7.6
High risk

3341e6a26171d78ecf0c2cf73d9a625dddf9bbdd241333565a3fe2378ed00ed2

5b671c773976c8b68b5108937e5d7c7c.exe

Analysis duration

93s

Last analyzed

File size

1.1MB
鹰眼 (Eagle Eye) engine
Not detected. No 鹰眼 engine detection results available.
Static verdict
Anti-virus engines
Engine Result Scan date Engine version
Alibaba Trojan:Win32/Emotet.cef57abb 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Tencent Malware.Win32.Gencirc.10cdfce5 20200908 1.0.0.1
Kingsoft 20200908 2013.8.14.323
McAfee Emotet-FRI!5B671C773976 20200908 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1620780737.95725
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 events)
Time & API Arguments Status Return Repeated
1620780724.75425
CryptGenKey
crypto_handle: 0x006c4af8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x006c42b8
flags: 1
key: fãXK]‹>¥‡–ë¾1
success 1 0
1620780739.30125
CryptExportKey
crypto_handle: 0x006c4af8
crypto_export_handle: 0x006c3e78
buffer: f¤¬tÑí9F«d@[ÜÚô“/ ŠW²qïgtʵÆÚÙnµËSdX²½´þ儵~ˆ¾Xñ¹s÷cwRš¬ÇEœC#K†®æ¢Ù¼¦×ü^ÞÖî!D‹kÀ|jÊ·ô]©•-G
blob_type: 1
flags: 64
success 1 0
1620780767.30125
CryptExportKey
crypto_handle: 0x006c4af8
crypto_export_handle: 0x006c3e78
buffer: f¤eIÂ=&;BÕ%ÒoƒôËá$ƒE*#„¡*» u[(oîGj8MØÌí3—¤™QíÒ#$9ñƒ@%¾LL7®d=g÷Có%·üÙ$˜`´“TóíMŠ¿³°+,
blob_type: 1
flags: 64
success 1 0
1620780772.36425
CryptExportKey
crypto_handle: 0x006c4af8
crypto_export_handle: 0x006c3e78
buffer: f¤ 9N‰ã–ï¹­ù‘h¯I4ýus•ez/Õ«Ô±™|ÎÈÄ^‰ùŽ~Bð‘çDI"ôB?½ÅHÙ/sÐ%mÍ}[ô´9£ê¢–†ž€ã€¶2ÍU)©-
blob_type: 1
flags: 64
success 1 0
1620780783.97325
CryptExportKey
crypto_handle: 0x006c4af8
crypto_export_handle: 0x006c3e78
buffer: f¤n¿EÔò)ÃÞMôþaã&/BÏéŒ8]{¸RQŒˆUº¸e#Éá4îFö;ñÄT÷[Y*³qƒ„§˜ûy™Ú~Õ¸ ©7!ì{»~Ç£Ô©Äï?ݤmè_
blob_type: 1
flags: 64
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header
suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:217665913&cup2hreq=94df50abca222f875375a035f6161fa7762c59a5c70edf08a1dce26f4c6d6554
Performs some HTTP requests (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:217665913&cup2hreq=94df50abca222f875375a035f6161fa7762c59a5c70edf08a1dce26f4c6d6554
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:217665913&cup2hreq=94df50abca222f875375a035f6161fa7762c59a5c70edf08a1dce26f4c6d6554
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1620780724.00425
NtAllocateVirtualMemory
process_identifier: 1432
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620780740.23925
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process 5b671c773976c8b68b5108937e5d7c7c.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620780739.98925
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with host for which no DNS query was performed (6 events)
