Score: 6.8
Verdict: High risk (高危)

SHA256: 7558fc3c7994603071b49dcc2021c344ea4de12d67896963f885e9998b9adf91

File name: 71a065865d4deaf82baab85732881ad8.exe (the name is the sample's MD5; the same hash fragment appears in the McAfee and FireEye labels further down)

Analysis duration: 94s

Last analysed: not recorded on the page; the API-trace timestamps (1620781826 to 1620781868) place the run at 2021-05-12, about 01:10 UTC

File size: 296.0KB
Static detection: flagged. Dynamic detection: flagged. Label tags aggregated from the engine results: 100%, AI SCORE=82, AIDETECT, BANKERX, BSCOPE, CLOUD, CONFIDENCE, DOWNLOADER34, ELDORADO, EMOTET, EMOTETCRYPT, EWEZ, GENCIRC, GENERICKDZ, HGIASOYA, HIGH CONFIDENCE, HUMWCI, KCLOUD, MALICIOUS PE, MALWARE2, MALWARE@#1SK83O30KYSU9, SAVE, SCORE, SQX@A8NVCHBI, STATIC AI, SUSGEN, TROJANBANKER, UNSAFE, YVLXJ, ZEXAF
HawkEye (鹰眼) engine: not detected (no HawkEye engine result is available for this sample)
Static verdict

Anti-virus engines (the date column is each engine's signature/update date, not the date of this analysis: the Alibaba and Baidu dates predate the sample's 2020-09-10 compile time)

Engine        Result                              Update date  Version
Alibaba       Trojan:Win32/Emotet.f462e49c        20190527     0.3.0.5
CrowdStrike   win/malicious_confidence_100% (W)   20210203     1.0
Baidu         (no result)                         20190318     1.0.0.2
Avast         Win32:BankerX-gen [Trj]             20210405     21.1.5827.0
Kingsoft      Win32.Troj.Banker.(kcloud)          20210405     2017.9.26.565
McAfee        Emotet-FSD!71A065865D4D             20210405     6.0.6.653
Tencent       Malware.Win32.Gencirc.10ce0126      20210405     1.0.0.1
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1620781841.040124
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1620781827.619124
CryptGenKey
crypto_handle: 0x00531b80
algorithm_identifier: 0x0000660e (CALG_AES_128)
provider_handle: 0x00531778
flags: 1 (CRYPT_EXPORTABLE)
key: f‘=ÈÌÒýhQ焖S¼ü
success 1 0
1620781841.056124
CryptExportKey
crypto_handle: 0x00531b80
crypto_export_handle: 0x00531b40
buffer: f¤ÌŠsˆ2K×6Exª£mì''£Æw® (&)ÑÆc‹òÑ»G|9Åx¡®LÖ¡G ÈUºt=ê>¿s?}QÇ߈nöÑYEúK¦²;ðÏ kÐÜFÜ +þQ ˏ «
blob_type: 1 (SIMPLEBLOB)
flags: 64 (CRYPT_OAEP)
success 1 0
1620781868.431124
CryptExportKey
crypto_handle: 0x00531b80
crypto_export_handle: 0x00531b40
buffer: f¤šïÂ~ç¤`»hHìÎétð»V¢*Pf-ڰ춞°¯F+2@}çñAìWªl€ ÷»ñâ½F‘ÞÅi£¼d"œHânG{¸ ff|ÙUYò/–T9”Ítë‡e×®{
blob_type: 1 (SIMPLEBLOB)
flags: 64 (CRYPT_OAEP)
success 1 0
Read together: an exportable AES-128 key is generated (CALG_AES_128 = 0x660e, flags 1 = CRYPT_EXPORTABLE) and then exported twice as a SIMPLEBLOB with flags 64 = CRYPT_OAEP, i.e. wrapped under the exchange key held in crypto_export_handle 0x00531b40 with OAEP padding. This is the session-key exchange Emotet uses for its C2 channel: the wrapped key travels to the controller, which holds the matching private key. The import of the wrapping (public) key itself is not among the events shown.
The executable uses a known packer (1 event)
packer: Armadillo v1.71 (a signature match of the PEiD kind; this particular Armadillo signature is commonly reported on ordinary unpacked MSVC/MFC builds, so it is weak evidence next to the runtime unpacking recorded under the dynamic indicators)
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name: None
Behavioural verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1620781826.478124
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004c0000
success 0 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620781826.478124
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 45056
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x004f1000
success 0 0
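The crypto records above (CryptGenKey followed by CryptExportKey) and the RWX-then-RX memory sequence are the two traces in this report worth re-checking mechanically rather than by eye. The Python below is an added example, not sandbox or report code: it parses the vertical record layout used on this page (SAMPLE_TRACE is constructed from the records above with the binary key blobs elided), maps the raw numbers (algorithm_identifier 0x660e, blob_type 1, flags 1 and 64, protection 32 and 64) to their wincrypt.h/winnt.h names, and applies the two heuristics. Function names and the 5-second pairing window are my choices.

```python
"""Decode the API-trace records shown in this report (added example, not
sandbox code). Constant values are taken from wincrypt.h and winnt.h."""
import re

CALG = {0x6601: "CALG_DES", 0x6603: "CALG_3DES", 0x660E: "CALG_AES_128",
        0x6610: "CALG_AES_256", 0x6801: "CALG_RC4", 0xA400: "CALG_RSA_KEYX"}
BLOB_TYPE = {1: "SIMPLEBLOB", 6: "PUBLICKEYBLOB", 7: "PRIVATEKEYBLOB",
             8: "PLAINTEXTKEYBLOB"}
CRYPT_EXPORTABLE, CRYPT_OAEP = 0x1, 0x40   # CryptGenKey / CryptExportKey flags
PAGE = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PAGE_EXEC_MASK = 0xF0                      # PAGE_EXECUTE* are 0x10, 0x20, 0x40, 0x80

# Constructed sample: the records from this page, binary key blobs elided.
SAMPLE_TRACE = """
1620781826.478124
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 61440
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
success 0 0
1620781826.478124
NtProtectVirtualMemory
process_identifier: 2200
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x004f1000
success 0 0
1620781827.619124
CryptGenKey
crypto_handle: 0x00531b80
algorithm_identifier: 0x0000660e ()
flags: 1
success 1 0
1620781841.056124
CryptExportKey
crypto_handle: 0x00531b80
blob_type: 1
flags: 64
success 1 0
"""
TS_RE = re.compile(r"^\d{10}\.\d+$")
END_RE = re.compile(r"^(success|failed) (\d+) (\d+)$")

def num(v):  # '64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x0000660e ()' -> 0x660e
    return int(v.split()[0], 0)

def parse_trace(text):
    # One record = timestamp line, API name, "arg: value" lines, status line.
    calls, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if TS_RE.match(line):                      # a timestamp opens a record
            cur = {"ts": float(line), "api": None, "args": {}}
        elif cur is None or not line:
            continue
        elif (m := END_RE.match(line)):            # the status line closes it
            cur.update(status=m[1], ret=int(m[2]))
            calls.append(cur)
            cur = None
        elif cur["api"] is None:
            cur["api"] = line
        elif ":" in line:
            k, v = line.split(":", 1)
            cur["args"][k.strip()] = v.strip()
    return calls

def wrapped_session_keys(calls):
    """CryptGenKey(AES, CRYPT_EXPORTABLE) whose handle later reaches CryptExportKey
    (SIMPLEBLOB, CRYPT_OAEP): the key leaves the process wrapped under the exchange key."""
    gen, hits = {}, []
    for c in calls:
        if c["api"] == "CryptGenKey":
            gen[c["args"]["crypto_handle"]] = c
        elif c["api"] == "CryptExportKey" and c["args"]["crypto_handle"] in gen:
            g = gen[c["args"]["crypto_handle"]]
            alg = num(g["args"]["algorithm_identifier"])
            hits.append({"algorithm": CALG.get(alg, hex(alg)),
                         "exportable": bool(num(g["args"]["flags"]) & CRYPT_EXPORTABLE),
                         "blob": BLOB_TYPE.get(num(c["args"]["blob_type"]), "?"),
                         "oaep": bool(num(c["args"]["flags"]) & CRYPT_OAEP),
                         "seconds_after_gen": round(c["ts"] - g["ts"], 3)})
    return hits

def unpack_sequences(calls, window_s=5.0):
    """RWX allocation followed, in the same process and within window_s, by a
    protection change to an executable page: write code, then lock it to RX."""
    hits = []
    for a in calls:
        if a["api"] != "NtAllocateVirtualMemory" or num(a["args"]["protection"]) != 0x40:
            continue
        for p in calls:
            if (p["api"] == "NtProtectVirtualMemory"
                    and p["args"]["process_identifier"] == a["args"]["process_identifier"]
                    and 0 <= p["ts"] - a["ts"] <= window_s
                    and num(p["args"]["protection"]) & PAGE_EXEC_MASK):
                hits.append({"pid": int(a["args"]["process_identifier"]),
                             "rwx_base": a["args"]["base_address"],
                             "rwx_size": num(a["args"]["region_size"]),
                             "rx_base": p["args"]["base_address"],
                             "rx_prot": PAGE.get(num(p["args"]["protection"]), "exec")})
    return hits

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(wrapped_session_keys(calls), unpack_sequences(calls), sep="\n")
```

The pairing in unpack_sequences is deliberately loose (same process, any executable protection, short window) because, as on this page, the RX region (0x004f1000) need not be the RWX allocation itself (0x004c0000); what matters is the write-then-execute shape.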
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620781841.728124
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
(111 = ERROR_BUFFER_OVERFLOW: the normal first, buffer-sizing call of GetAdaptersAddresses. The signature fires on the API being called at all; nothing in the trace shows the adapter list being compared against virtual-machine vendor addresses.)
Expresses interest in specific running processes (1 event)
process: 71a065865d4deaf82baab85732881ad8.exe (the sample's own image name, i.e. it looks for itself in the process list)
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620781841.369124
InternetOpenW
proxy_bypass:
access_type: 0 (INTERNET_OPEN_TYPE_PRECONFIG: take proxy settings from the registry, which is what triggers Windows' own WPAD decision writes listed under network communication)
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
(The string is supplied by the caller, not read from the system: an Internet Explorer 7 on Windows 7 WOW64 user agent sent by a process that is not IE is itself a network-detection pivot.)
success 13369348 0 (0x00cc0004, the returned HINTERNET handle)
Network communication
Communicates with hosts for which no DNS query was performed (3 events)
host 120.138.30.150
host 172.217.24.14
host 50.91.114.38
(172.217.24.14 is in Google's 172.217.0.0/16 space; the hosts reached on 8080 and 80 are the likelier hard-coded C2 entries. All three also appear in the dead-host list below, so nothing answered.)
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
(Caveat: the Wpad\* values below are written by Windows' own proxy auto-detection as a side effect of the InternetOpenW call above with INTERNET_OPEN_TYPE_PRECONFIG. All eight writes share one timestamp about three seconds after that call and record a detection decision, a FILETIME and the network name, not a PAC file. They are not evidence that the sample installed a proxy or intercepts traffic; this signature fires for almost any WinINet user.)
Time & API Arguments Status Return Repeated
1620781844.290124
RegSetValueExA
key_handle: 0x0000036c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620781844.290124
RegSetValueExA
key_handle: 0x0000036c
value: ²}*ŽF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620781844.290124
RegSetValueExA
key_handle: 0x0000036c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620781844.290124
RegSetValueExW
key_handle: 0x0000036c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620781844.290124
RegSetValueExA
key_handle: 0x00000384
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620781844.290124
RegSetValueExA
key_handle: 0x00000384
value: ²}*ŽF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620781844.290124
RegSetValueExA
key_handle: 0x00000384
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620781844.306124
RegSetValueExW
key_handle: 0x00000368
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 55 anti-virus engines on VirusTotal as malicious (showing 50 of 55 events)
Engine  Label
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.EWEZ
Qihoo-360 Win32/Backdoor.Emotet.HgIASOYA
ALYac Trojan.Agent.EWEZ
Cylance Unsafe
Zillya Trojan.Emotet.Win32.29304
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056e14e1 )
Alibaba Trojan:Win32/Emotet.f462e49c
K7GW Trojan ( 0056e14e1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Agent.EWEZ
Cyren W32/Emotet.ASI.gen!Eldorado
Symantec Packed.Generic.554
ESET-NOD32 Win32/Emotet.CD
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Emotet-9782463-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.vho
BitDefender Trojan.Agent.EWEZ
NANO-Antivirus Trojan.Win32.Emotet.humwci
ViRobot Trojan.Win32.Emotet.303108
Avast Win32:BankerX-gen [Trj]
Rising Trojan.EmotetCrypt!8.120EC (CLOUD)
Ad-Aware Trojan.Agent.EWEZ
Sophos Troj/Emotet-CND
Comodo Malware@#1sk83o30kysu9
DrWeb Trojan.DownLoader34.38207
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Emotet-FSD!71A065865D4D
FireEye Generic.mg.71a065865d4deaf8
Emsisoft Trojan.Agent.EWEZ (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Banker.Emotet.ojc
Avira TR/Emotet.yvlxj
MAX malware (ai score=82)
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Trojan.Win32.Emotet.oa
Microsoft Trojan:Win32/EmotetCrypt.PV!MTB
AegisLab Trojan.Win32.Emotet.L!c
GData Trojan.Agent.EWEZ
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Emotet.C4194777
McAfee Emotet-FSD!71A065865D4D
VBA32 BScope.TrojanBanker.Emotet
Malwarebytes Trojan.MalPack.TRE
Tencent Malware.Win32.Gencirc.10ce0126
Ikarus Trojan-Banker.Emotet
Fortinet W32/GenericKDZ.7010!tr
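Fifty vendor strings with no shared naming scheme still carry a usable signal. The following Python is an added example (not sandbox or VirusTotal code) of pulling a family consensus out of such a table: it tokenises each label, discards class/platform words and hash-like ids, counts one vote per distinct label string so that OEM engines repeating the same string (the Trojan.Agent.EWEZ group, the two K7 entries) do not stack, and folds variant tokens such as EmotetCrypt into the family name they extend. VT_LABELS is a constructed 20-entry subset of the table above; the GENERIC set, the 4-character minimum and the fold rule are my choices.

```python
"""Family consensus from heterogeneous AV labels (added example; neither the
sandbox's nor VirusTotal's code). VT_LABELS is a constructed subset of the table."""
import re
from collections import defaultdict

VT_LABELS = [
    ("Bkav", "W32.AIDetect.malware2"),
    ("Elastic", "malicious (high confidence)"),
    ("MicroWorld-eScan", "Trojan.Agent.EWEZ"),
    ("Qihoo-360", "Win32/Backdoor.Emotet.HgIASOYA"),
    ("ALYac", "Trojan.Agent.EWEZ"),
    ("Zillya", "Trojan.Emotet.Win32.29304"),
    ("K7AntiVirus", "Trojan ( 0056e14e1 )"),
    ("Alibaba", "Trojan:Win32/Emotet.f462e49c"),
    ("K7GW", "Trojan ( 0056e14e1 )"),
    ("Cyren", "W32/Emotet.ASI.gen!Eldorado"),
    ("Symantec", "Packed.Generic.554"),
    ("ESET-NOD32", "Win32/Emotet.CD"),
    ("Kaspersky", "HEUR:Trojan-Banker.Win32.Emotet.vho"),
    ("BitDefender", "Trojan.Agent.EWEZ"),
    ("Rising", "Trojan.EmotetCrypt!8.120EC (CLOUD)"),
    ("Microsoft", "Trojan:Win32/EmotetCrypt.PV!MTB"),
    ("GData", "Trojan.Agent.EWEZ"),
    ("Avira", "TR/Emotet.yvlxj"),
    ("Fortinet", "W32/GenericKDZ.7010!tr"),
    ("Malwarebytes", "Trojan.MalPack.TRE"),
]

# Tokens that name a class, platform, packer state or confidence, not a family.
GENERIC = {"trojan", "malware", "malicious", "generic", "win32", "w32", "win",
           "agent", "heur", "gen", "trj", "banker", "downloader", "packed",
           "unsafe", "high", "confidence", "static", "cloud", "variant",
           "backdoor", "dropper", "crypt"}

def family_tokens(label):
    """Lower-case alphanumeric tokens minus generics, hash-like ids (anything
    with a digit), short vendor suffixes and generic-prefixed names (GenericKDZ)."""
    out = set()
    for t in re.split(r"[^a-z0-9]+", label.lower()):
        if len(t) < 4 or t in GENERIC or any(ch.isdigit() for ch in t):
            continue
        if any(t.startswith(g) for g in GENERIC if len(g) >= 5):
            continue
        out.add(t)
    return out

def rank_families(labels):
    """One vote per distinct label string, then fold each token into the
    shortest token it extends (emotetcrypt -> emotet). Returns (token, votes)."""
    votes = defaultdict(int)
    for label in {text for _, text in labels}:
        for t in family_tokens(label):
            votes[t] += 1
    names = sorted(votes, key=len)
    folded = defaultdict(int)
    for t in names:
        base = next((s for s in names if s != t and t.startswith(s)), t)
        folded[base] += votes[t]
    return sorted(folded.items(), key=lambda kv: (-kv[1], kv[0]))

def consensus(labels, min_votes=2):
    """Top family if at least min_votes distinct labels agree, else None."""
    ranked = rank_families(labels)
    return ranked[0] if ranked and ranked[0][1] >= min_votes else None

if __name__ == "__main__":
    for token, n in rank_families(VT_LABELS)[:5]:
        print(f"{token:12s} {n}")
    print("consensus:", consensus(VT_LABELS))
```

On the subset the result is a clear majority for emotet with every other token at a single vote; the single-vote leftovers (eldorado, hgiasoya, yvlxj, ewez) are vendor-specific variant suffixes, which is exactly why a frequency threshold rather than "any non-generic token" is needed.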
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (4 events)
dead_host 172.217.24.14:443
dead_host 120.138.30.150:8080
dead_host 172.217.160.78:443
dead_host 50.91.114.38:80
(dead_host means SYNs were sent and no handshake completed, which is also why the TCP table further down is empty. 172.217.160.78 is not in the no-DNS list above, so it was presumably resolved by one of the DNS queries in the UDP table; the page does not show which name.)
Visual analysis
Binary image
No binary image: no binary visualisation was generated for this sample
Runtime screenshots
No screenshots: none were captured while the sample ran

PE Compile Time

2020-09-10 02:44:56

Imports

The static import table is a thin MFC42 shell: 273 imports from MFC42.DLL by ordinal (names not resolved by the sandbox), the standard MSVC 6-era C runtime set, and almost nothing from KERNEL32 beyond LoadLibraryA/LoadLibraryW and GetProcAddress. None of the APIs seen in the dynamic section (CryptoAPI, WinINet, registry, memory protection) is imported statically, so they are resolved at runtime by the code unpacked into the RWX region; the import table says little about what the sample actually does.

Library MFC42.DLL:
273 entries imported by ordinal, IAT slots 0x40702c through 0x40746c (contiguous, 4 bytes apart); names not resolved
Library MSVCRT.dll:
0x4074b8 _mbsicmp
0x4074bc _filelength
0x4074c0 atoi
0x4074c4 malloc
0x4074c8 strlen
0x4074cc _EH_prolog
0x4074d0 __CxxFrameHandler
0x4074d4 _setmbcp
0x4074d8 sscanf
0x4074dc _exit
0x4074e0 __dllonexit
0x4074e4 _onexit
0x4074e8 _controlfp
0x4074ec _except_handler3
0x4074f0 __set_app_type
0x4074f4 __p__fmode
0x4074f8 __p__commode
0x4074fc _adjust_fdiv
0x407500 __setusermatherr
0x407504 _initterm
0x407508 __getmainargs
0x40750c _acmdln
0x407510 exit
0x407514 _XcptFilter
0x407518 strcmp
Library KERNEL32.dll:
0x407000 GetProcAddress
0x407004 GetModuleFileNameA
0x407008 GetCurrentProcess
0x40700c LocalFree
0x407010 FormatMessageA
0x407014 GetLastError
0x407018 LoadLibraryA
0x40701c GetModuleHandleA
0x407020 GetStartupInfoA
0x407024 LoadLibraryW
Library USER32.dll:
0x407520 ShowWindow
0x407524 SendMessageA
0x407528 MessageBeep
0x40752c UpdateWindow
0x407530 EnableWindow
Library VERSION.dll:
0x407538 GetFileVersionInfoA
0x407540 VerQueryValueA
Library MSVCIRT.dll (old iostream library; demangled names in parentheses):
0x407474 ??0ifstream@@QAE@XZ (ifstream::ifstream(void))
0x407488 ??1ifstream@@UAE@XZ (ifstream::~ifstream(void))
0x40748c ??1ios@@UAE@XZ (ios::~ios(void))
0x407494 ??1ofstream@@UAE@XZ (ofstream::~ofstream(void))
0x4074ac ??0ofstream@@QAE@XZ (ofstream::ofstream(void))

Exports

Ordinal Address Name
1 0x4026b2 ERWQSDASQWAFASASWW
(A single export with a meaningless name in a GUI .exe is a useful hunting pivot: legitimate MFC applications rarely export anything.)

Hosts

No hosts contacted.

TCP

No TCP connections recorded (the four dead_host entries above were SYNs that never completed a handshake, so no TCP flow was recorded).

UDP

Source          Src port  Destination                      Dst port  What it is
192.168.56.101  49235     114.114.114.114                  53        DNS query to the VM's resolver
192.168.56.101  51963     114.114.114.114                  53        DNS query
192.168.56.101  53657     114.114.114.114                  53        DNS query
192.168.56.101  55368     114.114.114.114                  53        DNS query
192.168.56.101  60215     114.114.114.114                  53        DNS query
192.168.56.101  60221     114.114.114.114                  53        DNS query
192.168.56.101  137       192.168.56.255                   137       NetBIOS name service, subnet broadcast
192.168.56.101  138       192.168.56.255                   138       NetBIOS datagram, subnet broadcast
192.168.56.101  123       20.189.79.72 (time.windows.com)  123       NTP, Windows time sync
192.168.56.101  50002     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  50534     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  51808     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  53380     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  56539     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  56804     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  57236     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  57756     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  57874     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  60123     224.0.0.252                      5355      LLMNR multicast
192.168.56.101  60384     224.0.0.252                      5355      LLMNR multicast

Every UDP flow is operating-system background (resolver lookups, NetBIOS/LLMNR name resolution, NTP); the names behind the six DNS queries are not listed on this page. No UDP traffic to the sample's hard-coded hosts was seen, and the TCP attempts to them never completed.
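The two network verdicts earlier in the report (hosts contacted without a DNS lookup, hosts that never answered) and the UDP table are simple to recompute from flow data, and doing so separates background from anything attributable to the sample. The following Python is an added example, not sandbox code: the DNS answers, TCP attempts and UDP flows are constructed from this page's tables (the name that resolved to 172.217.160.78 is not on the page, so a placeholder is used), and the 172.217.0.0/16 allowlist encodes my assumption that those Google-space addresses are connectivity probes rather than C2.

```python
"""Re-derive this report's network verdicts from flow records (added example,
not sandbox code). All sample data below is constructed from the page's tables."""
import ipaddress

# DNS answers on the VM's resolver as (qname, answer). The page does not show
# which name resolved to 172.217.160.78; "lookup.example" is a placeholder so
# that host has an answer, as its absence from the no-DNS list implies.
DNS_ANSWERS = [("time.windows.com", "20.189.79.72"),
               ("lookup.example", "172.217.160.78")]
# TCP attempts as (dst_ip, dst_port, syn_sent, synack_seen).
TCP_ATTEMPTS = [("120.138.30.150", 8080, 3, 0), ("172.217.24.14", 443, 3, 0),
                ("172.217.160.78", 443, 3, 0), ("50.91.114.38", 80, 3, 0)]
# UDP flows as (dst_ip, dst_port), one per distinct destination in the table.
UDP_FLOWS = [("114.114.114.114", 53), ("192.168.56.255", 137),
             ("192.168.56.255", 138), ("20.189.79.72", 123), ("224.0.0.252", 5355)]
# OS/sandbox background on UDP, and public ranges assumed to be connectivity
# probes rather than C2 (172.217.0.0/16 is Google address space; assumption).
BACKGROUND_UDP = {53: "DNS", 123: "NTP", 137: "NetBIOS-NS", 138: "NetBIOS-DGM", 5355: "LLMNR"}
PROBE_RANGES = (ipaddress.ip_network("172.217.0.0/16"),)

def is_local_noise(ip):
    """Private, multicast, link-local and loopback destinations are never C2."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_multicast or a.is_link_local or a.is_loopback

def hosts_without_dns(attempts, answers):
    """'Communicates with host for which no DNS query was performed':
    public destination IPs that never appeared in a DNS answer."""
    resolved = {ip for _, ip in answers}
    return sorted({ip for ip, *_ in attempts
                   if ip not in resolved and not is_local_noise(ip)})

def dead_hosts(attempts):
    """'Connects to IP addresses that are no longer responding': SYNs out, no
    SYN/ACK back. That is also why the report's TCP table is empty."""
    return sorted(f"{ip}:{port}" for ip, port, syn, synack in attempts
                  if syn and not synack)

def unexplained_udp(flows):
    """UDP to a public address on a port that is not OS background traffic."""
    return [(ip, port) for ip, port in flows
            if port not in BACKGROUND_UDP and not is_local_noise(ip)]

def c2_candidates(attempts, answers, allowlist=PROBE_RANGES):
    """Hard-coded (no DNS) destinations that never answered, minus allowlisted
    probe ranges: the shape of a stale C2 list embedded in the binary."""
    nodns = set(hosts_without_dns(attempts, answers))
    return [(ip, port) for ip, port, _, synack in attempts
            if ip in nodns and not synack
            and not any(ipaddress.ip_address(ip) in net for net in allowlist)]

if __name__ == "__main__":
    print("no DNS       :", hosts_without_dns(TCP_ATTEMPTS, DNS_ANSWERS))
    print("dead         :", dead_hosts(TCP_ATTEMPTS))
    print("odd UDP      :", unexplained_udp(UDP_FLOWS))
    print("C2 candidates:", c2_candidates(TCP_ATTEMPTS, DNS_ANSWERS))
```

Run on the constructed data this reproduces the page: three no-DNS hosts, four dead hosts, no UDP beyond background, and two C2 candidates (120.138.30.150:8080 and 50.91.114.38:80) once the Google-space address is allowlisted.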

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.