7.2
High risk

e809f0e74959d78fe624057be66025f0876bad30a081cf7829f57c31a399f744

66b4d43382c75e04857234fd0c02beed.exe

Analysis time

99s

Last analysis

File size

108.2KB
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Emotet-FMG!66B4D43382C7 20190602 6.0.6.653
Alibaba TrojanBanker:Win32/Emotet.b03245f7 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20190602 18.4.3895.0
Tencent Win32.Trojan.Falsesign.Wqdg 20190603 1.0.0.1
Kingsoft 20190603 2013.8.14.323
CrowdStrike win/malicious_confidence_90% (W) 20190212 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619641449.744874
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable is signed
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (9 events)
Time & API Arguments Status Return Repeated
1619641444.088374
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006f0000
success 0 0
1619641444.619374
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00710000
success 0 0
1619641444.619374
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00720000
success 0 0
1619641444.619374
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619641444.947874
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619641445.525874
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619641445.525874
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003d0000
success 0 0
1619641445.525874
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619641510.103626
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004030000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a service (1 event)
Time & API Arguments Status Return Repeated
1619641451.541874
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x0054d700
display_name: dmapnf
error_control: 0
service_name: dmapnf
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\dmapnf.exe"
filepath_r: "C:\Windows\SysWOW64\dmapnf.exe"
service_manager_handle: 0x00525790
desired_access: 18
service_type: 16
password:
success 5560064 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619641450.025874
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\66b4d43382c75e04857234fd0c02beed.exe
newfilepath: C:\Windows\SysWOW64\dmapnf.exe
newfilepath_r: C:\Windows\SysWOW64\dmapnf.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\66b4d43382c75e04857234fd0c02beed.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.477686083523733 section {'size_of_data': '0x00012800', 'virtual_address': '0x00008000', 'entropy': 7.477686083523733, 'name': '.data', 'virtual_size': '0x000127f4'} description A section with a high entropy has been found
entropy 0.7254901960784313 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (5 events)
host 159.65.241.220
host 172.217.24.14
host 80.86.92.114
host 203.208.41.65
host 203.208.41.66
Installs itself for autorun at Windows startup (1 event)
service_name dmapnf service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\dmapnf.exe"
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\dmapnf.exe:Zone.Identifier
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 of 55 events shown)
K7AntiVirus Trojan ( 0054ea211 )
MicroWorld-eScan Trojan.GenericKD.41321598
FireEye Generic.mg.66b4d43382c75e04
CAT-QuickHeal Trojan.Fuerboos
McAfee Emotet-FMG!66B4D43382C7
Cylance Unsafe
Alibaba TrojanBanker:Win32/Emotet.b03245f7
K7GW Trojan ( 0054ea211 )
Arcabit Trojan.Generic.D276847E
Invincea heuristic
F-Prot W32/Emotet.TL.gen!Eldorado
Symantec Packed.Generic.534
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Malware.Emotet-6980706-0
Kaspersky Trojan-Banker.Win32.Emotet.dhdf
BitDefender Trojan.GenericKD.41321598
NANO-Antivirus Trojan.Win32.Emotet.fqoaar
Paloalto generic.ml
Tencent Win32.Trojan.Falsesign.Wqdg
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.41321598 (B)
Comodo TrojWare.Win32.Emotet.GY@86k3c1
DrWeb Trojan.Emotet.678
TrendMicro TrojanSpy.Win32.EMOTET.SM
McAfee-GW-Edition Emotet-FMG!66B4D43382C7
Trapmine malicious.high.ml.score
Sophos Mal/Cerber-AM
SentinelOne DFI - Suspicious PE
Cyren W32/Emotet.TL.gen!Eldorado
Jiangmin Trojan.Banker.Emotet.iyc
eGambit PE.Heur.InvalidSig
Antiy-AVL Trojan/Win32.Fuerboos
Microsoft Trojan:Win32/Emotet.PA!MTB
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm Trojan-Banker.Win32.Emotet.dhdf
GData Trojan.GenericKD.41321598
AhnLab-V3 Trojan/Win32.Emotet.R272562
Acronis suspicious
VBA32 BScope.Malware-Cryptor.Emotet
ALYac Trojan.Agent.Emotet
Ad-Aware Trojan.GenericKD.41321598
ESET-NOD32 a variant of Win32/Kryptik.GTED
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SM
Rising Trojan.Kryptik!8.8 (CLOUD)
Yandex Trojan.PWS.Emotet!
Ikarus Trojan-Banker.Emotet
MaxSecure Trojan.Malware.74335577.susgen
Fortinet W32/Kryptik.GLWT!tr
Webroot W32.Trojan.Emotet
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (4 events)
dead_host 172.217.24.14:443
dead_host 159.65.241.220:8080
dead_host 80.86.92.114:7080
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2018-05-26 06:16:53

