Setup exe 文件恶意软件分析

技术分析

文件名	Setup.exe
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
扫描器版本	1.0.231.174
数据库版本	2026-01-01 22:00:33 UTC

扫描另一个文件

文件识别

哈希类型	值	操作
MD5	63a1a5750ce5d56251aafcb5eb71518f
SHA1	3bdd5de67d5ddcc5fb0b44f2922b261cd5f9bd28
SHA256	5ec3662c723b1b385162631f158340de02acc6a164c927a02f48a6b2edbaa972
SHA512	ab5a51ee58bd26b0b56fe4ac0041ea8d54837becae828420556de0ddc88233c82386035bab91fe65c5d46b7fb9fc1a9a3954aa891532e0fa198683d362c0b7d0
ImpHash	366e3564447291961cf29e95c3b6a35d

PE 分析

基本信息

▼

图标	哈希: d84ee41df74bfdac63236c5e6230bcdc 模糊: 2056fd547d9c5e01ccf89a02dcfb5807 dHash: 42b96ce4e0e1e2e4
映像基址	`0x00010000`
入口点	`0x00078014`
编译时间	1992-06-19 22:22:17
校验和	0x000906f9 (实际: 0x000906f9)
操作系统版本	1.0
PEiD 签名	`PE32 executable (GUI) Intel 80386, for MS Windows`
数字签名	Chain verification from CN=SweetLow, [email protected] (serial:83630978287610595496085376937295927342, sha1:c415cbf62af1b513b81ed7b707bde0a954e2b813) failed: The X.509 certificate provided is self-signed - "Common Name: SweetLow, Email Address: [email protected]"
导入	11 库
导出	0 函数
资源	34 资源
节	8 节

PE 节

▼

名称	虚拟地址	虚拟大小	原始大小	熵	特征	MD5
`CODE`	`0x00001000`	422,020 bytes	422,400 bytes	6.54 (压缩)	`IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ`	`F9C56FF2069337E2B091612EF470439C`
`DATA`	`0x00069000`	18,320 bytes	18,432 bytes	6.59 (压缩)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`981CDDCF245B67DF508807E5985EF398`
`BSS`	`0x0006e000`	3,137 bytes	0 bytes	0.00 (正常)	`IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`D41D8CD98F00B204E9800998ECF8427E`
`.idata`	`0x0006f000`	9,808 bytes	10,240 bytes	4.94 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`4CF4EE63E1493D2ACB33AB571F7C1606`
`.tls`	`0x00072000`	16 bytes	0 bytes	0.00 (正常)	`IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`D41D8CD98F00B204E9800998ECF8427E`
`.rdata`	`0x00073000`	24 bytes	512 bytes	0.21 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_SHARED\|IMAGE_SCN_MEM_READ`	`B37CEDCA1F54FA31CDD2456444A0B8C3`
`.reloc`	`0x00074000`	25,792 bytes	26,112 bytes	6.64 (压缩)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_SHARED\|IMAGE_SCN_MEM_READ`	`9BD3E4BC4510F50FACF3A7365849D32D`
`.rsrc`	`0x0007b000`	95,744 bytes	95,744 bytes	7.50 (打包/加密)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_SHARED\|IMAGE_SCN_MEM_READ`	`41EBAD506AA7BA1E4ADCA3011A821325`

熵分析警报

1 检测到高熵（≥7.5）的节 - 可能存在打包/加密

3 检测到较高熵（≥6.5）的节 - 可能存在压缩

资源分析

▼

资源总数: 34 (93,726 字节)

资源类型	数量	总大小	百分比
RT_CURSOR	7	2,156 字节	2.3%
RT_ICON	1	744 字节	0.8%
RT_STRING	13	11,140 字节	11.9%
RT_RCDATA	4	78,161 字节	83.4%
RT_GROUP_CURSOR	7	140 字节	0.1%
RT_GROUP_ICON	1	20 字节	0%
RT_MANIFEST	1	1,365 字节	1.5%

证书链分析

▼

证书 Information

验证状态	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
签名者	SweetLow

证书链摘要

SweetLow #1 主要

有效期: 1973-06-05 21:00:00 → 2999-12-30 21:00:00

签名算法: 1.3.14.3.2.29

序列号: 3E EA BD 93 C8 A2 B0 9B 4D E3 C9 0E 3D 28 D8 2E

✓ 此文件已进行数字签名，证书链已验证。

签名确保文件的完整性和发布者的真实性。
时间戳证明签名的应用时间。

证书验证状态

Chain verification from CN=SweetLow, [email protected] (serial:83630978287610595496085376937295927342, sha1:c415cbf62af1b513b81ed7b707bde0a954e2b813) failed: The X.509 certificate provided is self-signed - "Common Name: SweetLow, Email Address: [email protected]"

建议: 验证文件来源并确保它来自可信的发布者.

Setup.exe 文件分析

技术分析

干净文件