6.8
High risk

5278652d07741856f9b70e633c49b523e6f62d278fea27cf94882375c327c9f9

ad2b24a566f10ef7d59c2a517c562cbd.exe

Analysis duration

77s

Last analyzed

File size

120.1KB
Static detection: flagged; Dynamic detection: flagged; 100%; detection tags: AI SCORE=80 AIDETECTGBM ATTRIBUTE AUSL BSCOPE CLASSIC CONFIDENCE DTIOD ELDORADO EMOTET EVLB GENCIRC GENETIC HFTA HIGH CONFIDENCE HIGHCONFIDENCE HQX@A4TFOZBI HSYUIH HWCBZGSA KCLOUD KRYPTIK MALWARE@#3A7B872TPTNU4 NAXNONACI00 R + TROJ R349155 SCORE SUSGEN TRICK TROJANX UNSAFE WACATAC ZENPAK ZEXAE
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine Result Date Version
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Alibaba Trojan:Win32/Emotet.8c9ba077 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20210223 21.1.5827.0
Tencent Malware.Win32.Gencirc.10cdee3c 20210223 1.0.0.1
Kingsoft Win32.Troj.Banker.(kcloud) 20210223 2017.9.26.565
McAfee Emotet-FQS!AD2B24A566F1 20210223 6.0.6.653
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619826889.094046
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619826880.954046
CryptGenKey
crypto_handle: 0x002a5f78
algorithm_identifier: 0x0000660e ()
provider_handle: 0x002a54a0
flags: 1
key: föx@ê"a ºûÿ ¦˜^
success 1 0
1619826889.110046
CryptExportKey
crypto_handle: 0x002a5f78
crypto_export_handle: 0x002a5460
buffer: f¤SÀ{¦ÓÓïC³#¢å*½ðÉuŸ öÔÄNù¡›ƒÉ6?ì¹Í•Žo€X7 ¿†;áù‡gíô¿Aå¦b¸ÙÛ&–7Ê ¼6Z!%Þñý0Ë»°6¢kR+¾e3
blob_type: 1
flags: 64
success 1 0
1619826923.969046
CryptExportKey
crypto_handle: 0x002a5f78
crypto_export_handle: 0x002a5460
buffer: f¤æ¢†P²JuF\PŽ(&=A·ŒXcÈ®¼z ˜äq픀gØ;KD”D)ºœ¥KUtðÑ™º—­xÈå›t™Z/õˆÉxQˆï´ëÍ^^ÁÙ0•J£W §|c
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619826880.485046
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d00000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619826889.532046
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.08875791123495 section {'size_of_data': '0x00013000', 'virtual_address': '0x0000b000', 'entropy': 7.08875791123495, 'name': '.rsrc', 'virtual_size': '0x00012930'} description A section with a high entropy has been found
entropy 0.6551724137931034 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process ad2b24a566f10ef7d59c2a517c562cbd.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619826889.219046
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with host for which no DNS query was performed (6 events)
host 172.217.24.14
host 185.81.158.15
host 82.239.200.118
host 203.208.41.65
host 203.208.41.98
host 58.63.233.69
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619826892.125046
RegSetValueExA
key_handle: 0x0000039c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619826892.125046
RegSetValueExA
key_handle: 0x0000039c
value: ÀªqW(>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619826892.125046
RegSetValueExA
key_handle: 0x0000039c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619826892.125046
RegSetValueExW
key_handle: 0x0000039c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619826892.125046
RegSetValueExA
key_handle: 0x000003b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619826892.125046
RegSetValueExA
key_handle: 0x000003b4
value: ÀªqW(>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619826892.125046
RegSetValueExA
key_handle: 0x000003b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619826892.157046
RegSetValueExW
key_handle: 0x00000398
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectGBM.malware.01
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.EVLB
FireEye Generic.mg.ad2b24a566f10ef7
ALYac Trojan.Agent.Emotet
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Emotet.ARJ
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Emotet.8c9ba077
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Agent.EVLB
BitDefenderTheta Gen:NN.ZexaE.34574.hqX@a4tFOZbi
Cyren W32/Emotet.ARD.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.pef
BitDefender Trojan.Agent.EVLB
NANO-Antivirus Trojan.Win32.Emotet.hsyuih
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.10cdee3c
Ad-Aware Trojan.Agent.EVLB
Sophos Mal/Generic-R + Troj/Emotet-CLT
Comodo Malware@#3a7b872tptnu4
F-Secure Trojan.TR/Crypt.Agent.dtiod
DrWeb Trojan.Emotet.1005
Zillya Trojan.Emotet.Win32.24949
McAfee-GW-Edition BehavesLike.Win32.Emotet.ch
Emsisoft Trojan.Emotet (A)
APEX Malicious
Jiangmin Trojan.Banker.Emotet.ofg
eGambit Generic.Malware
Avira TR/Crypt.Agent.dtiod
MAX malware (ai score=80)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Microsoft Trojan:Win32/Emotet.ARJ!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
GData Trojan.Agent.EVLB
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.R349155
McAfee Emotet-FQS!AD2B24A566F1
TACHYON Banker/W32.Emotet.123000
VBA32 BScope.Trojan.Trick
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HFTA
Rising Trojan.Kryptik!1.CB1B (CLASSIC)
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (2 events)
dead_host 82.239.200.118:80
dead_host 185.81.158.15:8080
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-08-25 20:29:59