Imports

Library KERNEL32.dll:
0x41912c VirtualAllocEx
0x419130 GetModuleHandleW
0x419138 DuplicateHandle
0x41913c WaitForSingleObject
0x419140 Sleep
0x419144 GetCurrentProcess
0x419148 CreateThread
0x41914c SetThreadPriority
0x419150 TerminateThread
0x419154 ResumeThread
0x419158 TlsAlloc
0x41915c TlsGetValue
0x419160 TlsSetValue
0x419164 TlsFree
0x419168 GetSystemInfo
0x419170 CreateFileW
0x419174 FlushFileBuffers
0x419178 GetFileType
0x41917c GetLogicalDrives
0x419180 ReadFile
0x419184 SetEndOfFile
0x419188 SetFilePointerEx
0x41918c WriteFile
0x419190 SetErrorMode
0x419194 CreateFileMappingW
0x419198 MapViewOfFile
0x41919c UnmapViewOfFile
0x4191a0 MoveFileExW
0x4191a8 CreateDirectoryW
0x4191ac FindClose
0x4191b0 FindFirstFileW
0x4191bc GetFullPathNameW
0x4191c0 GetLongPathNameW
0x4191c4 RemoveDirectoryW
0x4191c8 GetTempPathW
0x4191cc DeviceIoControl
0x4191d0 MoveFileW
0x4191e0 GetCurrencyFormatW
0x4191e4 GetTickCount
0x4191e8 FindFirstFileExW
0x4191ec GetTimeFormatW
0x4191f0 GetStartupInfoW
0x4191f4 GetModuleFileNameW
0x4191f8 MultiByteToWideChar
0x4191fc WideCharToMultiByte
0x419200 FreeLibrary
0x419208 GetGeoInfoW
0x41920c GetUserGeoID
0x419210 GetModuleHandleExW
0x419214 ExitProcess
0x41921c lstrcmpW
0x419220 ReleaseMutex
0x419224 CreateMutexW
0x419228 VirtualAlloc
0x41922c VirtualFree
0x419248 TerminateProcess
0x419250 IsDebuggerPresent
0x419258 InitializeSListHead
0x41925c RtlUnwind
0x419260 EncodePointer
0x419264 RaiseException
0x41926c LoadLibraryExW
0x419270 SetLastError
0x419274 GetCommandLineA
0x419278 ExitThread
0x419280 SetStdHandle
0x419284 GetConsoleMode
0x419288 ReadConsoleW
0x41928c GetConsoleCP
0x419290 GetStdHandle
0x419294 GetModuleFileNameA
0x419298 GetACP
0x41929c HeapFree
0x4192a0 HeapAlloc
0x4192a4 LCMapStringW
0x4192a8 EnumSystemLocalesW
0x4192ac DecodePointer
0x4192b0 HeapReAlloc
0x4192b4 GetCPInfo
0x4192bc WriteConsoleW
0x4192c0 GetStringTypeW
0x4192c4 IsValidCodePage
0x4192c8 GetOEMCP
0x4192d4 GetProcessHeap
0x4192d8 FindFirstFileExA
0x4192dc FindNextFileA
0x4192e0 HeapSize
0x4192e4 GetDateFormatW
0x4192e8 GetThreadPriority
0x4192ec GetCurrentThread
0x4192f0 ResetEvent
0x4192f4 LoadLibraryW
0x4192f8 GetSystemDirectoryW
0x4192fc CreateEventW
0x419304 SetEvent
0x419308 GetConsoleWindow
0x41930c OutputDebugStringW
0x419314 GetLocalTime
0x419318 GetSystemTime
0x41931c GetUserDefaultLCID
0x419320 CompareStringW
0x419324 GetCurrentProcessId
0x419328 GlobalSize
0x41932c LoadLibraryA
0x419330 GetLocaleInfoW
0x419334 GlobalUnlock
