10.4
0-day
53 个模型检测该样本为恶意!
重新分析
更多

e1b00d6d4844e9c73dc8a7dce1238c815e7930057c478c3b011f471d1116c1f0

bde02a5e7290a1e78fc5eebeedff1773.exe

分析耗时

112s

最近分析

文件大小

60.0KB
静态报毒 动态报毒 1XAFHL4 AI SCORE=86 BANKERX BEHAVIOR BRXT BSCOPE CKGENERIC CLASSIC ELDORADO EMOTET GENCIRC GORGON HIGH CONFIDENCE HRJDSH KRYPTIK OGWLR@0 R + TROJ R347704 RANAPAMA SCORE SUSGEN SUSPICIOUS PE TROJANBANKER UNSAFE USXVPHC20 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Emotet.48a18c99 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20200905 2013.8.14.323
McAfee Emotet-FRT!BDE02A5E7290 20200905 6.0.6.653
Tencent Malware.Win32.Gencirc.10cde81b 20200905 1.0.0.1
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619885145.910751
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 个事件)
Time & API Arguments Status Return Repeated
1619885131.691751
CryptGenKey
crypto_handle: 0x02bf0ea8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x02bf03c8
flags: 1
key: f*|âm«Ë º<OosW/
success 1 0
1619885145.926751
CryptExportKey
crypto_handle: 0x02bf0ea8
crypto_export_handle: 0x02bf0490
buffer: f¤×”0–]҆œØU?À+Œ‰[’Ò҃wà“”R”‹9% 5bé>E@“0(勈ÔÊW[U‰2Ü^qçGù¯õ—üã)Úk­Bù²OåÛVräU»FMq©S¥ä’š˜\»
blob_type: 1
flags: 64
success 1 0
1619885173.785751
CryptExportKey
crypto_handle: 0x02bf0ea8
crypto_export_handle: 0x02bf0490
buffer: f¤q?ÜßÆ,Ü¢x§@R%ë6ÌeƒÇá_¦¹¡–K óýÜ£ñëz–`oÞ ´ “ä­Œ`èÓã„×ÎRýœS¡†ssm®³4½} Õøb})äP„>¤
blob_type: 1
flags: 64
success 1 0
1619885197.910751
CryptExportKey
crypto_handle: 0x02bf0ea8
crypto_export_handle: 0x02bf0490
buffer: f¤qŸ!³qY[L]{R럜‡ÙÌñvû ÇUç]ÁÔÃy+;¨´[ÙÆMè ²c+âšyVèWPgÐîTVËr'Ö¿ãI·ÙàËËSž³CÊf’DM·A·
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:588215060&cup2hreq=1b947f9b58c195b406aed03759565a113d9aa485b6814934f16e35ac10762883
Performs some HTTP requests (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:588215060&cup2hreq=1b947f9b58c195b406aed03759565a113d9aa485b6814934f16e35ac10762883
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:588215060&cup2hreq=1b947f9b58c195b406aed03759565a113d9aa485b6814934f16e35ac10762883
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619885124.426501
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619884753.64877
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004050000
success 0 0
1619885130.988751
NtAllocateVirtualMemory
process_identifier: 2960
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ce0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619885129.176501
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bde02a5e7290a1e78fc5eebeedff1773.exe
newfilepath: C:\Windows\SysWOW64\qwave\userenv.exe
newfilepath_r: C:\Windows\SysWOW64\qwave\userenv.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bde02a5e7290a1e78fc5eebeedff1773.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619885147.066751
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.430031583063025 section {'size_of_data': '0x0000a000', 'virtual_address': '0x00005000', 'entropy': 7.430031583063025, 'name': '.rsrc', 'virtual_size': '0x00009268'} description A section with a high entropy has been found
entropy 0.7142857142857143 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process userenv.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619885146.754751
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (4 个事件)
host 107.185.211.16
host 153.126.210.205
host 172.217.24.14
host 96.8.113.4
Installs itself for autorun at Windows startup (1 个事件)
service_name userenv service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\qwave\userenv.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619885130.160501
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02c968a0
display_name: userenv
error_control: 0
service_name: userenv
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\qwave\userenv.exe"
filepath_r: "C:\Windows\SysWOW64\qwave\userenv.exe"
service_manager_handle: 0x02caf1d8
desired_access: 2
service_type: 16
password:
success 46753952 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619885149.629751
RegSetValueExA
key_handle: 0x00000390
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619885149.629751
RegSetValueExA
key_handle: 0x00000390
value: Ð.[t>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619885149.629751
RegSetValueExA
key_handle: 0x00000390
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619885149.629751
RegSetValueExW
key_handle: 0x00000390
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619885149.629751
RegSetValueExA
key_handle: 0x000003a8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619885149.629751
RegSetValueExA
key_handle: 0x000003a8
value: Ð.[t>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619885149.629751
RegSetValueExA
key_handle: 0x000003a8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619885149.660751
RegSetValueExW
key_handle: 0x0000038c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\qwave\userenv.exe:Zone.Identifier
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Ranapama.ALM
FireEye Generic.mg.bde02a5e7290a1e7
CAT-QuickHeal Trojan.CKGENERIC
Qihoo-360 Win32/Backdoor.01a
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Backdoor.Emotet.Win32.928
Sangfor Malware
K7AntiVirus Trojan ( 0056cf471 )
Alibaba Trojan:Win32/Emotet.48a18c99
K7GW Trojan ( 0056cf471 )
Cybereason malicious.9616b0
Arcabit Trojan.Ranapama.ALM
Invincea Mal/Generic-R + Troj/Emotet-CKY
Cyren W32/Kryptik.BTL.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
Paloalto generic.ml
Kaspersky Backdoor.Win32.Emotet.brxt
BitDefender Trojan.Ranapama.ALM
NANO-Antivirus Trojan.Win32.Emotet.hrjdsh
ViRobot Trojan.Win32.Emotet.61440
Rising Trojan.Kryptik!1.CA73 (CLASSIC)
Ad-Aware Trojan.Ranapama.ALM
TACHYON Trojan/W32.Ranapama.61440
Comodo TrojWare.Win32.Agent.ogwlr@0
DrWeb Trojan.Emotet.1000
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.GORGON.USXVPHC20
Sophos Troj/Emotet-CKY
Ikarus Trojan-Banker.Emotet
Jiangmin Backdoor.Emotet.qj
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/Emotet.PEN!MTB
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm Backdoor.Win32.Emotet.brxt
GData Win32.Trojan.PSE.1XAFHL4
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R347704
McAfee Emotet-FRT!BDE02A5E7290
MAX malware (ai score=86)
VBA32 BScope.TrojanBanker.Emotet
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 Win32/Emotet.CD
TrendMicro-HouseCall TrojanSpy.MSIL.GORGON.USXVPHC20
Tencent Malware.Win32.Gencirc.10cde81b
SentinelOne DFI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/Malicious_Behavior.VEX
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.27.142:443
dead_host 107.185.211.16:80
dead_host 172.217.24.14:443
dead_host 96.8.113.4:8080
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-12 03:38:37

