6.2
High risk

a6381fc516860ce0c616f316f6d847cea7a0b10f6141a7738e993581320581c2

6e5d42d6e37ab16895c8197374da3bbd.exe

Analysis time

90s

Last analysis

File size

424.4KB
Static detection Dynamic detection 100% AGEN AI SCORE=84 AQ1@AMIUZ6HI AUTORUNS BSCOPE CCMW CLASSIC CONFIDENCE CXFWGA8ODJC DOWNLOADER32 ELDORADO EMOTET ENCPK GENASA GENCIRC GENERICKDS GENERICS GENETIC HALK HIGH CONFIDENCE KRYPTIK MALWARE@#119S73QHHW0R9 POSSIBLETHREAT R + MAL R327499 SCORE SMD6 STATIC AI SUSGEN SUSPICIOUS PE UNSAFE WACATAC ZEXAE
Hawkeye engine
Not detected: no Hawkeye engine detection results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba Trojan:Win32/Emotet.bca8cb3c 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201229 21.1.5827.0
Tencent Malware.Win32.Gencirc.10b8ce52 20201229 1.0.0.1
McAfee Emotet-FPT!6E5D42D6E37A 20201229 6.0.6.653
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619614515.740999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable has a PDB path (1 event)
pdb_path c:\Users\User\Desktop\2005\EASYLogger\ATLUtils\ReleaseMinSize\ATLUtils.pdb
The file contains an unknown PE resource name possibly indicative of a packer (4 events)
resource name REGISTRY
resource name TYPELIB
resource name XADQEAS
resource name None
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (9 events)
Time & API Arguments Status Return Repeated
1619614507.288626
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003d0000
success 0 0
1619614507.288626
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003e0000
success 0 0
1619614507.288626
NtAllocateVirtualMemory
process_identifier: 912
region_size: 86016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00490000
success 0 0
1619614507.288626
NtAllocateVirtualMemory
process_identifier: 912
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619614507.646999
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01c70000
success 0 0
1619614507.646999
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01c80000
success 0 0
1619614507.646999
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 86016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01cb0000
success 0 0
1619614507.646999
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01cd0000
success 0 0
1619614151.447395
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004130000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a service (1 event)
Time & API Arguments Status Return Repeated
1619614516.662999
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x002e6450
display_name: targetsinet
error_control: 0
service_name: targetsinet
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\targetsinet.exe"
filepath_r: "C:\Windows\SysWOW64\targetsinet.exe"
service_manager_handle: 0x002defe8
desired_access: 18
service_type: 16
password:
success 3040336 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619614516.224999
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6e5d42d6e37ab16895c8197374da3bbd.exe
newfilepath: C:\Windows\SysWOW64\targetsinet.exe
newfilepath_r: C:\Windows\SysWOW64\targetsinet.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6e5d42d6e37ab16895c8197374da3bbd.exe
success 1 0
Network communication
Communicates with host for which no DNS query was performed (4 events)
host 113.108.239.196
host 172.217.24.14
host 190.131.167.50
host 68.174.15.223
Installs itself for autorun at Windows startup (1 event)
service_name targetsinet service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\targetsinet.exe"
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\targetsinet.exe:Zone.Identifier
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 190.131.167.50:80
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Autoruns.GenericKDS.32973823
FireEye Generic.mg.6e5d42d6e37ab168
ALYac Trojan.Agent.Emotet
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-Emotet
Sangfor Malware
K7AntiVirus Trojan ( 005605281 )
Alibaba Trojan:Win32/Emotet.bca8cb3c
K7GW Trojan ( 005606161 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Autoruns.GenericS.D1F723FF
BitDefenderTheta Gen:NN.ZexaE.34700.Aq1@amiUz6hi
Cyren W32/Agent.BNA.gen!Eldorado
Symantec Packed.Generic.534
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMD6.hp
Avast Win32:Malware-gen
ClamAV Pdf.Dropper.Agent-7640284-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.gen
BitDefender Trojan.Autoruns.GenericKDS.32973823
NANO-Antivirus Virus.Win32.Gen.ccmw
Paloalto generic.ml
ViRobot Trojan.Win32.Emotet.434573
Tencent Malware.Win32.Gencirc.10b8ce52
Ad-Aware Trojan.Autoruns.GenericKDS.32973823
Emsisoft Trojan.Emotet (A)
Comodo Malware@#119s73qhhw0r9
F-Secure Heuristic.HEUR/AGEN.1129565
DrWeb Trojan.DownLoader32.51648
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.SMD6.hp
McAfee-GW-Edition BehavesLike.Win32.Emotet.gh
SentinelOne Static AI - Suspicious PE
Sophos Mal/Generic-R + Mal/Encpk-APE
APEX Malicious
Jiangmin Trojan.Banker.Emotet.ndw
Avira HEUR/AGEN.1129565
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Emotet.vb
Microsoft Trojan:Win32/Emotet.ARJ!MTB
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.gen
GData Trojan.Autoruns.GenericKDS.32973823
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Emotet.R327499
McAfee Emotet-FPT!6E5D42D6E37A
VBA32 BScope.Trojan.Emotet
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HALK
Rising Trojan.Kryptik!1.C21C (CLASSIC)
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-01-22 00:43:23

