6.8
High risk

85b8bea860e8098f268f0ed6a17d94bb939c1b92c3bb27e2a941e9493996c3c5

214b8a7dd5637f12b14dad2e68610797.exe

Analysis time

75s

Last analysis

File size

276.5KB
Static detection: malicious. Dynamic detection: malicious. Tags: 100% ACWI AI SCORE=80 ATTRIBUTE BZFSG CLOUD CONFIDENCE DOWNLOADER33 E1PI ELDORADO EMOTET ENCPK GENCIRC GENERICKDZ HDQH HIGH CONFIDENCE HIGHCONFIDENCE HKQFIS KRYPTIK MALICIOUS MALWARE@#WCBHIHXRM2B2 POSSIBLETHREAT R03BC0DEU20 R339599 SCORE UNSAFE UTKFGG ZENPAK
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Emotet-FQU!214B8A7DD563 20200613 6.0.6.653
Alibaba Backdoor:Win32/Emotet.323171b8 20190527 0.3.0.5
Avast Win32:Malware-gen 20200613 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200613 2013.8.14.323
Tencent Malware.Win32.Gencirc.10cdd122 20200613 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619269243.956924
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619269230.643924
CryptGenKey
crypto_handle: 0x005a49d0
algorithm_identifier: 0x0000660e ()
provider_handle: 0x005a3de0
flags: 1
key: fƒ–Ú! ß3…;·_€
success 1 0
1619269244.096924
CryptExportKey
crypto_handle: 0x005a49d0
crypto_export_handle: 0x005a3ea8
buffer: f¤R5HÑ¿C þƒ "+÷}Î&ª½­ó:TðQ%‹ Øù¶çLºiI8®^¼ªø€Úõ=ØMS"Ï“Yßí0tBO‹§Vì^:ŽnméüIêÕތ²Ô^+¨nkþîT
blob_type: 1
flags: 64
success 1 0
1619269279.690924
CryptExportKey
crypto_handle: 0x005a49d0
crypto_export_handle: 0x005a3ea8
buffer: f¤ÏIã4ýµ7r·Þ¨ev«i¤†€;«Ê «>ó2W6å¸9Uú‘ÈzI–kßùŒ§ôäaô•ªmй­÷1FœÖ¹±{ŸL3¬!k¡¡Íö®ªtÑ£`Yš
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer InstallShield 2000
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619269223.549924
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619269223.581924
NtProtectVirtualMemory
process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x003d1000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619269244.643924
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.107508245766714 section {'size_of_data': '0x0000fe00', 'virtual_address': '0x0003b000', 'entropy': 7.107508245766714, 'name': '.rsrc', 'virtual_size': '0x0000fc98'} description A section with a high entropy has been found
entropy 0.23049001814882034 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process 214b8a7dd5637f12b14dad2e68610797.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619269244.284924
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (3 events)
host 142.105.151.124
host 172.217.24.14
host 95.216.118.202
Sets or modifies the WPAD proxy autoconfiguration settings for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619269247.221924
RegSetValueExA
key_handle: 0x00000398
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619269247.221924
RegSetValueExA
key_handle: 0x00000398
value: °ÔžØ9×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619269247.221924
RegSetValueExA
key_handle: 0x00000398
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619269247.221924
RegSetValueExW
key_handle: 0x00000398
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619269247.221924
RegSetValueExA
key_handle: 0x000003b0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619269247.221924
RegSetValueExA
key_handle: 0x000003b0
value: °ÔžØ9×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619269247.221924
RegSetValueExA
key_handle: 0x000003b0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619269247.252924
RegSetValueExW
key_handle: 0x00000394
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 142.105.151.124:443
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)
DrWeb Trojan.DownLoader33.35922
MicroWorld-eScan Trojan.GenericKDZ.67429
FireEye Trojan.GenericKDZ.67429
CAT-QuickHeal Trojan.Zenpak
McAfee Emotet-FQU!214B8A7DD563
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2040303
K7AntiVirus Trojan ( 0056781b1 )
Alibaba Backdoor:Win32/Emotet.323171b8
K7GW Trojan ( 0056781b1 )
Arcabit Trojan.Generic.D10765
Invincea heuristic
F-Prot W32/Kryptik.BNK.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
Kaspersky Trojan.Win32.Zenpak.acwi
BitDefender Trojan.GenericKDZ.67429
NANO-Antivirus Trojan.Win32.Kryptik.hkqfis
Paloalto generic.ml
ViRobot Trojan.Win32.Emotet.283136
Rising Trojan.Kryptik!1.C713 (CLOUD)
Ad-Aware Trojan.GenericKDZ.67429
Sophos Mal/EncPk-APM
Comodo Malware@#wcbhihxrm2b2
F-Secure Trojan.TR/AD.Emotet.bzfsg
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0DEU20
McAfee-GW-Edition Emotet-FQU!214B8A7DD563
Emsisoft Trojan.Emotet (A)
Cyren W32/Kryptik.BNK.gen!Eldorado
Jiangmin Trojan.Zenpak.bwf
Avira TR/AD.Emotet.bzfsg
MAX malware (ai score=80)
Antiy-AVL Trojan/Win32.Zenpak
Microsoft Trojan:Win32/Emotet.DFA!MTB
Endgame malicious (high confidence)
AegisLab Trojan.Win32.Zenpak.4!c
ZoneAlarm Trojan.Win32.Zenpak.acwi
GData Trojan.GenericKDZ.67429
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Emotet.R339599
VBA32 Trojan.Downloader
ALYac Trojan.GenericKDZ.67429
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HDQH
TrendMicro-HouseCall TROJ_GEN.R03BC0DEU20
Tencent Malware.Win32.Gencirc.10cdd122
Yandex Trojan.Kryptik!UtKFgG/e1PI
Ikarus Trojan.Win32.Crypt
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2020-05-26 23:55:06