Imports

Library MFC42.DLL:
Library MSVCRT.dll:
0x40734c _adjust_fdiv
0x407350 __setusermatherr
0x407354 _initterm
0x407358 __getmainargs
0x40735c _acmdln
0x407360 exit
0x407364 __p__commode
0x407368 _exit
0x40736c _onexit
0x407370 __dllonexit
0x407374 _ftol
0x407378 atoi
0x40737c _setmbcp
0x407380 __p__fmode
0x407384 __set_app_type
0x407388 _except_handler3
0x40738c _XcptFilter
0x407390 __CxxFrameHandler
0x407394 _EH_prolog
0x407398 _mbsstr
0x40739c _vsnprintf
0x4073a0 sprintf
0x4073a4 _mbsnbcpy
0x4073a8 _mbscmp
0x4073ac _mbsupr
0x4073b0 _mbsnbcat
0x4073b4 _wcslwr
0x4073b8 malloc
0x4073bc clock
0x4073c0 _controlfp
Library KERNEL32.dll:
0x407030 GlobalLock
0x407034 GlobalUnlock
0x407038 FlushViewOfFile
0x40703c CloseHandle
0x407040 UnmapViewOfFile
0x407044 GetCurrentThreadId
0x407048 SetEvent
0x40704c IsBadWritePtr
0x407050 IsBadReadPtr
0x407054 GlobalSize
0x407058 ReleaseMutex
0x40705c CreateEventA
0x407060 CreateMutexA
0x407064 OpenEventA
0x407068 OpenMutexA
0x40706c GetLastError
0x407070 ExitProcess
0x407074 GetModuleHandleA
0x407078 GetStartupInfoA
0x40707c GlobalAlloc
0x407080 Sleep
0x407084 FreeLibrary
0x407088 LoadLibraryA
0x407090 WinExec
0x407094 DeviceIoControl
0x407098 GetFileSize
0x40709c CreateFileA
0x4070a0 MapViewOfFile
0x4070a4 WaitForSingleObject
0x4070a8 CreateFileMappingA
0x4070ac OpenFileMappingA
Library USER32.dll:
0x4073d0 ScreenToClient
0x4073d4 SendMessageA
0x4073d8 ReleaseDC
0x4073dc InvalidateRect
0x4073e0 RedrawWindow
0x4073e4 SetTimer
0x4073e8 KillTimer
0x4073ec GetParent
0x4073f0 GetSystemMetrics
0x4073f4 DrawFocusRect
0x4073f8 GetSubMenu
0x4073fc LoadMenuA
0x407400 InSendMessage
0x407404 CreateWindowExA
0x407408 DrawIcon
0x40740c GetClientRect
0x407410 GetSystemMenu
0x407414 IsIconic
0x407418 LoadIconA
0x40741c InflateRect
0x407420 PtInRect
0x407424 LoadCursorA
0x407428 CopyIcon
0x40742c IsWindow
0x407430 GetSysColor
0x407434 SetCursor
0x407438 GetMessagePos
0x40743c MessageBeep
0x407440 SetWindowLongA
0x407444 DestroyCursor
0x40744c AppendMenuA
0x407450 GetWindowRect
0x407454 EmptyClipboard
0x407458 SetClipboardData
0x40745c OpenClipboard
0x407460 GetClipboardData
0x407464 CloseClipboard
0x407468 EnableWindow
0x40746c GetDC
Library GDI32.dll:
0x407010 GetTextMetricsA
0x407018 GetObjectA
0x40701c CreateFontIndirectA
0x407020 CreateSolidBrush
0x407024 GetStockObject
0x407028 GetCharWidthA
Library ADVAPI32.dll:
0x407000 RegQueryValueA
0x407004 RegCloseKey
0x407008 RegOpenKeyExA
Library SHELL32.dll:
0x4073c8 ShellExecuteA
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 51811 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.