Score: 7.4
Risk level: High

SHA-256: 90d33c816053963abb4c2f24a2be213f8365c929417b30aeb64f441244274f4a

File name: 8b388e7da9d2447c2aa5341fa955291c.exe

Analysis duration: 118s

Last analysis:

File size: 268.0KB
Static detection | Dynamic detection
Detection tags: 100% AI SCORE=89 CONFIDENCE DOWNLOADER34 ELDORADO EMOTET EMOTETPMF GDND GENCIRC GENERICKDZ GENETIC HFZB HIGH CONFIDENCE HUCSVI KRYPTIK KYOLC MALWARE@#1L3CA0EGYR2WT OBFUSE QRYOC0YXLYU R + TROJ S15765419 SCORE TROJANBANKER TROJANX UNSAFE VOBFUSAGENTHQ YSGNO0UVIT0
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine results available.
Static verdict

Antivirus engines

Engine        Result                              Scan date   Engine version
McAfee        Emotet-FSD!8B388E7DA9D2             20201022    6.0.6.653
CrowdStrike   win/malicious_confidence_100% (W)   20190702    1.0
Baidu         -                                   20190318    1.0.0.2
Avast         Win32:TrojanX-gen [Trj]             20201022    18.4.3895.0
Alibaba       Trojan:Win32/Emotet.42466687        20190527    0.3.0.5
Kingsoft      -                                   20201022    2013.8.14.323
Tencent       Malware.Win32.Gencirc.10cdfe48      20201022    1.0.0.1
(- = no result reported by the engine)
Static indicators

Queries for the computername (1 event)
  1620829497.607625  GetComputerNameA
    computer_name: OSKAR-PC
    status: success, return: 1, repeated: 0

Uses Windows APIs to generate a cryptographic key (3 events)
  1620829483.341625  CryptGenKey
    crypto_handle: 0x002d5d18
    algorithm_identifier: 0x0000660e ()
    provider_handle: 0x002d5520
    flags: 1
    key: fŒØÜò:bÒ¾Öþ°
    status: success, return: 1, repeated: 0
  1620829497.685625  CryptExportKey
    crypto_handle: 0x002d5d18
    crypto_export_handle: 0x002d5cd8
    buffer: f¤GAK1öW}p±6-=ôÚ!i–‚þ”̼׍•žýYŒAMìWݶmg€¶08aى €|HntPöÀ¿.L ’wõ€­:1Óì0~>ç5뢜ÏK<uÀ3G+ãÞÝ}XE
    blob_type: 1
    flags: 64
    status: success, return: 1, repeated: 0
  1620829524.810625  CryptExportKey
    crypto_handle: 0x002d5d18
    crypto_export_handle: 0x002d5cd8
    buffer: f¤d¨ÿûPXjìyv>Á’RÐ.õFÈôRsŸ3µ´}Š˜Ù9„e¯Oeï…ì)¯S“X©qÄ.ª˜–#®[ lò/ôDD²Lqý'%êbqxø4ü©Ýr
    blob_type: 1
    flags: 64
    status: success, return: 1, repeated: 0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)
  resource name: None
Behavioral verdict

Dynamic indicators

Allocates read-write-execute memory (usually to unpack itself) (1 event)
  1620829482.654625  NtAllocateVirtualMemory
    process_identifier: 2260
    region_size: 45056
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    protection: 64 (PAGE_EXECUTE_READWRITE)
    process_handle: 0xffffffff
    allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
    base_address: 0x01d30000
    status: success, return: 0, repeated: 0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
  1620829482.654625  NtProtectVirtualMemory
    process_identifier: 2260
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 1
    length: 28672
    protection: 32 (PAGE_EXECUTE_READ)
    process_handle: 0xffffffff
    base_address: 0x01d51000
    status: success, return: 0, repeated: 0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
  1620829498.325625  GetAdaptersAddresses
    flags: 0
    family: 0
    status: failed, return: 111, repeated: 0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)
  entropy 6.959926921745421  section {'size_of_data': '0x00010000', 'virtual_address': '0x00037000', 'entropy': 6.959926921745421, 'name': '.rsrc', 'virtual_size': '0x0000ffa8'}  description: A section with a high entropy has been found
  entropy 0.24242424242424243  description: Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)
  process 8b388e7da9d2447c2aa5341fa955291c.exe

