SmartHawk

6.2

高危

37 个模型检测该样本为恶意！

重新分析

下载样本

c90134fb290778c4a29837321661902c17754c1182acae6c2b2ea418d5b0d533

8b9d3338d76f9b583734ca06e16fc065.exe

分析耗时

90s

最近分析

文件大小

144.1KB

静态报毒动态报毒 AI SCORE=84 AIDETECTVM BANKERX BSCOPE CLASSIC ELDORADO EMOTET GENCIRC GENERICKDZ GENETIC HFLW HIGH CONFIDENCE HQXTRS KRYPTIK MALWARE2 SUSGEN 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Emotet-FQS!8B9D3338D76F	20200815	6.0.6.653
Alibaba		20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:BankerX-gen [Trj]	20200815	18.4.3895.0
Tencent	Malware.Win32.Gencirc.10cde664	20200815	1.0.0.1
Kingsoft		20200815	2013.8.14.323
CrowdStrike		20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620808788.73425 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (4 个事件)

Time & API	Arguments	Status	Return
1620808778.51525 CryptGenKey	crypto_handle: 0x003b3248 algorithm_identifier: 0x0000660e () provider_handle: 0x002fb830 flags: 1 key: fË¿O4þ¾zãOé(YòÑD	success	1
1620808788.75025 CryptExportKey	crypto_handle: 0x003b3248 crypto_export_handle: 0x003b2560 buffer: f¤Ñ5%[.ø/74¬Ö½ICïM(M¨LÔCfÆ8Ú~{¤úNõÇ£NkùWÿ=¿rs o8¼Îç"©1Ù©o×¶!ìÀÚª'«#ÆPÕ}gÒUf blob_type: 1 flags: 64	success	1
1620808816.60925 CryptExportKey	crypto_handle: 0x003b3248 crypto_export_handle: 0x003b2560 buffer: f¤{5»Ä¿ksãP\qM(Ø tè¯íþÖ\v5ßNJ"¥øéüÕåê®Wõªk¿JYê»ýÏÀ¨K.>¨æ×&õð(_BóB}_n<rÚ© þ]EÑv blob_type: 1 flags: 64	success	1
1620808824.18725 CryptExportKey	crypto_handle: 0x003b3248 crypto_export_handle: 0x003b2560 buffer: f¤4o(p.àqejJ\|~î]Zóà³XBØ=Ó®;áõsg´Ahë^½ÞPMP4Åd3²HÝ*\| ÒÖU¤')ÀÛáÄ¶Æâdòÿ´ÎwÇE%õÖ5å blob_type: 1 flags: 64	success	1

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620808777.06225 NtProtectVirtualMemory	process_identifier: 392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x002e3000	success	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620808789.92225 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Expresses interest in specific running processes (1 个事件)

process

8b9d3338d76f9b583734ca06e16fc065.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620808789.50025 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (4 个事件)

host	116.125.120.88
host	172.217.24.14
host	217.160.182.191
host	82.76.111.249

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1620808792.46925 RegSetValueExA	key_handle: 0x00000388 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620808792.46925 RegSetValueExA	key_handle: 0x00000388 value: Ðû2÷HG× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620808792.48425 RegSetValueExA	key_handle: 0x00000388 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620808792.48425 RegSetValueExW	key_handle: 0x00000388 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620808792.48425 RegSetValueExA	key_handle: 0x000003a0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620808792.48425 RegSetValueExA	key_handle: 0x000003a0 value: Ðû2÷HG× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620808792.48425 RegSetValueExA	key_handle: 0x000003a0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620808792.50025 RegSetValueExW	key_handle: 0x00000384 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69302
McAfee	Emotet-FQS!8B9D3338D76F
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
F-Prot	W32/Emotet.APC.gen!Eldorado
Symantec	Trojan.Emotet
APEX	Malicious
Avast	Win32:BankerX-gen [Trj]
GData	Trojan.GenericKDZ.69302
Kaspersky	HEUR:Trojan-Banker.Win32.Emotet.pef
BitDefender	Trojan.GenericKDZ.69302
NANO-Antivirus	Trojan.Win32.Emotet.hqxtrs
Tencent	Malware.Win32.Gencirc.10cde664
Ad-Aware	Trojan.GenericKDZ.69302
DrWeb	Trojan.Emotet.997
Zillya	Backdoor.Emotet.Win32.908
FireEye	Trojan.GenericKDZ.69302
Sophos	Troj/Emotet-CKS
Cyren	W32/Emotet.APC.gen!Eldorado
Jiangmin	Trojan.Banker.Emotet.obh
MaxSecure	Trojan.Malware.121218.susgen
Antiy-AVL	Trojan/Win32.Generic
Arcabit	Trojan.Generic.D10EB6
Microsoft	Trojan:Win32/Emotet.ARJ!MTB
AhnLab-V3	Malware/Win32.Generic.C4177916
ALYac	Trojan.GenericKDZ.69302
MAX	malware (ai score=84)
VBA32	BScope.Trojan.Inject
Malwarebytes	Trojan.MalPack.TRE.Generic
ESET-NOD32	a variant of Win32/Kryptik.HFLW
Rising	Trojan.Kryptik!1.CA2A (CLASSIC)
Ikarus	Trojan-Banker.Emotet
Fortinet	W32/Emotet.997!tr
AVG	Win32:BankerX-gen [Trj]
Panda	Trj/Genetic.gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 个事件)

dead_host	217.160.182.191:8080
dead_host	172.217.24.14:443
dead_host	216.58.200.46:443
dead_host	116.125.120.88:443
dead_host	82.76.111.249:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-07 21:16:09

