9.8
Critical

23cac5345d3e1b2d53ab246d6d6dff34433e7a6db2b590ca49bd7129a87cfd3c

97bb633ca1061f873ff335b5b18bf846.exe

Analysis time

117s

Last analyzed

File size

296.0KB
Static detection: yes. Dynamic detection: yes. Tags: 100% AI SCORE=99 AIDETECT BANKERX BSCOPE CLOUD CONFIDENCE CXFKOPRQVM4 DOWNLOADER34 ELDORADO EMOTET EMOTETCRYPT GDSE GENCIRC GENERICKD GENERICKDZ HGIASOYA HIGH CONFIDENCE HUMWCI KCLOUD MALICIOUS PE MALWARE2 MALWARE@#755UPBL39SB4 R + TROJ RFVWN SAVE SCORE SQX@AAWMTTDI STATIC AI TRBL TROJANBANKER UNSAFE ZEXAF
HawkEye engine
Not detected: no HawkEye engine results available
Static verdict
Antivirus engines
Engine Result Date Version
Alibaba Trojan:Win32/Emotet.d08f1ba3 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20210405 21.1.5827.0
Tencent Malware.Win32.Gencirc.10ce0170 20210405 1.0.0.1
Kingsoft Win32.Troj.Banker.(kcloud) 20210405 2017.9.26.565
McAfee Emotet-FSD!97BB633CA106 20210405 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1620818262.118125
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 events)
Time & API Arguments Status Return Repeated
1620818250.399125
CryptGenKey
crypto_handle: 0x00521c70
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00521868
flags: 1
key: fß1õ-%ùù (¡2Ó«-†
success 1 0
1620818262.118125
CryptExportKey
crypto_handle: 0x00521c70
crypto_export_handle: 0x00521c30
buffer: f¤½öÀb¾H\Œ›ëWzÚ-fó]ÊÀ‘Ÿ7 XGî?ÁÀ/ÕY둫íä`~Ê;À²¤†Ùì¹Û'ñÞ'¡}nµ*zs¼lߜÃӛФEÖÈåb.\†¤†þ%{íàHÇãîw§"ñþ6q
blob_type: 1
flags: 64
success 1 0
1620818291.462125
CryptExportKey
crypto_handle: 0x00521c70
crypto_export_handle: 0x00521c30
buffer: f¤ûç¾@‹Þè<ø°²¡ü\Ër\!\_Á]˜¢€uç¨f<`P—[H2\ÎAŒ2ª'¨tœ Üc>,X¿Zú| ˜¡¿Å‘‘]½|é_˜±ocN1f֜YO3
blob_type: 1
flags: 64
success 1 0
1620818316.196125
CryptExportKey
crypto_handle: 0x00521c70
crypto_export_handle: 0x00521c30
buffer: f¤%€©W`p$e9 ‘dE‘ú5Úí€fì^çAÛIšjGžyfÛØ:Èë8ò§qê~LšYŠ £`i“ó¡€¹º?R¹»žüSÝcÆP+õlëlèíà*ibN‹
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
The file contains an unknown PE resource name, possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1620818240.634875
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02380000
success 0 0
1620818303.727
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000041d0000
success 0 0
1620818250.087125
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00780000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620818240.634875
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 45056
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x024b1000
success 0 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1620818242.024875
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97bb633ca1061f873ff335b5b18bf846.exe
newfilepath: C:\Windows\SysWOW64\SyncHost\dwmcore.exe
newfilepath_r: C:\Windows\SysWOW64\SyncHost\dwmcore.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97bb633ca1061f873ff335b5b18bf846.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620818264.493125
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process dwmcore.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620818262.649125
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with host for which no DNS query was performed (4 events)
host 172.217.24.14
host 178.79.163.131
host 51.38.124.206
host 74.136.144.133
Installs itself for autorun at Windows startup (1 event)
service_name dwmcore service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\SyncHost\dwmcore.exe"