Reads the system's User Agent and subsequently performs requests (1 event)
  1620829497.982625  InternetOpenW
    proxy_bypass:
    access_type: 0
    proxy_name:
    flags: 0
    user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    status: success, return: 13369348, repeated: 0
Network communication

Communicates with host for which no DNS query was performed (3 events)
  host 118.2.218.1
  host 172.217.24.14
  host 51.254.140.91

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
  1620829500.872625  RegSetValueExA
    key_handle: 0x000003b8
    value: 1
    regkey_r: WpadDecisionReason
    reg_type: 4 (REG_DWORD)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
    status: success, return: 0, repeated: 0
  1620829500.872625  RegSetValueExA
    key_handle: 0x000003b8
    value:  MG×
    regkey_r: WpadDecisionTime
    reg_type: 3 (REG_BINARY)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
    status: success, return: 0, repeated: 0
  1620829500.872625  RegSetValueExA
    key_handle: 0x000003b8
    value: 3
    regkey_r: WpadDecision
    reg_type: 4 (REG_DWORD)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
    status: success, return: 0, repeated: 0
  1620829500.872625  RegSetValueExW
    key_handle: 0x000003b8
    value: 网络 2
    regkey_r: WpadNetworkName
    reg_type: 1 (REG_SZ)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
    status: success, return: 0, repeated: 0
  1620829500.888625  RegSetValueExA
    key_handle: 0x000003d0
    value: 1
    regkey_r: WpadDecisionReason
    reg_type: 4 (REG_DWORD)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
    status: success, return: 0, repeated: 0
  1620829500.888625  RegSetValueExA
    key_handle: 0x000003d0
    value:  MG×
    regkey_r: WpadDecisionTime
    reg_type: 3 (REG_BINARY)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
    status: success, return: 0, repeated: 0
  1620829500.888625  RegSetValueExA
    key_handle: 0x000003d0
    value: 3
    regkey_r: WpadDecision
    reg_type: 4 (REG_DWORD)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
    status: success, return: 0, repeated: 0
  1620829500.904625  RegSetValueExW
    key_handle: 0x000003b4
    value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
    regkey_r: WpadLastNetwork
    reg_type: 1 (REG_SZ)
    regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
    status: success, return: 0, repeated: 0
File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)
Engine  Result
Bkav W32.VobfusAgentHQ.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69924
FireEye Trojan.GenericKDZ.69924
CAT-QuickHeal Trojan.EmotetPMF.S15765419
McAfee Emotet-FSD!8B388E7DA9D2
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056dc831 )
BitDefender Trojan.GenericKDZ.69924
K7GW Trojan ( 0056dcb21 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Kryptik.BWJ.gen!Eldorado
Symantec Packed.Generic.554
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
ClamAV Win.Malware.Emotet-9753021-0
Kaspersky Trojan-Banker.Win32.Emotet.gdnd
Alibaba Trojan:Win32/Emotet.42466687
NANO-Antivirus Trojan.Win32.Emotet.hucsvi
ViRobot Trojan.Win32.Emotet.274432.A
Rising Downloader.Obfuse!8.105AD (TFE:6:qryoc0yxlYU)
Ad-Aware Trojan.GenericKDZ.69924
Sophos Troj/Emotet-CLZ
Comodo Malware@#1l3ca0egyr2wt
DrWeb Trojan.DownLoader34.32692
Invincea Mal/Generic-R + Troj/Emotet-CLZ
McAfee-GW-Edition BehavesLike.Win32.Emotet.dh
Emsisoft Trojan.Emotet (A)
Jiangmin Trojan.Banker.Emotet.oic
Avira TR/Crypt.Agent.kyolc
MAX malware (ai score=89)
Microsoft Trojan:Win32/Emotet.ARK!MTB
Arcabit Trojan.Generic.D11124
ZoneAlarm Trojan-Banker.Win32.Emotet.gdnd
GData Trojan.GenericKDZ.69924
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4192695
ALYac Trojan.Agent.Emotet
TACHYON Trojan/W32.Agent.274432.ALH
VBA32 TrojanBanker.Emotet
Panda Trj/Genetic.gen
ESET-NOD32 a variant of Win32/Kryptik.HFZB
Tencent Malware.Win32.Gencirc.10cdfe48
Yandex Trojan.Kryptik!ysgnO0UVIt0
Ikarus Trojan-Banker.Emotet
Fortinet W32/Emotet.2B27!tr
AVG Win32:TrojanX-gen [Trj]
Paloalto generic.ml
Qihoo-360 Generic/Trojan.7db
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (4 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 51.254.140.91:7080
dead_host 118.2.218.1:80
Visual analysis