Imports

Library COMCTL32.dll:
0x44002c ImageList_Destroy
Library KERNEL32.dll:
0x440060 CreateThread
0x440064 CreateEventA
0x440068 GetModuleFileNameA
0x44006c GetCurrentThreadId
0x440070 IsDBCSLeadByte
0x440074 lstrcmpA
0x440078 MulDiv
0x44007c GlobalUnlock
0x440080 GlobalLock
0x440084 SetLastError
0x440088 FreeLibrary
0x44008c SizeofResource
0x440090 LoadResource
0x440094 LoadLibraryExA
0x440098 GetModuleHandleA
0x44009c Sleep
0x4400a0 GetCommandLineA
0x4400a4 GlobalFree
0x4400a8 GlobalHandle
0x4400ac LockResource
0x4400b0 Process32Next
0x4400b4 Process32First
0x4400bc LocalFree
0x4400c0 LocalAlloc
0x4400c4 FormatMessageA
0x4400c8 GetExitCodeThread
0x4400cc CallNamedPipeA
0x4400d0 WaitNamedPipeA
0x4400d8 CompareStringW
0x4400dc CompareStringA
0x4400e0 FlushFileBuffers
0x4400e4 IsValidCodePage
0x4400e8 IsValidLocale
0x4400ec EnumSystemLocalesA
0x4400f0 GetUserDefaultLCID
0x4400f4 GetStringTypeW
0x4400f8 GetStringTypeA
0x4400fc LCMapStringW
0x440100 LCMapStringA
0x440104 ReadFile
0x440108 SetEndOfFile
0x44010c GetLocaleInfoW
0x440110 SetEvent
0x440114 GetCurrentProcessId
0x440118 GetTickCount
0x440134 GetOEMCP
0x440138 GetCPInfo
0x44013c SetFilePointer
0x440140 WriteConsoleW
0x440144 GetConsoleOutputCP
0x440148 WriteConsoleA
0x44014c CreateFileW
0x440150 CreateFileA
0x440154 SetHandleCount
0x440158 SetStdHandle
0x44015c HeapSize
0x440160 GetCurrentThread
0x440164 TlsFree
0x440168 TlsSetValue
0x44016c TlsAlloc
0x440170 TlsGetValue
0x440174 IsDebuggerPresent
0x440180 TerminateProcess
0x440184 GetStdHandle
0x440188 ExitProcess
0x44018c FatalAppExitA
0x440190 HeapCreate
0x440194 HeapDestroy
0x440198 GetStartupInfoA
0x44019c GetDateFormatA
0x4401a0 GetTimeFormatA
0x4401a4 GetConsoleMode
0x4401a8 GetConsoleCP
0x4401ac WriteFile
0x4401b0 GetFileType
0x4401b4 PeekNamedPipe
0x4401c8 FindResourceA
0x4401cc GlobalAlloc
0x4401d4 lstrcmpiA
0x4401d8 lstrlenA
0x4401e4 WaitForSingleObject
0x4401e8 CloseHandle
0x4401f0 LoadLibraryW
0x4401f4 HeapReAlloc
0x4401f8 RtlUnwind
0x4401fc GetCurrentProcess
0x440200 GetLastError
0x440214 RaiseException
0x440218 lstrlenW
0x44021c WideCharToMultiByte
0x440220 MultiByteToWideChar
0x440224 VirtualQuery
0x440228 GetSystemInfo
0x44022c VirtualProtect
0x440230 VirtualAlloc
0x440234 VirtualFree
0x44023c LoadLibraryA
0x440240 GetProcAddress
0x440244 HeapAlloc
0x440248 GetProcessHeap
0x44024c HeapFree
0x440254 GetVersionExA
0x440258 GetThreadLocale
0x44025c GetLocaleInfoA
0x440260 GetACP
0x440264 InterlockedExchange
Library USER32.dll:
0x4402c4 UnregisterClassA
0x4402c8 SendMessageA
0x4402cc PostThreadMessageA
