008, parent PID: 2932

TCP

Source address Source port Destination address Destination port
192.168.122.201 49164 180.97.105.13 fmd-data.gz.bcebos.com 443
192.168.122.201 49157 23.192.228.89 80
192.168.122.201 49166 66.70.229.50 activate.htsoft.com 80
192.168.122.201 49167 66.70.229.50 activate.htsoft.com 443

UDP

Source address Source port Destination address Destination port
192.168.122.201 56270 192.168.122.1 53
192.168.122.201 59401 192.168.122.1 53
192.168.122.201 59906 192.168.122.1 53

HTTP requests

URI HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://activate.htsoft.com/activate/test.html
GET /activate/test.html HTTP/1.1
User-Agent: URL_download
Host: activate.htsoft.com

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2022-09-25 03:36:29.872622+0800 192.168.122.201 49164 180.97.105.13 443 TLS 1.2 C=US, O=DigiCert Inc, CN=DigiCert Secure Site Pro CN CA G3 C=CN, ST=Beijing, O=BeiJing Baidu Netcom Science Technology Co., Ltd, CN=*.gz.bcebos.com 0d:96:eb:5c:1d:29:c7:88:ff:7c:79:74:a5:8d:ed:23:9a:df:e0:89
2022-09-25 03:36:38.065351+0800 192.168.122.201 49167 66.70.229.50 443 TLS 1.2 C=US, O=Let's Encrypt, CN=R3 CN=htsoft.com a6:41:81:aa:56:06:55:eb:da:58:57:02:35:a4:78:ab:3d:42:ae:ea

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files were dropped.
No similar analyses found.

Processing ( 54.833 seconds )

  • 19.431 Static
  • 13.794 Suricata
  • 12.683 NetworkAnalysis
  • 6.094 TargetInfo
  • 1.945 VirusTotal
  • 0.421 peid
  • 0.244 BehaviorAnalysis
  • 0.186 config_decoder
  • 0.013 AnalysisInfo
  • 0.013 Strings
  • 0.009 Memory

Signatures ( 42.993 seconds )

  • 40.925 network_http
  • 1.704 md_url_bl
  • 0.088 ransomware_extensions
  • 0.043 md_domain_bl
  • 0.033 antiav_detectreg
  • 0.016 stealth_file
  • 0.015 api_spamming
  • 0.014 infostealer_ftp
  • 0.012 stealth_decoy_document
  • 0.012 stealth_timeout
  • 0.008 infostealer_im
  • 0.007 anomaly_persistence_autorun
  • 0.007 antiav_detectfile
  • 0.007 antianalysis_detectreg
  • 0.006 ransomware_files
  • 0.005 mimics_filetime
  • 0.005 geodo_banking_trojan
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_mail
  • 0.004 reads_self
  • 0.004 antivm_generic_disk
  • 0.004 virus
  • 0.003 bootkit
  • 0.003 antivm_generic_scsi
  • 0.003 hancitor_behavior
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 network_torgateway
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 injection_createremotethread
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 cerber_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 browser_security
  • 0.002 md_bad_drop
  • 0.001 antiemu_wine_func
  • 0.001 antivm_vbox_libs
  • 0.001 maldun_anomaly_massive_file_ops
  • 0.001 antivm_generic_services
  • 0.001 process_interest
  • 0.001 ursnif_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 infostealer_browser_password
  • 0.001 antidbg_windows
  • 0.001 anormaly_invoke_kills
  • 0.001 vawtrak_behavior
  • 0.001 injection_runpe
  • 0.001 kovter_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 network_cnc_http
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.626 seconds )

  • 0.623 ReportHTMLSummary
  • 0.003 Malheur
Task ID 710649
Mongo ID 632f5cb37e769a059be15ff9
Cuckoo release 1.4-Maldun