Binary image
No binary image: no binary visualization image was generated for this sample.

Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2020-09-05 01:03:35

Imports

Library KERNEL32.dll:
0x4260b4 RtlUnwind
0x4260b8 GetStartupInfoA
0x4260bc GetCommandLineA
0x4260c0 ExitProcess
0x4260c4 TerminateProcess
0x4260c8 HeapReAlloc
0x4260cc HeapSize
0x4260d0 HeapDestroy
0x4260d4 HeapCreate
0x4260d8 VirtualFree
0x4260dc IsBadWritePtr
0x4260e0 LCMapStringA
0x4260e4 LCMapStringW
0x4260e8 GetStdHandle
0x4260fc VirtualQuery
0x426100 SetHandleCount
0x426104 GetFileType
0x42610c GetCurrentProcessId
0x426118 GetStringTypeA
0x42611c GetStringTypeW
0x426124 IsBadReadPtr
0x426128 IsBadCodePtr
0x42612c SetStdHandle
0x426134 GetSystemInfo
0x426138 VirtualAlloc
0x42613c VirtualProtect
0x426140 HeapFree
0x426144 HeapAlloc
0x426148 GetTickCount
0x42614c GetFileTime
0x426150 GetFileAttributesA
0x426158 SetErrorMode
0x426160 GetOEMCP
0x426164 GetCPInfo
0x426168 CreateFileA
0x42616c GetFullPathNameA
0x426174 FindFirstFileA
0x426178 FindClose
0x42617c GetCurrentProcess
0x426180 DuplicateHandle
0x426184 GetFileSize
0x426188 SetEndOfFile
0x42618c UnlockFile
0x426190 LockFile
0x426194 FlushFileBuffers
0x426198 SetFilePointer
0x42619c WriteFile
0x4261a0 ReadFile
0x4261a4 GlobalFlags
0x4261a8 TlsFree
0x4261ac LocalReAlloc
0x4261b0 TlsSetValue
0x4261b4 TlsAlloc
0x4261b8 TlsGetValue
0x4261c0 GlobalHandle
0x4261c4 GlobalReAlloc
0x4261cc LocalAlloc
0x4261dc RaiseException
0x4261e0 GlobalGetAtomNameA
0x4261e4 GlobalFindAtomA
0x4261e8 lstrcatA
0x4261ec lstrcmpW
0x4261f8 FreeResource
0x4261fc CloseHandle
0x426200 GlobalAddAtomA
0x426204 GetCurrentThread
0x426208 GetCurrentThreadId
0x42620c FreeLibrary
0x426210 GlobalDeleteAtom
0x426214 lstrcmpA
0x426218 GetModuleFileNameA
0x42621c GetModuleHandleA
0x426228 lstrcpyA
0x42622c LoadLibraryA
0x426230 SetLastError
0x426234 GlobalFree
0x426238 MulDiv
0x42623c GlobalAlloc
0x426240 GlobalLock
0x426244 GlobalUnlock
0x426248 FormatMessageA
0x42624c lstrcpynA
0x426250 LocalFree
0x426254 LoadLibraryW
0x426258 GetProcAddress
0x42625c FindResourceA
0x426260 LoadResource
0x426264 LockResource
0x426268 SizeofResource
0x42626c CompareStringW
0x426270 CompareStringA
0x426274 lstrlenA
0x426278 lstrcmpiA
0x42627c GetVersion
0x426280 GetLastError
0x426284 WideCharToMultiByte
