Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp03-1 | 2024-04-26 15:52:49 | 2024-04-26 15:53:23 | 34 seconds

Maldun score

0.05

Normal

No behavioural signature matched. The score summarises recorded runtime behaviour, and this task recorded essentially none (no screenshots, BehaviorAnalysis 0.002 s in the timing breakdown at the end), so it says little about the static indicators below.

File details

File name | php-cgi.exe
File size | 72656 bytes
File type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | 70a1a1487f39a4e25330f02e2870c3a6
SHA1 | 63dd944d89cdd8bad66d4f6261a8d24b5b169e76
SHA256 | fc4d3aa4ca04ba8bbe0f0fdd8c17ab17b5eb279b45b419bdd3975ec45e096b92
SHA512 | ede97f9485f1d9b9afd097d2d8758b8bc92d198b581393ab942c18a678f13bdd25d0bcbd50470c64ba4285c2567c9d24c0685e94d381a36b68a940ea0976b9ca
CRC32 | 545B79CA
Ssdeep | 1536:zP66qgNJ6dpMt9b786h+wixsjo4+Eju/UmVepeI5AsJjIxNH:zPg+J6dYdSsjo4+Eju/UmYeI5As1U

Screenshots

No screenshots available.

Host access records

No host records.

Domain resolution

No domain information.

PE info

Image base | 0x00400000
Entry point | 0x0040a13d
Declared checksum | 0x0001b1b6
Actual checksum | 0x0001b1b6
Minimum OS version | 5.1
PDB path | D:\临时存放\2024年C++学习源码【3-20】\copy\【2024-3-20新版】\Release\php-cgi.pdb
Compile time | 2024-03-23 11:29:25
Import hash (imphash) | b0deee85a0475c8e031cbd2d0844bf32
Icon exact hash | acc665f56aa42d5cc27a6698b63f3ad0
Icon similarity hash | 7d25c8a5a1d886abc6e4aead4b14e5a5

The report rendered the PDB path's UTF-8 bytes as \xNN escapes; decoded, the directory names read "temporary storage", "2024 C++ learning source code【3-20】" and "【2024-3-20 new version】". A debug path from a personal C++ learning tree, compiled on 2024-03-23, does not match a build of php-cgi.exe by The PHP Group, which is what the version resource below claims.

Version info

The parsed table in the report is empty; the values below are recovered from the VS_VERSION_INFO strings in the strings dump further down.

LegalCopyright | Copyright 1997-2018 The PHP Group
InternalName | CLI_WIN32 SAPI
FileVersion | 7.2.34.0
CompanyName | The PHP Group
ProductName | (no value in the strings dump)
ProductVersion | 7.2.34.0
FileDescription | (no value in the strings dump)
OriginalFilename | php-cgi.exe
Translation | 080404b0 (language 0x0804 Chinese Simplified, charset 0x04b0 Unicode)

Version strings are written by whoever builds the binary and prove nothing about origin. Here the claimed vendor is not corroborated by the PDB path above or by the code-signing certificate below (whose subject the report leaves blank), and the copyright range ends six years before the compile timestamp, so treat the resource as a vendor-impersonation indicator rather than provenance.

Microsoft certificate verification (SignTool)

SHA1 | Timestamp | Validity | Error
04941dd1101a8db097854286a5345c62f52b474c | Sat Mar 23 11:37:59 2024 | (not shown in the report) | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Certificate chain 1
Issued to | AAA Certificate Services
Issuer | AAA Certificate Services
Valid until | Mon Jan 01 07:59:59 2029
SHA1 | d1eb23a46d17d68fd92564c2f1f1601764d8e349

Certificate chain 2
Issued to | Sectigo Public Code Signing Root R46
Issuer | AAA Certificate Services
Valid until | Mon Jan 01 07:59:59 2029
SHA1 | 329b78a5c9ebc2043242de90ce1b7c6b1ba6c692

Certificate chain 3
Issued to | Sectigo Public Code Signing CA R36
Issuer | Sectigo Public Code Signing Root R46
Valid until | Sat Mar 22 07:59:59 2036
SHA1 | 0bc5e76773d2e44fc9903d4dfefe451553bbec4a

Certificate chain 4
Issued to | (blank in the report)
Issuer | Sectigo Public Code Signing CA R36
Valid until | Sun Mar 22 07:59:59 2026
SHA1 | c26c07a0bc6aea3866472a8323f93477dd87e2dc

Timestamp chain 1
Issued to | DigiCert Assured ID Root CA
Issuer | DigiCert Assured ID Root CA
Valid until | Mon Nov 10 08:00:00 2031
SHA1 | 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

Timestamp chain 2
Issued to | DigiCert Trusted Root G4
Issuer | DigiCert Assured ID Root CA
Valid until | Mon Nov 10 07:59:59 2031
SHA1 | a99d5b79e9f1cda59cdab6373169d5353f5874c6

Timestamp chain 3
Issued to | DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Issuer | DigiCert Trusted Root G4
Valid until | Mon Mar 23 07:59:59 2037
SHA1 | b6c8af834d4e53b673c76872aa8c950c7c54df5f

Timestamp chain 4
Issued to | DigiCert Timestamp 2023
Issuer | DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Valid until | Sat Oct 14 07:59:59 2034
SHA1 | 66f02b32c2c2c90f825dceaa8ac9c64f199ccf40

The error text is the one Windows returns as CERT_E_UNTRUSTEDROOT: the chain was built, but its root is absent from the verifying machine's trusted-root store. That is a statement about the sandbox VM's certificate store, not about whether the signature matches the file, so re-verify on an up-to-date host (for example signtool verify /pa /v php-cgi.exe, or Get-AuthenticodeSignature in PowerShell) and read the leaf certificate's subject, which this report leaves blank. A valid chain proves only that some holder of a Sectigo-issued code-signing certificate signed the file; it does not corroborate the "The PHP Group" claim in the version resource. The signature timestamp is eight and a half minutes after the compile time in the PE header, which is consistent with a sign-after-build step by the same party.

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text | 0x00001000 | 0x0000a27c | 0x0000a400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.43
.rdata | 0x0000c000 | 0x0000275a | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.78
.data | 0x0000f000 | 0x000006d8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.41
.rsrc | 0x00010000 | 0x00000c68 | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.96
.reloc | 0x00011000 | 0x00000864 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.92

Section names, flags and entropies are what an unpacked MSVC release build looks like (code at 6.43, data sections well below that); nothing here suggests a packer or an executable data section.

Overlay

Offset | 0x0000ec00
Size | 0x00002fd0

Offset plus size is 0x00011bd0 = 72656 bytes, the full file size, so the overlay runs to end of file. An Authenticode signature is stored in the PE security directory, which lives in the overlay, and a 12,240-byte blob is the expected size for the Sectigo and DigiCert chains listed above. Confirm that the security directory's offset and size match these two values before treating any overlay bytes as appended payload.

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON | 0x00010288 | 0x00000568 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.46 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x00010288 | 0x00000568 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.46 | GLS_BINARY_LSB_FIRST
RT_GROUP_ICON | 0x000107f0 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.30 | MS Windows icon resource - 2 icons, 16x16, 16 colors
RT_VERSION | 0x00010818 | 0x000002c8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.48 | data
RT_MANIFEST | 0x00010ae0 | 0x00000188 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.90 | XML 1.0 document text

Imports

Library: KERNEL32.dll:
0x40c000 GlobalLock
0x40c004 GlobalAlloc
0x40c008 GlobalUnlock
0x40c00c CreateMutexW
0x40c010 GetLastError
0x40c014 CloseHandle
0x40c018 GetTickCount
0x40c01c Sleep
0x40c020 GetSystemInfo
0x40c028 GetCurrentProcess
0x40c02c TerminateProcess
0x40c034 IsDebuggerPresent
0x40c038 GetModuleHandleW
0x40c040 GetCurrentProcessId
0x40c044 GetCurrentThreadId
0x40c04c InitializeSListHead
Library: VCRUNTIME140.dll:
0x40c0c0 memcpy
0x40c0c8 memset
0x40c0cc _CxxThrowException
0x40c0d0 memmove
0x40c0d8 __std_terminate
0x40c0dc strchr
0x40c0e0 memchr
0x40c0e4 __CxxFrameHandler3
Library: api-ms-win-crt-heap-l1-1-0.dll:
0x40c0f0 _set_new_mode
0x40c0f4 realloc
0x40c0f8 malloc
0x40c0fc _callnewh
0x40c100 free
Library: api-ms-win-crt-runtime-l1-1-0.dll:
0x40c11c __p___argc
0x40c120 __p___argv
0x40c124 _c_exit
0x40c12c _initterm_e
0x40c130 _exit
0x40c134 _set_app_type
0x40c138 terminate
0x40c13c _controlfp_s
0x40c140 _seh_filter_exe
0x40c144 _cexit
0x40c148 exit
0x40c14c _initterm
0x40c150 _crt_atexit
Library: api-ms-win-crt-stdio-l1-1-0.dll:
0x40c174 _set_fmode
0x40c178 __p__commode
Library: api-ms-win-crt-math-l1-1-0.dll:
0x40c110 __setusermatherr
Library: api-ms-win-crt-locale-l1-1-0.dll:
0x40c108 _configthreadlocale

This table is partial. The thunk addresses skip slots (0x40c020 to 0x40c028, 0x40c02c to 0x40c034, 0x40c038 to 0x40c040, and so on), and the strings dump below names imports that do not appear here at all: the whole MSVCP140.dll set (std::locale and std::regex helpers) and further KERNEL32 names such as QueryPerformanceCounter, SetUnhandledExceptionFilter and GetSystemTimeAsFileTime. Read it as the input to the imphash, not as a complete API inventory. Two points still stand: no networking library (WS2_32, WININET, WINHTTP) is imported or named anywhere in the strings, and the VCRUNTIME140.dll/MSVCP140.dll dependencies mean the sample will not load on a Windows 7 VM that lacks the Visual C++ 2015-2022 redistributable. A load failure of that kind would produce exactly what this task shows, no screenshots and no process behaviour, although the report does not say that this is what happened.

Strings

.text
`.rdata
@.data
.rsrc
@.reloc
bad allocation
bad array new length
Unknown exception
bad cast
72d33d1a0b25380e034c0a093b0143e17eda60e068ea5ce66cc64cf1242ee664e35db472c19d6dee58cc5e
a085b759e93b094fda5ac949e45cd12f080d191c1efe00180e0239f6420ef7080a0402
b292b970a89f6bbf67b976c15fd74cd74412272f122cf152e43d1a222bed53fc2bea44
e065de54c25ec942e02e123cd24bee4bdf43f92dd469a59b7282aa7c87be86af6a9670
0b1c0e48ce62b354b36fd544d53c060417280f4fb0977f95bb45cf4c0d05014cc080cd50d558e52f1536ef
qqwweerrttyyuuiioopp
83a683bc98bc76929a88a09f68b98fbc6cde49e73aff160d35e228e328291b26200cf5
3de040e02fff2ed64ae4231eec37f925fc50e643c168d06ed249ef360a002ddc3ffe1d
9f82bc73c87aa5848c75b753e2261cfb3c1a0909f21ce02c0157ab62e62aee3ed458b2
e761e02edd6ba6bd6bef69db44041f095fca47b296b744
c451d445d77ccc55c068ec63e5322acd66fc38e5113516e4
a875d742ea49131f223b002406124adc233fd668e55fd871c87ccc55f456fb20e263e037
c550f227f5521a0645064bd154c0986db38f65d674cd69e147f245ed6dee5cc0450d4aae
ad78ab7eae77b17fc254db34e831e77c9fa0a2ab7985c97585
string too long
invalid string position
vector<bool> too long
vector<T> too long
alnum
alpha
blank
cntrl
digit
graph
lower
print
punct
space
upper
xdigit
GetClipboardDataSetClipboardData
\Release\php-cgi.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIZ
.CRT$XPA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
GlobalLock
GlobalAlloc
GlobalUnlock
CreateMutexW
GetLastError
CloseHandle
GetTickCount
Sleep
GetSystemInfo
KERNEL32.dll
?_Xbad_alloc@std@@YAXXZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
_Strcoll
_Strxfrm
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?_Xout_of_range@std@@YAXPBD@Z
_Xtime_get_ticks
_Thrd_sleep
?_Xlength_error@std@@YAXPBD@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z
?tolower@?$ctype@D@std@@QBEDD@Z
??1facet@locale@std@@MAE@XZ
??0facet@locale@std@@IAE@I@Z
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UAEXXZ
??Bid@locale@std@@QAEIXZ
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
??1_Locinfo@std@@QAE@XZ
??0_Locinfo@std@@QAE@PBD@Z
MSVCP140.dll
__CxxFrameHandler3
memchr
strchr
__std_terminate
__std_exception_copy
__std_exception_destroy
memmove
_CxxThrowException
memset
_except_handler4_common
VCRUNTIME140.dll
_invalid_parameter_noinfo_noreturn
__stdio_common_vsprintf
__stdio_common_vsscanf
malloc
realloc
_callnewh
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
__setusermatherr
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_set_fmode
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_configthreadlocale
_set_new_mode
__p__commode
terminate
_controlfp_s
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
memcpy
.?AVtype_info@@
.?AVbad_alloc@std@@
.?AVbad_array_new_length@std@@
.?AV?$_Node_str@D@std@@
.?AV?$_Node_class@DV?$regex_traits@D@std@@@std@@
.?AV_Node_end_rep@std@@
.?AV_Node_rep@std@@
.?AV_Node_if@std@@
.?AV_Node_endif@std@@
.?AV_Node_back@std@@
.?AV_Node_capture@std@@
.?AV_Node_assert@std@@
.?AV_Node_end_group@std@@
.?AV_Root_node@std@@
.?AV_Node_base@std@@
.?AV?$collate@D@std@@
.?AVfacet@locale@std@@
.?AU_Crt_new_delete@std@@
.?AV_Facet_base@std@@
.?AVbad_cast@std@@
.?AVexception@std@@
wwwwwwwwwwwwwwwwwwwwwwwwwwww
=(?,?0?4?8?<?@?D?
:):4:}?
?I?Z?
2+282C2T2^2h2s2
< <(<<<D<L<T<h<
run_php
alnum
alpha
blank
cntrl
digit
graph
lower
print
punct
space
upper
xdigit
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
The PHP Group
FileDescription
FileVersion
7.2.34.0
InternalName
CLI_WIN32 SAPI
LegalCopyright
Copyright 1997-2018 The PHP Group
OriginalFilename
php-cgi.exe
ProductName
ProductVersion
7.2.34.0
VarFileInfo
Translation
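The static sections above hand an analyst several loose facts: a PDB path rendered as \xNN byte escapes, a vendor claim in the version resource that neither the PDB path nor the (blank) signer subject supports, a copyright range ending in 2018 on a binary compiled in 2024, the strings GetClipboardData and SetClipboardData with no USER32 import to match them (alongside the GlobalAlloc/GlobalLock/GlobalUnlock trio that clipboard data transfer uses), and a run of long hex strings. The script below is an added example, not Maldun or Cuckoo code and not anything from the sample: it decodes the escaped path and turns those observations into repeatable checks. SAMPLE_META is constructed from the fields printed in this report (a subset of the strings dump), CONTROL_META is a made-up benign control, and the heuristics, API watchlist and thresholds are this example's own choices.

```python
"""Consistency triage over the static fields a sandbox report exposes.

Added example for this report; not Maldun/Cuckoo code. SAMPLE_META is
constructed from the php-cgi.exe fields above; CONTROL_META is a made-up
benign control. Heuristics, watchlist and thresholds are this example's own.
"""
import re
from datetime import datetime, timedelta

# Reports often repr() raw bytes, so multibyte UTF-8 shows up as \xNN while
# ASCII and backslashes stay literal.
ESCAPED_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Long lowercase-hex runs are a common shape for embedded encoded config.
HEX_BLOB = re.compile(r"[0-9a-f]{40,}")
COPYRIGHT_SPAN = re.compile(r"(\d{4})\s*-\s*(\d{4})")
# API names worth noticing when present as plain strings but absent from the
# import table: runtime resolution, or a truncated import listing.
API_WATCHLIST = ("OpenClipboard", "GetClipboardData", "SetClipboardData",
                 "GetProcAddress", "LoadLibraryA", "LoadLibraryW",
                 "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread")


def decode_escaped_path(escaped: str) -> str:
    """Rebuild the original UTF-8 path from a string where only non-ASCII
    bytes were escaped as \\xNN. A real directory named like "xe4..." would
    be misread; that ambiguity is inherent to the report's rendering."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        m = ESCAPED_BYTE.match(escaped, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(escaped[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def triage(meta: dict) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing odd."""
    findings = []
    vi = meta["version_info"]

    pdb = decode_escaped_path(meta["pdb_path"])
    if any(ord(ch) > 0x7F for ch in pdb):
        findings.append(("PDB_NONASCII", pdb))

    # Vendor claimed in the version resource vs. who actually signed.
    company = vi.get("CompanyName", "")
    signer = meta.get("signer_subject", "")
    if company and company.lower() not in signer.lower():
        findings.append(("VENDOR_SIGNER_MISMATCH", f"{company!r} vs signer {signer!r}"))

    # Copyright range that ends well before the PE compile timestamp.
    span = COPYRIGHT_SPAN.search(vi.get("LegalCopyright", ""))
    if span and meta["compile_time"].year - int(span.group(2)) >= 2:
        findings.append(("COPYRIGHT_STALE",
                         f"copyright ends {span.group(2)}, compiled {meta['compile_time'].year}"))

    # Signature timestamp before the compile time, or long after it.
    if meta.get("sign_time"):
        delta = meta["sign_time"] - meta["compile_time"]
        if delta < timedelta(0) or delta > timedelta(days=30):
            findings.append(("SIGN_TIME_ODD", str(delta)))

    # Substring match: the dump may glue adjacent names together, as in
    # "GetClipboardDataSetClipboardData".
    imports = set(meta["imports"])
    for api in API_WATCHLIST:
        if api not in imports and any(api in s for s in meta["strings"]):
            findings.append(("API_STRING_NOT_IMPORTED", api))

    blobs = [s for s in meta["strings"] if HEX_BLOB.fullmatch(s)]
    if len(blobs) >= 3:
        findings.append(("HEX_BLOBS", f"{len(blobs)} hex strings of 40+ chars"))
    return findings


# Constructed from the report above (subset of the strings dump).
SAMPLE_META = {
    "pdb_path": (r"D:\\xe4\xb8\xb4\xe6\x97\xb6\xe5\xad\x98\xe6\x94\xbe\2024\xe5\xb9\xb4C++"
                 r"\xe5\xad\xa6\xe4\xb9\xa0\xe6\xba\x90\xe7\xa0\x81\xe3\x80\x903-20\xe3\x80\x91"
                 r"\copy\xe3\x80\x902024-3-20\xe6\x96\xb0\xe7\x89\x88\xe3\x80\x91\Release\php-cgi.pdb"),
    "compile_time": datetime(2024, 3, 23, 11, 29, 25),
    "sign_time": datetime(2024, 3, 23, 11, 37, 59),
    "signer_subject": "",  # leaf "issued to" is blank in the report
    "version_info": {
        "CompanyName": "The PHP Group",
        "FileVersion": "7.2.34.0",
        "InternalName": "CLI_WIN32 SAPI",
        "LegalCopyright": "Copyright 1997-2018 The PHP Group",
        "OriginalFilename": "php-cgi.exe",
        "ProductVersion": "7.2.34.0",
    },
    "imports": ["GlobalLock", "GlobalAlloc", "GlobalUnlock", "CreateMutexW",
                "GetLastError", "CloseHandle", "GetTickCount", "Sleep",
                "GetSystemInfo", "IsDebuggerPresent", "GetModuleHandleW"],
    "strings": [
        "GetClipboardDataSetClipboardData", "run_php", "qqwweerrttyyuuiioopp",
        "72d33d1a0b25380e034c0a093b0143e17eda60e068ea5ce66cc64cf1242ee664e35db472c19d6dee58cc5e",
        "a085b759e93b094fda5ac949e45cd12f080d191c1efe00180e0239f6420ef7080a0402",
        "b292b970a89f6bbf67b976c15fd74cd74412272f122cf152e43d1a222bed53fc2bea44",
        "e761e02edd6ba6bd6bef69db44041f095fca47b296b744",
    ],
}

# Made-up benign control (hypothetical vendor and paths) for comparison.
CONTROL_META = {
    "pdb_path": r"C:\build\app\Release\app.pdb",
    "compile_time": datetime(2024, 3, 1, 9, 0, 0),
    "sign_time": datetime(2024, 3, 2, 9, 0, 0),
    "signer_subject": "CN=Contoso Ltd",
    "version_info": {"CompanyName": "Contoso",
                     "LegalCopyright": "Copyright 2023-2024 Contoso"},
    "imports": ["GetClipboardData", "SetClipboardData"],
    "strings": ["GetClipboardDataSetClipboardData", "run"],
}

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_META):
        print(f"{code:24} {detail}")
```

The findings are indicators to chase, not a verdict: the PDB decode tells you where to look for the build tree, the vendor/signer mismatch tells you the version resource is not evidence, and the API-string check tells you the import table shown is not the whole story, which for this sample is also visible from the thunk-address gaps.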
No antivirus engine scan information.

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 | 49161 | 72.247.211.224 | 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 | 59401 | 192.168.122.1 | 53

HTTP requests

URI | HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Nothing in this report ties the request to the sample. The binary imports no networking API and names none in its strings, the task recorded no process behaviour, and the request itself (an Adobe host, User-Agent "IPM", a 2017 If-Modified-Since date, a CHS localisation path) has the shape of a pre-installed Adobe Reader in-product-messaging check fired by the VM image. The single DNS query to the gateway on port 53 and the TCP session to 72.247.211.224:80 are the same event seen at the packet layer. Without process-level attribution, which this report does not provide, do not record the host or IP as sample infrastructure.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from the network.
No files were dropped.
No similar analyses found.

Processing ( 12.968 seconds )

  • 10.92 Suricata
  • 1.044 NetworkAnalysis
  • 0.402 Static
  • 0.303 peid
  • 0.278 TargetInfo
  • 0.01 AnalysisInfo
  • 0.007 Strings
  • 0.002 BehaviorAnalysis
  • 0.002 Memory

Signatures ( 1.389 seconds )

  • 1.308 proprietary_url_bl
  • 0.013 antiav_detectreg
  • 0.008 proprietary_domain_bl
  • 0.007 antiav_detectfile
  • 0.005 anomaly_persistence_autorun
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 cerber_behavior
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.492 seconds )

  • 0.456 ReportHTMLSummary
  • 0.036 Malheur
Task ID 744343
Mongo ID 662b5dad7e769a5b68bf3138
Cuckoo release 1.4-Maldun