9.6
极危
48 个模型检测该样本为恶意!
重新分析
更多

af4b6a4ed04fe34fa9dbd694f9f7935be86c4e516741cbb7680309866cd7a3ed

043cbd79855b2c8b7159d8f472477555.exe

分析耗时

90s

最近分析

文件大小

156.0KB
静态报毒 动态报毒 100% AI SCORE=100 AIDETECTGBM BANKERX CONFIDENCE DOWNLOADER34 EMOTET GENERICKD GENETIC HFYG HGIASOYA HIGH CONFIDENCE HUBXZM JQX@ASKH1SMI JZHV JZHVGDN KDISM KRYPTIK LRCWX2OMSGI MALWARE@#1Q85RZTSALMF8 S + TROJ SCORE STATIC AI SUSPICIOUS PE UNSAFE ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Emotet.1a6eec7d 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20210219 21.1.5827.0
Kingsoft 20210219 2017.9.26.565
McAfee Emotet-FRZ!043CBD79855B 20210219 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619146495.485876
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 个事件)
Time & API Arguments Status Return Repeated
1619146486.689876
CryptGenKey
crypto_handle: 0x022c00e8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x0083e4e0
flags: 1
key: fî ¯>Èó¼n ¥
success 1 0
1619146495.501876
CryptExportKey
crypto_handle: 0x022c00e8
crypto_export_handle: 0x022c0068
buffer: f¤Ã‹bŽ*¹(°$N¸à"–í쌓íÂFm]å©ä4ê¨Y—k˜P݂ãníŠÈ3d¬…[Â`ÕPÕ¨MºûÏ{\{[ ÖÛú«~ó^ðALÝn –äãá­º‘WB½Ê
blob_type: 1
flags: 64
success 1 0
1619146530.814876
CryptExportKey
crypto_handle: 0x022c00e8
crypto_export_handle: 0x022c0068
buffer: f¤G/´ß)ª g‡-¢B%Nô$ˆ|½õc§”H[[p|X Ž­½R ŽXá)H×h¦bŸt•*ן{‹æðŠŠË&P1lÏ3$á¨Éë®Õå‘z{a¸F›i
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name None
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (5 个事件)
Time & API Arguments Status Return Repeated
1619134512.546212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d00000
success 0 0
1619134512.562212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d30000
success 0 0
1619146129.521772
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004090000
success 0 0
1619146486.360876
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
1619146486.376876
NtAllocateVirtualMemory
process_identifier: 520
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00350000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619134512.577212
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x01d51000
success 0 0
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619134514.077212
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\043cbd79855b2c8b7159d8f472477555.exe
newfilepath: C:\Windows\SysWOW64\dpnsvr\perfhost.exe
newfilepath_r: C:\Windows\SysWOW64\dpnsvr\perfhost.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\043cbd79855b2c8b7159d8f472477555.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619146495.876876
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process perfhost.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619146495.595876
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 118.2.218.1
host 172.217.24.14
host 51.254.140.91
Installs itself for autorun at Windows startup (1 个事件)
service_name perfhost service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\dpnsvr\perfhost.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619134514.140212
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x00000000
display_name: perfhost
error_control: 0
service_name: perfhost
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\dpnsvr\perfhost.exe"
filepath_r: "C:\Windows\SysWOW64\dpnsvr\perfhost.exe"
service_manager_handle: 0x022548d8
desired_access: 2
service_type: 16
password:
failed 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619146498.454876
RegSetValueExA
key_handle: 0x00000378
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619146498.454876
RegSetValueExA
key_handle: 0x00000378
value: pL×î7×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619146498.454876
RegSetValueExA
key_handle: 0x00000378
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619146498.454876
RegSetValueExW
key_handle: 0x00000378
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619146498.454876
RegSetValueExA
key_handle: 0x00000390
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619146498.454876
RegSetValueExA
key_handle: 0x00000390
value: pL×î7×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619146498.454876
RegSetValueExA
key_handle: 0x00000390
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619146498.485876
RegSetValueExW
key_handle: 0x00000374
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\dpnsvr\perfhost.exe:Zone.Identifier
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)
Bkav W32.AIDetectGBM.malware.02
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43777731
FireEye Generic.mg.043cbd79855b2c8b
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Trojan.Emotet.Win32.28373
Sangfor Trojan.Win32.Emotet.ARK
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.1a6eec7d
K7GW Riskware ( 0040eff71 )
Cybereason malicious.9855b2
BitDefenderTheta Gen:NN.ZexaF.34574.jqX@aSkh1Smi
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Emotet-9752361-0
BitDefender Trojan.GenericKD.43777731
NANO-Antivirus Trojan.Win32.Emotet.hubxzm
Avast Win32:BankerX-gen [Trj]
Ad-Aware Trojan.GenericKD.43777731
Sophos Mal/Generic-S + Troj/Emotet-CNC
Comodo Malware@#1q85rztsalmf8
F-Secure Trojan.TR/AD.Emotet.kdism
DrWeb Trojan.DownLoader34.32049
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Emotet.cm
Emsisoft Trojan.GenericKD.43777731 (B)
Ikarus Trojan-Banker.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HFYG
Avira TR/AD.Emotet.kdism
Antiy-AVL Trojan[Banker]/Win32.Emotet
Gridinsoft Trojan.Win32.Emotet.oa
Arcabit Trojan.Generic.D29BFEC3
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
Microsoft Trojan:Win32/Emotet.ARK!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4192122
McAfee Emotet-FRZ!043CBD79855B
MAX malware (ai score=100)
Malwarebytes Trojan.MalPack.TRE
Yandex Trojan.Agent!lRCWX2OMSgI
SentinelOne Static AI - Suspicious PE
eGambit Generic.Malware
Fortinet W32/JZHVGDN.JZHV!tr
AVG Win32:BankerX-gen [Trj]
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Win32/Backdoor.Emotet.HgIASOYA
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 51.254.140.91:7080
dead_host 118.2.218.1:80
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-04 03:41:24

