9.4
极危
58 个模型检测该样本为恶意!
重新分析
更多

8291494b06fbb37a66987d074f8a906f7c76937c39928edc16d3da8d763f7fce

00244dfad66844a105ad32e36b95f2fd.exe

分析耗时

90s

最近分析

文件大小

68.0KB
静态报毒 动态报毒 AI SCORE=87 AIDETECTVM BEHAVIOR CLASSIC CONFIDENCE DOWNLOADER34 ELDORADO EMOTET EMOTETPMF EQ0@AYHBIOAI GENCIRC GENERICKD GENETIC GENKRYPTIK HFMI HIGH CONFIDENCE HRPGSD KRYPTIK MALWARE2 MALWARE@#113AHH5IRHNH4 R + TROJ R347569 S15420195 SCORE SUSGEN SUSPICIOUS PE THHAEBO TROJANBANKER UNSAFE WACATAC ZAZHU ZEXAE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Emotet-FRT!00244DFAD668 20200928 6.0.6.653
Alibaba Trojan:Win32/Emotet.28408156 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20200929 18.4.3895.0
Tencent Malware.Win32.Gencirc.10cde81a 20200929 1.0.0.1
Kingsoft 20200929 2013.8.14.323
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619152554.44225
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 个事件)
Time & API Arguments Status Return Repeated
1619152540.50425
CryptGenKey
crypto_handle: 0x00360fd8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x0033e500
flags: 1
key: fw÷fL10äkãäc9þ
success 1 0
1619152554.45725
CryptExportKey
crypto_handle: 0x00360fd8
crypto_export_handle: 0x00360f58
buffer: f¤»Ú3ƒ†Êø¦ÙRÅ —M¸¼Õþ)D݉ΓºýÌå£XÛ¢ßö\Î8"jão“º£ÉzÛ·¤æ™q}rC—ÑNA¤ë¢Ü7mǖØ%Z"2e‘uZµLhÏ;uGêÃ{†Q
blob_type: 1
flags: 64
success 1 0
1619152590.94225
CryptExportKey
crypto_handle: 0x00360fd8
crypto_export_handle: 0x00360f58
buffer: f¤·½mjv:]«T±­wì®´šd`Jט2RØ8¨mÇ¿šhì'ÊóÝ`{«}¬ü Hd Q’Œsó ¦ƒ6 O—\g{®©*z…A!l*ó—Lè=Æ,)øñè]Òg
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619134519.476262
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x002c8000
success 0 0
1619152599.973125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004070000
success 0 0
1619152539.87925
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00328000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619134521.382262
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00244dfad66844a105ad32e36b95f2fd.exe
newfilepath: C:\Windows\SysWOW64\remotepg\vbscript.exe
newfilepath_r: C:\Windows\SysWOW64\remotepg\vbscript.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00244dfad66844a105ad32e36b95f2fd.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619152554.95725
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.4830969366869375 section {'size_of_data': '0x0000a000', 'virtual_address': '0x00007000', 'entropy': 7.4830969366869375, 'name': '.rsrc', 'virtual_size': '0x00009388'} description A section with a high entropy has been found
entropy 0.625 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process vbscript.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619152554.56725
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 139.99.157.213
host 172.217.24.14
host 202.5.47.71
Installs itself for autorun at Windows startup (1 个事件)
service_name vbscript service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\remotepg\vbscript.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619134522.304262
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02c6da48
display_name: vbscript
error_control: 0
service_name: vbscript
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\remotepg\vbscript.exe"
filepath_r: "C:\Windows\SysWOW64\remotepg\vbscript.exe"
service_manager_handle: 0x02c77e40
desired_access: 2
service_type: 16
password:
success 46586440 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619152557.53625
RegSetValueExA
key_handle: 0x00000398
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619152557.53625
RegSetValueExA
key_handle: 0x00000398
value: ^w Ø7×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619152557.53625
RegSetValueExA
key_handle: 0x00000398
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619152557.53625
RegSetValueExW
key_handle: 0x00000398
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619152557.53625
RegSetValueExA
key_handle: 0x000003b0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619152557.53625
RegSetValueExA
key_handle: 0x000003b0
value: ^w Ø7×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619152557.53625
RegSetValueExA
key_handle: 0x000003b0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619152557.58225
RegSetValueExW
key_handle: 0x00000394
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\remotepg\vbscript.exe:Zone.Identifier
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 202.5.47.71:80
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34339670
FireEye Generic.mg.00244dfad66844a1
CAT-QuickHeal Backdoor.EmotetPMF.S15420195
McAfee Emotet-FRT!00244DFAD668
Cylance Unsafe
Zillya Trojan.Agent.Win32.1368048
K7AntiVirus Trojan ( 0056cf471 )
Alibaba Trojan:Win32/Emotet.28408156
K7GW Trojan ( 0056cf471 )
Cybereason malicious.f1b5fe
Arcabit Trojan.Generic.D20BFB56
Invincea Mal/Generic-R + Troj/Emotet-CKX
BitDefenderTheta Gen:NN.ZexaE.34254.eq0@ayhBioai
Cyren W32/Kryptik.BTH.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.vho
BitDefender Trojan.GenericKD.34339670
NANO-Antivirus Trojan.Win32.Emotet.hrpgsd
Avast Win32:Trojan-gen
Tencent Malware.Win32.Gencirc.10cde81a
Ad-Aware Trojan.GenericKD.34339670
Emsisoft Trojan.Emotet (A)
Comodo Malware@#113ahh5irhnh4
F-Secure Trojan.TR/Kryptik.zazhu
DrWeb Trojan.DownLoader34.21865
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.WACATAC.THHAEBO
McAfee-GW-Edition BehavesLike.Win32.Emotet.kh
Sophos Troj/Emotet-CKX
SentinelOne DFI - Suspicious PE
Jiangmin Backdoor.Emotet.qf
Avira TR/Kryptik.zazhu
MAX malware (ai score=87)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARJ!MTB
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.vho
GData Trojan.GenericKD.34339670
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R347569
VBA32 TrojanBanker.Emotet
ALYac Trojan.Agent.Emotet
TACHYON Trojan/W32.Agent.69632.ENI
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 a variant of Win32/Kryptik.HFMI
TrendMicro-HouseCall Trojan.Win32.WACATAC.THHAEBO
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-11 20:59:05

