Risk score: 8.4 (High risk)

SHA256: f555a7f464a82d1e953faaab7262577d04a024233c3ad4fa8b10cf7673ad6a8c
File name: 8090b0f1f0f7667f4a506193cbe189ff.exe (the name is the file's MD5; the McAfee and FireEye labels below embed the same hash prefix)
Analysis duration: 140s
Most recent analysis:
File size: 132.8KB
Static detection: flagged. Dynamic detection: flagged. Label fragments aggregated from the engine results below: 100%, AGEN, BANKERX, BSCOPE, CLOUD, CONFIDENCE, DDKX, ELDORADO, EMOTET, FPWBEA, GDSDA, GENCIRC, GSJJ, HIGH, HIGH CONFIDENCE, INVALIDSIG, IQ1@A0P3QQFI, KRYPTIK, LUPUS, MALWARE@#2Q8ZPMMD5SIYD, S6348779, SCORE, SUSPICIOUS PE, UNSAFE, ZEXAF
Hawkeye engine (鹰眼引擎)
Not detected: no Hawkeye engine result is available for this sample.
Static verdict

Antivirus engines

Engine        Result                                  Scan date   Engine version
McAfee        Emotet-FMG!8090B0F1F0F7                 20200629    6.0.6.653
Alibaba       Trojan:Win32/Emotet.01dbb595            20190527    0.3.0.5
Baidu         (no result)                             20190318    1.0.0.2
Avast         Win32:BankerX-gen [Trj]                 20200629    18.4.3895.0
Kingsoft      (no result)                             20200629    2013.8.14.323
Tencent       Malware.Win32.Gencirc.10b3dee6          20200629    1.0.0.1
CrowdStrike   win/malicious_confidence_100% (W)       20190702    1.0
Static indicators

Queries for the computer name (1 event)
Time               API               Arguments                  Status   Return  Repeated
1620833015.48175   GetComputerNameW  computer_name: OSKAR-PC    success  1       0

This executable is signed
(The presence of a signature says nothing about its validity: eGambit's verdict in the VirusTotal list below is PE.Heur.InvalidSig. Do not treat the file as trusted on that basis until the certificate chain has actually been verified.)

The executable uses a known packer (1 event)
packer: Armadillo v1.71
Behavioral verdict

Dynamic indicators

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:2575934676&cup2hreq=5cedbfe1173842377609cde7ce81a0780c42833f92cb70336514586ba2d84d73

Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=10089c3382fd2a8a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=3
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=10089c3382fd2a8a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:2575934676&cup2hreq=5cedbfe1173842377609cde7ce81a0780c42833f92cb70336514586ba2d84d73

Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2575934676&cup2hreq=5cedbfe1173842377609cde7ce81a0780c42833f92cb70336514586ba2d84d73

Caveat for all three HTTP indicators: every request above targets Google Update infrastructure (the gvt1.com download of GoogleUpdateSetup.exe 1.3.36.82 and the Omaha /service/update2 endpoint with its cup2key/cup2hreq parameters), and the raw requests further down carry the "Microsoft BITS/7.5" User-Agent that Google Update's BITS-based downloader uses. This is almost certainly background update activity of the analysis VM rather than traffic generated by the sample, and the "POST with no referer" flag is a false positive here. The sample's own network behaviour is the set of direct-to-IP connections listed under network communication.
Allocates read-write-execute memory (usually to unpack itself) (9 events)

Common to all nine events: API NtAllocateVirtualMemory, protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status success, return 0, repeated 0. heap_dep_bypass is 0 unless shown otherwise.

Time               PID   region_size  allocation_type                   base_address          process_handle        heap_dep_bypass
1620833006.997499  708   69632        12288 (MEM_COMMIT|MEM_RESERVE)    0x003a0000            0xffffffff            0
1620833007.528499  708   65536        12288 (MEM_COMMIT|MEM_RESERVE)    0x003c0000            0xffffffff            0
1620833007.528499  708   81920        12288 (MEM_COMMIT|MEM_RESERVE)    0x003d0000            0xffffffff            0
1620833007.528499  708   81920        12288 (MEM_COMMIT|MEM_RESERVE)    0x00400000            0xffffffff            1
1620833007.80975   2344  69632        12288 (MEM_COMMIT|MEM_RESERVE)    0x003b0000            0xffffffff            0
1620833008.34075   2344  65536        12288 (MEM_COMMIT|MEM_RESERVE)    0x003d0000            0xffffffff            0
1620833008.34075   2344  81920        12288 (MEM_COMMIT|MEM_RESERVE)    0x003e0000            0xffffffff            0
1620833008.34075   2344  81920        12288 (MEM_COMMIT|MEM_RESERVE)    0x00400000            0xffffffff            1
1620832638.765645  1424  65536        4096 (MEM_COMMIT)                 0x0000000004070000    0xffffffffffffffff    0

Reading the table: process_handle 0xffffffff is the GetCurrentProcess() pseudo-handle (0xffffffffffffffff is its 64-bit form), so every allocation is in the calling process itself, not injected into another one. PIDs 708 and 2344 run the identical four-step sequence about 0.8 s apart, each ending with an 81920-byte RWX region at 0x00400000, the linker's default image base for a 32-bit executable, with the monitor's heap_dep_bypass flag set. A MEM_RESERVE at that address can only succeed if nothing is mapped there, so the stub has either been relocated by ASLR or has already unmapped its own image; either way this is the classic loader pattern of writing a decrypted PE at the payload's preferred base, and seeing it twice is consistent with the sample executing itself a second time. PID 1424 is a 64-bit process (8-byte handle and address) logged about 368 s before the sample's events, so it is unlikely to be this 32-bit binary (installed under SysWOW64, 32-bit import addresses) and is probably another process in the VM.
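The allocation events above are the kind of record an analyst wants to triage programmatically rather than by eye. The following is an added example for this page, not code from the sandbox: it parses the flattened "time / API / key: value ... / status return repeated" blocks exactly as they are printed above, decodes the winnt.h protection and allocation constants, and flags the two things worth noticing here, RWX commits placed at the default 32-bit image base and events whose pointer width shows they come from a process of a different bitness than the sample. The embedded input is three of the nine events, copied from the report; the image-base constant and the pseudo-handle strings are standard Windows values.

```python
"""Triage NtAllocateVirtualMemory events from a flattened sandbox report.
Added example for this page, not the sandbox's own code. Parses the
"time / API / key: value ... / status return repeated" blocks, decodes
winnt.h constants, and flags RWX commits at the default 32-bit image base
plus events whose pointer width reveals a process of another bitness.
"""
import re
from collections import defaultdict

PAGE_FLAGS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
DEFAULT_IMAGE_BASE_32 = 0x00400000                      # linker default for 32-bit EXEs
PSEUDO_HANDLES = ("0xffffffff", "0xffffffffffffffff")   # GetCurrentProcess(), 32- and 64-bit

EVENT_RE = re.compile(r"^(?P<time>\d+\.\d+)\n(?P<api>\w+)\n(?P<args>(?:\w+:.*\n)+?)"
                      r"(?P<status>success|failure) (?P<ret>\S+) (?P<rep>\d+)$", re.M)

def decode_flags(value, table):
    """Name each known bit of `value`; any unknown remainder stays as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def parse_events(text):
    events = []
    for m in EVENT_RE.finditer(text):
        ev = {"time": float(m["time"]), "api": m["api"], "status": m["status"]}
        for line in m["args"].splitlines():
            key, _, val = line.partition(":")
            ev[key] = val.strip().split(" ")[0]     # "64 (PAGE_EXECUTE_READWRITE)" -> "64"
        events.append(ev)
    return events

def triage_allocations(text):
    """Per-PID list of decoded allocations with the analyst-relevant flags."""
    by_pid = defaultdict(list)
    for ev in parse_events(text):
        if ev["api"] != "NtAllocateVirtualMemory":
            continue
        prot, base = int(ev["protection"]), int(ev["base_address"], 16)
        handle = ev["process_handle"].lower()
        by_pid[int(ev["process_identifier"])].append({
            "time": ev["time"], "base": base, "size": int(ev["region_size"]),
            "protection": decode_flags(prot, PAGE_FLAGS),
            "allocation": decode_flags(int(ev["allocation_type"]), ALLOC_FLAGS),
            "self_process": handle in PSEUDO_HANDLES,
            "bitness": 64 if len(handle) > 10 else 32,  # the sandbox prints pointer-width hex
            "over_image_base": bool(prot & 0x40) and base == DEFAULT_IMAGE_BASE_32,
        })
    return dict(by_pid)

def pids_unpacking_in_place(findings):
    return {pid for pid, recs in findings.items() if any(r["over_image_base"] for r in recs)}

def pids_of_other_bitness(findings, sample_bits=32):
    return {pid for pid, recs in findings.items() if any(r["bitness"] != sample_bits for r in recs)}

# Constructed input: three of the nine events listed above, copied as printed.
SAMPLE_EVENTS = """\
1620833006.997499
NtAllocateVirtualMemory
process_identifier: 708
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1620833007.528499
NtAllocateVirtualMemory
process_identifier: 708
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620832638.765645
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004070000
success 0 0
"""

if __name__ == "__main__":
    findings = triage_allocations(SAMPLE_EVENTS)
    for pid, recs in findings.items():
        for r in recs:
            print(pid, hex(r["base"]), r["size"], r["protection"], r["allocation"],
                  "<- RWX over image base" if r["over_image_base"] else "")
    print("unpacking in place:", pids_unpacking_in_place(findings), "not 32-bit:", pids_of_other_bitness(findings))
```

The bitness check relies on the monitor printing handles at pointer width, which is how this report formats them; on a different sandbox that normalises handles you would key off the process's own metadata instead.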
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a service (1 event)

Time              API             Status   Return                                            Repeated
1620833018.71575  CreateServiceW  success  5329480 (0x00515248, the returned service_handle)  0
Arguments:
  service_name: dmapnf
  display_name: dmapnf
  filepath_r: "C:\Windows\SysWOW64\dmapnf.exe"
  filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\dmapnf.exe"  (the sandbox's path normalisation has prefixed the working directory to an already absolute, quoted path; filepath_r is the real binary path)
  service_type: 16 (SERVICE_WIN32_OWN_PROCESS)
  start_type: 2 (SERVICE_AUTO_START, started by the SCM at boot)
  error_control: 0 (SERVICE_ERROR_IGNORE)
  desired_access: 18 (0x12 = SERVICE_CHANGE_CONFIG | SERVICE_START)
  service_manager_handle: 0x00515270
  service_handle: 0x00515248
  service_start_name: (NULL, shown empty, so the service runs as LocalSystem)
  password: (empty)
Moves the original executable to a new location (1 event)

Time              API                    Status   Return  Repeated
1620833016.59075  MoveFileWithProgressW  success  1       0
Arguments:
  oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8090b0f1f0f7667f4a506193cbe189ff.exe
  newfilepath: C:\Windows\SysWOW64\dmapnf.exe
  flags: 3 (MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED)
(oldfilepath_r and newfilepath_r are identical to the paths above.) The file moved here is the binary registered as the dmapnf service about 2 s later, so the move, the service creation and the Zone.Identifier removal below are one install sequence.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.5460697653818345, section .data (virtual_address 0x00008000, size_of_data 0x00011000, virtual_size 0x00011090): a section with high entropy has been found
entropy 0.5291828793774319: overall entropy of this PE file is high

Reading the two numbers: the first is a Shannon entropy in bits per byte (7.55 of a possible 8) for the 0x11000-byte .data section, which therefore holds compressed or encrypted content rather than ordinary initialised data; in a 132.8 KB file that one section is roughly half the binary. The second figure is not an entropy despite its label: the sandbox's packer heuristic reports the ratio of high-entropy section bytes to all section bytes (0.53, i.e. about 53% of the section data looks compressed) and fires when that ratio exceeds its threshold.
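To make the distinction between the two figures concrete, here is an added example (not the sandbox's code) that re-implements both: a per-section Shannon entropy in bits per byte, and the file-level ratio of compressed-looking section bytes that the report labels "overall entropy". The section bytes are constructed stand-ins, since the page does not carry the file, and the 7.4 cutoff and 0.2 trigger ratio are this example's assumptions modelled on Cuckoo's packer_entropy signature.

```python
"""Section entropy versus the report's 'overall entropy' ratio.
Added example for this page, not the sandbox's code. Section bytes are
constructed; the 7.4 cutoff and 0.2 trigger are assumptions modelled on
Cuckoo's packer_entropy signature.
"""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packer_entropy_indicator(sections, compressed_cutoff=7.4, ratio_trigger=0.2):
    """sections: [(name, bytes)]. Returns (high_entropy_sections, ratio, fires).
    `ratio` is what the report labels 'overall entropy': bytes of sections
    above the cutoff divided by all section bytes. It is a fraction, not an
    entropy, so 0.53 means 53% of section data looks compressed/encrypted."""
    total = sum(len(data) for _, data in sections)
    high, compressed = [], 0
    for name, data in sections:
        e = shannon_entropy(data)
        if e > compressed_cutoff:
            high.append((name, round(e, 4), len(data)))
            compressed += len(data)
    ratio = compressed / total if total else 0.0
    return high, ratio, ratio > ratio_trigger

# Constructed stand-ins for a small 32-bit PE's sections (not the sample's bytes).
_rng = random.Random(2021)
TEXT = bytes(_rng.choice(b"\x8b\x45\x08\x89\x55\xfc\xe8\x00\x00\x00\x00\xc3\x90")
             for _ in range(0x7000))                        # repetitive, code-like bytes
DATA = bytes(_rng.getrandbits(8) for _ in range(0x11000))   # encrypted payload: near-uniform
RSRC = bytes(0x2000)                                        # zero-filled
SECTIONS = [(".text", TEXT), (".data", DATA), (".rsrc", RSRC)]

if __name__ == "__main__":
    for name, data in SECTIONS:
        print(f"{name:6} {len(data):#08x} bytes  entropy {shannon_entropy(data):.3f} bits/byte")
    high, ratio, fires = packer_entropy_indicator(SECTIONS)
    print("high-entropy sections:", high)
    print(f"ratio of compressed-looking section bytes: {ratio:.3f}  indicator fires: {fires}")
```

With these sizes the ratio comes out at 0x11000 / (0x7000 + 0x11000 + 0x2000), about 0.65; the report's 0.53 for the real file reflects a different mix of section sizes, but the meaning is the same: a fraction of the file, not bits per byte.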
Network communication

Communicates with host for which no DNS query was performed (5 events)
host 172.217.24.14
host 189.196.140.187
host 200.58.171.51
host 222.104.222.145
host 203.208.40.66

Of these, 172.217.24.14 and 203.208.40.66 sit in Google-operated ranges (the TCP table below resolves update.googleapis.com into 203.208.41.x, the same /19) and belong to the Google Update background traffic already noted. The other three are bare IPv4 addresses contacted with no preceding DNS lookup, two of them on port 80 according to the dead-host list; that is the footprint of a hard-coded C2 address list of the kind Emotet carries. None of them answered during the run, so no C2 exchange was captured and these addresses, not the Google hosts, are what belongs in detection content.
Installs itself for autorun at Windows startup (1 event)
service_name: dmapnf
service_path: C:\Windows\SysWOW64\dmapnf.exe (logged by the sandbox as C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\dmapnf.exe"; see the CreateServiceW event above for the path artifact)

Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\dmapnf.exe:Zone.Identifier

Deleting the Zone.Identifier alternate data stream strips the mark-of-the-web that Windows attaches to files arriving via browsers and mail clients, so the relocated binary no longer triggers the "file came from another computer" handling. On an infected host, therefore, the absence of that stream on the service binary is expected and must not be read as evidence that the file was created locally.
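The three events above (MoveFileWithProgressW, CreateServiceW and the Zone.Identifier removal) are one install chain, and the numeric arguments only mean something once decoded. The following added example, not the sandbox's code, decodes the winsvc.h and winbase.h constants and links the events by the binary path they share. The events are constructed dicts carrying the values shown in this report; the Zone.Identifier removal is modelled as a DeleteFileW call, which the page does not state (it names only the stream), so that API name and its timestamp are assumptions.

```python
"""Decode and correlate MoveFileWithProgressW -> CreateServiceW -> ADS removal.
Added example for this page, not the sandbox's code. Event dicts below carry
the report's values; the DeleteFileW API name/time for the Zone.Identifier
removal is an assumption (the page names only the stream).
"""
SERVICE_TYPE = {0x01: "SERVICE_KERNEL_DRIVER", 0x02: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
SERVICE_ACCESS = {0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
                  0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
                  0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
                  0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
MOVEFILE_FLAGS = {0x1: "MOVEFILE_REPLACE_EXISTING", 0x2: "MOVEFILE_COPY_ALLOWED",
                  0x4: "MOVEFILE_DELAY_UNTIL_REBOOT", 0x8: "MOVEFILE_WRITE_THROUGH"}

def flag_names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)

def norm_path(p):
    """Drop the quotes service image paths often carry; compare case-insensitively."""
    return p.strip().strip('"').lower()

def decode_create_service(ev):
    return {
        "service_name": ev["service_name"],
        "binary": ev["filepath_r"].strip('"'),
        "type": SERVICE_TYPE.get(ev["service_type"], hex(ev["service_type"])),
        "start": START_TYPE.get(ev["start_type"], str(ev["start_type"])),
        "error_control": ERROR_CONTROL.get(ev["error_control"], str(ev["error_control"])),
        "access": flag_names(ev["desired_access"], SERVICE_ACCESS),
        # a NULL lpServiceStartName (logged as "") makes the service run as LocalSystem
        "account": ev["service_start_name"] or "LocalSystem",
        "runs_at_boot": ev["start_type"] in (0, 1, 2),
    }

def persistence_chain(events):
    """Link a file move to a service whose image is the move target, and note
    whether the mark-of-the-web stream on that image was removed."""
    moves = [e for e in events if e["api"] == "MoveFileWithProgressW"]
    services = [e for e in events if e["api"] == "CreateServiceW"]
    ads_removed = {norm_path(e["filepath"].rsplit(":", 1)[0]) for e in events
                   if e["api"] == "DeleteFileW"
                   and e.get("filepath", "").lower().endswith(":zone.identifier")}
    for mv in moves:
        target = norm_path(mv["newfilepath"])
        for svc in services:
            if norm_path(svc["filepath_r"]) != target:
                continue
            return {"original_path": mv["oldfilepath"], "installed_path": mv["newfilepath"],
                    "move_flags": flag_names(mv["flags"], MOVEFILE_FLAGS),
                    "service": decode_create_service(svc),
                    "motw_removed": target in ads_removed,
                    "seconds_move_to_service": round(svc["time"] - mv["time"], 6)}
    return None

# Constructed from the values in this report (DeleteFileW entry assumed, see above).
EVENTS = [
    {"api": "MoveFileWithProgressW", "time": 1620833016.59075,
     "oldfilepath": r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8090b0f1f0f7667f4a506193cbe189ff.exe",
     "newfilepath": r"C:\Windows\SysWOW64\dmapnf.exe", "flags": 3},
    {"api": "CreateServiceW", "time": 1620833018.71575, "service_name": "dmapnf",
     "display_name": "dmapnf", "filepath_r": r'"C:\Windows\SysWOW64\dmapnf.exe"',
     "service_type": 16, "start_type": 2, "error_control": 0, "desired_access": 18,
     "service_start_name": "", "password": ""},
    {"api": "DeleteFileW", "time": 1620833017.0,   # assumed API and time
     "filepath": r"C:\Windows\SysWOW64\dmapnf.exe:Zone.Identifier"},
]

if __name__ == "__main__":
    chain = persistence_chain(EVENTS)
    svc = chain["service"]
    print(chain["original_path"], "->", chain["installed_path"], chain["move_flags"])
    print(f"service {svc['service_name']}: {svc['type']}, {svc['start']}, account {svc['account']}, "
          f"access {svc['access']}; MOTW removed: {chain['motw_removed']}; "
          f"service created {chain['seconds_move_to_service']} s after the move")
```

The join on `filepath_r` rather than `filepath` matters: the sandbox's normalised `filepath` carries a bogus working-directory prefix, and a chain built on it would never match the MoveFile target.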
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 of 61 shown)

Engine                Result
MicroWorld-eScan      Trojan.Lupus.Gen.1
FireEye               Generic.mg.8090b0f1f0f7667f
CAT-QuickHeal         Trojan.Emotet.S6348779
McAfee                Emotet-FMG!8090B0F1F0F7
Cylance               Unsafe
Zillya                Trojan.Emotet.Win32.17103
SUPERAntiSpyware      Trojan.Agent/Gen-Emotet
Sangfor               Malware
K7AntiVirus           Trojan ( 0054ea211 )
Alibaba               Trojan:Win32/Emotet.01dbb595
K7GW                  Trojan ( 0054cb081 )
Cybereason            malicious.1f0f76
Arcabit               Trojan.Lupus.Gen.1
Invincea              heuristic
BitDefenderTheta      Gen:NN.ZexaF.34130.iq1@a0p3qqFi
F-Prot                W32/Emotet.SV.gen!Eldorado
Symantec              Packed.Generic.459
TrendMicro-HouseCall  TrojanSpy.Win32.EMOTET.SM
Avast                 Win32:BankerX-gen [Trj]
ClamAV                Win.Malware.Emotet-6960704-0
Kaspersky             Trojan-Banker.Win32.Emotet.ddkx
BitDefender           Trojan.Lupus.Gen.1
NANO-Antivirus        Trojan.Win32.Emotet.fpwbea
Paloalto              generic.ml
AegisLab              Trojan.Win32.Emotet.L!c
Rising                Trojan.Kryptik!1.B8D2 (CLOUD)
Ad-Aware              Trojan.Lupus.Gen.1
Emsisoft              Trojan.Emotet (A)
Comodo                Malware@#2q8zpmmd5siyd
F-Secure              Heuristic.HEUR/AGEN.1118870
DrWeb                 Trojan.Emotet.678
TrendMicro            TrojanSpy.Win32.EMOTET.SM
SentinelOne           DFI - Suspicious PE
Trapmine              malicious.high.ml.score
Sophos                Mal/Emotet-Q
APEX                  Malicious
Cyren                 W32/Emotet.SV.gen!Eldorado
Jiangmin              Trojan.Banker.Emotet.ilm
eGambit               PE.Heur.InvalidSig
Avira                 HEUR/AGEN.1118870
Antiy-AVL             Trojan[Banker]/Win32.Emotet
Microsoft             Trojan:Win32/Emotet.AD
Endgame               malicious (high confidence)
ViRobot               Trojan.Win32.Emotet.135992
ZoneAlarm             Trojan-Banker.Win32.Emotet.ddkx
GData                 Trojan.Lupus.Gen.1
Cynet                 Malicious (score: 100)
AhnLab-V3             Trojan/Win32.Emotet.C3185689
Acronis               suspicious
VBA32                 BScope.Malware-Cryptor.Emotet
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)
dead_host 172.217.160.110:443
dead_host 172.217.24.14:443
dead_host 189.196.140.187:80
dead_host 200.58.171.51:80
dead_host 172.217.160.78:443

The three 172.217.x.x:443 entries are Google addresses from the update traffic that simply received no answer within the analysis window; 189.196.140.187:80 and 200.58.171.51:80 are the sample's direct-to-IP attempts and the ones worth carrying into detection content. 222.104.222.145 from the no-DNS list does not appear here, so the report records no outcome for it.
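Separating the analysis VM's own traffic from what the sample did is the first step in turning this report into indicators, and the rules are simple enough to automate. The following added example (not the sandbox's code) classifies the no-DNS hosts and dead hosts listed above, and the HTTP requests further down, into background infrastructure and C2 candidates. All inputs are constructed from the values in this report. The address prefixes listed as Google are this example's assumption; the page itself only resolves 203.208.41.x to update.googleapis.com and 113.108.239.x to gvt1.com hosts, and the BITS User-Agent comes from the raw request headers shown later.

```python
"""Split network contacts into analysis-VM background traffic and sample-attributable
connections. Added example for this page, not the sandbox's code. Inputs are
constructed from the report; the Google prefixes are an assumption.
"""
import ipaddress

BACKGROUND_NETS = {   # assumed ownership, not stated on the page
    "Google (update.googleapis.com / gvt1.com CDN)": [ipaddress.ip_network("172.217.0.0/16"),
                                                      ipaddress.ip_network("203.208.32.0/19")],
}
BACKGROUND_HOST_SUFFIXES = (".gvt1.com", ".googleapis.com", "time.windows.com")
BACKGROUND_USER_AGENTS = ("Microsoft BITS/",)   # Google Update downloads through BITS

def background_owner(ip):
    """Name of the known background operator for `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in BACKGROUND_NETS.items():
        if any(addr in net for net in nets):
            return owner
    return None

def classify_http(requests):
    """url -> 'background' | 'sample?' from host suffix and User-Agent."""
    verdicts = {}
    for req in requests:
        host = req["url"].split("/")[2].split(":")[0].lower()
        ua = req.get("user_agent", "")
        background = host.endswith(BACKGROUND_HOST_SUFFIXES) or ua.startswith(BACKGROUND_USER_AGENTS)
        verdicts[req["url"]] = "background" if background else "sample?"
    return verdicts

def classify_contacts(no_dns_hosts, dead_hosts):
    """Hosts contacted without a DNS lookup, split into known background
    infrastructure and C2 candidates. A bare IP with no DNS and no known owner
    is what a hard-coded C2 list looks like in a sandbox report."""
    attempted = {}
    for entry in dead_hosts:
        ip, port = entry.rsplit(":", 1)
        attempted.setdefault(ip, set()).add(int(port))
    result = {"background": {}, "candidates": {}}
    for ip in no_dns_hosts:
        info = {"ports": sorted(attempted.get(ip, ())), "no_response": ip in attempted}
        owner = background_owner(ip)
        if owner:
            result["background"][ip] = {**info, "owner": owner}
        else:
            result["candidates"][ip] = info
    return result

# Constructed from this report.
NO_DNS_HOSTS = ["172.217.24.14", "189.196.140.187", "200.58.171.51", "222.104.222.145", "203.208.40.66"]
DEAD_HOSTS = ["172.217.160.110:443", "172.217.24.14:443", "189.196.140.187:80",
              "200.58.171.51:80", "172.217.160.78:443"]
HTTP_REQUESTS = [
    {"method": "HEAD", "user_agent": "Microsoft BITS/7.5",
     "url": "http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe"},
    {"method": "GET", "user_agent": "Microsoft BITS/7.5",
     "url": "http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17"},
    {"method": "POST", "user_agent": "",   # TLS: no UA captured, host alone decides
     "url": "https://update.googleapis.com/service/update2?cup2key=10:2575934676"},
]

if __name__ == "__main__":
    contacts = classify_contacts(NO_DNS_HOSTS, DEAD_HOSTS)
    for ip, info in contacts["background"].items():
        print("background ", ip, info)
    for ip, info in contacts["candidates"].items():
        print("C2 candidate", ip, info)
    for url, verdict in classify_http(HTTP_REQUESTS).items():
        print(verdict, url)
```

Only the candidate set should feed blocklists or Suricata rules; shipping the Google addresses would generate alerts on every host that runs Chrome.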
Visual analysis

Binary image: none (no binary visualisation was generated for this sample)

Runtime screenshots: none (no screenshots were captured while the sample ran)

PE Compile Time

2018-05-03 13:38:53 (a PE timestamp is trivially forged; note only that it predates the earliest scan date above, Baidu 20190318, by about a year)

Imports

Library KERNEL32.dll:
0x418aa0 GetModuleHandleW
0x418aa4 LoadLibraryA
0x418aa8 GetProcAddress
0x418aac GetStartupInfoA
0x418ab0 GetModuleHandleA
Library USER32.dll:
0x418abc GetQueueStatus
0x418ac0 LoadCursorFromFileW
0x418ac4 PaintDesktop
0x418ac8 CharUpperA
0x418acc IsWindow
0x418ad0 GetSysColorBrush
0x418ad8 AnyPopup
0x418adc CloseWindowStation
0x418ae0 GetDesktopWindow
0x418ae4 GetClipboardOwner
0x418ae8 GetThreadDesktop
0x418aec GetCaretBlinkTime
0x418af0 DestroyWindow
0x418af4 GetKeyState
0x418af8 IsIconic
0x418afc GetTopWindow
0x418b00 GetSysColor
0x418b04 GetListBoxInfo
0x418b08 CharNextW
0x418b0c IsWindowVisible
0x418b10 CharToOemBuffA
0x418b14 CharNextExA
Library GDI32.dll:
0x418b1c DeleteObject
0x418b20 UpdateColors
0x418b24 GetLayout
0x418b28 CreateMetaFileW
0x418b2c DeleteEnhMetaFile
0x418b30 GetTextAlign
0x418b34 GetDCPenColor
0x418b38 CloseMetaFile
0x418b3c CreateMetaFileA
0x418b40 FillPath
0x418b44 RealizePalette
0x418b48 EndDoc
0x418b4c SwapBuffers
0x418b50 GetFontLanguageInfo
0x418b54 GetSystemPaletteUse
Library ADVAPI32.dll:
0x418b5c RegOpenKeyA
0x418b60 RegQueryValueExA
Library MSVCRT.dll:
0x418b68 _except_handler3
0x418b6c __set_app_type
0x418b70 __p__fmode
0x418b74 __p__commode
0x418b78 _adjust_fdiv
0x418b7c __setusermatherr
0x418b80 _initterm
0x418b84 __getmainargs
0x418b88 _acmdln
0x418b8c exit
0x418b90 _XcptFilter
0x418b94 _exit
0x418b98 _onexit
0x418b9c __dllonexit
0x418ba0 _controlfp

Reading the import table: from KERNEL32 the binary takes only GetModuleHandleA/W, LoadLibraryA, GetProcAddress and GetStartupInfoA, which is exactly the set needed to resolve every other API by hand at runtime, so this static list does not describe what the code does. None of the USER32 and GDI32 entries (PaintDesktop, SwapBuffers, EndDoc, CreateMetaFileW, GetListBoxInfo, CloseWindowStation and the rest) corresponds to any recorded behaviour; they read as filler that makes the file look like an ordinary GUI application. ADVAPI32 contributes only RegOpenKeyA/RegQueryValueExA, and the MSVCRT block is the standard VC6-era CRT start-up set (_except_handler3, __set_app_type, _initterm, _controlfp). Runtime API resolution through GetProcAddress is consistent with the packer stub identified above and with the RWX self-overwrite seen in the allocation events; the functional API set only exists in memory after unpacking.

Hosts

No hosts contacted.

TCP

Source           Source port  Destination       Hostname                     Destination port
192.168.56.101   49193        113.108.239.194   r1---sn-j5o7dn7e.gvt1.com    80
192.168.56.101   49194        113.108.239.196   r3---sn-j5o7dn7e.gvt1.com    80
192.168.56.101   49188        203.208.41.98     update.googleapis.com        443
192.168.56.101   49192        203.208.41.65     redirector.gvt1.com          80

Every completed TCP connection resolved to a Google Update host; the sample's direct-to-IP attempts in the dead-host list never completed a handshake, which is why they are absent here.

UDP

Source           Source port  Destination       Hostname            Destination port
192.168.56.101   51378        114.114.114.114                       53
192.168.56.101   51963        114.114.114.114                       53
192.168.56.101   53210        114.114.114.114                       53
192.168.56.101   53500        114.114.114.114                       53
192.168.56.101   55368        114.114.114.114                       53
192.168.56.101   56743        114.114.114.114                       53
192.168.56.101   58070        114.114.114.114                       53
192.168.56.101   60088        114.114.114.114                       53
192.168.56.101   60123        114.114.114.114                       53
192.168.56.101   60384        114.114.114.114                       53
192.168.56.101   137          192.168.56.255                        137
192.168.56.101   138          192.168.56.255                        138
192.168.56.101   123          20.189.79.72      time.windows.com    123
192.168.56.101   49713        224.0.0.252                           5355
192.168.56.101   53237        224.0.0.252                           5355
192.168.56.101   53380        224.0.0.252                           5355
192.168.56.101   53657        224.0.0.252                           5355
192.168.56.101   54991        224.0.0.252                           5355
192.168.56.101   56804        224.0.0.252                           5355
192.168.56.101   58367        224.0.0.252                           5355

The UDP traffic is the VM's normal Windows background: DNS to the configured resolver 114.114.114.114, NetBIOS name-service and datagram broadcasts (137/138) to the subnet, NTP to time.windows.com, and LLMNR multicast to 224.0.0.252:5355. None of it is attributable to the sample.

HTTP & HTTPS Requests

All four captured requests carry the User-Agent "Microsoft BITS/7.5" (the Background Intelligent Transfer Service, which Google Update uses to fetch its installer), target gvt1.com download hosts, and the final GET is a Range-chunked BITS transfer of GoogleUpdateSetup.exe. This is the analysis VM's own Google Update activity, not traffic generated by the sample; the HTTPS POST to update.googleapis.com listed in the indicators has no plaintext to show here.

URI: http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

URI: http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

URI: http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=10089c3382fd2a8a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=3
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=10089c3382fd2a8a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6779
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

URI: http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=10089c3382fd2a8a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=10089c3382fd2a8a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620804021&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.