0x426288 MultiByteToWideChar
0x42628c GetVersionExA
0x426290 GetThreadLocale
0x426294 GetLocaleInfoA
0x426298 GetACP
0x4262a0 InterlockedExchange
Library USER32.dll:
0x4262f0 PostThreadMessageA
0x4262f4 MessageBeep
0x4262f8 GetNextDlgGroupItem
0x4262fc InvalidateRgn
0x426300 InvalidateRect
0x426308 SetRect
0x42630c IsRectEmpty
0x426310 CharNextA
0x426314 ReleaseCapture
0x426318 SetCapture
0x42631c LoadCursorA
0x426320 GetSysColorBrush
0x426324 EndPaint
0x426328 BeginPaint
0x42632c GetWindowDC
0x426330 ReleaseDC
0x426334 GetDC
0x426338 ClientToScreen
0x42633c GrayStringA
0x426340 DrawTextExA
0x426344 DrawTextA
0x426348 TabbedTextOutA
0x42634c ShowWindow
0x426350 MoveWindow
0x426354 SetWindowTextA
0x426358 IsDialogMessageA
0x426360 WinHelpA
0x426364 GetCapture
0x426368 CreateWindowExA
0x42636c GetClassLongA
0x426370 GetClassInfoExA
0x426374 GetClassNameA
0x426378 SetPropA
0x42637c GetPropA
0x426380 RemovePropA
0x426384 SendDlgItemMessageA
0x426388 SetFocus
0x42638c IsChild
0x426394 GetWindowTextA
0x426398 GetForegroundWindow
0x42639c GetTopWindow
0x4263a0 GetMessageTime
0x4263a4 MapWindowPoints
0x4263a8 SetForegroundWindow
0x4263ac UpdateWindow
0x4263b0 GetMenu
0x4263b4 AdjustWindowRectEx
0x4263b8 EqualRect
0x4263bc GetClassInfoA
0x4263c0 RegisterClassA
0x4263c4 UnregisterClassA
0x4263c8 GetDlgCtrlID
0x4263cc DefWindowProcA
0x4263d0 CallWindowProcA
0x4263d4 SetWindowLongA
0x4263d8 OffsetRect
0x4263dc IntersectRect
0x4263e0 GetWindowPlacement
0x4263e4 GetWindowRect
0x4263e8 PtInRect
0x4263ec CharUpperA
0x4263f0 DrawIcon
0x4263f4 AppendMenuA
0x4263f8 SendMessageA
0x4263fc GetSystemMenu
0x426400 IsIconic
0x426404 GetClientRect
0x426408 EnableWindow
0x42640c LoadIconA
0x426410 GetSystemMetrics
0x426414 GetSysColor
0x42641c DestroyMenu
0x426420 CopyRect
0x426424 UnhookWindowsHookEx
0x426428 GetWindow
0x426430 MapDialogRect
0x426434 SetWindowPos
0x426438 wsprintfA
0x42643c GetDesktopWindow
0x426440 SetActiveWindow
0x42644c DestroyWindow
0x426450 IsWindow
0x426454 GetDlgItem
0x426458 GetNextDlgTabItem
0x42645c EndDialog
0x426460 SetMenuItemBitmaps
0x426464 GetFocus
0x426468 ModifyMenuA
0x42646c EnableMenuItem
0x426470 CheckMenuItem
0x426478 LoadBitmapA
0x42647c GetMessagePos
0x426480 GetSubMenu
0x426484 GetMenuItemCount
0x426488 GetMenuItemID