Created a service that was also not started (1 event)
Time & API Arguments Status Return Repeated
1620818247.696875
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x026e94c0
display_name: dwmcore
error_control: 0
service_name: dwmcore
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\SyncHost\dwmcore.exe"
filepath_r: "C:\Windows\SysWOW64\SyncHost\dwmcore.exe"
service_manager_handle: 0x026e9150
desired_access: 2
service_type: 16
password:
success 40801472 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620818267.087125
RegSetValueExA
key_handle: 0x00000380
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620818267.087125
RegSetValueExA
key_handle: 0x00000380
value: ð}á G×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620818267.087125
RegSetValueExA
key_handle: 0x00000380
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620818267.087125
RegSetValueExW
key_handle: 0x00000380
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620818267.087125
RegSetValueExA
key_handle: 0x00000398
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620818267.087125
RegSetValueExA
key_handle: 0x00000398
value: ð}á G×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620818267.087125
RegSetValueExA
key_handle: 0x00000398
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620818267.102125
RegSetValueExW
key_handle: 0x0000037c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of the file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\SyncHost\dwmcore.exe:Zone.Identifier
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43808119
ALYac Trojan.GenericKD.43808119
Malwarebytes Trojan.MalPack.TRE
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056e14e1 )
Alibaba Trojan:Win32/Emotet.d08f1ba3
K7GW Trojan ( 0056e14e1 )
Cybereason malicious.ca1061
Arcabit Trojan.Generic.D29C7577
Cyren W32/Emotet.ASI.gen!Eldorado
Symantec Trojan.Emotet
ESET-NOD32 Win32/Emotet.CD
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Emotet-9782464-0
Kaspersky Trojan-Banker.Win32.Emotet.gdse
BitDefender Trojan.GenericKD.43808119
NANO-Antivirus Trojan.Win32.Emotet.humwci
Avast Win32:BankerX-gen [Trj]
Tencent Malware.Win32.Gencirc.10ce0170
Ad-Aware Trojan.GenericKD.43808119
Emsisoft Trojan.GenericKD.43808119 (B)
Comodo Malware@#755upbl39sb4
F-Secure Trojan.TR/Emotet.rfvwn
DrWeb Trojan.DownLoader34.38207
Zillya Trojan.Emotet.Win32.29296
McAfee-GW-Edition Emotet-FSD!97BB633CA106
FireEye Generic.mg.97bb633ca1061f87
Sophos Mal/Generic-R + Troj/Emotet-CND
Ikarus Trojan-Banker.Emotet
Jiangmin Trojan.Banker.Emotet.ojh
Webroot W32.Trojan.Emotet
Avira TR/Emotet.rfvwn
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Trojan.Win32.Emotet.oa
Microsoft Trojan:Win32/EmotetCrypt.PV!MTB
AegisLab Trojan.Win32.Emotet.trBl
ZoneAlarm Trojan-Banker.Win32.Emotet.gdse
GData Trojan.GenericKD.43808119
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.C4194777
McAfee Emotet-FSD!97BB633CA106
MAX malware (ai score=99)
VBA32 BScope.TrojanBanker.Emotet
Cylance Unsafe
Rising Trojan.EmotetCrypt!8.120EC (CLOUD)
Yandex Trojan.Emotet!CXfKOPrQVm4
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (6 events)
dead_host 51.38.124.206:80
dead_host 74.136.144.133:80
dead_host 172.217.24.14:443
dead_host 216.58.200.46:443
dead_host 178.79.163.131:8080
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-09-10 02:45:30