Imports

Library MFC42.DLL:

• 0x412918

• 0x41291c

• 0x412920

• 0x412924

• 0x412928

• 0x41292c

• 0x412930

• 0x412934

• 0x412938

• 0x41293c

• 0x412940

• 0x412944

• 0x412948

• 0x41294c

• 0x412950

• 0x412954

• 0x412958

• 0x41295c

• 0x412960

• 0x412964

• 0x412968

• 0x41296c

• 0x412970

• 0x412974

• 0x412978

• 0x41297c

• 0x412980

• 0x412984

• 0x412988

• 0x41298c

• 0x412990

• 0x412994

• 0x412998

• 0x41299c

• 0x4129a0

• 0x4129a4

• 0x4129a8

• 0x4129ac

• 0x4129b0

• 0x4129b4

• 0x4129b8

• 0x4129bc

• 0x4129c0

• 0x4129c4

• 0x4129c8

• 0x4129cc

• 0x4129d0

• 0x4129d4

• 0x4129d8

• 0x4129dc

• 0x4129e0

• 0x4129e4

• 0x4129e8

• 0x4129ec

• 0x4129f0

• 0x4129f4

• 0x4129f8

• 0x4129fc

• 0x412a00

• 0x412a04

• 0x412a08

• 0x412a0c

• 0x412a10

• 0x412a14

• 0x412a18

• 0x412a1c

• 0x412a20

• 0x412a24

• 0x412a28

• 0x412a2c

• 0x412a30

• 0x412a34

• 0x412a38

• 0x412a3c

• 0x412a40

• 0x412a44

• 0x412a48

• 0x412a4c

• 0x412a50

• 0x412a54

• 0x412a58

• 0x412a5c

• 0x412a60

• 0x412a64

• 0x412a68

• 0x412a6c

• 0x412a70

• 0x412a74

• 0x412a78

• 0x412a7c

• 0x412a80

• 0x412a84

• 0x412a88

• 0x412a8c

• 0x412a90

• 0x412a94

• 0x412a98

• 0x412a9c

• 0x412aa0

• 0x412aa4

• 0x412aa8

• 0x412aac

• 0x412ab0

• 0x412ab4

• 0x412ab8

• 0x412abc

• 0x412ac0

• 0x412ac4

• 0x412ac8

• 0x412acc

• 0x412ad0

• 0x412ad4

• 0x412ad8

• 0x412adc

• 0x412ae0

• 0x412ae4

• 0x412ae8

• 0x412aec

• 0x412af0

• 0x412af4

• 0x412af8

• 0x412afc

• 0x412b00

• 0x412b04

• 0x412b08

• 0x412b0c

• 0x412b10

• 0x412b14

• 0x412b18

• 0x412b1c

• 0x412b20

• 0x412b24

• 0x412b28

• 0x412b2c

• 0x412b30

• 0x412b34

• 0x412b38

• 0x412b3c

• 0x412b40

• 0x412b44

• 0x412b48

• 0x412b4c

• 0x412b50

• 0x412b54

• 0x412b58

• 0x412b5c

• 0x412b60

• 0x412b64

• 0x412b68

• 0x412b6c

• 0x412b70

• 0x412b74

• 0x412b78

• 0x412b7c

• 0x412b80

• 0x412b84

• 0x412b88

• 0x412b8c

• 0x412b90

• 0x412b94

• 0x412b98

• 0x412b9c

• 0x412ba0

• 0x412ba4

• 0x412ba8

• 0x412bac

• 0x412bb0

• 0x412bb4

• 0x412bb8

• 0x412bbc

• 0x412bc0

• 0x412bc4

• 0x412bc8

• 0x412bcc

• 0x412bd0

• 0x412bd4

• 0x412bd8

• 0x412bdc

• 0x412be0

• 0x412be4

• 0x412be8

• 0x412bec

• 0x412bf0

• 0x412bf4

• 0x412bf8

• 0x412bfc

• 0x412c00

• 0x412c04

• 0x412c08

• 0x412c0c

• 0x412c10

• 0x412c14

• 0x412c18

• 0x412c1c

• 0x412c20

• 0x412c24

• 0x412c28

• 0x412c2c

• 0x412c30

• 0x412c34

• 0x412c38

• 0x412c3c

• 0x412c40

• 0x412c44

• 0x412c48

• 0x412c4c

• 0x412c50

• 0x412c54

• 0x412c58

• 0x412c5c

• 0x412c60

• 0x412c64

• 0x412c68

• 0x412c6c

• 0x412c70

• 0x412c74

• 0x412c78

• 0x412c7c

• 0x412c80

• 0x412c84

• 0x412c88

• 0x412c8c

• 0x412c90

• 0x412c94

• 0x412c98

• 0x412c9c

• 0x412ca0

• 0x412ca4

• 0x412ca8

• 0x412cac

• 0x412cb0

• 0x412cb4

• 0x412cb8

• 0x412cbc

