7.0
High risk

ee6d76c87005bac6bf4e4fe2ddc3caa39246ff9b8383bac26f70ce2a155fe40a

69f983135a6b185874245db3e71bbfe1.exe

Analysis time

106s

Last analyzed

File size

233.3KB
Static scan: malicious. Dynamic scan: malicious. Detection tags: 100% AGEN AI SCORE=100 AIDETECTVM BSCOPE CLASSIC CONFIDENCE CSRY DANGEROUSSIG DSLD DUDDIJVRTU ELDORADO EMOTET FOMFJN FQPI GENASA GENETIC GRFS HDMV HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE1 MAUVAISE OQ1@AISY0LLJ R + MAL R260381 RDF@835X12 SCORE SIGGEN8 STATIC AI SUSGEN THCBGAI UNSAFE ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Version
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Trojan:Win32/Emotet.158 20190527 0.3.0.5
Avast Win32:DangerousSig [Trj] 20210109 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft 20210110 2017.9.26.565
McAfee Trojan-FQPI!69F983135A6B 20210110 6.0.6.653
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619627815.8315
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable is signed
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (9 events)
Time & API Arguments Status Return Repeated
1619627807.612875
NtAllocateVirtualMemory
process_identifier: 200
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619627808.144875
NtAllocateVirtualMemory
process_identifier: 200
region_size: 106496
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619627808.144875
NtAllocateVirtualMemory
process_identifier: 200
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003e0000
success 0 0
1619627808.144875
NtAllocateVirtualMemory
process_identifier: 200
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619627808.3315
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619627808.8785
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 106496
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619627808.8785
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003e0000
success 0 0
1619627808.8785
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619627438.772896
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000040e0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a service (1 event)
Time & API Arguments Status Return Repeated
1619627818.7375
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x0052e338
display_name: servslide
error_control: 0
service_name: servslide
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\servslide.exe"
filepath_r: "C:\Windows\SysWOW64\servslide.exe"
service_manager_handle: 0x0052e040
desired_access: 18
service_type: 16
password:
success 5432120 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619627816.0975
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\69f983135a6b185874245db3e71bbfe1.exe
newfilepath: C:\Windows\SysWOW64\servslide.exe
newfilepath_r: C:\Windows\SysWOW64\servslide.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\69f983135a6b185874245db3e71bbfe1.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.6626557485465145 section {'size_of_data': '0x0001d200', 'virtual_address': '0x00001000', 'entropy': 7.6626557485465145, 'name': '.text', 'virtual_size': '0x0001d08b'} description A section with a high entropy has been found
entropy 0.5087336244541485 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 66.50.29.185
host 72.161.250.4
Installs itself for autorun at Windows startup (1 event)
service_name servslide service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\servslide.exe"
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\servslide.exe:Zone.Identifier
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 of 58 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Siggen8.20731
MicroWorld-eScan Trojan.Agent.DSLD
CAT-QuickHeal Trojan.Mauvaise.SL1
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Trojan.Agent.Win32.1084757
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Emotet.158
K7GW Trojan ( 0054a8b61 )
K7AntiVirus Trojan ( 0054a8b61 )
Arcabit Trojan.Agent.DSLD
BitDefenderTheta Gen:NN.ZexaF.34742.oq1@aiSY0Llj
Cyren W32/Emotet.SN.gen!Eldorado
Symantec Packed.Generic.459
ESET-NOD32 a variant of Win32/Kryptik.GRFS
APEX Malicious
Avast Win32:DangerousSig [Trj]
ClamAV Win.Malware.Emotet-6911441-0
Kaspersky Trojan-Banker.Win32.Emotet.csry
BitDefender Trojan.Agent.DSLD
NANO-Antivirus Trojan.Win32.Emotet.fomfjn
Paloalto generic.ml
Ad-Aware Trojan.Agent.DSLD
Emsisoft Trojan.Agent.DSLD (B)
Comodo TrojWare.Win32.Emotet.RDF@835x12
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.THCBGAI
McAfee-GW-Edition Trojan-FQPI!69F983135A6B
FireEye Generic.mg.69f983135a6b1858
Sophos Mal/Generic-R + Mal/Emotet-Q
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Banker.Emotet.hyu
Avira HEUR/AGEN.1125417
MAX malware (ai score=100)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.PA!MTB
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm Trojan-Banker.Win32.Emotet.csry
GData Trojan.Agent.DSLD
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R260381
Acronis suspicious
McAfee Trojan-FQPI!69F983135A6B
VBA32 BScope.Malware-Cryptor.Emotet
Malwarebytes Trojan.Emotet
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THCBGAI
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (4 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
dead_host 72.161.250.4:80
dead_host 66.50.29.185:8080
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2019-03-26 21:20:34

Imports

Library KERNEL32.dll:
Library USER32.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 (time.windows.com) 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.