Score: 3.8, rated medium risk
SHA256: 002dd9b7cbf8ca2a09434f8c4abd85631efe922ab8daa1219d86d83a0228aeda
File name: 6b82d03d7c7a8ff4ec843cb92d35e33f.exe (the name is the sample's MD5; the McAfee and FireEye detection names below embed the same prefix)
Analysis duration: 23s
Last analysis: (blank)
File size: 239.5KB

The medium score reflects a dynamic run that ended in a crash about 250 ms after the sample's first RWX allocation (see the process-crash event under static indicators), not the file's actual risk: the static side is unanimous, with 57 VirusTotal engines calling it malicious and several naming Conti ransomware.
Static detection: flagged. Dynamic detection: flagged. Keywords drawn from the detection names: 100%, AI SCORE=100, BSCOPE, BVXG, CLASSIC, CONFIDENCE, CONTI, DEEPSCAN, DELSHAD, EMOTET, FILECODER, GENCIRC, GENETIC, HEYS, HIGH CONFIDENCE, HOJDCV, KCLOUD, KRYPTIK, LAEELBORCYO, MALWARE@#KRWPTZZG1HSS, MALWAREX, OQW@AQOXDZFK, RGXZK, SCORE, STATIC AI, SUSGEN, SUSPICIOUS PE, UNSAFE, ZENPAK, ZEXAF
HawkEye (鹰眼) engine
Not detected: no HawkEye engine result is available for this sample
Static verdict

Antivirus engines

Engine       Result                              Scan date  Engine version
McAfee       Emotet-FRH!6B82D03D7C7A             20210111   6.0.6.653
CrowdStrike  win/malicious_confidence_100% (W)   20190702   1.0
Baidu        (blank)                             20190318   1.0.0.2
Alibaba      Trojan:Win32/DelShad.9b057ecd       20190527   0.3.0.5
Avast        Win32:MalwareX-gen [Trj]            20210111   21.1.5827.0
Kingsoft     Win32.Troj.Undef.(kcloud)           20210111   2017.9.26.565
Tencent      Malware.Win32.Gencirc.10cde03f      20210111   1.0.0.1

Caveat on the dates: the CrowdStrike, Baidu and Alibaba entries are dated 2019, earlier than the PE compile timestamp further down (2020-07-18 01:33:31). Either these are engine or signature-set dates rather than the date this file was scanned, or the compile timestamp is not genuine; either way, do not read this column as first-seen evidence for the sample.
Static indicators

One or more processes crashed (1 event)

Time: 1619613473.574374 (2021-04-28 12:37:53 UTC), 250 ms after the sample's first RWX allocation and 16 ms after its first NtProtectVirtualMemory call on ntdll (see dynamic indicators below)
Event: __exception__, exception_code 0xc0000005 (access violation), exception.module ntdll.dll
Faulting address: 0x77d6c43f = ntdll+0x3c43f (exception.offset 246847), symbolised as LdrLoadDll+0x5 (_strcmpi-0x37a); ntdll is therefore loaded at 0x77d30000
Faulting instruction: mov eax, dword ptr [0x7de9f6ec]
Instruction bytes at the fault: a1 ec f6 e9 7d 83 ec 0c 53 83 c8 01 56 8b 75 08

Stack trace (innermost frame first, "module+offset @ address"):
  LoadLibraryExW+0x178 (LoadLibraryExA-0x2a)   kernelbase+0x11d2a @ 0x778f1d2a
  LoadLibraryExA+0x26 (FreeLibrary-0x18)        kernelbase+0x11d7a @ 0x778f1d7a
  LoadLibraryA+0x31 (HeapCreate-0x25)           kernel32+0x14a08 @ 0x76354a08
  0x45437d   (no symbol; inside the sample's own image, whose import thunks sit at 0x41c000, i.e. image base 0x400000)
  0x4568e2   (no symbol; same image)
  0x3e03da   (no symbol; inside the 56 KB PAGE_EXECUTE_READWRITE region allocated at 0x003e0000 at 1619613473.324374)

Registers (the report prints them in decimal; hex added):
  eax 6002524 (0x5b975c)       ebx 0
  ecx 1636436 (0x18f854)       edx 6002622 (0x5b97be)
  esi 2010545523 (0x77d67d73, inside ntdll)   edi 0
  ebp 1636372 (0x18f814)       esp 1636372 (0x18f814)

Status: success, return 0, repeated 0

Reading the trace: the sample's own code (frames 0x3e03da, 0x4568e2, 0x45437d) calls kernel32!LoadLibraryA, which reaches ntdll!LdrLoadDll, and execution faults on the instruction five bytes into LdrLoadDll, right after the usual hot-patchable prologue (mov edi, edi; push ebp; mov ebp, esp; ebp == esp in the register dump agrees). That instruction is an absolute-address global read whose operand, 0x7de9f6ec, lies outside ntdll (0x77d30000 upward), kernelbase (0x778e0000 upward) and kernel32 (0x76340000 upward), i.e. outside every module the trace resolves. The page that holds LdrLoadDll, 0x77d6c000, is one of the ntdll pages the sample set to PAGE_EXECUTE_READWRITE 16 ms earlier (dynamic indicators below). Taken together this is consistent with the sample overwriting ntdll code pages with bytes whose absolute references were not relocated for the loaded base, the kind of mistake seen in API-unhooking routines that copy a clean ntdll .text over the loaded one, and then calling through the damaged function. Whatever the exact cause, the run died 250 ms in, before any file-encryption or network behaviour, which is why the dynamic side of this report is nearly empty and why the sandbox score understates the static verdicts. This reading is the editor's, not a finding the sandbox states.
Behavioral verdict

Dynamic indicators

Allocates read-write-execute memory (usually to unpack itself) (43 events)

All 43 calls come from PID 2248 acting on its own address space (process_handle 0xffffffff), all request protection 64 (PAGE_EXECUTE_READWRITE), all returned success with return value 0 and repeated 0, and the sandbox's stack_dep_bypass, stack_pivoted and heap_dep_bypass flags are 0 on every call. The table below keeps only the fields that vary. Event 1 is a private allocation; events 2 to 43 are NtProtectVirtualMemory calls on pages of ntdll.dll (loaded at 0x77d30000, per the crash trace above): seven distinct pages at RVAs 0x1f000, 0x20000, 0x21000, 0x2f000, 0x30000, 0x3c000 and 0x41000, of which 0x77d4f000 is flipped 17 times, 0x77d50000 18 times, 0x77d51000 3 times and the other four once each (the 8192-byte calls at 0x77d4f000 cover 0x77d50000 as well). The page 0x77d6c000 (RVA 0x3c000) is the one that contains LdrLoadDll, where the process crashed 16 ms later. The signature only records calls that request RWX, so a restore to the original protection between flips would not appear here, and this table alone cannot show whether the flips are write-then-restore cycles.

#   Time                API                      Base address  Length  Other arguments
1   1619613473.324374   NtAllocateVirtualMemory  0x003e0000    57344   region_size 57344 (0xe000), allocation_type 12289 (MEM_COMMIT|MEM_RESERVE)
2   1619613473.558374   NtProtectVirtualMemory   0x77d5f000    4096
3   1619613473.558374   NtProtectVirtualMemory   0x77d60000    4096
4   1619613473.558374   NtProtectVirtualMemory   0x77d6c000    4096
5   1619613473.558374   NtProtectVirtualMemory   0x77d71000    4096
6   1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
7   1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
8   1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
9   1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
10  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
11  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
12  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
13  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    8192
14  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
15  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    8192
16  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
17  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
18  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
19  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
20  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
21  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
22  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
23  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
24  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
25  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
26  1619613473.558374   NtProtectVirtualMemory   0x77d4f000    4096
27  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
28  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
29  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
30  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
31  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
32  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
33  1619613473.558374   NtProtectVirtualMemory   0x77d50000    4096
34  1619613473.574374   NtProtectVirtualMemory   0x77d4f000    4096
35  1619613473.574374   NtProtectVirtualMemory   0x77d50000    4096
36  1619613473.574374   NtProtectVirtualMemory   0x77d4f000    4096
37  1619613473.574374   NtProtectVirtualMemory   0x77d4f000    4096
38  1619613473.574374   NtProtectVirtualMemory   0x77d51000    4096
39  1619613473.574374   NtProtectVirtualMemory   0x77d51000    4096
40  1619613473.574374   NtProtectVirtualMemory   0x77d4f000    4096
41  1619613473.574374   NtProtectVirtualMemory   0x77d4f000    4096
42  1619613473.574374   NtProtectVirtualMemory   0x77d51000    4096
43  1619613473.574374   NtProtectVirtualMemory   0x77d50000    4096
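What a practitioner wants from this list is the split between ordinary self-unpacking (a PAGE_EXECUTE_READWRITE allocation in private memory, where the 0x3e03da frame of the crash stack lives) and code-page tampering inside a loaded system DLL (RWX on ntdll pages). The following Python is an added example, not code from the sandbox or from anyone who analysed this sample: it classifies a constructed subset of this trace with that rule and then checks whether the crash address from the process-crash event above falls in a page the sample had made RWX. The module base addresses are derived from the report's own module+offset pairs (ntdll+0x3c43f @ 0x77d6c43f gives 0x77d30000; kernelbase+0x11d2a @ 0x778f1d2a gives 0x778e0000; kernel32+0x14a08 @ 0x76354a08 gives 0x76340000); the module sizes are assumptions, as are the names MODULES and EVENTS and the event tuple layout.

```python
"""Classify RWX memory events by whether they hit private memory or a loaded module.

Added example, not the sandbox's code. EVENTS is a constructed subset of the
report's NtAllocateVirtualMemory / NtProtectVirtualMemory trace; module bases
are derived from the report's "module+offset @ address" lines; module sizes
are assumptions.
"""
from collections import defaultdict

PAGE = 0x1000
PAGE_EXECUTE_READWRITE = 0x40

# base = address - offset from the crash stack (e.g. ntdll+0x3c43f @ 0x77d6c43f).
# Sizes are assumed; only the bases come from the report.
MODULES = [
    ("ntdll.dll", 0x77d30000, 0x13c000),
    ("kernelbase.dll", 0x778e0000, 0x4a000),
    ("kernel32.dll", 0x76340000, 0xd4000),
]

# (timestamp, api, base_address, length, protection): constructed subset of the trace.
EVENTS = [
    (1619613473.324374, "NtAllocateVirtualMemory", 0x003e0000, 57344, 0x40),
    (1619613473.558374, "NtProtectVirtualMemory", 0x77d5f000, 4096, 0x40),
    (1619613473.558374, "NtProtectVirtualMemory", 0x77d6c000, 4096, 0x40),
    (1619613473.558374, "NtProtectVirtualMemory", 0x77d71000, 4096, 0x40),
    (1619613473.558374, "NtProtectVirtualMemory", 0x77d4f000, 8192, 0x40),
    (1619613473.558374, "NtProtectVirtualMemory", 0x77d50000, 4096, 0x40),
    (1619613473.574374, "NtProtectVirtualMemory", 0x77d4f000, 4096, 0x40),
    (1619613473.574374, "NtProtectVirtualMemory", 0x77d51000, 4096, 0x40),
]


def module_for(addr, modules=MODULES):
    """Name of the loaded module containing addr, or None for private memory."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def pages(base, length):
    """All 4 KiB pages touched by [base, base + length)."""
    if length <= 0:
        return range(0)
    first = base & ~(PAGE - 1)
    last = (base + length - 1) & ~(PAGE - 1)
    return range(first, last + PAGE, PAGE)


def classify(events, modules=MODULES):
    """Split RWX events into private allocations and per-module page sets.

    RWX in private memory is the ordinary unpacking pattern; RWX on a page that
    belongs to a loaded system module means the sample is about to patch that
    module's code or data (hooking, unhooking, inline patching).
    """
    private, per_module = [], defaultdict(set)
    for _ts, api, base, length, prot in events:
        if prot != PAGE_EXECUTE_READWRITE:
            continue
        mod = module_for(base, modules)
        if mod is None:
            private.append((api, base, length))
        else:
            per_module[mod].update(pages(base, length))
    return {"private_rwx": private, "module_rwx": dict(per_module)}


def crash_in_tampered_page(fault_addr, events, modules=MODULES):
    """True when a later fault lands in a module page the sample had made RWX."""
    tampered = classify(events, modules)["module_rwx"].values()
    return any((fault_addr & ~(PAGE - 1)) in page_set for page_set in tampered)


def rvas(module, page_set, modules=MODULES):
    """Absolute page addresses -> RVAs, so results compare across runs under ASLR."""
    base = next(b for n, b, _ in modules if n == module)
    return sorted(p - base for p in page_set)


if __name__ == "__main__":
    summary = classify(EVENTS)
    print("private RWX:", [(a, hex(b), n) for a, b, n in summary["private_rwx"]])
    for mod, page_set in summary["module_rwx"].items():
        print(mod, "pages made RWX at RVAs", [hex(r) for r in rvas(mod, page_set)])
    print("fault 0x77d6c43f in a tampered page:", crash_in_tampered_page(0x77d6c43f, EVENTS))
```

Run stand-alone it prints the single private allocation, the ntdll RVAs that were made writable and executable, and the crash correlation. Reporting RVAs rather than absolute pages is what makes the rule reusable: under ASLR the absolute addresses change from run to run, the RVA of the page holding LdrLoadDll does not. On a real trace, feed it all 43 events and a module list taken from the process at the time of the calls rather than the three bases recoverable from this report.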
The binary likely contains encrypted or compressed data indicative of a packer (2 events)

entropy 7.5200942687882595   section .rsrc {size_of_data 0x00019400, virtual_address 0x00027000, virtual_size 0x00019400, entropy 7.5200942687882595}   A section with a high entropy has been found
entropy 0.42348008385744235   Overall entropy of this PE file is high

Note on the second figure: this indicator is Cuckoo's packer_entropy signature, and 0.4235 is not an entropy but the fraction of the file's section bytes that sit in sections above 6.8 bits per byte (the signature fires above 0.2). It checks out against the rest of the report: 0x19400 = 103424 bytes of .rsrc divided by 0.4235 is about 244 KB of section data, i.e. the 239.5 KB file minus roughly 1 KB of headers. So 42 % of this executable is a single high-entropy resource, which, together with the RWX allocation and the runtime LoadLibrary/GetProcAddress resolution seen in the crash stack, is consistent with a packed payload carried in .rsrc rather than with resources in the usual sense.
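The following Python is an added example, not the sandbox's code: a standard-library reimplementation of the packer_entropy rule (section threshold 6.8 bits per byte, file threshold 0.2, as in that signature) with its own minimal PE section-table parser. Because the sample itself is not reproduced here, it runs on a PE image constructed in memory whose section sizes mirror this one (a 0x22000-byte low-entropy .text and a 0x19400-byte pseudo-random .rsrc); that image is parseable but not loadable, and the builder, the test data and the function names are this example's own.

```python
"""Cuckoo-style packer_entropy heuristic with a minimal PE section parser.

Added example, not the sandbox's code. Thresholds follow Cuckoo's
packer_entropy signature; the in-memory test PE is constructed here and is
parseable but not loadable.
"""
import hashlib
import math
import struct
import sys
from collections import Counter

SECTION_THRESHOLD = 6.8   # bits/byte above which a section counts as compressed or encrypted
FILE_THRESHOLD = 0.2      # fraction of section bytes in such sections that marks the file packed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, virtual_address, raw_bytes) for every section of a PE file image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        yield name, vaddr, image[raw_ptr:raw_ptr + raw_size]


def packer_entropy(image: bytes) -> dict:
    """Apply the packer_entropy rule: flagged sections, byte ratio and verdict."""
    total = compressed = 0
    flagged = []
    for name, vaddr, data in pe_sections(image):
        ent = shannon_entropy(data)
        total += len(data)
        if ent > SECTION_THRESHOLD:
            compressed += len(data)
            flagged.append({"name": name, "virtual_address": vaddr,
                            "size": len(data), "entropy": round(ent, 4)})
    ratio = compressed / total if total else 0.0
    return {"sections": flagged, "ratio": round(ratio, 4), "packed": ratio > FILE_THRESHOLD}


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 file image from [(name, bytes)] for parser testing only."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-hdr_end // file_align) * file_align               # section data starts aligned
    raw_ptr, vaddr, headers, body = first_raw, 0x1000, b"", b""
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), vaddr,
                               len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        vaddr += -(-len(padded) // 0x1000) * 0x1000
    image = dos + b"PE\0\0" + coff + optional + headers
    return image + b"\0" * (first_raw - len(image)) + body


# Constructed test input mirroring this sample's section sizes: a 0x22000-byte
# low-entropy code section (entropy exactly 6.0) and a 0x19400-byte
# pseudo-random resource section (entropy close to 8.0).
LOW_ENTROPY_TEXT = bytes(range(64)) * (0x22000 // 64)
PSEUDO_RANDOM_RSRC = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                              for i in range(0x19400 // 32))


def analyze_sample_like_pe() -> dict:
    """Run the rule on the constructed image; mirrors the report's .rsrc-only hit."""
    return packer_entropy(build_pe([(".text", LOW_ENTROPY_TEXT), (".rsrc", PSEUDO_RANDOM_RSRC)]))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(packer_entropy(f.read()))
    else:
        print(analyze_sample_like_pe())
```

Given a file path as its one argument the script applies the rule to a real PE; without one it runs on the constructed image and reports .rsrc as the only high-entropy section with a byte ratio of about 0.426, the same shape as the indicator above. One caveat for triage: legitimate installers and programs with compressed resources trip the same rule, so a high ratio is a reason to look at what the code does with the section (here: allocate RWX memory and resolve imports at runtime), not a verdict on its own.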
Network activity

Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.24.14:443

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 of the 57 listed)

The family names below disagree. The BitDefender-engine vendors (MicroWorld-eScan, BitDefender, Ad-Aware, Emsisoft, GData), ESET, TrendMicro, ALYac and Ikarus call it Conti ransomware (Filecoder); McAfee, Symantec, Microsoft and VBA32 say Emotet; Kaspersky, ZoneAlarm, AegisLab and Alibaba use the DelShad name; the rest are generic packer or machine-learning verdicts (Kryptik, Zenpak, Packed, Crypt.Agent, malicious_confidence_100%). Since the dynamic run crashed before the payload did anything, this report cannot arbitrate between them: treat the family as unconfirmed and the "malicious" verdict as the solid part.
Elastic malicious (high confidence)
MicroWorld-eScan DeepScan:Generic.Ransom.Conti.75BA9725
McAfee Emotet-FRH!6B82D03D7C7A
Cylance Unsafe
AegisLab Trojan.Win32.DelShad.4!c
K7AntiVirus Trojan ( 0056ac821 )
BitDefender DeepScan:Generic.Ransom.Conti.75BA9725
K7GW Trojan ( 0056ac821 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Trojan.BVXG-5604
Symantec Trojan.Emotet
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.DelShad.dpm
Alibaba Trojan:Win32/DelShad.9b057ecd
NANO-Antivirus Trojan.Win32.Kryptik.hojdcv
Avast Win32:MalwareX-gen [Trj]
Rising Trojan.Kryptik!1.C927 (CLASSIC)
Ad-Aware DeepScan:Generic.Ransom.Conti.75BA9725
Sophos Mal/Generic-S
Comodo Malware@#krwptzzg1hss
F-Secure Trojan.TR/Crypt.Agent.rgxzk
DrWeb Trojan.Packed.140
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.Win32.CONTI.H
McAfee-GW-Edition BehavesLike.Win32.Emotet.dh
FireEye Generic.mg.6b82d03d7c7a8ff4
Emsisoft DeepScan:Generic.Ransom.Conti.75BA9725 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Zenpak.cqs
MaxSecure Trojan.Malware.104287203.susgen
Avira TR/Crypt.Agent.rgxzk
MAX malware (ai score=100)
Antiy-AVL Trojan/Win32.Zenpak
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Packed.oa
Microsoft Trojan:Win32/Emotet.DGC!MTB
ZoneAlarm Trojan.Win32.DelShad.dpm
GData DeepScan:Generic.Ransom.Conti.75BA9725
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.Generic.C4163074
BitDefenderTheta Gen:NN.ZexaF.34760.oqW@aqoXDZfk
ALYac Trojan.Ransom.Conti
VBA32 BScope.Backdoor.Emotet
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 Win32/Filecoder.Conti.D
TrendMicro-HouseCall Ransom.Win32.CONTI.H
Tencent Malware.Win32.Gencirc.10cde03f
Yandex Trojan.Kryptik!lAeElBorCyo
Ikarus Trojan-Ransom.Conti
Visual analysis

Binary image: none. No binary visualization image was generated for this sample.
Runtime screenshots: none. No screenshots were captured while the sample ran.

PE Compile Time

2020-07-18 01:33:31

Imports

Library KERNEL32.dll:
0x41c000 SetEvent
0x41c008 GetModuleHandleW
0x41c00c GetLastError
0x41c010 GetProcAddress
0x41c014 GlobalFree
0x41c018 CreateEventExW
0x41c01c CloseHandle
0x41c020 ExitProcess
0x41c024 HeapAlloc
0x41c028 LoadLibraryExW
0x41c02c HeapFree
0x41c030 GetProcessHeap
0x41c034 LoadLibraryExA
0x41c038 ReadConsoleW
0x41c03c ReadFile
0x41c044 CreateFileW
0x41c048 WriteConsoleW
0x41c04c SetStdHandle
0x41c050 SetFilePointerEx
0x41c054 GetConsoleMode
0x41c058 GetConsoleCP
0x41c05c FlushFileBuffers
0x41c060 GetStringTypeW
0x41c064 EnumSystemLocalesEx
0x41c068 EncodePointer
0x41c06c DecodePointer
0x41c070 GetCommandLineW
0x41c074 IsDebuggerPresent
0x41c088 GetModuleHandleExW
0x41c08c MultiByteToWideChar
0x41c090 HeapSize
0x41c094 Sleep
0x41c098 GetStdHandle
0x41c09c WriteFile
0x41c0a0 GetModuleFileNameW
0x41c0a4 RaiseException
0x41c0a8 RtlUnwind
0x41c0ac SetLastError
0x41c0b4 GetCurrentThreadId
0x41c0b8 GetFileType
0x41c0c4 InitOnceExecuteOnce
0x41c0c8 GetStartupInfoW
0x41c0d4 GetTickCount64
0x41c0e8 FlsAlloc
0x41c0ec FlsGetValue
0x41c0f0 FlsSetValue
0x41c0f4 FlsFree
0x41c0f8 GetCurrentProcess
0x41c0fc TerminateProcess
0x41c100 IsValidCodePage
0x41c104 GetACP
0x41c108 GetOEMCP
0x41c10c GetCPInfo
0x41c110 HeapReAlloc
0x41c114 WideCharToMultiByte
0x41c118 OutputDebugStringW
0x41c11c LoadLibraryW
0x41c120 GetLocaleInfoEx
0x41c128 LCMapStringEx
0x41c12c IsValidLocaleName
Library WINHTTP.dll:
0x41c134 WinHttpCrackUrl
0x41c138 WinHttpOpenRequest
0x41c13c WinHttpOpen
0x41c140 WinHttpQueryHeaders
0x41c144 WinHttpConnect
0x41c148 WinHttpSendRequest
0x41c158 WinHttpCloseHandle
0x41c160 WinHttpSetOption

Note on the import table: the KERNEL32 entries are the standard MSVC CRT start-up set (Fls*, heap, locale, console and file handles) plus GetProcAddress, LoadLibraryExW and LoadLibraryExA; there are no file-enumeration, CryptoAPI, registry, service or process-manipulation imports, and WINHTTP is the only non-CRT dependency. That is the import table of a loader stub that resolves its real API set at runtime, which matches the RWX allocation and the LoadLibraryA call in the crash stack. Gaps in the thunk addresses (0x41c004, 0x41c040, 0x41c078 to 0x41c084, 0x41c14c to 0x41c154 and several more) are entries the report left unnamed. The thunk addresses themselves (0x41c000 upward) imply an image base of 0x400000, which is why the 0x45437d and 0x4568e2 frames in the crash stack can be attributed to the sample's own image.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Src port  Destination                       Dst port  Protocol
192.168.56.101  51808     114.114.114.114                   53        DNS
192.168.56.101  51963     114.114.114.114                   53        DNS
192.168.56.101  55368     114.114.114.114                   53        DNS
192.168.56.101  56539     114.114.114.114                   53        DNS
192.168.56.101  137       192.168.56.255                    137       NetBIOS name service (broadcast)
192.168.56.101  138       192.168.56.255                    138       NetBIOS datagram (broadcast)
192.168.56.101  123       20.189.79.72 (time.windows.com)   123       NTP
192.168.56.101  56804     224.0.0.252                       5355      LLMNR (multicast)
192.168.56.101  58367     224.0.0.252                       5355      LLMNR (multicast)
192.168.56.101  60123     224.0.0.252                       5355      LLMNR (multicast)
192.168.56.101  62191     224.0.0.252                       5355      LLMNR (multicast)
192.168.56.101  65004     224.0.0.252                       5355      LLMNR (multicast)
192.168.56.101  1900      239.255.255.250                   1900      SSDP (multicast)
192.168.56.101  55369     239.255.255.250                   3702      WS-Discovery (multicast)
192.168.56.101  58707     239.255.255.250                   3702      WS-Discovery (multicast)
192.168.56.101  62194     239.255.255.250                   1900      SSDP (multicast)

Everything in this table other than the four DNS queries is Windows background traffic from the analysis VM (NetBIOS broadcasts, NTP to time.windows.com, LLMNR, SSDP and WS-Discovery multicast) and says nothing about the sample. The report does not list the names carried in the four queries to 114.114.114.114, and they may be the OS's rather than the sample's. The 172.217.24.14:443 contact flagged under network activity appears in no TCP table: the host is marked dead, so the attempt never completed a handshake. 172.217.24.14 lies in an address block announced by Google; an address in that range contacted without a preceding lookup is more plausibly a connectivity check than a command-and-control endpoint, but the run crashed too early to settle it, and background traffic from the VM image cannot be excluded as its source either.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none.