Score: 6.0
Risk level: High

SHA-256: 9a1661da4c0df5e59d48c3dff57a4cc29288826e6c32b09cc64947f1ec5d63ff

File name: 8eb22dcc41692f1a09b369e8268cf8a4.exe (the name is the sample's MD5; McAfee's detection name below, Emotet-FRW!8EB22DCC4169, embeds its first 12 hex digits)

Analysis duration: 75s

Last analysed: (not given)

File size: 204.1KB
Static detection: malicious. Dynamic detection: malicious (100%). The per-engine detection names are listed under the VirusTotal results below.
鹰眼 (Eagle Eye) engine
Not detected: no Eagle Eye engine result is available for this sample.
Static verdict
Antivirus engines

Engine        Result                              Scan date   Engine version
McAfee        Emotet-FRW!8EB22DCC4169             20201211    6.0.6.653
Avast         (no detection recorded)             20201214    21.1.5827.0
Alibaba       Trojan:Win32/Emotet.a70bd9f5        20190527    0.3.0.5
Tencent       Malware.Win32.Gencirc.10cdee4d      20201211    1.0.0.1
Baidu         (no detection recorded)             20190318    1.0.0.2
Kingsoft      Win32.Troj.Banker.(kcloud)          20201211    2017.9.26.565
CrowdStrike   win/malicious_confidence_100% (W)   20190702    1.0
Static indicators

Each event below is shown as: timestamp (Unix epoch seconds; 1619686150 is 2021-04-29 08:49:10 UTC), API, then status / return value / repeat count, followed by the call's arguments.

Queries for the computer name (1 event)
  1619686150.588662  GetComputerNameA  -> success, return 1, repeated 0
      computer_name: OSKAR-PC
Uses Windows APIs to generate a cryptographic key (3 events)
  1619686134.885662  CryptGenKey  -> success, return 1, repeated 0
      crypto_handle: 0x00575c00
      algorithm_identifier: 0x0000660e (CALG_AES_128)
      provider_handle: 0x00571990
      flags: 1 (CRYPT_EXPORTABLE)
      key (raw bytes, unprintable): f¨vÛy{!ÇÉ8¯*
  1619686150.604662  CryptExportKey  -> success, return 1, repeated 0
      crypto_handle: 0x00575c00
      crypto_export_handle: 0x00575250
      buffer (raw bytes, unprintable): f¤P_‘ Ñô¥ø^f©ø’îÖ)JI7½jíÜ]‰8\ýÊ4=òFü…äf03Qz°ÍEàBM×üĈäk?¿ ö3{H‚!àm6ãgO­lÕ§{þZ?¾~·Ü
      blob_type: 1 (SIMPLEBLOB)
      flags: 64 (CRYPT_OAEP)
  1619686186.447662  CryptExportKey  -> success, return 1, repeated 0
      crypto_handle: 0x00575c00
      crypto_export_handle: 0x00575250
      buffer (raw bytes, unprintable): f¤Û=êŒÔ˜-Žÿå_+0q;»¢öÓ ž ˆ¥W|Ü #«»ã9Üe–Jö8ZæÖÇ Ì? %ºê¦RÅ?)\-znxÉàBD[¸ïØ:ɼ¯VLyàúÉ-ß
      blob_type: 1 (SIMPLEBLOB)
      flags: 64 (CRYPT_OAEP)

  Reading: the sample generates an exportable AES-128 key (0x660e is CALG_AES_128 in wincrypt.h; the report left the name blank) and exports it twice, 36 seconds apart, as a SIMPLEBLOB with OAEP padding. A SIMPLEBLOB export wraps the session key with the key-exchange key passed as crypto_export_handle (0x00575250), and CRYPT_OAEP only applies to RSA, so this is an RSA-wrapped AES session key. The two buffers differ because OAEP padding is randomised, not because the key changed: both exports use the same key handle 0x00575c00. This is the key-establishment step of an encrypted C2 channel; no HTTP request was recorded in this run (see the network section), so the wrapped key was never observed leaving the host.
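The numbers in these three records are easier to read once the CryptoAPI constants are resolved. The following Python is an added example written for this page (not code from the report or from the sample): it decodes ALG_ID values and flag words and parses the SIMPLEBLOB and PUBLICKEYBLOB layouts that CryptExportKey produces. The constants are from wincrypt.h; the blobs it builds are constructed here for illustration and are not the bytes the sandbox captured.

```python
"""Decode the CryptoAPI numbers the sandbox logged for CryptGenKey/CryptExportKey.

Added example for this report; it is not code from the page or from the
sample.  The constants come from wincrypt.h.  The blobs built below are
constructed here for illustration, not the bytes the sandbox captured.
"""
import struct

# ALG_ID layout: class (bits 13-15) | type (bits 9-12) | sub-id (bits 0-8).
ALG_CLASS = {1 << 13: "SIGNATURE", 2 << 13: "MSG_ENCRYPT", 3 << 13: "DATA_ENCRYPT",
             4 << 13: "HASH", 5 << 13: "KEY_EXCHANGE"}
ALG_TYPE = {0: "ANY", 1 << 9: "DSS", 2 << 9: "RSA", 3 << 9: "BLOCK",
            4 << 9: "STREAM", 5 << 9: "DH"}
CALG = {0x6601: "CALG_DES", 0x6603: "CALG_3DES", 0x6801: "CALG_RC4",
        0x660e: "CALG_AES_128", 0x660f: "CALG_AES_192", 0x6610: "CALG_AES_256",
        0xa400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN",
        0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800c: "CALG_SHA_256"}
BLOB_TYPE = {1: "SIMPLEBLOB", 6: "PUBLICKEYBLOB", 7: "PRIVATEKEYBLOB",
             8: "PLAINTEXTKEYBLOB"}
CUR_BLOB_VERSION = 2
GENKEY_FLAGS = {0x1: "CRYPT_EXPORTABLE", 0x2: "CRYPT_USER_PROTECTED",
                0x4: "CRYPT_CREATE_SALT", 0x8: "CRYPT_UPDATE_KEY"}
EXPORT_FLAGS = {0x4: "CRYPT_DESTROYKEY", 0x40: "CRYPT_OAEP", 0x80: "CRYPT_BLOB_VER3"}


def decode_alg_id(alg_id):
    """Split an ALG_ID into its fields and name it when it is a known CALG_*."""
    return {"name": CALG.get(alg_id, "unknown(0x%04x)" % alg_id),
            "class": ALG_CLASS.get(alg_id & (7 << 13), "ANY"),
            "type": ALG_TYPE.get(alg_id & (15 << 9), "unknown"),
            "sid": alg_id & 0x1ff}


def flag_names(value, table):
    """Expand a flags DWORD into names; leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append("0x%x" % (value & ~known))
    return names


def make_simpleblob(key_alg, enc_alg, wrapped_key):
    """Lay out a SIMPLEBLOB as CryptExportKey(..., SIMPLEBLOB, ...) does:
    BLOBHEADER, the ALG_ID of the wrapping key, then the wrapped session key."""
    return struct.pack("<BBHII", 1, CUR_BLOB_VERSION, 0, key_alg, enc_alg) + wrapped_key


def make_publickeyblob(n, e, bits):
    """PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY {'RSA1', bitlen, pubexp}, modulus little-endian."""
    return (struct.pack("<BBHI", 6, CUR_BLOB_VERSION, 0, 0xa400)
            + b"RSA1" + struct.pack("<II", bits, e) + n.to_bytes(bits // 8, "little"))


def parse_blob(blob):
    """Parse the two blob types that matter for a session-key exchange."""
    if len(blob) < 8:
        raise ValueError("shorter than a BLOBHEADER")
    b_type, version, _reserved, key_alg = struct.unpack_from("<BBHI", blob, 0)
    out = {"blob_type": BLOB_TYPE.get(b_type, "unknown(%d)" % b_type),
           "version": version, "key_alg": decode_alg_id(key_alg)}
    if b_type == 1:
        (enc_alg,) = struct.unpack_from("<I", blob, 8)
        out["wrapped_with"] = decode_alg_id(enc_alg)
        out["wrapped_key"] = blob[12:]
        # An RSA-wrapped key is exactly one modulus long, so the buffer
        # length reveals the size of the exchange key.
        out["exchange_key_bits"] = len(blob[12:]) * 8
    elif b_type == 6:
        magic, bits, e = struct.unpack_from("<4sII", blob, 8)
        if magic != b"RSA1":
            raise ValueError("PUBLICKEYBLOB without RSA1 magic")
        out.update(bits=bits, e=e,
                   n=int.from_bytes(blob[20:20 + bits // 8], "little"))
    return out


def explain_trace():
    """The raw numbers from this report's two calls, resolved to names."""
    return {"CryptGenKey": (decode_alg_id(0x660e)["name"], flag_names(1, GENKEY_FLAGS)),
            "CryptExportKey": (BLOB_TYPE[1], flag_names(64, EXPORT_FLAGS))}


if __name__ == "__main__":
    print(explain_trace())
    print(parse_blob(make_simpleblob(0x660e, 0xa400, bytes(128)))["exchange_key_bits"])
```

Applied to the trace: 0x660e decodes to class DATA_ENCRYPT, type BLOCK, sub-id 14, i.e. CALG_AES_128; flags 1 is CRYPT_EXPORTABLE, blob type 1 is SIMPLEBLOB and export flag 64 is CRYPT_OAEP. When the exported buffer is recovered from memory rather than mangled as on this page, the length of the wrapped key after the 12-byte header gives the RSA modulus size of the embedded public key.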
The executable uses a known packer (1 event)
  packer: Armadillo v1.71 (a signature match; packer signatures on PE files are frequently wrong, so the RWX allocation under the dynamic indicators is the firmer evidence that the file unpacks at run time)
Behavioral verdict
Dynamic indicators

Allocates read-write-execute memory (usually to unpack itself) (1 event)
  1619686134.166662  NtAllocateVirtualMemory  -> success, return 0 (STATUS_SUCCESS), repeated 0
      process_identifier: 3000
      region_size: 36864 (0x9000)
      stack_dep_bypass: 0
      stack_pivoted: 0
      heap_dep_bypass: 0
      protection: 64 (PAGE_EXECUTE_READWRITE)
      process_handle: 0xffffffff (the current-process pseudo-handle)
      allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
      base_address: 0x00760000
  This is the region the packed stage uses to stage the real payload; it is allocated 0.7 s before CryptGenKey, consistent with the unpacked code then doing the cryptographic and network work recorded in this report.
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
  (no call details recorded for this signature)
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
  1619686151.057662  GetAdaptersAddresses  -> failed, return 111 (ERROR_BUFFER_OVERFLOW), repeated 0
      flags: 0
      family: 0 (AF_UNSPEC)
  Return 111 is not a failure in the usual sense: GetAdaptersAddresses is first called with a buffer that is too small to learn the required size, and that call returns ERROR_BUFFER_OVERFLOW by design. Only a second call with a large enough buffer reads the adapter list, and no such call is in the log, so this event on its own does not show that MAC prefixes were inspected.
Expresses interest in specific running processes (1 event)
  process: 8eb22dcc41692f1a09b369e8268cf8a4.exe (the sample's own process)
Reads the system's User Agent and subsequently performs requests (1 event)
  1619686150.729662  InternetOpenW  -> success, return 13369348 (HINTERNET 0x00cc0004), repeated 0
      proxy_bypass: (empty)
      access_type: 0 (INTERNET_OPEN_TYPE_PRECONFIG)
      proxy_name: (empty)
      flags: 0
      user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Despite the signature name, no HTTP request was recorded after this call (see the network section). INTERNET_OPEN_TYPE_PRECONFIG tells WinINET to take its proxy configuration from the Internet Settings registry hive, including proxy auto-detection, which is what produces the WPAD registry writes three seconds later.
Network communication

Communicates with hosts for which no DNS query was performed (3 events)
  host 172.217.24.14 (Google address space, 172.217.0.0/16)
  host 37.52.87.0
  host 87.118.70.45
  Connecting to literal IP addresses with no preceding name lookup is a useful detection feature in itself, since benign software almost always resolves a name first. None of the three appears as an established connection in the TCP section below, so the attempts did not complete; 37.52.87.0:80 is explicitly reported dead.
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
  All eight writes occur between 1619686153.651662 and 1619686153.682662 via RegSetValueExA/RegSetValueExW, all succeed (return 0, repeated 0), and all sit under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ (key handles 0x000003ac for the GUID subkey, 0x000003c4 for the adapter subkey, 0x000003a8 for the Wpad key itself):

  Subkey                                    Value name           Type         Data
  {40112ABE-63B3-43C3-BE93-1440EE3AF106}    WpadDecisionReason   REG_DWORD    1
  {40112ABE-63B3-43C3-BE93-1440EE3AF106}    WpadDecisionTime     REG_BINARY   P+ãÒ<× (binary timestamp, unprintable)
  {40112ABE-63B3-43C3-BE93-1440EE3AF106}    WpadDecision         REG_DWORD    3
  {40112ABE-63B3-43C3-BE93-1440EE3AF106}    WpadNetworkName      REG_SZ       网络 2 ("Network 2", the connection name on a Chinese-language Windows install)
  0a-00-27-00-00-00                         WpadDecisionReason   REG_DWORD    1
  0a-00-27-00-00-00                         WpadDecisionTime     REG_BINARY   P+ãÒ<× (binary timestamp, unprintable)
  0a-00-27-00-00-00                         WpadDecision         REG_DWORD    3
  (Wpad key itself)                         WpadLastNetwork      REG_SZ       {40112ABE-63B3-43C3-BE93-1440EE3AF106}

  Caveat: these values are the cache that WinINET/WinHTTP proxy auto-detection maintains for the current network, and the library writes them inside whichever process used it, so a sandbox hook attributes them to the sample. The signature text ("for traffic interception") overstates what is logged: nothing here sets AutoConfigURL, ProxyServer or ProxyEnable; the sample opened WinINET with preconfigured proxy settings (InternetOpenW above) and the library recorded the outcome of its WPAD lookup. Treat this as noise unless those proxy values are also written.
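Signature names like the ones above are coarse; the practitioner's check is to parse the records and apply rules per API. The following Python is an added example (not code from the page or from the sandbox vendor): it parses the record layout used on this page and applies three rules matching the caveats noted above, an RWX allocation, a GetAdaptersAddresses sizing call, and writes into the WinINET WPAD cache. The three records embedded in it are copied from this report; the rules and the severity labels are this example's own.

```python
"""Parse sandbox API-call records in this report's layout and triage them.

Added example, not code from the page or from the sandbox vendor.  The three
records in RECORDS are copied from this report (the RWX allocation, the
adapter query and one of the eight WPAD writes); the rules and severity
labels are this example's own.
"""
import re

RECORDS = """\
1619686134.166662
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00760000
success 0 0
1619686151.057662
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
1619686153.651662
RegSetValueExA
key_handle: 0x000003ac
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\\WpadDecision
success 0 0
"""

TS_RE = re.compile(r"^\d+\.\d+$")                            # a record starts with an epoch timestamp
STATUS_RE = re.compile(r"^(success|failed) (-?\d+) (\d+)$")  # "status return repeated" ends it
ARG_RE = re.compile(r"^([A-Za-z_]\w*):\s?(.*)$")             # "name: value" lines in between
WPAD_CACHE = re.compile(r"\\Internet Settings\\Wpad\\", re.I)
PAGE_EXECUTE_READWRITE = 0x40
ERROR_BUFFER_OVERFLOW = 111


def parse_records(text):
    """Return one dict per record: ts, api, args, status, ret, repeated."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if cur is None:
            if TS_RE.match(line):
                cur = {"ts": float(line), "api": None, "args": {}}
            continue
        if cur["api"] is None:
            cur["api"] = line
            continue
        m = STATUS_RE.match(line)
        if m:
            cur["status"] = m.group(1)
            cur["ret"], cur["repeated"] = int(m.group(2)), int(m.group(3))
            events.append(cur)
            cur = None
            continue
        m = ARG_RE.match(line)
        if m:
            cur["args"][m.group(1)] = m.group(2)
    return events


def num(arg):
    """Leading integer of an argument such as '64 (PAGE_EXECUTE_READWRITE)'."""
    return int(arg.split()[0], 0)


def triage(events):
    """Apply per-API rules; each finding is (severity, api, note)."""
    findings = []
    for ev in events:
        api, a = ev["api"], ev["args"]
        if api == "NtAllocateVirtualMemory" and num(a["protection"]) & PAGE_EXECUTE_READWRITE:
            target = "own process" if num(a["process_handle"]) == 0xffffffff else a["process_handle"]
            findings.append(("suspicious", api,
                             "RWX region of %d bytes in %s: an unpacker staging code it is about to run"
                             % (num(a["region_size"]), target)))
        elif api == "GetAdaptersAddresses":
            if ev["status"] == "failed" and ev["ret"] == ERROR_BUFFER_OVERFLOW:
                findings.append(("info", api,
                                 "ERROR_BUFFER_OVERFLOW is the normal buffer-sizing call; the adapter "
                                 "list is only read by a second call with a larger buffer"))
            else:
                findings.append(("suspicious", api, "adapter list actually read"))
        elif api.startswith("RegSetValueEx") and WPAD_CACHE.search(a.get("regkey", "")):
            findings.append(("likely-benign", api,
                             "%s: WinINET/WinHTTP proxy auto-detect cache, written inside the "
                             "calling process by the OS library, not a PAC-file change" % a["regkey_r"]))
    return findings


if __name__ == "__main__":
    for sev, api, note in triage(parse_records(RECORDS)):
        print(sev, api, note, sep="  ")
```

Run against the three records the result is one suspicious finding (the RWX allocation), one informational (the sizing call) and one likely-benign (the WPAD cache write), which is a fairer summary of this section than the three signature titles suggest. The parser keys records on the epoch timestamp line and the trailing "status return repeated" line, so it can be pointed at the other event blocks on this page as they are.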
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
  dead_host 37.52.87.0:80
File has been identified by 56 antivirus engines on VirusTotal as malicious (50 of 56 results shown)
Vendor  Detection name
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Emotet.1006
MicroWorld-eScan Trojan.Agent.EVLK
FireEye Trojan.Agent.EVLK
McAfee Emotet-FRW!8EB22DCC4169
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Win32.Emotet.L!c
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.Agent.EVLK
K7GW Riskware ( 0040eff71 )
BitDefenderTheta Gen:NN.ZexaF.34670.my1@aCIlupoi
Cyren W32/Emotet.ARC.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
Kaspersky Trojan-Banker.Win32.Emotet.gcmr
Alibaba Trojan:Win32/Emotet.a70bd9f5
NANO-Antivirus Trojan.Win32.Emotet.hszesc
Tencent Malware.Win32.Gencirc.10cdee4d
Ad-Aware Trojan.Agent.EVLK
TACHYON Banker/W32.Emotet.209016
Emsisoft Trojan.Emotet (A)
Comodo Malware@#3amhjspzauiah
F-Secure Trojan.TR/Emotet.kmzrn
Zillya Trojan.Emotet.Win32.24951
TrendMicro TROJ_GEN.R002C0DHR20
McAfee-GW-Edition BehavesLike.Win32.Emotet.dt
Sophos Mal/Generic-R + Troj/Emotet-CLV
Ikarus Trojan-Banker.Emotet
GData Trojan.Agent.EVLK
Jiangmin Trojan.Banker.Emotet.ofj
Avira TR/Emotet.kmzrn
Antiy-AVL Trojan/Win32.Emotet
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Arcabit Trojan.Agent.EVLK
ZoneAlarm Trojan-Banker.Win32.Emotet.gcmr
Microsoft Trojan:Win32/Emotet.PED!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R349240
ALYac Trojan.Agent.Emotet
MAX malware (ai score=86)
VBA32 BScope.Trojan.Downloader
Malwarebytes Trojan.MalPack.TRE
Panda Trj/Genetic.gen
ESET-NOD32 Win32/Emotet.CD
TrendMicro-HouseCall TROJ_GEN.R002C0DHR20
Rising Trojan.Emotet!1.CB4A (CLASSIC)
Yandex Trojan.GenKryptik!4pQpcfjXzmw
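A vendor list like this one is best read as votes for a family rather than as fifty independent opinions. The following Python is an added example (not a tool from this page): it strips category and variant tokens from each label, collapses vendors that license another vendor's engine, and ranks the remaining family names by the number of distinct engines that use them. LABELS is a subset of the rows above, copied verbatim; the GENERIC and ENGINE_FAMILY lists are this example's own and will need extending for other reports.

```python
"""Reduce a VirusTotal vendor column to a family consensus.

Added example for this report, not a tool from the page.  LABELS is a subset
of the rows above, copied verbatim; GENERIC and ENGINE_FAMILY are this
example's own lists and will need extending for other reports.
"""
import re
from collections import defaultdict

LABELS = [
    ("DrWeb", "Trojan.Emotet.1006"),
    ("MicroWorld-eScan", "Trojan.Agent.EVLK"),
    ("FireEye", "Trojan.Agent.EVLK"),
    ("BitDefender", "Trojan.Agent.EVLK"),
    ("McAfee", "Emotet-FRW!8EB22DCC4169"),
    ("Kaspersky", "Trojan-Banker.Win32.Emotet.gcmr"),
    ("ZoneAlarm", "Trojan-Banker.Win32.Emotet.gcmr"),
    ("Cyren", "W32/Emotet.ARC.gen!Eldorado"),
    ("Sophos", "Mal/Generic-R + Troj/Emotet-CLV"),
    ("Microsoft", "Trojan:Win32/Emotet.PED!MTB"),
    ("Gridinsoft", "Ransom.Win32.Wacatac.oa!s1"),
    ("Yandex", "Trojan.GenKryptik!4pQpcfjXzmw"),
    ("Tencent", "Malware.Win32.Gencirc.10cdee4d"),
    ("Elastic", "malicious (high confidence)"),
    ("Cylance", "Unsafe"),
]
# Tokens that name a category, a verdict or an engine heuristic, not a family.
GENERIC = {"trojan", "troj", "win32", "generic", "agent", "malware", "malicious",
           "unsafe", "riskware", "banker", "downloader", "ransom", "high",
           "confidence", "malpack", "behaveslike", "classic", "eldorado"}
# Vendors that ship another vendor's engine vote as that engine; identical
# label strings in the table are the tell-tale sign.
ENGINE_FAMILY = {"MicroWorld-eScan": "BitDefender", "FireEye": "BitDefender",
                 "ZoneAlarm": "Kaspersky"}


def family_tokens(label):
    """Candidate family names in one label: lower-cased words that are not
    category words, not short variant suffixes (CLV, MTB) and carry no digits."""
    out = set()
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        tok = tok.lower()
        if len(tok) < 4 or tok in GENERIC or re.search(r"\d", tok):
            continue
        out.add(tok)
    return out


def consensus(labels, min_votes=2, collapse_engines=True):
    """Rank family tokens by the number of distinct engines that use them."""
    votes = defaultdict(set)
    for vendor, label in labels:
        voter = ENGINE_FAMILY.get(vendor, vendor) if collapse_engines else vendor
        for tok in family_tokens(label):
            votes[tok].add(voter)
    ranked = sorted(votes.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(tok, len(v)) for tok, v in ranked if len(v) >= min_votes]


def agreement(labels, family):
    """How many of the listed vendors name this family at all."""
    hits = sum(1 for _, label in labels if family in family_tokens(label))
    return hits, len(labels)


if __name__ == "__main__":
    print(consensus(LABELS, collapse_engines=False))
    print(consensus(LABELS))
    print(agreement(LABELS, "emotet"))
```

On this subset the answer is emotet with six engines once eScan and FireEye are folded into BitDefender and ZoneAlarm into Kaspersky. Without that folding, the BitDefender variant id EVLK shows up as a second "family" with three votes, which is exactly the artefact engine-collapsing removes; the remaining single-vendor tokens (wacatac, genkryptik, gencirc) are engine-specific heuristics and fall below the vote threshold.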
Visual analysis
Binary image: none (no binary visualisation was generated for this sample)
Run-time screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

2020-08-26 00:11:40

This timestamp is a field in the PE header and costs nothing to forge. Three of the dates in the static engine table above (Baidu 20190318, Alibaba 20190527, CrowdStrike 20190702) precede it, so either that column records definition dates rather than scans of this file or the compile time is not genuine; do not use it to date the sample.

Imports

Library MFC42.DLL:
198 functions imported by ordinal (no names resolved), occupying the contiguous IAT slots 0x413a1c through 0x413d30 at 4-byte spacing. MFC 4.2 exports by ordinal, so name-less entries are normal for an MFC application and are not by themselves a sign of obfuscation.
Library MSVCRT.dll:
0x413e38 __CxxFrameHandler
0x413e3c _ftol
0x413e40 _mbsnbcat
0x413e44 _mbsstr
0x413e48 _mbscmp
0x413e4c _vsnprintf
0x413e50 _mbsnbcpy
0x413e54 sprintf
0x413e58 _mbsupr
0x413e5c _wcslwr
0x413e60 malloc
0x413e64 __dllonexit
0x413e68 _onexit
0x413e6c _exit
0x413e70 _XcptFilter
0x413e74 exit
0x413e78 _acmdln
0x413e7c __getmainargs
0x413e80 _initterm
0x413e84 __setusermatherr
0x413e88 _adjust_fdiv
0x413e8c __p__commode
0x413e90 __p__fmode
0x413e94 __set_app_type
0x413e98 _except_handler3
0x413e9c _controlfp
0x413ea0 _setmbcp
Library KERNEL32.dll:
0x413948 GetModuleHandleA
0x41394c ExitProcess
0x413950 OpenMutexA
0x413954 OpenEventA
0x413958 CreateEventA
0x41395c ReleaseMutex
0x413960 WaitForSingleObject
0x413964 IsBadReadPtr
0x413968 IsBadWritePtr
0x41396c SetEvent
0x413970 UnmapViewOfFile
0x413974 CloseHandle
0x413978 FlushViewOfFile
0x41397c CreateFileMappingA
0x413980 OpenFileMappingA
0x413984 MapViewOfFile
0x413988 CreateFileA
0x41398c DeviceIoControl
0x413990 GetFileSize
0x413994 WinExec
0x41399c LoadLibraryA
0x4139a0 FreeLibrary
0x4139a4 CreateMutexA
0x4139a8 SetLastError
0x4139ac GetCurrentThreadId
0x4139b0 GetCurrentProcess
0x4139b4 GetLastError
0x4139bc Sleep
0x4139c0 GlobalAlloc
0x4139c4 GlobalSize
0x4139c8 GlobalLock
0x4139cc GlobalUnlock
0x4139d0 GetStartupInfoA
Library USER32.dll:
0x413f14 InSendMessage
0x413f18 CreateWindowExA
0x413f1c AppendMenuA
0x413f20 GetSystemMenu
0x413f24 DrawIcon
0x413f28 GetSubMenu
0x413f2c TabbedTextOutA
0x413f30 GetSysColor
0x413f34 InvalidateRect
0x413f38 GetClientRect
0x413f3c DrawFocusRect
0x413f40 GetSystemMetrics
0x413f44 LoadCursorA
0x413f48 CopyIcon
0x413f4c GetWindowRect
0x413f50 GetParent
0x413f54 GetDC
0x413f58 LoadIconA
0x413f5c InflateRect
0x413f60 RedrawWindow
0x413f64 SetCursor
0x413f68 GetMessagePos
0x413f6c ScreenToClient
0x413f70 PtInRect
0x413f74 SetTimer
0x413f78 MessageBeep
0x413f7c SetWindowLongA
0x413f80 KillTimer
0x413f84 DestroyCursor
0x413f8c GetThreadDesktop
0x413f94 wsprintfA
0x413f98 IsWindow
0x413f9c SendMessageA
0x413fa0 EmptyClipboard
0x413fa4 SetClipboardData
0x413fa8 ReleaseDC
0x413fac LoadMenuA
0x413fb0 OpenClipboard
0x413fb4 GetClipboardData
0x413fb8 CloseClipboard
0x413fbc EnableWindow
0x413fc0 GrayStringA
0x413fc4 IsIconic
0x413fc8 DrawTextA
Library GDI32.dll:
0x4138b0 CreatePen
0x4138b4 CreateSolidBrush
0x4138b8 GetTextMetricsA
0x4138bc CreateFontA
0x4138c0 CreatePolygonRgn
0x4138c4 PtVisible
0x4138c8 RectVisible
0x4138cc Polygon
0x4138d0 ExtTextOutA
0x4138d4 Escape
0x4138d8 CreateFontIndirectA
0x4138dc GetObjectA
0x4138e0 GetStockObject
0x4138e8 GetCharWidthA
0x4138ec CreateCompatibleDC
0x4138f0 LPtoDP
0x4138f8 GetMapMode
0x4138fc DPtoLP
0x413900 TextOutA
0x413904 BitBlt
0x413908 GetBkColor
Library ADVAPI32.dll:
0x413868 RegQueryValueA
0x41386c RegCloseKey
0x413870 OpenProcessToken
0x413874 GetTokenInformation
0x413878 GetUserNameA
0x41387c RegOpenKeyExA
Library SHELL32.dll:
0x413ee4 ShellExecuteA
Library MSVCP60.dll: (no named entries listed)

What the import table says: this is an MFC 4.2 GUI program (menus, clipboard, GDI drawing, timers) with a small KERNEL32 surface (mutexes, events, file mappings, DeviceIoControl, WinExec). None of the APIs seen at run time (CryptGenKey/CryptExportKey, InternetOpenW, GetAdaptersAddresses, RegSetValueEx, NtAllocateVirtualMemory) is imported, and KERNEL32 supplies LoadLibraryA but not GetProcAddress. The code that runs after the RWX allocation therefore resolves its imports itself; walking the loader list and export tables is the usual way to do that, but this is an inference from the table, not something the report shows.

Hosts

No hosts contacted.

TCP

No TCP connections recorded. (The three direct-to-IP attempts listed under "Network communication" therefore never completed a handshake; 37.52.87.0:80 is explicitly reported dead.)

UDP

Source           Src port   Destination                       Dst port   Protocol
192.168.56.101   50534      114.114.114.114                   53         DNS
192.168.56.101   51808      114.114.114.114                   53         DNS
192.168.56.101   56539      114.114.114.114                   53         DNS
192.168.56.101   58367      114.114.114.114                   53         DNS
192.168.56.101   63429      114.114.114.114                   53         DNS
192.168.56.101   65004      114.114.114.114                   53         DNS
192.168.56.101   137        192.168.56.255                    137        NetBIOS name service (broadcast)
192.168.56.101   138        192.168.56.255                    138        NetBIOS datagram (broadcast)
192.168.56.101   123        20.189.79.72 (time.windows.com)   123        NTP
192.168.56.101   49235      224.0.0.252                       5355       LLMNR (multicast)
192.168.56.101   51378      224.0.0.252                       5355       LLMNR (multicast)
192.168.56.101   51963      224.0.0.252                       5355       LLMNR (multicast)
192.168.56.101   56804      224.0.0.252                       5355       LLMNR (multicast)
192.168.56.101   62191      224.0.0.252                       5355       LLMNR (multicast)
192.168.56.101   1900       239.255.255.250                   1900       SSDP (multicast)
192.168.56.101   51809      239.255.255.250                   3702       WS-Discovery (multicast)
192.168.56.101   51811      239.255.255.250                   3702       WS-Discovery (multicast)
192.168.56.101   56540      239.255.255.250                   3702       WS-Discovery (multicast)
192.168.56.101   56807      239.255.255.250                   1900       SSDP (multicast)
192.168.56.101   58707      239.255.255.250                   3702       WS-Discovery (multicast)

Everything in this table is Windows background traffic: six lookups to the sandbox's configured resolver (114.114.114.114, a public resolver in China), NetBIOS broadcasts, an NTP sync with time.windows.com, LLMNR and SSDP/WS-Discovery multicast. None of it is attributable to the sample, and none of it should go into an IOC list. The 192.168.56.0/24 source is the VirtualBox host-only default range, which also identifies the analysis platform.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none.