0x419338 GlobalLock
0x41933c GlobalAlloc
0x419340 OpenProcess
0x41934c CreateProcessW
0x419350 CloseHandle
0x419358 IsValidLocale
0x419360 FormatMessageW
0x419364 GetProcAddress
0x419368 GetCurrentThreadId
0x41936c GetLastError
0x419370 FindNextFileW
0x41937c LocalFree
0x419380 GetCommandLineW
0x419384 GetVersionExW
0x419388 CopyFileW
0x41938c SetFileAttributesW
0x419390 GetFileAttributesW
0x419394 GetDriveTypeW
0x41939c DeleteFileW
0x4193a0 GetModuleHandleA
0x4193a4 GetStartupInfoA
0x4193a8 GlobalFree
0x4193ac LocalAlloc
0x4193b0 lstrlenW
0x4193b4 LocalUnlock
0x4193b8 LocalLock
0x4193bc FoldStringW
0x4193c0 lstrcpyW
0x4193c4 lstrcmpiW
0x4193c8 lstrcatW
0x4193cc MulDiv
0x4193d0 lstrcpynW
0x4193d4 LocalSize
0x4193d8 LocalReAlloc
Library USER32.dll:
0x4193e0 GetDesktopWindow
0x4193e4 GetClipboardOwner
0x4193e8 GetThreadDesktop
0x4193ec GetCaretBlinkTime
0x4193f0 DestroyWindow
0x4193f4 GetKeyState
0x4193f8 IsIconic
0x4193fc GetTopWindow
0x419400 GetSysColor
0x419404 GetListBoxInfo
0x419408 IsWindowVisible
Library GDI32.dll:
0x419410 GetTextAlign
0x419414 GetDCPenColor
0x419418 CloseMetaFile
0x41941c CreateMetaFileA
0x419420 FillPath
0x419424 GetFontLanguageInfo
0x419428 GetSystemPaletteUse
0x41942c GetLayout
Library ADVAPI32.dll:
0x419434 RegOpenKeyA
0x419438 RegQueryValueExA
0x41943c RegCloseKey
0x419440 RegQueryValueExW
0x419444 OpenProcessToken
0x419448 CopySid
0x41944c FreeSid
0x419450 GetLengthSid
0x419454 GetTokenInformation
0x419458 RegCreateKeyExW
0x41945c RegDeleteKeyW
0x419460 RegDeleteValueW
0x419464 RegEnumKeyExW
0x419468 RegEnumValueW
0x41946c RegFlushKey
0x419470 RegQueryInfoKeyW
0x419474 RegSetValueExW
0x419478 SystemFunction036
0x41947c RegOpenKeyExW
Library ole32.dll:
0x419484 StringFromGUID2
0x419488 CoTaskMemAlloc
0x41948c CoGetMalloc
0x419490 CoUninitialize
0x419494 CoTaskMemFree
0x419498 DoDragDrop
0x4194a0 OleFlushClipboard
0x4194a4 OleGetClipboard
0x4194a8 OleSetClipboard
0x4194ac CoCreateGuid
0x4194b0 OleUninitialize
0x4194b4 OleInitialize
0x4194b8 RevokeDragDrop
0x4194bc CoCreateInstance
0x4194c0 ReleaseStgMedium
0x4194c4 RegisterDragDrop
0x4194cc CoInitialize
Library MSVCRT.dll:
0x4194d4 _except_handler3
0x4194d8 __set_app_type
0x4194dc __p__fmode
0x4194e0 __p__commode
0x4194e4 _adjust_fdiv
0x4194e8 __setusermatherr
0x4194ec _initterm
0x4194f0 __getmainargs
0x4194f4 _acmdln
0x4194f8 exit
0x4194fc _XcptFilter
0x419500 _exit
0x419504 _onexit
0x419508 __dllonexit
0x41950c _controlfp

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.