Imports

Library MFC42.DLL:
0x403014
0x403018
0x40301c
0x403020
0x403024
0x403028
0x40302c
0x403030
0x403034
0x403038
0x40303c
0x403040
0x403044
0x403048
0x40304c
0x403050
0x403054
0x403058
0x40305c
0x403060
0x403064
0x403068
0x40306c
0x403070
0x403074
0x403078
0x40307c
0x403080
0x403084
0x403088
0x40308c
0x403090
0x403094
0x403098
0x40309c
0x4030a0
0x4030a4
0x4030a8
0x4030ac
0x4030b0
0x4030b4
0x4030b8
0x4030bc
0x4030c0
0x4030c4
0x4030c8
0x4030cc
0x4030d0
0x4030d4
0x4030d8
0x4030dc
0x4030e0
0x4030e4
0x4030e8
0x4030ec
0x4030f0
0x4030f4
0x4030f8
0x4030fc
0x403100
0x403104
0x403108
0x40310c
0x403110
0x403114
0x403118
0x40311c
0x403120
0x403124
0x403128
0x40312c
0x403130
0x403134
0x403138
0x40313c
0x403140
0x403144
0x403148
0x40314c
0x403150
0x403154
0x403158
0x40315c
0x403160
0x403164
0x403168
0x40316c
0x403170
0x403174
0x403178
0x40317c
0x403180
0x403184
0x403188
0x40318c
0x403190
0x403194
0x403198
0x40319c
0x4031a0
0x4031a4
0x4031a8
0x4031ac
0x4031b0
0x4031b4
0x4031b8
0x4031bc
0x4031c0
0x4031c4
0x4031c8
0x4031cc
0x4031d0
0x4031d4
0x4031d8
0x4031dc
0x4031e0
0x4031e4
Library MSVCRT.dll:
0x403200 _adjust_fdiv
0x403204 __p__commode
0x403208 __p__fmode
0x40320c __set_app_type
0x403210 _except_handler3
0x403214 __setusermatherr
0x403218 _exit
0x40321c _onexit
0x403220 __dllonexit
0x403224 _wcslwr
0x403228 __CxxFrameHandler
0x40322c _setmbcp
0x403230 _XcptFilter
0x403234 _initterm
0x403238 __getmainargs
0x40323c _acmdln
0x403240 exit
0x403244 _controlfp
Library KERNEL32.dll:
0x403000 GetLastError
0x403004 GetModuleHandleA
0x403008 GetStartupInfoA
0x40300c ExitProcess
Library USER32.dll:
0x403254 EnableWindow
0x403258 IsIconic
0x40325c GetSystemMetrics
0x403260 GetClientRect
0x403264 DrawIcon
0x403268 GetSystemMenu
0x40326c AppendMenuA
0x403270 SendMessageA
0x403274 InSendMessage
0x403278 LoadIconA
0x40327c CreateWindowExA
Library SHELL32.dll:
0x40324c SHGetFileInfoA
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49190 203.208.40.98 update.googleapis.com 443
192.168.56.101 49194 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56743 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.