SmartHawk

6.4

高危

55 个模型检测该样本为恶意！

重新分析

下载样本

b8c09f4d12d67f9af73ab66cc21359659731da67eb832580f639577ad80ff804

6c4a29093059681650f3b88bcb74dd84.exe

分析耗时

78s

最近分析

文件大小

128.0KB

静态报毒动态报毒 AI SCORE=89 ATTRIBUTE BANKERX BEHAVIOR CLOUD CONFIDENCE ELDORADO EMOTET FAMVT GENCIRC GENERICKD GORGONTT HIGH CONFIDENCE HIGHCONFIDENCE HNWTRD IQ0@AW0ZDQKI KRYPTIK MALWARE@#3U52KEYN1O9VZ SCORE SUSGEN TFCGV THGAEBO TRICKBOT TRRC UNSAFE ZEXAE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Emotet-FRG!6C4A29093059	20200808	6.0.6.653
Alibaba	Trojan:Win32/Emotet.76b2dd98	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:BankerX-gen [Trj]	20200808	18.4.3895.0
Kingsoft		20200808	2013.8.14.323
Tencent	Malware.Win32.Gencirc.10cddfa2	20200808	1.0.0.1

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619608990.242249 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (3 个事件)

Time & API	Arguments	Status	Return
1619608975.367249 CryptGenKey	crypto_handle: 0x004b6978 algorithm_identifier: 0x0000660e () provider_handle: 0x004b61c0 flags: 1 key: fEsWü_Ô¬»SÞBøÓ~Á	success	1
1619608990.274249 CryptExportKey	crypto_handle: 0x004b6978 crypto_export_handle: 0x004b6938 buffer: f¤½QãEéX9(@ô³÷æéLã}Ëú/hËÃì²®²´T>²P l«k·ú /(8DV¸äWB#É,6ýNk`õ¶4aÅ"úÓ×£êÎ×Yj blob_type: 1 flags: 64	success	1
1619609026.602249 CryptExportKey	crypto_handle: 0x004b6978 crypto_export_handle: 0x004b6938 buffer: f¤LC=ðt¹] \¸tÄ¢}ÞÌlVsq[îE\|`6Âw¥:GBÖ%¶ þ¹è/«þ¦æQj½È/ëÝÅMÔ}â,?µÊô±PSç²b$;giÒ@Ü(Ç blob_type: 1 flags: 64	success	1

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619608968.914249 NtAllocateVirtualMemory	process_identifier: 1544 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005f0000	success	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619608975.055249 Process32NextW	process_name: 6c4a29093059681650f3b88bcb74dd84.exe snapshot_handle: 0x00000144 process_identifier: 1544	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619608990.821249 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.245306811836183

section

{'size_of_data': '0x0000f000', 'virtual_address': '0x00011000', 'entropy': 7.245306811836183, 'name': '.rsrc', 'virtual_size': '0x0000e960'}

description

A section with a high entropy has been found

entropy

0.4838709677419355

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

6c4a29093059681650f3b88bcb74dd84.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619608990.430249 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (4 个事件)

host	113.108.239.196
host	104.247.221.104
host	172.217.24.14
host	177.144.135.2

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619608993.399249 RegSetValueExA	key_handle: 0x000003a0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619608993.399249 RegSetValueExA	key_handle: 0x000003a0 value: p¬÷ö;× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619608993.399249 RegSetValueExA	key_handle: 0x000003a0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619608993.399249 RegSetValueExW	key_handle: 0x000003a0 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619608993.399249 RegSetValueExA	key_handle: 0x000003b8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619608993.399249 RegSetValueExA	key_handle: 0x000003b8 value: p¬÷ö;× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619608993.399249 RegSetValueExA	key_handle: 0x000003b8 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619608993.414249 RegSetValueExW	key_handle: 0x0000039c value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