host 113.108.239.196
host 118.110.236.121
host 149.202.5.139
host 153.92.4.96
host 172.217.24.14
host 51.75.163.68
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620780742.89525
RegSetValueExA
key_handle: 0x000003ac
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620780742.89525
RegSetValueExA
key_handle: 0x000003ac
value: ë{ÃF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620780742.89525
RegSetValueExA
key_handle: 0x000003ac
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620780742.89525
RegSetValueExW
key_handle: 0x000003ac
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620780742.91025
RegSetValueExA
key_handle: 0x000003c4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620780742.91025
RegSetValueExA
key_handle: 0x000003c4
value: ë{ÃF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620780742.91025
RegSetValueExA
key_handle: 0x000003c4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620780742.92625
RegSetValueExW
key_handle: 0x000003a8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34469849
CAT-QuickHeal Trojan.Emotet
ALYac Trojan.Agent.Emotet
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.cef57abb
K7GW Riskware ( 0040eff71 )
TrendMicro TROJ_GEN.R002C0DI320
BitDefenderTheta Gen:NN.Zextet.34216.er0@aKs48sdi
Cyren W32/Trojan.TDHP-3379
Symantec Trojan.Emotet
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Banker.Win32.Emotet.gdeo
BitDefender Trojan.GenericKD.34469849
SUPERAntiSpyware Trojan.Agent/Gen-Dropper
Tencent Malware.Win32.Gencirc.10cdfce5
Ad-Aware Trojan.GenericKD.34469849
TACHYON Banker/W32.Emotet.1122304
F-Secure Trojan.TR/Crypt.Agent.dqppo
DrWeb Trojan.Siggen10.11107
Invincea Mal/Generic-R + Troj/Emotet-CMW
Sophos Troj/Emotet-CMW
Ikarus Trojan-Banker.Emotet
Jiangmin Trojan.Banker.Emotet.ohb
Webroot W32.Trojan.Gen
Avira TR/Crypt.Agent.dqppo
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARK!MTB
ViRobot Trojan.Win32.Emotet.1122304
ZoneAlarm Trojan-Banker.Win32.Emotet.gdeo
GData Win32.Trojan.PSE.IRR3U4
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.RL_Generic.R350033
McAfee Emotet-FRI!5B671C773976
MAX malware (ai score=81)
VBA32 TrojanBanker.Emotet
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HFXF
TrendMicro-HouseCall TROJ_GEN.R002C0DI320
Rising Trojan.Kryptik!8.8 (TFE:5:5kXVoRFHSDN)
Fortinet W32/Kryptik.HDAI!tr
AVG Win32:Trojan-gen
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Trojan.6d1
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (6 events)
dead_host 149.202.5.139:443
dead_host 192.168.56.101:49180
dead_host 118.110.236.121:8080
dead_host 172.217.24.14:443
dead_host 153.92.4.96:8080
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2020-09-02 22:45:58