Imports

Library KERNEL32.dll:
0x4395d4 ExitProcess
0x4395d8 TerminateProcess
0x4395dc HeapSize
0x4395e0 HeapReAlloc
0x4395e4 GetCPInfo
0x4395e8 GetACP
0x4395ec GetOEMCP
0x439604 SetHandleCount
0x439608 GetStdHandle
0x43960c GetFileType
0x439610 HeapDestroy
0x439614 HeapCreate
0x439618 VirtualFree
0x43961c ExitThread
0x439620 VirtualAlloc
0x439624 LCMapStringA
0x439628 LCMapStringW
0x43962c Sleep
0x439630 GetStringTypeA
0x439634 GetStringTypeW
0x439638 IsBadReadPtr
0x43963c IsBadWritePtr
0x439640 IsBadCodePtr
0x439644 GetLocaleInfoA
0x439648 GetLocaleInfoW
0x43964c SetStdHandle
0x439650 CreateThread
0x439654 HeapFree
0x439658 HeapAlloc
0x43965c RaiseException
0x439660 GetCommandLineA
0x439664 GetStartupInfoA
0x439668 GetModuleHandleA
0x43966c RtlUnwind
0x439670 SetErrorMode
0x439674 InterlockedExchange
0x43967c GetModuleFileNameA
0x439680 GetFullPathNameA
0x439688 FindFirstFileA
0x43968c FindClose
0x439690 FlushFileBuffers
0x439694 SetFilePointer
0x439698 WriteFile
0x43969c ReadFile
0x4396a0 GetVersionExA
0x4396a4 GetProcessVersion
0x4396a8 LoadLibraryA
0x4396ac GetProcAddress
0x4396b0 FreeLibrary
0x4396b4 GlobalFlags
0x4396b8 TlsGetValue
0x4396bc LocalReAlloc
0x4396c0 TlsSetValue
0x4396c8 GlobalReAlloc
0x4396d0 GlobalHandle
0x4396d8 WaitForSingleObject
0x4396dc TlsAlloc
0x4396e4 LocalFree
0x4396e8 LocalAlloc
0x4396ec GetLastError
0x4396f0 SetLastError
0x4396f4 MultiByteToWideChar
0x4396f8 WideCharToMultiByte
0x439700 GlobalAlloc
0x439704 GlobalDeleteAtom
0x439708 lstrcmpA
0x43970c lstrcmpiA
0x439710 GetCurrentThread
0x439714 MulDiv
0x43971c SuspendThread
0x439720 ResumeThread
0x439724 GlobalFree
0x439728 GlobalLock
0x43972c lstrcpynA
0x439730 GlobalUnlock
0x439734 GlobalGetAtomNameA
0x439738 GlobalAddAtomA
0x43973c lstrcpyA
0x439740 lstrlenA
0x439744 LockResource
0x439748 lstrcatA
0x43974c GetCurrentThreadId
0x439750 CloseHandle
0x439754 GetVersion
0x439758 CreateEventA
0x43975c LoadLibraryExW
0x439760 LoadLibraryExA
0x439764 FindResourceA
0x439768 LoadResource
0x43976c SizeofResource
0x439770 GetCurrentProcess
0x439774 SetEvent
Library USER32.dll:
0x43978c GetNextDlgTabItem
0x439790 IsDialogMessageA
0x439794 SetWindowTextA
0x439798 EnableMenuItem
0x43979c CheckMenuItem
0x4397a0 SetMenuItemBitmaps
0x4397a4 ModifyMenuA
0x4397a8 GetMenuState
0x4397ac LoadBitmapA
0x4397b4 GetCursorPos
0x4397b8 ValidateRect
0x4397bc TranslateMessage
0x4397c0 GetMessageA
0x4397c4 BeginPaint
0x4397c8 EndPaint
0x4397cc TabbedTextOutA
0x4397d0 GrayStringA
0x4397d4 ShowOwnedPopups
0x4397d8 MessageBoxA
0x4397dc PostQuitMessage
0x4397e0 LoadStringA
0x4397e4 GetClassNameA
0x4397e8 PtInRect
0x4397ec ClientToScreen
0x4397f0 GetSysColorBrush
0x4397f4 FindWindowA
0x4397f8 CharUpperA
0x4397fc ReuseDDElParam
0x439800 SetMenu
0x439804 ShowWindow
0x439808 GetDesktopWindow
0x43980c SetCursor
0x439810 ReleaseCapture
0x439814 LoadAcceleratorsA
0x439818 SetRectEmpty
0x43981c DestroyMenu
0x439820 GetActiveWindow
0x439824 RedrawWindow
0x439828 DefMDIChildProcA
0x43982c DrawMenuBar
0x439838 DefFrameProcA