• 0x412cc0

• 0x412cc4

• 0x412cc8

• 0x412ccc

• 0x412cd0

Library MSVCRT.dll:

• 0x412df8 ??1type_info@@UAE@XZ

• 0x412dfc _except_handler3

• 0x412e00 ?terminate@@YAXXZ

• 0x412e04 __dllonexit

• 0x412e08 _onexit

• 0x412e0c _exit

• 0x412e10 _XcptFilter

• 0x412e14 exit

• 0x412e18 _acmdln

• 0x412e1c __getmainargs

• 0x412e20 _initterm

• 0x412e24 __setusermatherr

• 0x412e28 _adjust_fdiv

• 0x412e2c __p__commode

• 0x412e30 _splitpath

• 0x412e34 __set_app_type

• 0x412e38 _controlfp

• 0x412e3c fprintf

• 0x412e40 fwrite

• 0x412e44 strchr

• 0x412e48 strspn

• 0x412e4c strtok

• 0x412e50 fgets

• 0x412e54 fopen

• 0x412e58 fread

• 0x412e5c fclose

• 0x412e60 __CxxFrameHandler

• 0x412e64 _setmbcp

• 0x412e68 _wcslwr

• 0x412e6c toupper

• 0x412e70 sprintf

• 0x412e74 atoi

• 0x412e78 __p__fmode

• 0x412e7c _CxxThrowException

• 0x412e80 memmove

• 0x412e84 _mbscmp

• 0x412e88 strerror

• 0x412e8c _errno

Library KERNEL32.dll:

• 0x4128c8 GlobalUnlock

• 0x4128cc GetStartupInfoA

• 0x4128d0 GetLastError

• 0x4128d4 GlobalAlloc

• 0x4128d8 GlobalLock

• 0x4128dc GetModuleHandleA

• 0x4128e0 SetCurrentDirectoryA

• 0x4128e4 GetCurrentDirectoryA

Library USER32.dll:

• 0x412f14 CloseClipboard

• 0x412f18 SetClipboardData

• 0x412f1c EmptyClipboard

• 0x412f20 OpenClipboard

• 0x412f24 GetClipboardData

• 0x412f28 EnableWindow

• 0x412f2c CreateWindowExA

• 0x412f30 InSendMessage

• 0x412f34 UpdateWindow

• 0x412f38 LoadBitmapA

• 0x412f3c CheckRadioButton

• 0x412f40 GetDlgItem

• 0x412f44 SendDlgItemMessageA

• 0x412f48 GetClientRect

• 0x412f4c SetCapture

• 0x412f50 LoadMenuA

• 0x412f54 SendMessageA

• 0x412f58 LoadCursorA

• 0x412f5c GetKeyState

• 0x412f60 SetTimer

• 0x412f64 SetCursor

• 0x412f68 KillTimer

• 0x412f6c IsDlgButtonChecked

• 0x412f70 MessageBeep

• 0x412f74 ScreenToClient

• 0x412f78 TranslateMessage

• 0x412f7c DispatchMessageA

• 0x412f80 ReleaseCapture

• 0x412f84 GetCursorPos

• 0x412f88 SetCursorPos

• 0x412f8c GetSubMenu

Library GDI32.dll:

• 0x412898 GetObjectA

Library comdlg32.dll:

• 0x412fd4 GetSaveFileNameA

• 0x412fd8 GetOpenFileNameA

Library SHELL32.dll:

• 0x412ed8 SHGetPathFromIDListA

• 0x412edc SHGetMalloc

• 0x412ee0 DragQueryFileA

• 0x412ee4 SHBrowseForFolderA

Library COMCTL32.dll:

• 0x412868 ImageList_AddMasked

Library MSVCP60.dll:

• 0x412dbc ??1Init@ios_base@std@@QAE@XZ

• 0x412dc0 ??0_Winit@std@@QAE@XZ

• 0x412dc4 ??1_Winit@std@@QAE@XZ

• 0x412dc8 ??0Init@ios_base@std@@QAE@XZ

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 216.58.200.46 CNAME clients.l.google.com	216.58.200.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.41.66	113.108.239.162
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49188	203.208.41.66 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60221	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.