Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp02-1
Start time: 2022-07-04 13:01:52
End time: 2022-07-04 13:04:01
Duration: 129 seconds

Maldun score

10.0 (Dangerous)

This is the sandbox's aggregate verdict, not a detection by any antivirus engine (the antivirus section below is empty); the evidence it was derived from is in the sections that follow.

File details

File name: RapixGcbScan.1.4.5.exe
File size: 3149944 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d0f9aab9ad6199a8bc14412dc7116a84
SHA1: 690da3855b9e15b7d7b18efc5a6484fb96e8f891
SHA256: 6e17daef103e801ce6c2121e9ce7d02d316eefc7059041c5326b1e9818566c55
SHA512: 8aa8441d9f2ed38dc1efa6c43666672e1a5266f8d5f327098fc71b58a0fe566d12f3058961f2ce6c366d86dc30a96179d3bb51fbd83d63b1ff1401d888b75144
CRC32: 1F62B060
ssdeep: 49152:BQB+PACzLXZlls8wbLUvERT2ttko22vuq7/RnanQbFhJTZAwDo0G1+7gO:+GzLZTZWosRT0tkN2vuq7lhU0G1+7gO

PE information

Image base: 0x00400000
Entry point: 0x004117dc
Declared checksum: 0x0030e5e6
Actual checksum: 0x0030e5e6
Minimum OS version: 5.0
Compile time: 2016-04-06 22:39:04
Import hash (imphash): 20dd26497880c05caed9305b3c8b9109

Notes: the declared and actual checksums match, so the file has not been patched without the checksum being recomputed (a weak check, since any tool can recompute it). The 2016 compile time is the build date of the prebuilt Inno Setup loader stub (SetupLdr) that every installer made with that Inno Setup release reuses; it says nothing about when this package was built, and the countersignature timestamp below (2022-06-27) is the better indicator. The entry point 0x004117dc falls inside the .itext section listed further down, which is where Delphi-built binaries place their initialization code; that is consistent with Inno Setup, whose loader is written in Delphi.

Version information

The report's own table leaves every field empty. The values below are the ones visible in the VS_VERSION_INFO block of the strings dump further down; fields that do not appear there are left blank.

LegalCopyright:
FileVersion: 1.4.5
CompanyName: Rapixus Info, Inc.
Comments: This installation was built with Inno Setup.
ProductName:
ProductVersion:
FileDescription: RapixGcbScan Setup
Translation: 000004b0 (language-neutral, Unicode code page)

Microsoft certificate verification (SignTool)

Signature SHA1: cdd5658b76e02db779767aec0446757cda996f7c
Timestamp: Mon Jun 27 16:23:24 2022
Valid: (empty in the report)
Error: The signing certificate is not valid for the requested usage.

Certificate Chain 1
  Issued to: DigiCert Assured ID Root CA
  Issuer: DigiCert Assured ID Root CA
  Expires: Mon Nov 10 08:00:00 2031
  SHA1: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Certificate Chain 2
  Issued to: DigiCert Trusted Root G4
  Issuer: DigiCert Assured ID Root CA
  Expires: Mon Nov 10 07:59:59 2031
  SHA1: 18c57901aa5ec47719c39400e1239a7ef12e9270
Certificate Chain 3
  Issued to: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  Issuer: DigiCert Trusted Root G4
  Expires: Tue Apr 29 07:59:59 2036
  SHA1: 7b0f360b775f76c94a12ca48445aa2d2a875701c
Certificate Chain 4
  Issued to:
  Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  Expires: Sun Dec 17 07:59:59 2023
  SHA1: a56cd01211558482b41ed00f2f93e503f09e5572
Timestamp Chain 1
  Issued to: DigiCert Assured ID Root CA
  Issuer: DigiCert Assured ID Root CA
  Expires: Mon Nov 10 08:00:00 2031
  SHA1: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Timestamp Chain 2
  Issued to: DigiCert Trusted Root G4
  Issuer: DigiCert Assured ID Root CA
  Expires: Mon Nov 10 07:59:59 2031
  SHA1: 18c57901aa5ec47719c39400e1239a7ef12e9270
Timestamp Chain 3
  Issued to: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
  Issuer: DigiCert Trusted Root G4
  Expires: Mon Mar 23 07:59:59 2037
  SHA1: b6c8af834d4e53b673c76872aa8c950c7c54df5f
Timestamp Chain 4
  Issued to: DigiCert Timestamp 2022 - 2
  Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
  Expires: Tue Mar 15 07:59:59 2033
  SHA1: 8508f386515cb3d3077db6b4b7c07f1b4a5e41de

Reading the chains: entry 1 is the DigiCert Assured ID root, entry 2 is the cross-certificate that lets DigiCert Trusted Root G4 chain up to that older root on hosts that do not trust G4 directly, entry 3 is the 2021 code-signing issuing CA and entry 4 is the signer's own certificate, whose subject the report leaves blank. The timestamp chain shares the same root and cross-certificate and ends in the DigiCert 2022 timestamping certificate. Two caveats before accepting the "not valid for the requested usage" result: it was produced inside the Windows 7 SP1 guest, whose trust store and crypto support are not those of a current host, so re-run signtool verify /pa /v (or Get-AuthenticodeSignature) on a patched machine; and the signing time, one week before the analysis, lies inside every certificate's validity window, so the dates alone do not explain the error.
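The date and issuer checks just described, as an added example that is not part of the report and not code from Microsoft or DigiCert. It rebuilds the two chains from the values printed above (the report gives only each certificate's expiry, so NotBefore is not checked, and the leaf subject stays blank) and applies the simplified Authenticode lifetime rule that a countersigned signature remains valid after the signing certificate expires, as long as the signing time fell inside every certificate's validity window. Revocation, EKU and trust-store membership are deliberately left out; those are what SignTool checks on top of this, and one of them is where the reported error must come from.

```python
"""Added example: offline consistency check of the certificate tables above.
Dates are copied from the report (its 'Mon Nov 10 080000 2031' style
written as ISO). Simplified Authenticode lifetime rule only; no revocation,
EKU or trust-store checks."""
from datetime import datetime, timezone

# Root first, as printed in the report.
CODE_SIGNING_CHAIN = [
    {"subject": "DigiCert Assured ID Root CA",
     "issuer": "DigiCert Assured ID Root CA", "not_after": "2031-11-10 08:00:00"},
    {"subject": "DigiCert Trusted Root G4",                       # cross-certificate
     "issuer": "DigiCert Assured ID Root CA", "not_after": "2031-11-10 07:59:59"},
    {"subject": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
     "issuer": "DigiCert Trusted Root G4", "not_after": "2036-04-29 07:59:59"},
    {"subject": "",                                               # leaf; blank in the report
     "issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
     "not_after": "2023-12-17 07:59:59"},
]
TIMESTAMP_CHAIN = [
    {"subject": "DigiCert Assured ID Root CA",
     "issuer": "DigiCert Assured ID Root CA", "not_after": "2031-11-10 08:00:00"},
    {"subject": "DigiCert Trusted Root G4",
     "issuer": "DigiCert Assured ID Root CA", "not_after": "2031-11-10 07:59:59"},
    {"subject": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
     "issuer": "DigiCert Trusted Root G4", "not_after": "2037-03-23 07:59:59"},
    {"subject": "DigiCert Timestamp 2022 - 2",
     "issuer": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
     "not_after": "2033-03-15 07:59:59"},
]
SIGNING_TIME = "2022-06-27 16:23:24"   # countersignature timestamp from the report
ANALYSIS_TIME = "2022-07-04 13:01:52"  # when the sandbox ran SignTool


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def chain_links(chain) -> bool:
    """True when the first entry is self-issued and every later entry was
    issued by the entry printed before it."""
    if not chain or chain[0]["subject"] != chain[0]["issuer"]:
        return False
    return all(chain[i]["issuer"] == chain[i - 1]["subject"]
               for i in range(1, len(chain)))


def signature_status(chain, signing_time: str, now: str, countersigned: bool) -> str:
    """'invalid'  : signed after some certificate in the chain had expired;
    'valid'    : every certificate unexpired at `now`, or the signature carries
                 a trusted RFC 3161 countersignature (signing time is used instead);
    'expired'  : no countersignature and a certificate has expired since."""
    t_sign, t_now = _t(signing_time), _t(now)
    expiries = [_t(c["not_after"]) for c in chain]
    if any(t_sign > e for e in expiries):
        return "invalid"
    if all(t_now <= e for e in expiries):
        return "valid"
    return "valid" if countersigned else "expired"


def report_verdict() -> dict:
    """Evaluate the report's chains at analysis time and after the leaf expired."""
    late = "2024-01-01 00:00:00"
    return {
        "code_chain_links": chain_links(CODE_SIGNING_CHAIN),
        "ts_chain_links": chain_links(TIMESTAMP_CHAIN),
        "at_analysis": signature_status(CODE_SIGNING_CHAIN, SIGNING_TIME, ANALYSIS_TIME, True),
        "after_leaf_expiry_no_ts": signature_status(CODE_SIGNING_CHAIN, SIGNING_TIME, late, False),
        "after_leaf_expiry_with_ts": signature_status(CODE_SIGNING_CHAIN, SIGNING_TIME, late, True),
    }


if __name__ == "__main__":
    for key, value in report_verdict().items():
        print(f"{key}: {value}")
```

Both chains link and the signature is date-valid at analysis time; after 2023-12-17 only the countersignature keeps it valid, which is the usual reason to insist on timestamped signatures for installers that stay in use for years.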

PE sections

Name Virtual address Virtual size Raw size Characteristics Entropy
.text 0x00001000 0x0000f244 0x0000f400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.38
.itext 0x00011000 0x00000f64 0x00001000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.73
.data 0x00012000 0x00000c88 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.30
.bss 0x00013000 0x000056bc 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00019000 0x00000e04 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.60
.tls 0x0001a000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0001b000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.20
.rsrc 0x0001c000 0x0000dfc8 0x0000e000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.38

Notes: the .text/.itext/.data/.bss/.idata/.tls/.rdata layout, with zero raw size for .bss and .tls, is the Delphi linker's and matches the Inno Setup loader. No section exceeds an entropy of 7, so the loader itself is not packed. The raw sizes add up to 0x20400 bytes (about 129 KiB) against a 3,149,944-byte file, so roughly 3 MB sits past the last section as an overlay; that is where Inno Setup appends its compressed setup data (the "Inno Setup Setup Data (5.5.7)" and lzmadecompsmall strings further down belong to the code that reads it), and it is from that overlay that the .tmp and RapixusGcb.exe seen in the process tree are extracted.

Imports

Library: oleaut32.dll:
0x419304 SysFreeString
0x419308 SysReAllocStringLen
0x41930c SysAllocStringLen
Library: advapi32.dll:
0x419314 RegQueryValueExW
0x419318 RegOpenKeyExW
0x41931c RegCloseKey
Library: user32.dll:
0x419324 GetKeyboardType
0x419328 LoadStringW
0x41932c MessageBoxA
0x419330 CharNextW
Library: kernel32.dll:
0x419338 GetACP
0x41933c Sleep
0x419340 VirtualFree
0x419344 VirtualAlloc
0x419348 GetSystemInfo
0x41934c GetTickCount
0x419354 GetVersion
0x419358 GetCurrentThreadId
0x41935c VirtualQuery
0x419360 WideCharToMultiByte
0x419364 MultiByteToWideChar
0x419368 lstrlenW
0x41936c lstrcpynW
0x419370 LoadLibraryExW
0x419374 GetThreadLocale
0x419378 GetStartupInfoA
0x41937c GetProcAddress
0x419380 GetModuleHandleW
0x419384 GetModuleFileNameW
0x419388 GetLocaleInfoW
0x41938c GetCommandLineW
0x419390 FreeLibrary
0x419394 FindFirstFileW
0x419398 FindClose
0x41939c ExitProcess
0x4193a0 WriteFile
0x4193a8 RtlUnwind
0x4193ac RaiseException
0x4193b0 GetStdHandle
0x4193b4 CloseHandle
Library: kernel32.dll:
0x4193bc TlsSetValue
0x4193c0 TlsGetValue
0x4193c4 LocalAlloc
0x4193c8 GetModuleHandleW
Library: user32.dll:
0x4193d0 CreateWindowExW
0x4193d4 TranslateMessage
0x4193d8 SetWindowLongW
0x4193dc PeekMessageW
0x4193e4 MessageBoxW
0x4193e8 LoadStringW
0x4193ec GetSystemMetrics
0x4193f0 ExitWindowsEx
0x4193f4 DispatchMessageW
0x4193f8 DestroyWindow
0x4193fc CharUpperBuffW
0x419400 CallWindowProcW
Library: kernel32.dll:
0x419408 WriteFile
0x41940c WideCharToMultiByte
0x419410 WaitForSingleObject
0x419414 VirtualQuery
0x419418 VirtualProtect
0x41941c VirtualFree
0x419420 VirtualAlloc
0x419424 SizeofResource
0x419428 SignalObjectAndWait
0x41942c SetLastError
0x419430 SetFilePointer
0x419434 SetEvent
0x419438 SetErrorMode
0x41943c SetEndOfFile
0x419440 ResetEvent
0x419444 RemoveDirectoryW
0x419448 ReadFile
0x41944c MultiByteToWideChar
0x419450 LockResource
0x419454 LoadResource
0x419458 LoadLibraryW
0x419460 GetVersionExW
0x419464 GetVersion
0x41946c GetThreadLocale
0x419470 GetSystemInfo
0x419474 GetSystemDirectoryW
0x419478 GetStdHandle
0x41947c GetProcAddress
0x419480 GetModuleHandleW
0x419484 GetModuleFileNameW
0x419488 GetLocaleInfoW
0x41948c GetLastError
0x419490 GetFullPathNameW
0x419494 GetFileSize
0x419498 GetFileAttributesW
0x41949c GetExitCodeProcess
0x4194a4 GetDiskFreeSpaceW
0x4194a8 GetCurrentProcess
0x4194ac GetCommandLineW
0x4194b0 GetCPInfo
0x4194b4 InterlockedExchange
0x4194bc FreeLibrary
0x4194c0 FormatMessageW
0x4194c4 FindResourceW
0x4194c8 EnumCalendarInfoW
0x4194cc DeleteFileW
0x4194d0 CreateProcessW
0x4194d4 CreateFileW
0x4194d8 CreateEventW
0x4194dc CreateDirectoryW
0x4194e0 CloseHandle
Library: advapi32.dll:
0x4194e8 RegQueryValueExW
0x4194ec RegOpenKeyExW
0x4194f0 RegCloseKey
0x4194f4 OpenProcessToken
Library: comctl32.dll:
0x419500 InitCommonControls
Library: kernel32.dll:
0x419508 Sleep
Library: advapi32.dll:
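How the import hash reported under PE information is derived from a listing like the one above, as an added example that is not part of the report and not pefile's own code: it parses the "Library: x.dll:" / "0xADDR Name" lines, normalises each entry the way pefile's get_imphash() does and hashes the comma-joined list in import order. The listing embedded below is a constructed subset of the table above. Note that the page's listing skips some thunk slots (the addresses jump from 0x41934c to 0x419354, from 0x4193a0 to 0x4193a8, and so on), so hashing it will not reproduce the reported 20dd26497880c05caed9305b3c8b9109; for that, hash the complete import directory of the file.

```python
"""Added example: imphash from an import listing (pefile-style normalisation)."""
import hashlib
import re

# Constructed subset of the report's import table, in the same order.
SAMPLE_LISTING = """Library: oleaut32.dll:
0x419304 SysFreeString
0x419308 SysReAllocStringLen
0x41930c SysAllocStringLen
Library: advapi32.dll:
0x419314 RegQueryValueExW
0x419318 RegOpenKeyExW
0x41931c RegCloseKey
Library: user32.dll:
0x419324 GetKeyboardType
0x419328 LoadStringW
0x41932c MessageBoxA
0x419330 CharNextW
"""

# Accepts both the translated label and the report's original one.
_LIB = re.compile(r"^(?:Library|库)\s*:\s*(?P<dll>\S+?):?\s*$")
_FN = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<fn>\S+)$")


def parse_listing(text: str) -> list:
    """[(dll, [function, ...]), ...] in listing order. A DLL that appears more
    than once stays as separate entries, as pefile iterates the import directory."""
    out, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _LIB.match(line)
        if m:
            current = (m.group("dll"), [])
            out.append(current)
            continue
        m = _FN.match(line)
        if m and current is not None:
            current[1].append(m.group("fn"))
    return out


def normalize(dll: str, func) -> str:
    """Lowercase, drop .dll/.ocx/.sys, ordinals become 'ordN'. (pefile also
    maps well-known ordinals of oleaut32/ws2_32 back to names; omitted here.)"""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            name = name[:-len(ext)]
            break
    if isinstance(func, int):
        func = f"ord{func}"
    return f"{name}.{str(func).lower()}"


def imphash(imports) -> str:
    """MD5 over the comma-joined normalised 'dll.function' list, in import order."""
    parts = [normalize(dll, fn) for dll, fns in imports for fn in fns]
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def imphash_of_listing(text: str) -> str:
    return imphash(parse_listing(text))


if __name__ == "__main__":
    print(imphash_of_listing(SAMPLE_LISTING))
```

Order matters: two binaries with the same imports in a different order get different hashes, which is what makes imphash useful for clustering builds from the same toolchain and useless against anything that rebuilds its import table at run time.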

Strings

.text
`.itext
`.data
.idata
.rdata
@.rsrc
AnsiString
FastMM Borland Edition (c) 2004 - 2008 Pierre le Riche / Professional Software Development
An unexpected memory leak has occurred.
The sizes of unexpected leaked medium and large blocks are:
bytes:
Unknown
AnsiString
UnicodeString
Unexpected Memory Leak
#5@:A
)=<:A
Uhk:@
PhT>@
VWUUh(?@
PhbA@
UhMB@
Uh`C@
0123456789ABCDEF
UhJT@
GetLongPathNameW
Uhhb@
Uh>j@
Uh j@
Exception0n@
t&f=0
r@f=9
WVUSj
TSetupLanguageEntry=
SetDefaultDllDirectories
SetDllDirectoryW
SetSearchPathMode
SetProcessDEPPolicy
Error
Runtime error at 00000000
Inno Setup Setup Data (5.5.7) (u)
Inno Setup Messages (5.5.3) (u)
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
advapi32.dll
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
user32.dll
GetKeyboardType
LoadStringW
MessageBoxA
CharNextW
kernel32.dll
GetACP
Sleep
VirtualFree
VirtualAlloc
GetSystemInfo
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
lstrcpynW
LoadLibraryExW
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetCommandLineW
FreeLibrary
FindFirstFileW
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
CloseHandle
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleW
user32.dll
CreateWindowExW
TranslateMessage
SetWindowLongW
PeekMessageW
MsgWaitForMultipleObjects
MessageBoxW
LoadStringW
GetSystemMetrics
ExitWindowsEx
DispatchMessageW
DestroyWindow
CharUpperBuffW
CallWindowProcW
kernel32.dll
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
SizeofResource
SignalObjectAndWait
SetLastError
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
RemoveDirectoryW
ReadFile
MultiByteToWideChar
LockResource
LoadResource
LoadLibraryW
GetWindowsDirectoryW
GetVersionExW
GetVersion
GetUserDefaultLangID
GetThreadLocale
GetSystemInfo
GetSystemDirectoryW
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLastError
GetFullPathNameW
GetFileSize
GetFileAttributesW
GetExitCodeProcess
GetEnvironmentVariableW
GetDiskFreeSpaceW
GetCurrentProcess
GetCommandLineW
GetCPInfo
InterlockedExchange
InterlockedCompareExchange
FreeLibrary
FormatMessageW
FindResourceW
EnumCalendarInfoW
DeleteFileW
CreateProcessW
CreateFileW
CreateEventW
CreateDirectoryW
CloseHandle
advapi32.dll
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
comctl32.dll
InitCommonControls
kernel32.dll
Sleep
advapi32.dll
AdjustTokenPrivileges
SetupLdr
RedirFunc
7PathFunc
SysUtils
eCharacter
KWindows
UTypes
SysInit
System
"RTLConsts
SysConst
YStrUtils
ImageHlp
CmnFunc2
VerInfo
AFileClass
Int64Em
cInstFunc
6MsgIDs
Compress
Struct
*ShellAPI
3Messages
SetupEnt
JLZMADecompSmall
SXPTheme
SafeDLLPath
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
kernel32.dll
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
kernel32.dll
GetDiskFreeSpaceExW
USERPROFILE
GetUserDefaultUILanguage
kernel32.dll
.DEFAULT\Control Panel\International
Locale
Control Panel\Desktop\ResourceLocale
[ExceptObject=nil]
File I/O error %d
Compressed block is corrupted
Compressed block is corrupted
Compressed block is corrupted
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
Unknown
Itanium
The setup files are corrupted. Please obtain a new copy of the program.
SeShutdownPrivilege
/SPAWNWND=
/Lang=
/HELP
The setup files are corrupted. Please obtain a new copy of the program.
For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Setup
kernel32.dll
uxtheme.dll
userenv.dll
setupapi.dll
apphelp.dll
propsys.dll
dwmapi.dll
cryptbase.dll
oleacc.dll
version.dll
profapi.dll
comres.dll
clbcatq.dll
Wow64DisableWow64FsRedirection
kernel32.dll
Wow64RevertWow64FsRedirection
shell32.dll
InnoSetupLdrWindow
STATIC
/SL5="$%x,%d,%d,
MAINICON(
Invalid file name - %s
Thursday
Write$Error creating variant or safe array)Variant or safe array index out of bounds
Invalid pointer operation
0@P`
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
This installation was built with Inno Setup.
CompanyName
Rapixus Info, Inc.
FileDescription
RapixGcbScan Setup
FileVersion
1.4.5
LegalCopyright

Antivirus scan

No antivirus engine scan results are available for this sample.

Process tree

RapixGcbScan.1.4.5.exe, PID: 2552, parent PID: 2172
  RapixGcbScan.1.4.5.tmp, PID: 2728, parent PID: 2552
    RapixusGcb.exe, PID: 2764, parent PID: 2728
      LGPO.exe, PID: 2940, parent PID: 2764
        SecEdit.exe, PID: 3064, parent PID: 2940
        auditpol.exe, PID: 2584, parent PID: 2940

Notes: parent PID 2172 is not in the tree; in Cuckoo-based sandboxes that is the analyzer process that launched the sample. The first hop, the installer spawning a copy of itself with a .tmp extension, is the standard Inno Setup loader behaviour (SetupLdr extracts the real Setup program from the overlay into a temporary directory and runs it). The installed program, RapixusGcb.exe, then runs LGPO.exe, Microsoft's Local Group Policy Object utility from the Security Compliance Toolkit, which applies security-template (.inf) settings through secedit.exe and audit settings through auditpol.exe, exactly the child pair seen here. That chain is what a tool that applies a security configuration baseline is expected to do, but it also means local security and audit policy were rewritten inside the guest; which settings were changed cannot be read from this page and needs the LGPO input files or the full behaviour log.
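Rebuilding the tree from the flat PID lines and answering the reviewer's question (what launched the tool that rewrote local policy?), as an added example that is not part of the report. The lines embedded in it are a copy of the report's process list; the parser also accepts the report's untranslated parent-PID label, and a `seen` set guards the ancestor walk against PID reuse producing a loop.

```python
"""Added example: process-tree reconstruction and ancestry of policy tools."""
import re
from collections import defaultdict

REPORT_TREE = """\
RapixGcbScan.1.4.5.exe, PID: 2552, parent PID: 2172
RapixGcbScan.1.4.5.tmp, PID: 2728, parent PID: 2552
RapixusGcb.exe, PID: 2764, parent PID: 2728
LGPO.exe, PID: 2940, parent PID: 2764
SecEdit.exe, PID: 3064, parent PID: 2940
auditpol.exe, PID: 2584, parent PID: 2940
"""

POLICY_TOOLS = {"lgpo.exe", "secedit.exe", "auditpol.exe"}
_LINE = re.compile(r"^(?P<name>.+?), PID: (?P<pid>\d+), "
                   r"(?:parent PID|上一级进程 PID): (?P<ppid>\d+)\s*$")


def parse_tree(text: str) -> dict:
    """pid -> {'name', 'ppid'}; lines that do not match the format are ignored."""
    procs = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"])}
    return procs


def roots(procs: dict) -> list:
    """PIDs whose parent is not in the report (here the sandbox analyzer, 2172)."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] not in procs)


def ancestry(procs: dict, pid: int) -> list:
    """Process names from the outermost known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def children(procs: dict) -> dict:
    kids = defaultdict(list)
    for pid, p in procs.items():
        kids[p["ppid"]].append(pid)
    return kids


def policy_tool_chains(procs: dict) -> dict:
    """name -> ancestry for every process whose image is a policy tool."""
    return {p["name"]: ancestry(procs, pid)
            for pid, p in sorted(procs.items())
            if p["name"].lower() in POLICY_TOOLS}


def render(procs: dict, pid: int, depth: int = 0, kids=None) -> str:
    """Indented tree, two spaces per level, children in PID order."""
    kids = kids if kids is not None else children(procs)
    p = procs[pid]
    line = f"{'  ' * depth}{p['name']}, PID: {pid}, parent PID: {p['ppid']}"
    return "\n".join([line] + [render(procs, c, depth + 1, kids) for c in sorted(kids[pid])])


if __name__ == "__main__":
    procs = parse_tree(REPORT_TREE)
    for root in roots(procs):
        print(render(procs, root))
    for name, chain in policy_tool_chains(procs).items():
        print(f"{name}: {' -> '.join(chain)}")
```

The same ancestry walk applied to endpoint telemetry (Sysmon event 1 or equivalent) is how to separate LGPO runs started by an administrator's deployment tooling from ones started by a freshly downloaded installer.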

Hosts contacted

No host records.

DNS resolution

No domain information. (The UDP flow below is a DNS query to the gateway 192.168.122.1, but the report records no resolved name for it.)

TCP

Source address Source port Destination address Destination port
192.168.122.201 49161 104.80.89.81 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 63246 192.168.122.1 53

HTTP requests

URI: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Note: this is the only HTTP request captured, and the report does not attribute it to any PID in the process tree. The acroipm.adobe.com host, the "IPM" user agent and the 2017 If-Modified-Since header are consistent with Adobe Reader's in-product messaging update check from a pre-installed Reader on the guest image, not with a callback by the sample. Before treating 104.80.89.81 as an indicator, confirm in the full behaviour log which process opened the connection; if the 10.0 score rests on a URL-blacklist match against this request, it rests on guest background traffic.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files were extracted from network traffic.
No dropped files were captured. (The process tree shows RapixGcbScan.1.4.5.tmp and RapixusGcb.exe being executed, so files were written to disk; the sandbox did not collect them, and this report gives no hashes for them or for LGPO.exe.)
No similar analyses found.

Processing ( 22.06 seconds )

  • 10.644 Suricata
  • 5.509 Static
  • 2.762 BehaviorAnalysis
  • 1.067 VirusTotal
  • 0.943 NetworkAnalysis
  • 0.801 TargetInfo
  • 0.301 peid
  • 0.016 Strings
  • 0.009 AnalysisInfo
  • 0.006 config_decoder
  • 0.002 Memory

Signatures ( 2.734 seconds )

Time spent evaluating each signature module. Every module the sandbox ships is listed, whether or not it matched, so a name in this list (ransomware_files, bootkit, injection_runpe, ...) is not a finding; the list of signatures that actually matched is not included on this page.

  • 1.309 md_url_bl
  • 0.155 antiav_detectreg
  • 0.149 api_spamming
  • 0.119 stealth_timeout
  • 0.112 stealth_decoy_document
  • 0.06 infostealer_ftp
  • 0.056 mimics_filetime
  • 0.038 stealth_file
  • 0.037 antivm_generic_scsi
  • 0.036 antianalysis_detectreg
  • 0.035 infostealer_im
  • 0.032 reads_self
  • 0.03 antiav_detectfile
  • 0.029 antivm_generic_services
  • 0.027 bootkit
  • 0.023 anormaly_invoke_kills
  • 0.023 virus
  • 0.02 infostealer_bitcoin
  • 0.02 infostealer_mail
  • 0.016 injection_createremotethread
  • 0.016 antivm_generic_disk
  • 0.015 ransomware_extensions
  • 0.013 infostealer_browser_password
  • 0.013 kovter_behavior
  • 0.012 antiemu_wine_func
  • 0.012 process_interest
  • 0.012 antivm_vbox_files
  • 0.01 infostealer_browser
  • 0.01 injection_runpe
  • 0.01 hancitor_behavior
  • 0.01 geodo_banking_trojan
  • 0.01 ransomware_files
  • 0.009 kibex_behavior
  • 0.008 antiav_avast_libs
  • 0.008 maldun_anomaly_massive_file_ops
  • 0.008 betabot_behavior
  • 0.008 antisandbox_sunbelt_libs
  • 0.008 ipc_namedpipe
  • 0.008 anomaly_persistence_autorun
  • 0.008 vawtrak_behavior
  • 0.008 antivm_xen_keys
  • 0.008 md_domain_bl
  • 0.007 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.007 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.007 sets_autoconfig_url
  • 0.007 securityxploded_modules
  • 0.007 antivm_parallels_keys
  • 0.007 darkcomet_regkeys
  • 0.006 ransomware_message
  • 0.006 antisandbox_sboxie_libs
  • 0.006 antiav_bitdefender_libs
  • 0.006 antidbg_windows
  • 0.006 antivm_generic_diskreg
  • 0.005 process_needed
  • 0.005 antidbg_devices
  • 0.005 recon_fingerprint
  • 0.004 disables_wfp
  • 0.003 network_tor
  • 0.003 antivm_vbox_libs
  • 0.003 disables_spdy
  • 0.003 antisandbox_productid
  • 0.003 disables_browser_warn
  • 0.003 network_http
  • 0.003 rat_pcclient
  • 0.002 tinba_behavior
  • 0.002 hawkeye_behavior
  • 0.002 rat_nanocore
  • 0.002 office_dl_write_exe
  • 0.002 office_write_exe
  • 0.002 kazybot_behavior
  • 0.002 ransomware_file_modifications
  • 0.002 shifu_behavior
  • 0.002 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.002 exec_crash
  • 0.002 cerber_behavior
  • 0.002 bypass_firewall
  • 0.002 antivm_generic_bios
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_acpi
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_files
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 codelux_behavior
  • 0.002 maldun_anomaly_invoke_vb_vba
  • 0.002 packer_armadillo_regkey
  • 0.001 maldun_anomaly_terminated_process
  • 0.001 rat_luminosity
  • 0.001 antivm_vmware_libs
  • 0.001 antivm_vbox_window
  • 0.001 injection_explorer
  • 0.001 antisandbox_script_timer
  • 0.001 sniffer_winpcap
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_system
  • 0.001 antivm_vpc_files
  • 0.001 banker_cridex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 malicous_targeted_flame
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 network_tor_service
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.641 seconds )

  • 0.624 ReportHTMLSummary
  • 0.017 Malheur
Task ID 697846
Mongo ID 62c274ecdc327b97d50509e2
Cuckoo release 1.4-Maldun