Imports

Library KERNEL32.dll:
0x4310b4 GetSystemInfo
0x4310b8 VirtualQuery
0x4310bc GetStartupInfoA
0x4310c0 GetCommandLineA
0x4310c4 ExitProcess
0x4310c8 TerminateProcess
0x4310cc HeapReAlloc
0x4310d0 HeapSize
0x4310d4 LCMapStringA
0x4310d8 LCMapStringW
0x4310dc HeapDestroy
0x4310e0 HeapCreate
0x4310e4 VirtualFree
0x4310e8 IsBadWritePtr
0x4310ec GetStdHandle
0x4310fc VirtualAlloc
0x431104 SetHandleCount
0x431108 GetFileType
0x431110 GetCurrentProcessId
0x431118 GetStringTypeA
0x43111c GetStringTypeW
0x431124 GetUserDefaultLCID
0x431128 EnumSystemLocalesA
0x43112c IsValidLocale
0x431130 IsValidCodePage
0x431134 IsBadReadPtr
0x431138 IsBadCodePtr
0x43113c SetStdHandle
0x431140 GetLocaleInfoW
0x431148 VirtualProtect
0x43114c HeapFree
0x431150 HeapAlloc
0x431158 RtlUnwind
0x43115c GetTickCount
0x431160 GetFileTime
0x431164 GetFileAttributesA
0x43116c SetErrorMode
0x431174 GetOEMCP
0x431178 GetCPInfo
0x43117c CreateFileA
0x431180 GetFullPathNameA
0x431188 FindFirstFileA
0x43118c FindClose
0x431190 GetCurrentProcess
0x431194 DuplicateHandle
0x431198 GetFileSize
0x43119c SetEndOfFile
0x4311a0 UnlockFile
0x4311a4 LockFile
0x4311a8 FlushFileBuffers
0x4311ac SetFilePointer
0x4311b0 WriteFile
0x4311b4 ReadFile
0x4311b8 TlsFree
0x4311bc LocalReAlloc
0x4311c0 TlsSetValue
0x4311c4 TlsAlloc
0x4311c8 TlsGetValue
0x4311d0 GlobalHandle
0x4311d4 GlobalReAlloc
0x4311dc LocalAlloc
0x4311e8 RaiseException
0x4311ec GlobalFlags
0x4311fc SetLastError
0x431200 MulDiv
0x431204 FormatMessageA
0x431208 LocalFree
0x43120c GlobalGetAtomNameA
0x431210 GlobalFindAtomA
0x431214 lstrcatA
0x431218 lstrcmpW
0x43121c lstrcpynA
0x431220 GlobalUnlock
0x431224 GlobalFree
0x431228 FreeResource
0x43122c CloseHandle
0x431230 GlobalAddAtomA
0x431234 GetCurrentThread
0x431238 GetCurrentThreadId
0x43123c GlobalLock
0x431240 GlobalAlloc
0x431244 FreeLibrary
0x431248 GlobalDeleteAtom
0x43124c lstrcmpA
0x431250 GetModuleFileNameA
0x431254 GetModuleHandleA
0x431258 GetProcAddress
0x431264 lstrcpyA
0x431268 LoadLibraryA
0x43126c CompareStringW
0x431270 CompareStringA
0x431274 lstrlenA
0x431278 lstrcmpiA
0x43127c GetVersion
0x431280 GetLastError
0x431284 MultiByteToWideChar
0x431288 WideCharToMultiByte
0x43128c FindResourceA
0x431290 LoadResource
0x431294 LockResource
0x431298 SizeofResource
0x43129c GetVersionExA
0x4312a0 GetThreadLocale
0x4312a4 GetLocaleInfoA
0x4312a8 GetACP
0x4312ac InterlockedExchange
0x4312b4 LoadLibraryExA
Library USER32.dll:
0x431304 PostThreadMessageA
0x43130c WinHelpA
0x431310 GetCapture
0x431314 CreateWindowExA
0x431318 GetClassLongA
0x43131c GetClassInfoExA
0x431320 GetClassNameA
0x431324 SetPropA
0x431328 GetPropA
0x43132c RemovePropA
0x431330 SendDlgItemMessageA
0x431334 SetFocus
0x431338 IsChild
0x431340 GetWindowTextA
0x431344 GetForegroundWindow
0x431348 GetTopWindow
0x43134c UnhookWindowsHookEx
0x431350 GetMessageTime
0x431354 GetMessagePos
0x431358 MapWindowPoints
0x43135c SetForegroundWindow
0x431360 UpdateWindow
0x431364 GetMenu
0x431368 GetSubMenu
0x43136c GetMenuItemID
0x431370 GetMenuItemCount
0x431374 GetSysColor
0x431378 AdjustWindowRectEx
0x43137c EqualRect
0x431380 GetClassInfoA
0x431384 RegisterClassA
0x431388 UnregisterClassA
0x43138c GetDlgCtrlID
0x431390 MessageBeep
0x431394 CallWindowProcA
0x431398 SetWindowLongA
0x43139c OffsetRect
0x4313a0 IntersectRect
0x4313a8 GetWindowPlacement
0x4313ac CopyRect
0x4313b0 PtInRect
0x4313b4 GetWindow
0x4313bc MapDialogRect
0x4313c0 SetWindowPos
0x4313c4 GetDesktopWindow
0x4313c8 SetActiveWindow