0x42648c GetMenuState
0x426490 PostMessageA
0x426494 PostQuitMessage
0x426498 SetCursor
0x42649c IsWindowEnabled
0x4264a0 GetLastActivePopup
0x4264a4 GetWindowLongA
0x4264a8 GetParent
0x4264ac MessageBoxA
0x4264b0 ValidateRect
0x4264b4 GetCursorPos
0x4264b8 PeekMessageA
0x4264bc GetKeyState
0x4264c0 IsWindowVisible
0x4264c4 GetActiveWindow
0x4264c8 DispatchMessageA
0x4264cc TranslateMessage
0x4264d0 GetMessageA
0x4264d4 CallNextHookEx
0x4264d8 SetWindowsHookExA
Library GDI32.dll:
0x426030 GetBkColor
0x426034 GetTextColor
0x42603c GetRgnBox
0x426040 GetStockObject
0x426044 DeleteDC
0x426048 ExtSelectClipRgn
0x42604c ScaleWindowExtEx
0x426050 SetWindowExtEx
0x426054 ScaleViewportExtEx
0x426058 SetViewportExtEx
0x42605c OffsetViewportOrgEx
0x426060 SetViewportOrgEx
0x426064 SelectObject
0x426068 Escape
0x42606c TextOutA
0x426070 RectVisible
0x426074 GetMapMode
0x426078 GetDeviceCaps
0x42607c GetWindowExtEx
0x426080 GetViewportExtEx
0x426084 DeleteObject
0x426088 SetMapMode
0x42608c RestoreDC
0x426090 SaveDC
0x426094 SetBkColor
0x426098 SetTextColor
0x42609c GetClipBox
0x4260a0 ExtTextOutA
0x4260a4 GetObjectA
0x4260a8 CreateBitmap
0x4260ac PtVisible
Library comdlg32.dll:
0x4264f0 GetFileTitleA
Library WINSPOOL.DRV:
0x4264e0 OpenPrinterA
0x4264e4 DocumentPropertiesA
0x4264e8 ClosePrinter
Library ADVAPI32.dll:
0x426000 RegQueryValueExA
0x426004 RegCreateKeyExA
0x426008 RegSetValueExA
0x42600c RegOpenKeyA
0x426010 RegOpenKeyExA
0x426014 RegDeleteKeyA
0x426018 RegEnumKeyA
0x42601c RegQueryValueA
0x426020 RegCloseKey
Library COMCTL32.dll:
0x426028
Library SHLWAPI.dll:
0x4262dc PathFindFileNameA
0x4262e0 PathStripToRootA
0x4262e4 PathFindExtensionA
0x4262e8 PathIsUNCA
Library oledlg.dll:
0x426538
Library ole32.dll:
0x426504 CoGetClassObject
0x426508 CLSIDFromString
0x42650c CLSIDFromProgID
0x426510 CoTaskMemFree
0x426514 OleUninitialize
0x426520 OleFlushClipboard
0x426528 CoRevokeClassObject
0x42652c CoTaskMemAlloc
0x426530 OleInitialize
Library OLEAUT32.dll:
0x4262a8 SysAllocStringLen
0x4262ac VariantClear
0x4262b0 VariantChangeType
0x4262b4 VariantInit
0x4262b8 SysStringLen
0x4262c8 SafeArrayDestroy
0x4262cc SysAllocString
0x4262d0 VariantCopy
0x4262d4 SysFreeString

Exports

Ordinal Address Name
1 0x401545 UUACZDADWAJJJJJ

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.