Imports

Library MFC42.DLL:
0x40702c
0x407030
0x407034
0x407038
0x40703c
0x407040
0x407044
0x407048
0x40704c
0x407050
0x407054
0x407058
0x40705c
0x407060
0x407064
0x407068
0x40706c
0x407070
0x407074
0x407078
0x40707c
0x407080
0x407084
0x407088
0x40708c
0x407090
0x407094
0x407098
0x40709c
0x4070a0
0x4070a4
0x4070a8
0x4070ac
0x4070b0
0x4070b4
0x4070b8
0x4070bc
0x4070c0
0x4070c4
0x4070c8
0x4070cc
0x4070d0
0x4070d4
0x4070d8
0x4070dc
0x4070e0
0x4070e4
0x4070e8
0x4070ec
0x4070f0
0x4070f4
0x4070f8
0x4070fc
0x407100
0x407104
0x407108
0x40710c
0x407110
0x407114
0x407118
0x40711c
0x407120
0x407124
0x407128
0x40712c
0x407130
0x407134
0x407138
0x40713c
0x407140
0x407144
0x407148
0x40714c
0x407150
0x407154
0x407158
0x40715c
0x407160
0x407164
0x407168
0x40716c
0x407170
0x407174
0x407178
0x40717c
0x407180
0x407184
0x407188
0x40718c
0x407190
0x407194
0x407198
0x40719c
0x4071a0
0x4071a4
0x4071a8
0x4071ac
0x4071b0
0x4071b4
0x4071b8
0x4071bc
0x4071c0
0x4071c4
0x4071c8
0x4071cc
0x4071d0
0x4071d4
0x4071d8
0x4071dc
0x4071e0
0x4071e4
0x4071e8
0x4071ec
0x4071f0
0x4071f4
0x4071f8
0x4071fc
0x407200
0x407204
0x407208
0x40720c
0x407210
0x407214
0x407218
0x40721c
0x407220
0x407224
0x407228
0x40722c
0x407230
0x407234
0x407238
0x40723c
0x407240
0x407244
0x407248
0x40724c
0x407250
0x407254
0x407258
0x40725c
0x407260
0x407264
0x407268
0x40726c
0x407270
0x407274
0x407278
0x40727c
0x407280
0x407284
0x407288
0x40728c
0x407290
0x407294
0x407298
0x40729c
0x4072a0
0x4072a4
0x4072a8
0x4072ac
0x4072b0
0x4072b4
0x4072b8
0x4072bc
0x4072c0
0x4072c4
0x4072c8
0x4072cc
0x4072d0
0x4072d4
0x4072d8
0x4072dc
0x4072e0
0x4072e4
0x4072e8
0x4072ec
0x4072f0
0x4072f4
0x4072f8
0x4072fc
0x407300
0x407304
0x407308
0x40730c
0x407310
0x407314
0x407318
0x40731c
0x407320
0x407324
0x407328
0x40732c
0x407330
0x407334
0x407338
0x40733c
0x407340
0x407344
0x407348
0x40734c
0x407350
0x407354
0x407358
0x40735c
0x407360
0x407364
0x407368
0x40736c
0x407370
0x407374
0x407378
0x40737c
0x407380
0x407384
0x407388
0x40738c
0x407390
0x407394
0x407398
0x40739c
0x4073a0
0x4073a4
0x4073a8
0x4073ac
0x4073b0
0x4073b4
0x4073b8
0x4073bc
0x4073c0
0x4073c4
0x4073c8
0x4073cc
0x4073d0
0x4073d4
0x4073d8
0x4073dc
0x4073e0
0x4073e4
0x4073e8
0x4073ec
0x4073f0
0x4073f4
0x4073f8
0x4073fc
0x407400
0x407404
0x407408
0x40740c
0x407410
0x407414
0x407418
0x40741c
0x407420
0x407424
0x407428
0x40742c
0x407430
0x407434
0x407438
0x40743c
0x407440
0x407444
0x407448
0x40744c
0x407450
0x407454
0x407458
0x40745c
0x407460
0x407464
0x407468
0x40746c
Library MSVCRT.dll:
0x4074b8 _mbsicmp
0x4074bc _filelength
0x4074c0 atoi
0x4074c4 malloc
0x4074c8 strlen
0x4074cc _EH_prolog
0x4074d0 __CxxFrameHandler
0x4074d4 _setmbcp
0x4074d8 sscanf
0x4074dc _exit
0x4074e0 __dllonexit
0x4074e4 _onexit
0x4074e8 _controlfp
0x4074ec _except_handler3
0x4074f0 __set_app_type
0x4074f4 __p__fmode
0x4074f8 __p__commode
0x4074fc _adjust_fdiv
0x407500 __setusermatherr
0x407504 _initterm
0x407508 __getmainargs
0x40750c _acmdln
0x407510 exit
0x407514 _XcptFilter
0x407518 strcmp
Library KERNEL32.dll:
0x407000 GetProcAddress
0x407004 GetModuleFileNameA
0x407008 GetCurrentProcess
0x40700c LocalFree
0x407010 FormatMessageA
0x407014 GetLastError
0x407018 LoadLibraryA
0x40701c GetModuleHandleA
0x407020 GetStartupInfoA
0x407024 LoadLibraryW
Library USER32.dll:
0x407520 ShowWindow
0x407524 SendMessageA
0x407528 MessageBeep
0x40752c UpdateWindow
0x407530 EnableWindow
Library VERSION.dll:
0x407538 GetFileVersionInfoA
0x407540 VerQueryValueA
Library MSVCIRT.dll:
0x407474 ??0ifstream@@QAE@XZ
0x407488 ??1ifstream@@UAE@XZ
0x40748c ??1ios@@UAE@XZ
0x407494 ??1ofstream@@UAE@XZ
0x4074ac ??0ofstream@@QAE@XZ

Exports

Ordinal Address Name
1 0x4026b2 ERWQSDASQWAFASASWW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.