0x4313d0 DestroyWindow
0x4313d4 IsWindow
0x4313d8 GetDlgItem
0x4313dc GetNextDlgTabItem
0x4313e0 EndDialog
0x4313e4 SetMenuItemBitmaps
0x4313e8 GetFocus
0x4313ec ModifyMenuA
0x4313f0 GetMenuState
0x4313f4 EnableMenuItem
0x4313f8 CheckMenuItem
0x431400 LoadBitmapA
0x431404 SetWindowsHookExA
0x431408 CallNextHookEx
0x43140c GetMessageA
0x431410 TranslateMessage
0x431414 DispatchMessageA
0x431418 GetActiveWindow
0x43141c IsWindowVisible
0x431420 GetKeyState
0x431424 PeekMessageA
0x431428 GetNextDlgGroupItem
0x43142c InvalidateRgn
0x431430 InvalidateRect
0x431438 SetRect
0x43143c IsRectEmpty
0x431440 CharNextA
0x431444 GetSysColorBrush
0x431448 ReleaseCapture
0x43144c GetCursorPos
0x431450 ValidateRect
0x431454 MessageBoxA
0x431458 GetParent
0x43145c GetWindowLongA
0x431460 GetLastActivePopup
0x431464 IsWindowEnabled
0x431468 SetCursor
0x43146c PostQuitMessage
0x431470 PostMessageA
0x431474 CharUpperA
0x43147c GetSystemMetrics
0x431480 LoadIconA
0x431484 EnableWindow
0x431488 GetClientRect
0x43148c IsIconic
0x431490 GetSystemMenu
0x431494 SetMenu
0x431498 SendMessageA
0x43149c LoadMenuA
0x4314a0 AppendMenuA
0x4314a4 DrawIcon
0x4314a8 ShowWindow
0x4314ac GetWindowRect
0x4314b0 LoadCursorA
0x4314b4 SetCapture
0x4314b8 EndPaint
0x4314bc BeginPaint
0x4314c0 GetWindowDC
0x4314c4 ReleaseDC
0x4314c8 GetDC
0x4314cc ClientToScreen
0x4314d0 GrayStringA
0x4314d4 DrawTextExA
0x4314d8 DrawTextA
0x4314dc TabbedTextOutA
0x4314e0 wsprintfA
0x4314e4 DestroyMenu
0x4314e8 MoveWindow
0x4314ec SetWindowTextA
0x4314f0 IsDialogMessageA
0x4314f4 DefWindowProcA
Library GDI32.dll:
0x431030 DeleteObject
0x431034 GetViewportExtEx
0x431038 GetWindowExtEx
0x43103c PtVisible
0x431040 RectVisible
0x431044 TextOutA
0x431048 Escape
0x43104c SelectObject
0x431050 SetViewportOrgEx
0x431054 OffsetViewportOrgEx
0x431058 SetViewportExtEx
0x43105c ScaleViewportExtEx
0x431060 SetWindowExtEx
0x431064 ScaleWindowExtEx
0x431068 ExtSelectClipRgn
0x43106c GetStockObject
0x431070 GetBkColor
0x431074 GetTextColor
0x43107c GetRgnBox
0x431080 GetMapMode
0x431084 SetMapMode
0x431088 RestoreDC
0x43108c SaveDC
0x431090 ExtTextOutA
0x431094 GetDeviceCaps
0x431098 GetObjectA
0x43109c SetBkColor
0x4310a0 SetTextColor
0x4310a4 GetClipBox
0x4310a8 DeleteDC
0x4310ac CreateBitmap
Library comdlg32.dll:
0x43150c GetFileTitleA
Library WINSPOOL.DRV:
0x4314fc OpenPrinterA
0x431500 DocumentPropertiesA
0x431504 ClosePrinter
Library ADVAPI32.dll:
0x431000 RegQueryValueExA
0x431004 RegOpenKeyExA
0x431008 RegDeleteKeyA
0x43100c RegEnumKeyA
0x431010 RegOpenKeyA
0x431014 RegQueryValueA
0x431018 RegCreateKeyExA
0x43101c RegSetValueExA
0x431020 RegCloseKey
Library COMCTL32.dll:
0x431028
Library SHLWAPI.dll:
0x4312f0 PathFindFileNameA
0x4312f4 PathStripToRootA
0x4312f8 PathFindExtensionA
0x4312fc PathIsUNCA
Library oledlg.dll:
0x431554
Library ole32.dll:
0x431520 CoGetClassObject
0x431524 CoTaskMemAlloc
0x431528 CoTaskMemFree
0x43152c CLSIDFromString
0x431530 CLSIDFromProgID
0x431534 OleUninitialize
0x431540 OleFlushClipboard
0x431548 CoRevokeClassObject
0x43154c OleInitialize
Library OLEAUT32.dll:
0x4312bc SysFreeString
0x4312c0 VariantClear
0x4312c4 VariantChangeType
0x4312c8 VariantInit
0x4312cc SysStringLen
0x4312dc SafeArrayDestroy
0x4312e0 SysAllocString
0x4312e4 VariantCopy
0x4312e8 SysAllocStringLen

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49185 203.208.40.34 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60088 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.