Imports

Library KERNEL32.dll:
0x408058 GetModuleFileNameA
0x408060 VirtualFree
0x408064 HeapCreate
0x408068 HeapDestroy
0x40806c HeapSize
0x408070 GetCurrentProcess
0x408078 HeapReAlloc
0x40807c HeapFree
0x408080 ExitProcess
0x408084 GetVersion
0x408088 GetCommandLineA
0x40808c GetStartupInfoA
0x408090 GetModuleHandleA
0x408094 HeapAlloc
0x408098 WideCharToMultiByte
0x4080a4 SetHandleCount
0x4080a8 GetStdHandle
0x4080ac GetFileType
0x4080b0 RtlUnwind
0x4080b4 WriteFile
0x4080b8 MultiByteToWideChar
0x4080bc GetStringTypeA
0x4080c0 GetStringTypeW
0x4080c4 GetProcAddress
0x4080c8 GetCPInfo
0x4080cc GetACP
0x4080d0 GetOEMCP
0x4080d4 LoadLibraryA
0x4080d8 LCMapStringA
0x4080dc VirtualAlloc
0x4080e0 LoadLibraryW
0x4080e4 TerminateProcess
0x4080e8 LCMapStringW
Library USER32.dll:
0x4080f0 DefWindowProcA
0x4080f4 GetClientRect
0x4080f8 InvalidateRect
0x4080fc DestroyWindow
0x408100 BeginPaint
0x408104 DrawTextA
0x408108 EndPaint
0x40810c PostQuitMessage
0x408110 CreateWindowExA
0x408114 ShowWindow
0x408118 LoadIconA
0x40811c RegisterClassExA
0x408120 LoadStringA
0x408124 LoadAcceleratorsA
0x408128 GetMessageA
0x408130 TranslateMessage
0x408134 DispatchMessageA
0x408138 GetSysColorBrush
0x40813c GetSysColor
0x408140 FillRect
0x408144 ReleaseCapture
0x408148 PtInRect
0x40814c LoadCursorA
0x408150 SetCursor
0x408154 UpdateWindow
0x408158 SetCapture
0x40815c CheckRadioButton
0x408160 SetDlgItemInt
0x408164 GetSystemMenu
0x408168 AppendMenuA
0x40816c SetMenuDefaultItem
0x408170 GetDC
0x408174 DrawEdge
0x408178 IsDlgButtonChecked
0x40817c ReleaseDC
0x408180 EndDialog
0x408184 DialogBoxParamA
Library GDI32.dll:
0x408000 Rectangle
0x408004 BeginPath
0x408008 MoveToEx
0x40800c LineTo
0x408010 EndPath
0x408014 StrokeAndFillPath
0x408018 CreateBrushIndirect
0x40801c Ellipse
0x408020 CreatePen
0x408024 SetROP2
0x408028 CreateSolidBrush
0x40802c SelectObject
0x408030 SetBkColor
0x408034 DeleteObject
0x408038 LPtoDP
0x40803c GetPixel
0x408040 RealizePalette
0x408044 SelectPalette
0x40804c StretchDIBits

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.