177.144.135.2:80

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Bkav	W32.FamVT.GorgonTT.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34177597
FireEye	Generic.mg.6c4a290930596816
CAT-QuickHeal	Backdoor.Emotet
McAfee	Emotet-FRG!6C4A29093059
Cylance	Unsafe
Zillya	Trojan.Emotet.Win32.21008
Sangfor	Malware
K7AntiVirus	Trojan ( 005600f21 )
Alibaba	Trojan:Win32/Emotet.76b2dd98
K7GW	Trojan ( 005600f21 )
CrowdStrike	win/malicious_confidence_60% (W)
TrendMicro	TrojanSpy.Win32.EMOTET.THGAEBO
F-Prot	W32/Trickbot.EO.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:BankerX-gen [Trj]
GData	Trojan.GenericKD.34177597
Kaspersky	Backdoor.Win32.Emotet.ost
BitDefender	Trojan.GenericKD.34177597
NANO-Antivirus	Trojan.Win32.Emotet.hnwtrd
Paloalto	generic.ml
Rising	Trojan.Kryptik!1.C89F (CLOUD)
Ad-Aware	Trojan.GenericKD.34177597
Sophos	Mal/Generic-S
Comodo	Malware@#3u52keyn1o9vz
F-Secure	Trojan.TR/Emotet.tfcgv
DrWeb	Trojan.Emotet.992
VIPRE	Trojan.Win32.Generic!BT
Emsisoft	Trojan.Emotet (A)
Cyren	W32/Trickbot.EO.gen!Eldorado
Jiangmin	Backdoor.Emotet.mx
Webroot	W32.Trojan.Emotet
Avira	TR/Emotet.tfcgv
Antiy-AVL	Trojan[Backdoor]/Win32.Emotet
Arcabit	Trojan.Generic.D209823D
AegisLab	Trojan.Win32.Emotet.trrc
ZoneAlarm	Backdoor.Win32.Emotet.ost
Microsoft	Trojan:Win32/Emotet.ARJ!MTB
Cynet	Malicious (score: 85)
BitDefenderTheta	Gen:NN.ZexaE.34152.iq0@aW0ZDQki
ALYac	Trojan.Agent.Emotet
MAX	malware (ai score=89)
VBA32	Backdoor.Emotet
Malwarebytes	Trojan.Emotet
ESET-NOD32	Win32/Emotet.CD
TrendMicro-HouseCall	TrojanSpy.Win32.EMOTET.THGAEBO
Tencent	Malware.Win32.Gencirc.10cddfa2
Ikarus	Trojan-Banker.Emotet

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-15 05:02:07

Imports

Library MFC42.DLL:

• 0x40d060

• 0x40d064

• 0x40d068

• 0x40d06c

• 0x40d070

• 0x40d074

• 0x40d078

• 0x40d07c

• 0x40d080

• 0x40d084

• 0x40d088

• 0x40d08c

• 0x40d090

• 0x40d094

• 0x40d098

• 0x40d09c

• 0x40d0a0

• 0x40d0a4

• 0x40d0a8

• 0x40d0ac

• 0x40d0b0

• 0x40d0b4

• 0x40d0b8

• 0x40d0bc

• 0x40d0c0

• 0x40d0c4

• 0x40d0c8

• 0x40d0cc

• 0x40d0d0

• 0x40d0d4

• 0x40d0d8

• 0x40d0dc

• 0x40d0e0

• 0x40d0e4

• 0x40d0e8

• 0x40d0ec

• 0x40d0f0

• 0x40d0f4

• 0x40d0f8

• 0x40d0fc

• 0x40d100

• 0x40d104

• 0x40d108

• 0x40d10c

• 0x40d110

• 0x40d114

• 0x40d118

• 0x40d11c

• 0x40d120

• 0x40d124

• 0x40d128

• 0x40d12c

• 0x40d130

• 0x40d134

• 0x40d138

• 0x40d13c

• 0x40d140

• 0x40d144

• 0x40d148

• 0x40d14c

• 0x40d150

• 0x40d154

• 0x40d158

• 0x40d15c

• 0x40d160

• 0x40d164

• 0x40d168

• 0x40d16c

• 0x40d170

• 0x40d174

• 0x40d178

• 0x40d17c

• 0x40d180

• 0x40d184

• 0x40d188

• 0x40d18c

• 0x40d190

• 0x40d194

• 0x40d198

• 0x40d19c

• 0x40d1a0

• 0x40d1a4

• 0x40d1a8

• 0x40d1ac

• 0x40d1b0

• 0x40d1b4

• 0x40d1b8

• 0x40d1bc

• 0x40d1c0

• 0x40d1c4

• 0x40d1c8

• 0x40d1cc

• 0x40d1d0

• 0x40d1d4

• 0x40d1d8

• 0x40d1dc

• 0x40d1e0

• 0x40d1e4

• 0x40d1e8

• 0x40d1ec

• 0x40d1f0

• 0x40d1f4

• 0x40d1f8

• 0x40d1fc

• 0x40d200

• 0x40d204

• 0x40d208

• 0x40d20c

• 0x40d210

• 0x40d214

• 0x40d218

• 0x40d21c

• 0x40d220

• 0x40d224

• 0x40d228

• 0x40d22c

• 0x40d230

• 0x40d234

• 0x40d238

• 0x40d23c

• 0x40d240

• 0x40d244

• 0x40d248

• 0x40d24c

• 0x40d250

• 0x40d254

• 0x40d258

• 0x40d25c

• 0x40d260

• 0x40d264

• 0x40d268

Library MSVCRT.dll:

• 0x40d298 _acmdln

• 0x40d29c __getmainargs

• 0x40d2a0 _initterm

• 0x40d2a4 __setusermatherr

• 0x40d2a8 _adjust_fdiv

• 0x40d2ac __p__commode

• 0x40d2b0 __p__fmode

• 0x40d2b4 __set_app_type

• 0x40d2b8 _except_handler3

• 0x40d2bc _setmbcp

• 0x40d2c0 __CxxFrameHandler

• 0x40d2c4 _EH_prolog

• 0x40d2c8 _mbsstr

• 0x40d2cc memcpy

• 0x40d2d0 strlen

• 0x40d2d4 __dllonexit

• 0x40d2d8 _onexit

• 0x40d2dc _exit

• 0x40d2e0 _XcptFilter

• 0x40d2e4 exit

• 0x40d2e8 _controlfp

Library KERNEL32.dll:

• 0x40d028 ExitProcess

• 0x40d02c lstrcatA

• 0x40d030 LoadLibraryExA

• 0x40d034 GetProcAddress

• 0x40d038 SizeofResource

• 0x40d03c lstrlenA

• 0x40d040 GetModuleHandleA

• 0x40d044 WinExec

• 0x40d048 lstrcpyA

• 0x40d04c FreeLibrary

• 0x40d050 GetStartupInfoA

• 0x40d054 GetWindowsDirectoryA

• 0x40d058 LoadLibraryA

Library USER32.dll:

• 0x40d304 EnableWindow

• 0x40d308 LoadCursorA

• 0x40d30c CopyIcon

• 0x40d310 GetWindowRect

• 0x40d314 IsIconic

• 0x40d318 GetDC

• 0x40d31c ReleaseDC

• 0x40d320 InflateRect

• 0x40d324 IsWindow

• 0x40d328 GetSysColor

• 0x40d32c LoadIconA

• 0x40d330 GetSystemMetrics

• 0x40d334 DrawIcon

• 0x40d338 AppendMenuA

• 0x40d33c GetParent

• 0x40d340 SetCursor

• 0x40d344 GetMessagePos

• 0x40d348 ScreenToClient

• 0x40d34c PtInRect

• 0x40d350 InvalidateRect

• 0x40d354 SetTimer

• 0x40d358 MessageBeep

• 0x40d35c SetWindowLongA

• 0x40d360 GetClientRect

• 0x40d364 SendMessageA

• 0x40d368 KillTimer

• 0x40d36c GetSystemMenu

Library GDI32.dll:

• 0x40d014 CreateFontIndirectA

• 0x40d018 GetTextExtentPoint32A

• 0x40d01c GetStockObject

• 0x40d020 GetObjectA

Library ADVAPI32.dll:

• 0x40d000 RegOpenKeyExA

• 0x40d004 RegQueryValueA

• 0x40d008 RegCloseKey

• 0x40d00c RegQueryValueExA

Library SHELL32.dll:

• 0x40d2f0 ShellExecuteA

Library SHLWAPI.dll:

• 0x40d2f8 PathFileExistsA

• 0x40d2fc PathAppendA

Library MSVCP60.dll:

• 0x40d270 ??1Init@ios_base@std@@QAE@XZ

• 0x40d274 ??0_Winit@std@@QAE@XZ

• 0x40d278 ??1_Winit@std@@QAE@XZ

• 0x40d27c ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

• 0x40d280 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

• 0x40d284 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

• 0x40d288 ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB

• 0x40d28c ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z

• 0x40d290 ??0Init@ios_base@std@@QAE@XZ

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	60124	239.255.255.250	3702
192.168.56.101	62194	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.