Score: 7.4
Risk level: High

SHA256: c8df262987f03eedd7e1361e32af1348fb330fd82c6aefb56705d128ea405779

File name: 04be2e93f90ce1e5e92dbfe0f6dfe7c1.exe

Analysis duration: 90s

Most recent analysis:

File size: 100.7KB
Detection tags: flagged by static engines, flagged by dynamic analysis, 100%, AI SCORE=86, CAPG, CLOUD, CONFIDENCE, DANGEROUSSIG, DXTP, EEEZU, ELDORADO, EMOTET, FQRYJX, GDSDA, GENCIRC, GPWS, GQ1@AWI@0AII, GRAYWARE, GRLK, GSYO, HIGH CONFIDENCE, ICLOADER, KRYPTIK, LIMPOPO, MALICIOUS, PE, PU@885MTQ, R273330, SCORE, SIGGEN8, UNSAFE, ZEXAF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine result is available for this sample.
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
McAfee       Emotet-FMI!04BE2E93F90C              20200515   6.0.6.653
Alibaba      Trojan:Win32/Emotet.1689aacc         20190527   0.3.0.5
Baidu        (none)                               20190318   1.0.0.2
Avast        Win32:DangerousSig [Trj]             20200515   18.4.3895.0
Kingsoft     (none)                               20200515   2013.8.14.323
Tencent      Malware.Win32.Gencirc.114b32f8       20200515   1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)    20190702   1.0
Static indicators
Queries for the computername (1 event)
Time & API: 1619143335.807875 GetComputerNameW, computer_name: OSKAR-PC, success 1 (repeated 0)
This executable is signed (the report does not show the signer or whether the certificate chain validates; the presence of a signature is not evidence of a trusted signer)
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .tsustu
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (9 events)
All nine calls are NtAllocateVirtualMemory with protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0 and stack_pivoted 0; each returned success 0 (repeated 0).
Time               PID   process_handle      base_address        region_size  allocation_type                 heap_dep_bypass
1619134513.480812  2864  0xffffffff          0x003b0000          65536        12288 (MEM_COMMIT|MEM_RESERVE)  0
1619134513.824812  2864  0xffffffff          0x003c0000          61440        12288 (MEM_COMMIT|MEM_RESERVE)  0
1619134513.824812  2864  0xffffffff          0x003d0000          81920        12288 (MEM_COMMIT|MEM_RESERVE)  0
1619134513.839812  2864  0xffffffff          0x00400000          81920        12288 (MEM_COMMIT|MEM_RESERVE)  1
1619143329.385875  2272  0xffffffff          0x004c0000          65536        12288 (MEM_COMMIT|MEM_RESERVE)  0
1619143330.588875  2272  0xffffffff          0x004d0000          61440        12288 (MEM_COMMIT|MEM_RESERVE)  0
1619143330.588875  2272  0xffffffff          0x004e0000          81920        12288 (MEM_COMMIT|MEM_RESERVE)  0
1619143330.588875  2272  0xffffffff          0x00400000          81920        12288 (MEM_COMMIT|MEM_RESERVE)  1
1619142972.827271  1424  0xffffffffffffffff  0x0000000004020000  65536        4096 (MEM_COMMIT)               0
The two 32-bit runs (PIDs 2864 and 2272, current-process pseudo-handle 0xffffffff) follow the same script: three RWX scratch regions of 0x10000, 0xF000 and 0x14000 bytes, then a 0x14000-byte RWX commit at 0x00400000, the default image base of a 32-bit EXE (the import table listed further down sits at 0x413xxx). That last call is the only one with heap_dep_bypass set, consistent with the decrypted payload being written over the loader's own image. The ninth call comes from a 64-bit process (PID 1424, pseudo-handle 0xffffffffffffffff) and commits a single 64 KB RWX region at 0x4020000.
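A triage script for the allocations above, added here as an example; it is not part of the report or of the sandbox's own code. It parses the flat "timestamp / API name / key: value / status" record format the report uses, decodes the numeric protection and allocation_type values, and separates the RWX commit over the image base from ordinary RWX scratch memory and from RWX memory allocated in another process. The embedded sample log is an excerpt of three of the nine records (the always-zero stack_dep_bypass and stack_pivoted lines are left out); the protection and allocation constants are the documented Win32 values.

```python
"""Triage of NtAllocateVirtualMemory events from a Cuckoo-style behaviour log.

Added example, not part of the sandbox report: parses the flat records shown
above, decodes the numeric flags, and splits the "RWX memory" signature into a
scratch buffer, a re-commit over the module's own image base (self-overwriting
unpacker) and RWX memory in another process (injection staging)."""
from typing import Iterable, Iterator, Optional

# Protection constants are mutually exclusive, so the same bit test decodes them.
PROTECTION = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
WRITABLE_EXECUTABLE = 0x40 | 0x80
SELF_HANDLES = {0xffffffff, 0xffffffffffffffff}  # NtCurrentProcess(), 32- and 64-bit
DEFAULT_IMAGE_BASE = 0x00400000  # linker default for 32-bit EXEs; matches the report


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return "|".join(names) or hex(value)


def _num(text: str) -> int:
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64; '0x003b0000' -> 0x3b0000."""
    return int(text.split()[0], 0)


def parse_events(lines: Iterable[str], api: str = "NtAllocateVirtualMemory") -> Iterator[dict]:
    """Yield one dict per call to `api`. A bare float line opens a record,
    a 'success ...' / 'failure ...' line closes it."""
    record: Optional[dict] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            record = {"timestamp": float(line)}
            continue
        except ValueError:
            pass
        if record is None:  # column header before the first record
            continue
        if line.startswith(("success", "failure")):
            record["status"] = line
            if record.get("api") == api:
                yield record
            record = None
        elif ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        else:
            record["api"] = line


def classify(ev: dict) -> Optional[str]:
    """None for non-executable memory, otherwise the RWX pattern observed."""
    if not _num(ev["protection"]) & WRITABLE_EXECUTABLE:
        return None
    if _num(ev["process_handle"]) not in SELF_HANDLES:
        return "rwx_remote_process"
    if _num(ev["base_address"]) == DEFAULT_IMAGE_BASE and _num(ev["heap_dep_bypass"]):
        return "rwx_over_image_base"
    return "rwx_self"


def triage(lines: Iterable[str]) -> list:
    """(pid, hex base, label) for every executable allocation, in log order."""
    return [(_num(ev["process_identifier"]), f"0x{_num(ev['base_address']):08x}", classify(ev))
            for ev in parse_events(lines) if classify(ev)]


# Constructed input: three of the nine records above, with the always-zero
# stack_dep_bypass / stack_pivoted lines left out for brevity.
SAMPLE_LOG = """\
Time & API Arguments Status Return Repeated
1619134513.480812
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 65536
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
1619134513.839812
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 81920
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619142972.827271
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004020000
success 0 0
"""
```

classify() requires both the 0x00400000 base and the monitor's heap_dep_bypass flag before it reports an image-base overwrite, because either alone is common in benign code; in this report the flag is set only on the two 0x00400000 calls. A remote-process label means the handle was not the NtCurrentProcess() pseudo-handle, the usual prelude to WriteProcessMemory / CreateRemoteThread injection.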
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a service (1 event)
Time & API: 1619143336.495875 CreateServiceW, success, return 2952424 (0x002d0ce8, the service_handle below; repeated 0)
service_name: tcgmagnify
display_name: tcgmagnify
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\tcgmagnify.exe"
filepath_r: "C:\Windows\SysWOW64\tcgmagnify.exe"
service_type: 16 (SERVICE_WIN32_OWN_PROCESS)
start_type: 2 (SERVICE_AUTO_START)
error_control: 0 (SERVICE_ERROR_IGNORE)
desired_access: 18 (SERVICE_CHANGE_CONFIG|SERVICE_START)
service_start_name: (empty, so the service runs as LocalSystem)
password: (empty)
service_handle: 0x002d0ce8
service_manager_handle: 0x002d7a70
The filepath value is a logging artifact: the sandbox prefixed the process's working directory (the Temp folder) to the quoted path it was given. filepath_r shows the binary actually registered, C:\Windows\SysWOW64\tcgmagnify.exe, which is the relocated copy of the sample (see the move below). An auto-start service running as LocalSystem is both persistence and a privilege step.
Creates a shortcut to an executable file (1 event)
file C:\Users\Public\Desktop\Google Chrome.lnk
Moves the original executable to a new location (1 event)
Time & API: 1619143336.135875 MoveFileWithProgressW, success 1 (repeated 0)
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04be2e93f90ce1e5e92dbfe0f6dfe7c1.exe
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04be2e93f90ce1e5e92dbfe0f6dfe7c1.exe
newfilepath: C:\Windows\SysWOW64\tcgmagnify.exe
newfilepath_r: C:\Windows\SysWOW64\tcgmagnify.exe
flags: 3 (MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)
The sample relocates itself from the user's Temp directory into the 32-bit system directory under a benign-looking name, 0.36 s before registering that path as a service.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
Section .text: entropy 7.5376, virtual_address 0x00001000, virtual_size 0x000113e7, size_of_data 0x00011400 (a section with a high entropy has been found)
Overall: 0.7302 (overall entropy of this PE file is high)
The per-section figure is Shannon entropy in bits per byte (8.0 is the maximum); native code normally lands well below 7, so 7.54 for .text means the code section is mostly encrypted or compressed payload. The "overall" figure is not an entropy: in the Cuckoo packer_entropy signature that emits this wording it is the share of section data that lies in sections above the 6.8 bits/byte threshold, and it trips when that share exceeds 0.2.
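The heuristic behind both entropy marks, reimplemented as an added example (not code from the report or from the sandbox). The .text section is given the raw size the report lists, 0x11400 bytes, filled with pseudo-random bytes to stand in for the encrypted payload; the other two sections are assumptions, since the report lists only .text, sized so that all section data totals 0x17a00 bytes. With those sizes the overall share comes out at 46/63 = 0.7302, the value in the report; that agreement is arithmetic, not evidence that the real sections have those sizes.

```python
"""Packer heuristic behind the two entropy marks above.

Added example, not part of the sandbox report. The first mark is the Shannon
entropy (bits per byte, 0..8) of one section; the second is the share of
section data sitting in high-entropy sections, which is how the Cuckoo
"packer_entropy" signature computes its overall value."""
import math
import random
from collections import Counter

SECTION_THRESHOLD = 6.8   # bits/byte above which a section counts as packed/encrypted
OVERALL_THRESHOLD = 0.2   # share of section bytes in such sections that trips the mark


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte over the empirical byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_entropy(sections: list) -> dict:
    """sections: [{"name": str, "data": bytes}, ...]; returns the flagged sections,
    the overall high-entropy share and the verdict."""
    flagged, total, high = [], 0, 0
    for s in sections:
        size = len(s["data"])
        ent = shannon_entropy(s["data"])
        total += size
        if ent > SECTION_THRESHOLD:
            flagged.append({"name": s["name"], "entropy": round(ent, 3), "size": size})
            high += size
    share = high / total if total else 0.0
    return {"high_entropy_sections": flagged, "overall": share, "packed": share > OVERALL_THRESHOLD}


# Constructed sections: .text has the report's raw size (0x11400) and pseudo-random
# content standing in for the encrypted payload; .rdata and .rsrc are assumptions
# (the report lists only .text) chosen so the section data totals 0x17a00 bytes.
_rng = random.Random(0xEE)
SAMPLE_SECTIONS = [
    {"name": ".text", "data": bytes(_rng.getrandbits(8) for _ in range(0x11400))},
    {"name": ".rdata", "data": b"ABCD" * (0x4000 // 4)},  # four equiprobable symbols: 2.0 bits/byte
    {"name": ".rsrc", "data": b"\x00" * 0x2600},          # one symbol: 0 bits/byte
]
```

Two practical caveats: a legitimately compressed resource section (embedded images, .NET resources) also exceeds 6.8, which is why the signature weights the per-section hits by size before deciding; and an encrypted payload padded with zeros or split across many small sections can hold the share under 0.2, so treat a miss as weak evidence only.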
Network communication
Communicates with hosts for which no DNS query was performed (3 events)
host 170.247.122.37
host 172.217.24.14
host 181.28.144.64
The first and third reappear below as dead hosts on ports 8080 and 80, the pattern of a hard-coded IP:port C2 list; 172.217.24.14 lies in Google's 172.217.0.0/16 range, so confirm ownership before treating it as an indicator.
Installs itself for autorun at Windows startup (1 event)
service_name tcgmagnify
service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\tcgmagnify.exe" (same logging artifact as in the CreateServiceW event; the registered path is C:\Windows\SysWOW64\tcgmagnify.exe)
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\tcgmagnify.exe:Zone.Identifier
Zone.Identifier is the NTFS alternate data stream that carries the mark of the web; deleting it from the relocated copy removes the "downloaded from the Internet" provenance that SmartScreen and the attachment-execution warning key off, and it also removes a forensic clue to the file's origin.
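The move, the service registration and the Zone.Identifier deletion above are three views of one persistence chain. The script below, an added example and not code from the report or the sandbox, re-keys the three events on the normalised binary path (stripping the working-directory prefix the sandbox glued onto the service path), decodes the numeric CreateServiceW arguments to their Win32 names, and scores the chain. The event records are constructed from the values shown above; the API name for the stream deletion (DeleteFileW) is an assumption, since the report shows only the stream path.

```python
"""Correlate the persistence steps recorded above into one scored finding.

Added example, not part of the sandbox report: the MoveFileWithProgressW,
CreateServiceW and Zone.Identifier-deletion events are keyed on the normalised
binary path and the numeric CreateServiceW arguments are decoded to Win32 names.
The API name for the stream deletion (DeleteFileW) is an assumption; the report
shows only the stream path."""
from typing import Optional

START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS",
                0x100: "SERVICE_INTERACTIVE_PROCESS"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP"}
MOVE_FLAGS = {0x1: "MOVEFILE_REPLACE_EXISTING", 0x2: "MOVEFILE_COPY_ALLOWED"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return "|".join(names) or hex(value)


def normalize_path(raw: str) -> str:
    """The sandbox logged the service path as its Temp working directory glued in
    front of the quoted absolute path (compare filepath and filepath_r above);
    keep only the quoted part, then lower-case for comparison."""
    if raw.count('"') >= 2:
        raw = raw[raw.index('"') + 1:raw.rindex('"')]
    return raw.strip().lower()


def find_persistence_chain(events: list) -> Optional[dict]:
    """Return the first CreateServiceW event, enriched with the file move and the
    mark-of-the-web removal that target the same binary, or None."""
    moved_to = {normalize_path(e["newfilepath"]): e
                for e in events if e["api"] == "MoveFileWithProgressW"}
    stripped_motw = set()
    for e in events:
        path = normalize_path(e.get("filepath", ""))
        if e["api"] in ("DeleteFileW", "NtDeleteFile") and path.endswith(":zone.identifier"):
            stripped_motw.add(path.rsplit(":", 1)[0])
    for e in events:
        if e["api"] != "CreateServiceW":
            continue
        binary = normalize_path(e["filepath"])
        move = moved_to.get(binary)
        indicators = {
            "auto_start": e["start_type"] == 2,
            "in_system_dir": binary.startswith(SYSTEM_DIRS),
            "moved_from_temp": move is not None and "\\temp\\" in normalize_path(move["oldfilepath"]),
            "zone_identifier_removed": binary in stripped_motw,
        }
        return {
            "service_name": e["service_name"],
            "binary": binary,
            "start_type": START_TYPE.get(e["start_type"], hex(e["start_type"])),
            "service_type": decode_flags(e["service_type"], SERVICE_TYPE),
            "error_control": ERROR_CONTROL.get(e["error_control"], hex(e["error_control"])),
            "desired_access": decode_flags(e["desired_access"], SERVICE_ACCESS),
            "moved_from": normalize_path(move["oldfilepath"]) if move else None,
            "move_flags": decode_flags(move["flags"], MOVE_FLAGS) if move else None,
            "indicators": indicators,
            "score": sum(indicators.values()),
        }
    return None


# Constructed from the three events above; only the API name of the stream
# deletion is assumed.
SAMPLE_EVENTS = [
    {"api": "MoveFileWithProgressW", "flags": 3,
     "oldfilepath": "C:\\Users\\Administrator.Oskar-PC\\AppData\\Local\\Temp\\04be2e93f90ce1e5e92dbfe0f6dfe7c1.exe",
     "newfilepath": "C:\\Windows\\SysWOW64\\tcgmagnify.exe"},
    {"api": "CreateServiceW", "service_name": "tcgmagnify", "display_name": "tcgmagnify",
     "filepath": 'C:\\Users\\Administrator.Oskar-PC\\AppData\\Local\\Temp\\"C:\\Windows\\SysWOW64\\tcgmagnify.exe"',
     "service_type": 16, "start_type": 2, "error_control": 0, "desired_access": 18},
    {"api": "DeleteFileW", "filepath": "C:\\Windows\\SysWOW64\\tcgmagnify.exe:Zone.Identifier"},
]
```

On a live host the same correlation runs over Sysmon events 11 (FileCreate for the SysWOW64 copy) and 1/13 (the services.exe registry write under HKLM\SYSTEM\CurrentControlSet\Services\tcgmagnify), with the identical normalisation step: service ImagePath values are frequently quoted, and a path comparison that ignores the quoting misses the match.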
File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 of 62 results shown)
MicroWorld-eScan Trojan.Agent.DXTP
FireEye Generic.mg.04be2e93f90ce1e5
McAfee Emotet-FMI!04BE2E93F90C
Cylance Unsafe
Zillya Adware.Generic.Win32.119304
SUPERAntiSpyware Trojan.Agent/Gen-Emotet
Sangfor Malware
K7AntiVirus Trojan ( 0054f2ec1 )
Alibaba Trojan:Win32/Emotet.1689aacc
K7GW Trojan ( 0054f29f1 )
Cybereason malicious.3f90ce
Arcabit Trojan.Agent.DXTP
Invincea heuristic
F-Prot W32/Emotet.AAP.gen!Eldorado
Symantec Packed.Generic.459
APEX Malicious
Avast Win32:DangerousSig [Trj]
ClamAV Win.Malware.Emotet-6983828-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.Agent.DXTP
NANO-Antivirus Trojan.Win32.Kryptik.fqryjx
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
Rising Trojan.Kryptik!1.B8D2 (CLOUD)
Ad-Aware Trojan.Agent.DXTP
Emsisoft Trojan.Agent.DXTP (B)
Comodo TrojWare.Win32.Emotet.PU@885mtq
F-Secure Trojan.TR/AD.Emotet.capg
DrWeb Trojan.Siggen8.29752
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.SMC
McAfee-GW-Edition BehavesLike.Win32.ICLoader.cc
Trapmine suspicious.low.ml.score
Sophos Mal/Emotet-Q
SentinelOne DFI - Malicious PE
Cyren W32/Emotet.AAP.gen!Eldorado
Jiangmin Trojan.Generic.eeezu
Avira TR/AD.Emotet.capg
Antiy-AVL GrayWare/Win32.Kryptik.gsyo
Microsoft Trojan:Win32/Emotet.PA!MTB
Endgame malicious (high confidence)
ViRobot Trojan.Win32.Z.Emotet.103092
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Trojan.Agent.DXTP
AhnLab-V3 Trojan/Win32.Emotet.R273330
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34110.gq1@aWi@0aii
ALYac Trojan.Agent.DXTP
MAX malware (ai score=86)
VBA32 Malware-Cryptor.Limpopo
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 181.28.144.64:80
dead_host 170.247.122.37:8080
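The logic behind the "no DNS query" and dead-host marks, as an added example (not code from the report or the sandbox): every destination the sample contacts is checked against the set of addresses returned in DNS answers, sandbox background traffic is filtered out by address class and resolver port, and unanswered endpoints are ranked first as the likeliest hard-coded C2. The inputs are constructed to mirror the report: the DNS answer for time.windows.com and the port 443 for 172.217.24.14 are assumptions, since the report lists no DNS answers and no port for that host.

```python
"""Destinations contacted without a preceding DNS answer (hard-coded C2 candidates).

Added example, not part of the sandbox report. Emotet-era loaders keep their C2
list as literal IP:port pairs, so a connection whose destination never appeared
in a DNS response is the indicator behind the "no DNS query" mark above. Sandbox
background traffic (multicast, broadcast, private ranges, the resolver) is
filtered first; unanswered endpoints are ranked first as the likeliest C2."""
import ipaddress
from typing import Iterable


def resolved_addresses(dns_answers: Iterable[dict]) -> set:
    """Every address returned in an A or AAAA answer."""
    return {a["data"] for a in dns_answers if a.get("type") in ("A", "AAAA")}


def is_background(ip: str, port: int, resolvers: set) -> bool:
    """Traffic the analysis VM generates on its own, not the sample's choice."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_private or addr.is_link_local or addr.is_loopback:
        return True
    return ip in resolvers and port == 53


def hosts_without_dns(connections: Iterable[tuple], dns_answers: Iterable[dict],
                      resolvers: set, dead: set = frozenset()) -> list:
    """connections: (protocol, destination ip, destination port) tuples.
    dead: (ip, port) pairs that never answered (the report's dead_host marks)."""
    resolved = resolved_addresses(dns_answers)
    findings = {}
    for proto, ip, port in connections:
        if ip in resolved or is_background(ip, port, resolvers):
            continue
        f = findings.setdefault(ip, {"ip": ip, "ports": set(), "protocols": set(), "dead": False})
        f["ports"].add(port)
        f["protocols"].add(proto)
        if (ip, port) in dead:
            f["dead"] = True
    # Unanswered hard-coded endpoints first: the likeliest C2 candidates.
    return sorted(findings.values(), key=lambda f: (not f["dead"], f["ip"]))


# Constructed inputs mirroring the report: the DNS answer for time.windows.com is
# assumed (the report lists none), and port 443 for 172.217.24.14 is assumed too.
DNS_ANSWERS = [{"name": "time.windows.com", "type": "A", "data": "20.189.79.72"}]
RESOLVERS = {"114.114.114.114"}
CONNECTIONS = [
    ("udp", "114.114.114.114", 53), ("udp", "192.168.56.255", 137),
    ("udp", "224.0.0.252", 5355), ("udp", "239.255.255.250", 1900),
    ("udp", "20.189.79.72", 123),
    ("tcp", "170.247.122.37", 8080), ("tcp", "181.28.144.64", 80),
    ("tcp", "172.217.24.14", 443),
]
DEAD_HOSTS = {("181.28.144.64", 80), ("170.247.122.37", 8080)}
```

The ranking matters for triage rather than detection: a dead hard-coded endpoint is what a retired C2 node looks like, so the addresses still answering deserve the first look, and any address that belongs to a large cloud or CDN range (as 172.217.24.14 does) needs an ownership check before it goes into a blocklist.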
Visual analysis
Binary image
None: no binary visualization image was generated for this sample.
Runtime screenshots
None: no screenshots were captured while the sample ran.


PE Compile Time

2019-05-30 01:43:10 (the PE header timestamp is written by the linker and trivially edited afterwards; treat it as a hint, not as a first-seen date)

Imports

Library KERNEL32.dll:
0x4130c4 GetPriorityClass
0x4130cc GetProcAddress
0x4130d0 GetProcessHeap
0x4130d4 GetStartupInfoA
0x4130d8 GetStartupInfoW
0x4130e0 GetSystemDirectoryW
0x4130e8 GetTempFileNameA
0x4130ec GetTempPathA
0x4130f0 GetTempPathW
0x4130f4 GetTickCount
0x4130f8 GetVersion
0x4130fc GlobalAlloc
0x413100 GlobalFree
0x413104 GlobalHandle
0x413108 GlobalLock
0x41310c GlobalReAlloc
0x413110 GlobalSize
0x413114 GlobalUnlock
0x413118 HeapAlloc
0x41311c HeapFree
0x413124 InterlockedExchange
0x41312c IsDBCSLeadByte
0x413130 IsDebuggerPresent
0x413134 LoadLibraryA
0x413138 LoadLibraryExW
0x41313c LoadLibraryW
0x413140 LoadResource
0x413144 LocalAlloc
0x413148 LocalFree
0x41314c LocalUnlock
0x413150 GetOEMCP
0x413158 MulDiv
0x41315c MultiByteToWideChar
0x413160 Process32First
0x413168 RaiseException
0x413170 ReadFile
0x413174 ResetEvent
0x413178 SetCommMask
0x41317c SetCommState
0x413180 SetErrorMode
0x413184 SetEvent
0x413188 SetFilePointer
0x413194 SetWaitableTimer
0x413198 SizeofResource
0x41319c Sleep
0x4131a0 TerminateProcess
0x4131a8 UnregisterWait
0x4131ac VirtualProtect
0x4131b0 WaitCommEvent
0x4131b8 WaitForSingleObject
0x4131bc WideCharToMultiByte
0x4131c0 WriteConsoleOutputW
0x4131c4 WriteFile
0x4131c8 lstrcmpA
0x4131cc lstrcmpW
0x4131d0 lstrcmpiA
0x4131d4 lstrlenA
0x4131d8 VirtualAllocEx
0x4131dc GetModuleHandleW
0x4131e0 GetModuleHandleA
0x4131e4 GetModuleFileNameA
0x4131e8 GetLocaleInfoA
0x4131ec GetLocalTime
0x4131f0 GetLastError
0x4131f4 GetFileSize
0x4131f8 GetFileAttributesA
0x4131fc GetCurrentThreadId
0x413200 GetCurrentThread
0x413204 GetCurrentProcessId
0x413208 GetCurrentProcess
0x413210 GetCurrencyFormatA
0x413218 GetComputerNameW
0x41321c GetCommModemStatus
0x413220 GetCPInfo
0x413224 GetACP
0x413228 FreeResource
0x413230 FreeLibrary
0x413234 FreeConsole
0x413238 FormatMessageW
0x41323c FormatMessageA
0x413240 FlushViewOfFile
0x413244 FindResourceA
0x413248 FindNextFileA
0x41324c FindFirstFileA
0x413250 FindClose
0x41325c ExitProcess
0x413260 EscapeCommFunction
0x41326c EnumDateFormatsExW
0x413274 DeleteFileA
0x413278 CreateThread
0x41327c CreateProcessW
0x413280 CreateProcessA
0x413284 CreateFileW
0x413288 CreateFileA
0x41328c CreateEventW
0x413290 CloseHandle
0x413294 CancelWaitableTimer
0x413298 LockResource
0x41329c CancelIo
Library USER32.dll:
0x4132dc ExcludeUpdateRgn
0x4132e0 ExitWindowsEx
0x4132e4 FillRect
0x4132e8 FindWindowExA
0x4132ec FlashWindow
0x4132f0 FrameRect
0x4132f4 GetActiveWindow
0x4132f8 GetAsyncKeyState
0x4132fc GetCapture
0x413300 GetCaretPos
0x413304 GetClassInfoA
0x413308 GetClassInfoExA
0x41330c GetClassLongA
0x413310 GetClientRect
0x413314 GetClipboardData
0x413320 GetDC
0x413324 GetDialogBaseUnits
0x413328 GetDlgCtrlID
0x41332c GetDlgItem
0x413330 GetDlgItemInt
0x413334 GetDlgItemTextA
0x413338 GetDoubleClickTime
0x41333c GetFocus
0x413340 GetForegroundWindow
0x413344 GetKeyState
0x413348 GetLastActivePopup
0x41334c GetMenu
0x413350 GetMenuItemCount
0x413354 GetMenuItemID
0x413358 GetMenuStringA
0x41335c GetMessageA
0x413360 GetMessagePos
0x413364 GetMessageTime
0x413368 GetParent
0x413370 GetPropA
0x413374 GetScrollInfo
0x413378 GetScrollPos
0x41337c GetScrollRange
0x413380 GetSubMenu
0x413384 GetSysColor
0x413388 GetSystemMenu
0x41338c GetSystemMetrics
0x413390 GetTopWindow
0x413394 GetUpdateRect
0x413398 GetUpdateRgn
0x41339c GetWindow
0x4133a0 GetWindowDC
0x4133a4 GetWindowLongA
0x4133a8 GetWindowPlacement
0x4133ac GetWindowRect
0x4133b0 GetWindowTextA
0x4133b8 HideCaret
0x4133bc InSendMessage
0x4133c0 InflateRect
0x4133c4 InsertMenuA
0x4133c8 IntersectRect
0x4133cc InvalidateRect
0x4133d0 InvalidateRgn
0x4133d4 InvertRect
0x4133d8 IsCharAlphaA
0x4133dc IsCharAlphaNumericA
0x4133e0 IsChild
0x4133e8 IsDialogMessageA
0x4133ec IsDlgButtonChecked
0x4133f0 IsIconic
0x4133f4 IsRectEmpty
0x4133f8 IsWindow
0x4133fc IsWindowEnabled
0x413400 IsWindowVisible
0x413404 IsZoomed
0x413408 KillTimer
0x41340c LoadBitmapA
0x413410 LoadCursorA
0x413414 LoadIconA
0x413418 LoadMenuA
0x41341c MessageBeep
0x413420 MessageBoxA
0x413424 ModifyMenuA
0x413428 MoveWindow
0x41342c OemToCharA
0x413430 OffsetRect
0x413434 OpenClipboard
0x413438 PeekMessageA
0x41343c PostMessageA
0x413440 PostQuitMessage
0x413444 PtInRect
0x413448 RegisterClassA
0x41344c RegisterClassExA
0x413458 EqualRect
0x41345c ReleaseDC
0x413460 RemoveMenu
0x413464 RemovePropA
0x413468 ReplyMessage
0x41346c ScreenToClient
0x413470 ScrollWindow
0x413474 SendDlgItemMessageA
0x413478 SendMessageA
0x41347c SetActiveWindow
0x413480 SetCapture
0x413484 SetCaretPos
0x413488 SetClassLongA
0x41348c SetClipboardData
0x413490 SetCursor
0x413494 SetDlgItemTextA
0x413498 SetFocus
0x41349c SetForegroundWindow
0x4134a0 SetMenu
0x4134a4 SetMessageQueue
0x4134a8 SetParent
0x4134ac SetPropA
0x4134b0 SetRect
0x4134b4 SetScrollInfo
0x4134b8 SetScrollPos
0x4134bc SetScrollRange
0x4134c0 SetTimer
0x4134c8 SetWindowLongA
0x4134cc SetWindowPos
0x4134d0 SetWindowTextA
0x4134d4 SetWindowsHookExA
0x4134d8 ShowCaret
0x4134dc ShowCursor
0x4134e0 ShowScrollBar
0x4134e4 ShowWindow
0x4134e8 ToAsciiEx
0x4134ec TrackPopupMenu
0x4134f4 TranslateMessage
0x4134f8 UnhookWindowsHookEx
0x4134fc UnregisterClassA
0x413500 UpdateWindow
0x413504 ValidateRect
0x413508 VkKeyScanA
0x41350c WaitMessage
0x413510 WindowFromPoint
0x413514 DestroyWindow
0x413518 DestroyMenu
0x41351c DestroyCursor
0x413520 DestroyCaret
0x413524 DeleteMenu
0x413528 DeferWindowPos
0x41352c DefWindowProcA
0x413530 DefMDIChildProcA
0x413534 DefFrameProcA
0x413538 DdeUninitialize
0x41353c DdeUnaccessData
0x413540 DdeQueryStringA
0x413544 DdePostAdvise
0x413548 DdeNameService
0x41354c DdeKeepStringHandle
0x413550 DdeInitializeA
0x413554 DdeGetLastError
0x413558 DdeGetData
0x41355c DdeFreeStringHandle
0x413560 DdeFreeDataHandle
0x413564 DdeEnableCallback
0x413568 DdeDisconnect
0x413570 DdeCreateDataHandle
0x413574 DdeConnectList
0x413578 DdeConnect
0x41357c DdeCmpStringHandles
0x413584 DdeAddData
0x413588 DdeAccessData
0x41358c CreateWindowExA
0x413590 CreateMenu
0x413594 CreateDialogParamA
0x413598 CreateCaret
0x41359c CloseClipboard
0x4135a0 ClientToScreen
0x4135a4 CheckRadioButton
0x4135a8 CheckMenuItem
0x4135ac CheckDlgButton
0x4135b0 CharUpperA
0x4135b4 CharPrevW
0x4135b8 CharLowerA
0x4135bc CallWindowProcA
0x4135c0 CallNextHookEx
0x4135c4 BringWindowToTop
0x4135c8 BeginPaint
0x4135cc BeginDeferWindowPos
0x4135d0 EnumThreadWindows
0x4135d4 EnumChildWindows
0x4135d8 EndPaint
0x4135dc EndDialog
0x4135e0 EndDeferWindowPos
0x4135e4 EnableWindow
0x4135e8 EnableMenuItem
0x4135ec EmptyClipboard
0x4135f0 DrawTextExA
0x4135f4 DrawTextA
0x4135f8 DrawMenuBar
0x4135fc DrawFocusRect
0x413600 AppendMenuA
0x413604 ReleaseCapture
0x413608 DispatchMessageA
0x41360c GetCursorPos
Library GDI32.dll:
0x413070 GetTextAlign
0x413074 bMakePathNameW
0x413078 SetBrushOrgEx
0x413080 RectVisible
0x413084 GetGlyphOutlineWow
0x41308c GetCharWidth32A
0x413090 GdiSetPixelFormat
0x413094 GdiEntry6
0x4130a0 GdiAlphaBlend
0x4130a4 FONTOBJ_pfdg
0x4130a8 EnumMetaFile
0x4130ac EnumICMProfilesA
0x4130b4 CreateColorSpaceA
0x4130b8 GetCharWidthFloatA
0x4130bc CheckColorsInGamut
Library COMDLG32.dll:
0x41305c GetOpenFileNameA
0x413064 ChooseFontA
0x413068 GetSaveFileNameA
Library ADVAPI32.dll:
0x413000 RegQueryValueExA
0x413004 RegOpenKeyA
0x41300c SetServiceStatus
0x413010 ReportEventW
0x41301c RegSetValueExW
0x413020 RegSetValueExA
0x413024 RegQueryValueExW
0x41302c RegOpenKeyExW
0x413030 RegOpenKeyExA
0x413034 RegEnumValueA
0x413038 RegDeleteValueW
0x41303c RegDeleteKeyW
0x413040 RegCreateKeyExW
0x413044 RegCloseKey
0x413048 OpenProcessToken
Library SHELL32.dll:
0x4132a4 SHAppBarMessage
0x4132a8 DoEnvironmentSubstW
0x4132ac DragAcceptFiles
0x4132b0 DragFinish
0x4132b4 SHAddToRecentDocs
0x4132b8 ShellAboutW
0x4132bc SHChangeNotify
0x4132c0 SHEmptyRecycleBinA
0x4132c4 SHFileOperationA
0x4132c8 SHGetDiskFreeSpaceA
Library ole32.dll:
0x413614 CoUninitialize
0x413618 OleInitialize
0x41361c OleUninitialize
0x413620 StringFromGUID2
0x413624 CoGetMalloc
0x413628 CoCreateInstance
0x41362c BindMoniker
0x413630 CoInitialize
Library SHLWAPI.dll:
0x4132d4 wnsprintfA
Library COMCTL32.dll:
0x413054 PropertySheetA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  51808        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  63429        114.114.114.114                  53
192.168.56.101  65004        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  49235        224.0.0.252                      5355
192.168.56.101  51378        224.0.0.252                      5355
192.168.56.101  51963        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  51809        239.255.255.250                  3702
192.168.56.101  51811        239.255.255.250                  3702
192.168.56.101  56807        239.255.255.250                  1900
192.168.56.101  58707        239.255.255.250                  3702
192.168.56.101  62192        239.255.255.250                  3702
All of this is analysis-VM background traffic: DNS lookups to 114.114.114.114, NetBIOS (137/138) broadcasts, LLMNR (5355) and SSDP / WS-Discovery (1900/3702) multicast, and NTP to time.windows.com. None of the three hosts flagged above appears here, consistent with the dead-host entries: the sample's connection attempts were not answered.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.