0x4402d0 CharNextA
0x4402d4 DestroyWindow
0x4402d8 SetWindowLongA
0x4402dc GetWindowLongA
0x4402e0 ShowWindow
0x4402e4 DefWindowProcA
0x4402e8 GetSysColor
0x4402ec MoveWindow
0x4402f0 SetWindowPos
0x4402f4 GetClientRect
0x4402f8 ClientToScreen
0x4402fc ScreenToClient
0x440300 GetDC
0x440304 ReleaseDC
0x440308 InvalidateRect
0x44030c CheckDlgButton
0x440310 PeekMessageA
0x440314 GetActiveWindow
0x44031c LoadMenuA
0x440320 GetSubMenu
0x440324 GetCursorPos
0x440328 TrackPopupMenu
0x44032c DestroyMenu
0x440330 MessageBoxA
0x440338 MapDialogRect
0x44033c EndDialog
0x44034c GetWindowTextA
0x440350 SetWindowTextA
0x440354 GetMessageA
0x440358 DispatchMessageA
0x440360 CreateWindowExA
0x440364 RegisterClassExA
0x440368 LoadCursorA
0x44036c GetClassInfoExA
0x440370 IsWindow
0x440374 GetDesktopWindow
0x440378 GetFocus
0x44037c GetWindow
0x440380 SetFocus
0x440388 BeginPaint
0x44038c EndPaint
0x440390 CallWindowProcA
0x440394 FillRect
0x440398 ReleaseCapture
0x44039c GetClassNameA
0x4403a0 GetDlgItem
0x4403a4 GetParent
0x4403a8 IsChild
0x4403ac SetCapture
0x4403b0 RedrawWindow
0x4403b4 InvalidateRgn
Library GDI32.dll:
0x440034 GetObjectA
0x440038 CreateSolidBrush
0x44003c GetDeviceCaps
0x440040 BitBlt
0x440044 CreateCompatibleDC
0x44004c SelectObject
0x440050 DeleteObject
0x440054 DeleteDC
0x440058 GetStockObject
Library comdlg32.dll:
0x4403bc GetOpenFileNameA
Library ADVAPI32.dll:
0x440000 RegDeleteValueA
0x440004 RegDeleteKeyA
0x440008 RegCloseKey
0x44000c RegEnumKeyExA
0x440010 RegQueryInfoKeyA
0x440014 RegSetValueExA
0x440018 RegOpenKeyExA
0x44001c RegCreateKeyExA
0x440020 RegOpenKeyExW
Library ole32.dll:
0x4403c4 CoTaskMemAlloc
0x4403c8 CoTaskMemRealloc
0x4403d0 CoRevokeClassObject
0x4403d8 CoTaskMemFree
0x4403dc CoCreateInstance
0x4403e0 StringFromGUID2
0x4403e4 OleLockRunning
0x4403e8 CoGetClassObject
0x4403ec CLSIDFromProgID
0x4403f0 CLSIDFromString
0x4403f8 CoUninitialize
0x440400 CoInitializeEx
0x440404 OleInitialize
0x440408 OleRun
0x44040c OleUninitialize
Library OLEAUT32.dll:
0x44026c CreateErrorInfo
0x440270 SetErrorInfo
0x440274 VariantChangeType
0x440278 SysStringLen
0x44027c SysFreeString
0x440280 SysAllocStringLen
0x440284 SysAllocString
0x440288 LoadTypeLib
0x44028c UnRegisterTypeLib
0x440290 RegisterTypeLib
0x440294 VarUI4FromStr
0x440298 LoadRegTypeLib
0x44029c SysStringByteLen
0x4402a0 VariantInit
0x4402a4 VariantClear
0x4402ac VariantCopy
0x4402b8 VarAdd
0x4402bc GetErrorInfo

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 51966 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.