SmartHawk

3.6

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

1a3964244998c7d09205eac0e22c22692c6e8d9892a0c3b3423521e6719a5ba0

3789e946b17ea891fc124854d2f8b1ee.exe

分析耗时

18s

最近分析

文件大小

327.0KB

静态报毒动态报毒 AI SCORE=82 BNYSQWPN CONFIDENCE EMOTET FJIK GCWR GDPV GENERICKD HGCQ HIGH CONFIDENCE HTVECP KRYPTIK LKNX MALICIOUS PE MALWARE@#24VW03TCDRXNX MNANQ QVM07 SCORE SUSGEN T0AGFFCBBYM THIOIBO TROJANBANKER UNSAFE UQZ@A0BB@JGO ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Emotet-FRZ!3789E946B17E	20201022	6.0.6.653
Alibaba	Trojan:Win32/Emotet.0f8e1197	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20201022	18.4.3895.0
Tencent	Win32.Trojan-banker.Emotet.Lknx	20201022	1.0.0.1
Kingsoft		20201022	2013.8.14.323
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726219.673046 __exception__	stacktrace: registers.esp: 1635848 registers.edi: 35631124 registers.eax: 479 registers.ebp: 31391744 registers.edx: 2 registers.ebx: 561003077 registers.esi: 1893988463 registers.ecx: 3648 exception.instruction_r: 66 01 04 31 eb 0f 66 3b c2 75 0a 81 e1 ff 0f 00 exception.instruction: add word ptr [ecx + esi], ax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x21e02ae	success	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726219.673046 NtAllocateVirtualMemory	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x021d0000	success	0	0
1620726219.673046 NtAllocateVirtualMemory	process_identifier: 2240 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x021e0000	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Generates some ICMP traffic

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34507569
FireEye	Generic.mg.3789e946b17ea891
McAfee	Emotet-FRZ!3789E946B17E
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056daf31 )
Alibaba	Trojan:Win32/Emotet.0f8e1197
K7GW	Trojan ( 0056daf31 )
Cybereason	malicious.9a6c5c
Arcabit	Trojan.Generic.D20E8B31
TrendMicro	TrojanSpy.Win32.EMOTET.THIOIBO
Cyren	W32/Trojan.FJIK-2975
Symantec	Trojan.Emotet
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Malware.Emotet-9753021-0
Kaspersky	Trojan-Banker.Win32.Emotet.gdpv
BitDefender	Trojan.GenericKD.34507569
NANO-Antivirus	Trojan.Win32.Emotet.htvecp
Paloalto	generic.ml
ViRobot	Trojan.Win32.Emotet.147456.AA
Tencent	Win32.Trojan-banker.Emotet.Lknx
Ad-Aware	Trojan.GenericKD.34507569
Sophos	Mal/Generic-S
Comodo	Malware@#24vw03tcdrxnx
F-Secure	Trojan.TR/AD.Emotet.mnanq
DrWeb	Trojan.Emotet.1007
Zillya	Trojan.Emotet.Win32.28228
Invincea	Mal/Generic-S
McAfee-GW-Edition	Emotet-FRZ!3789E946B17E
Emsisoft	Trojan.Emotet (A)
Ikarus	Trojan-Banker.Emotet
Avira	TR/AD.Emotet.mnanq
Antiy-AVL	Trojan[Banker]/Win32.Emotet
Microsoft	Trojan:Win32/Emotet.ARJ!MTB
AegisLab	Trojan.Win32.Emotet.L!c
ZoneAlarm	Trojan-Banker.Win32.Emotet.gdpv
GData	Trojan.GenericKD.34507569
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZexaF.34570.uqZ@a0BB@JgO
ALYac	Trojan.Agent.Emotet
MAX	malware (ai score=82)
VBA32	TrojanBanker.Emotet
Malwarebytes	Trojan.MalPack.TRE
ESET-NOD32	a variant of Win32/Kryptik.HGCQ
TrendMicro-HouseCall	TrojanSpy.Win32.EMOTET.THIOIBO
Rising	Trojan.Emotet!8.B95 (TFE:5:t0agffcbBYM)
Yandex	Trojan.Agent!BNYsqWpN/2c

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-02 02:24:07

Imports

Library MFC42.DLL:

• 0x40602c

• 0x406030

• 0x406034

• 0x406038

• 0x40603c

• 0x406040

• 0x406044

• 0x406048

• 0x40604c

• 0x406050

• 0x406054

• 0x406058

• 0x40605c

• 0x406060

• 0x406064

• 0x406068

• 0x40606c

• 0x406070

• 0x406074

• 0x406078

• 0x40607c

• 0x406080

• 0x406084

• 0x406088

• 0x40608c

• 0x406090

• 0x406094

• 0x406098

• 0x40609c

• 0x4060a0

• 0x4060a4

• 0x4060a8

• 0x4060ac

• 0x4060b0

• 0x4060b4

• 0x4060b8

• 0x4060bc

• 0x4060c0

• 0x4060c4

• 0x4060c8

• 0x4060cc

• 0x4060d0

• 0x4060d4

• 0x4060d8

• 0x4060dc

• 0x4060e0

• 0x4060e4

• 0x4060e8

• 0x4060ec

• 0x4060f0

• 0x4060f4

• 0x4060f8

• 0x4060fc

• 0x406100

• 0x406104

• 0x406108

• 0x40610c

• 0x406110

• 0x406114

• 0x406118

• 0x40611c

• 0x406120

• 0x406124

• 0x406128

• 0x40612c

• 0x406130

• 0x406134

• 0x406138

• 0x40613c

• 0x406140

• 0x406144

• 0x406148

• 0x40614c

• 0x406150

• 0x406154

• 0x406158

• 0x40615c

• 0x406160

• 0x406164

• 0x406168

• 0x40616c

• 0x406170

• 0x406174

• 0x406178

• 0x40617c

• 0x406180

• 0x406184

• 0x406188

• 0x40618c

• 0x406190

• 0x406194

• 0x406198

• 0x40619c

• 0x4061a0

• 0x4061a4

• 0x4061a8

• 0x4061ac

• 0x4061b0

• 0x4061b4

• 0x4061b8

• 0x4061bc

• 0x4061c0

• 0x4061c4

• 0x4061c8

• 0x4061cc

• 0x4061d0

• 0x4061d4

• 0x4061d8

• 0x4061dc

• 0x4061e0

• 0x4061e4

• 0x4061e8

• 0x4061ec

• 0x4061f0

• 0x4061f4

• 0x4061f8

• 0x4061fc

• 0x406200

• 0x406204

• 0x406208

Library MSVCRT.dll:

• 0x406284 wcslen

• 0x406288 __CxxFrameHandler

• 0x40628c _exit

• 0x406290 wcscpy

• 0x406294 atoi

• 0x406298 malloc

• 0x40629c _mbscmp

• 0x4062a0 clock

• 0x4062a4 __dllonexit

• 0x4062a8 _onexit

• 0x4062ac _except_handler3

• 0x4062b0 ?terminate@@YAXXZ

• 0x4062b4 _controlfp

• 0x4062b8 __set_app_type

• 0x4062bc __p__fmode

• 0x4062c0 __p__commode

• 0x4062c4 _adjust_fdiv

• 0x4062c8 __setusermatherr

• 0x4062cc _initterm

• 0x4062d0 __getmainargs

• 0x4062d4 _acmdln

• 0x4062d8 exit

• 0x4062dc _XcptFilter

• 0x4062e0 _setmbcp

Library KERNEL32.dll:

• 0x406000 MultiByteToWideChar

• 0x406004 GetProcAddress

• 0x406008 LoadLibraryW

• 0x40600c GetACP

• 0x406010 IsValidCodePage

• 0x406014 EnumSystemCodePagesA

• 0x406018 VirtualAlloc

• 0x40601c GetModuleHandleA

• 0x406020 GetStartupInfoA

• 0x406024 WideCharToMultiByte

Library USER32.dll:

• 0x4062e8 IsIconic

• 0x4062ec GetSystemMetrics

• 0x4062f0 GetClientRect

• 0x4062f4 DrawIcon

• 0x4062f8 GetSystemMenu

• 0x4062fc AppendMenuA

• 0x406300 SendMessageA

• 0x406304 LoadIconA

• 0x406308 EnableWindow

Library MSVCP60.dll:

• 0x406210 ?max_size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ

• 0x406214 ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z

• 0x406218 ?insert@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IPBGI@Z

• 0x40621c ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z

• 0x406220 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z

• 0x406224 ?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IPBDI@Z

• 0x406228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z

• 0x40622c ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB

• 0x406230 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

• 0x406234 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

• 0x406238 ?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB

• 0x40623c ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z

• 0x406240 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ

• 0x406244 ?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB

• 0x406248 ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB

• 0x40624c ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

• 0x406250 ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z

• 0x406254 ?_Xlen@std@@YAXXZ

• 0x406258 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z

• 0x40625c ?_Copy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z

• 0x406260 ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z

• 0x406264 ?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z

• 0x406268 ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z

• 0x40626c ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z

• 0x406270 ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z

• 0x406274 ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

• 0x406278 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z

• 0x40627c ?max_size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	57757	239.255.255.250	3702
192.168.56.101	57759	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.