Imports

Library MFC42.DLL:
0x405018
0x40501c
0x405020
0x405024
0x405028
0x40502c
0x405030
0x405034
0x405038
0x40503c
0x405040
0x405044
0x405048
0x40504c
0x405050
0x405054
0x405058
0x40505c
0x405060
0x405064
0x405068
0x40506c
0x405070
0x405074
0x405078
0x40507c
0x405080
0x405084
0x405088
0x40508c
0x405090
0x405094
0x405098
0x40509c
0x4050a0
0x4050a4
0x4050a8
0x4050ac
0x4050b0
0x4050b4
0x4050b8
0x4050bc
0x4050c0
0x4050c4
0x4050c8
0x4050cc
0x4050d0
0x4050d4
0x4050d8
0x4050dc
0x4050e0
0x4050e4
0x4050e8
0x4050ec
0x4050f0
0x4050f4
0x4050f8
0x4050fc
0x405100
0x405104
0x405108
0x40510c
0x405110
0x405114
0x405118
0x40511c
0x405120
0x405124
0x405128
0x40512c
0x405130
0x405134
0x405138
0x40513c
0x405140
0x405144
0x405148
0x40514c
0x405150
0x405154
0x405158
0x40515c
0x405160
0x405164
0x405168
0x40516c
0x405170
0x405174
0x405178
0x40517c
0x405180
0x405184
0x405188
0x40518c
0x405190
0x405194
0x405198
0x40519c
0x4051a0
0x4051a4
0x4051a8
0x4051ac
0x4051b0
0x4051b4
Library MSVCRT.dll:
0x4051dc _adjust_fdiv
0x4051e0 __p__commode
0x4051e4 __p__fmode
0x4051e8 __set_app_type
0x4051ec _except_handler3
0x4051f0 __setusermatherr
0x4051f4 strstr
0x4051f8 strchr
0x4051fc isspace
0x405200 _wcslwr
0x405204 __CxxFrameHandler
0x405208 __p___argv
0x40520c _setmbcp
0x405210 _initterm
0x405214 __getmainargs
0x405218 _acmdln
0x40521c exit
0x405220 _XcptFilter
0x405224 _exit
0x405228 _onexit
0x40522c _controlfp
0x405230 __dllonexit
Library KERNEL32.dll:
0x405000 ExitProcess
0x405004 DeleteFileA
0x405008 GetModuleHandleA
0x40500c GetStartupInfoA
0x405010 MoveFileA
Library USER32.dll:
0x405238 EnableWindow
0x40523c IsIconic
0x405240 GetSystemMetrics
0x405244 GetClientRect
0x405248 DrawIcon
0x40524c GetSystemMenu
0x405250 AppendMenuA
0x405254 SendMessageA
0x405258 LoadIconA
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
192.168.56.101 65005 239.255.255.250 3702
192.168.56.101 65007 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.