0x43983c BringWindowToTop
0x439840 PostMessageA
0x439844 SendDlgItemMessageA
0x43984c MapWindowPoints
0x439850 PeekMessageA
0x439854 DispatchMessageA
0x439858 GetFocus
0x43985c SetActiveWindow
0x439860 EndDialog
0x439864 SetFocus
0x439868 AdjustWindowRectEx
0x43986c EqualRect
0x439870 DeferWindowPos
0x439874 BeginDeferWindowPos
0x439878 CopyRect
0x43987c EndDeferWindowPos
0x439880 IsWindowVisible
0x439884 ScreenToClient
0x439888 ScrollWindow
0x43988c SetScrollInfo
0x439890 ShowScrollBar
0x439894 SetScrollRange
0x439898 SetScrollPos
0x43989c GetTopWindow
0x4398a0 IsWindowEnabled
0x4398a4 IsChild
0x4398a8 GetParent
0x4398ac GetCapture
0x4398b0 WinHelpA
0x4398b4 wsprintfA
0x4398b8 GetClassInfoA
0x4398bc RegisterClassA
0x4398c0 GetMenuItemCount
0x4398c4 GetSubMenu
0x4398c8 GetMenuItemID
0x4398cc GetMenu
0x4398d0 GetDlgItem
0x4398d4 GetWindowTextA
0x4398d8 GetDlgCtrlID
0x4398dc GetKeyState
0x4398e0 DefWindowProcA
0x4398e4 DestroyWindow
0x4398e8 CreateWindowExA
0x4398ec SetWindowsHookExA
0x4398f0 CallNextHookEx
0x4398f4 SetPropA
0x4398f8 UnhookWindowsHookEx
0x4398fc GetLastActivePopup
0x439900 GetForegroundWindow
0x439904 SetForegroundWindow
0x439908 GetPropA
0x43990c CallWindowProcA
0x439910 RemovePropA
0x439914 GetMessageTime
0x439918 GetMessagePos
0x43991c GetWindowRect
0x439920 GetWindowLongA
0x439924 UnregisterClassA
0x439928 SetWindowLongA
0x43992c SetWindowPos
0x439934 GetWindow
0x439938 EnumChildWindows
0x43993c UpdateWindow
0x439940 GetSystemMenu
0x439944 DrawTextA
0x439948 LoadIconA
0x43994c GetClientRect
0x439950 KillTimer
0x439954 InvalidateRect
0x439958 GetSysColor
0x43995c FillRect
0x439960 SetTimer
0x439964 GetDC
0x439968 ReleaseDC
0x43996c EnableWindow
0x439970 LoadCursorA
0x439974 GetSystemMetrics
0x43997c IsIconic
0x439980 IsWindow
0x439984 UnpackDDElParam
0x439988 SendMessageA
0x43998c LoadMenuA
0x439990 GetScrollPos
0x439994 WindowFromPoint
Library GDI32.dll:
0x439558 SetViewportOrgEx
0x43955c OffsetViewportOrgEx
0x439560 SetViewportExtEx
0x439564 ScaleViewportExtEx
0x439568 SetWindowExtEx
0x43956c ScaleWindowExtEx
0x439570 GetClipBox
0x439574 DeleteObject
0x439578 SetMapMode
0x43957c CreateSolidBrush
0x439580 CreateHatchBrush
0x439584 PtVisible
0x439588 RectVisible
0x43958c TextOutA
0x439590 ExtTextOutA
0x439594 Escape
0x439598 GetStockObject
0x43959c SelectObject
0x4395a0 RestoreDC
0x4395a4 SaveDC
0x4395a8 DeleteDC
0x4395ac CreateBitmap
0x4395b0 GetObjectA
0x4395b4 SetBkColor
0x4395b8 SetTextColor
0x4395bc BitBlt
0x4395c0 CreateCompatibleDC
0x4395c8 Ellipse
0x4395cc GetDeviceCaps
Library comdlg32.dll:
0x4399ac ChooseColorA
Library WINSPOOL.DRV:
0x43999c OpenPrinterA
0x4399a0 DocumentPropertiesA
0x4399a4 ClosePrinter
Library ADVAPI32.dll:
0x439534 RegQueryValueExA
0x439538 RegCloseKey
0x43953c RegSetValueExA
0x439540 RegCreateKeyExA
0x439544 RegOpenKeyExA
Library SHELL32.dll:
0x439780 DragQueryFileA
0x439784 DragFinish
Library COMCTL32.dll:
0x43954c
0x439550 ImageList_Destroy

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.