10.8
0-day
52 个模型检测该样本为恶意!
重新分析
更多

170d2421edf0f3af5c148dbf3616edcb027275f331b37e0184bf566c0ddbed8f

cd0c8b894386abb591b4f1eb5166d848.exe

分析耗时

110s

最近分析

文件大小

60.0KB
静态报毒 动态报毒 1XAFHL4 AI SCORE=87 BANKERX BSCOPE CKGENERIC CLOUD ELDORADO EMOTET GENCIRC HFMI HIGH CONFIDENCE HRJDSH KRYPTIK R011C0DHD20 R347704 RANAPAMA RRIMV SCORE SUSPICIOUS PE TROJANBANKER UNCLASSIFIEDMALWARE@0 UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Emotet-FRT!CD0C8B894386 20200820 6.0.6.653
Alibaba Trojan:Win32/Emotet.dd0511f1 20190527 0.3.0.5
CrowdStrike 20190702 1.0
Baidu 20190318 1.0.0.2
Tencent Malware.Win32.Gencirc.10cde80b 20200820 1.0.0.1
Kingsoft 20200820 2013.8.14.323
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619918255.751625
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 个事件)
Time & API Arguments Status Return Repeated
1619918240.767625
CryptGenKey
crypto_handle: 0x002d57e8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x002d4d00
flags: 1
key: f hk?íW%ó?\)
success 1 0
1619918255.767625
CryptExportKey
crypto_handle: 0x002d57e8
crypto_export_handle: 0x002d4dc8
buffer: f¤úOiÛ×ôÊ'bu†¼,ó0”Vb!¯.6ÃQ-ݶut’ó<·ŸÈuÒ)»\~zAÞª³Z14Ãà¾ÞgøÑÐî;Õd_U'\«îØ¡Ë g =acgþ&JáR~BÞ~Ç
blob_type: 1
flags: 64
success 1 0
1619918282.986625
CryptExportKey
crypto_handle: 0x002d57e8
crypto_export_handle: 0x002d4dc8
buffer: f¤¤Ïm«SCö-Ѷw©I‰ 8MNünÆ‘.‹cŸ¥ÏS¬{ÆǞ÷"=Ády9‹ÈÐe•â?  qã`1¯¾±„„µkÖ2Oæ Â~û+YÂFh–apENr
blob_type: 1
flags: 64
success 1 0
1619918306.251625
CryptExportKey
crypto_handle: 0x002d57e8
crypto_export_handle: 0x002d4dc8
buffer: f¤v§-–tdÑåA¦"»¥×µÈkƒúŽqxý2~”$O(ÌÓ,¡7_Ö j2¨##úûêÄ°³áô°ç¸Ñý3i­ [öõÞÈ'²Ü f. nBÛ¾a5wÍܬQ##b
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3069734113&cup2hreq=da38985711276672bae56d4279c88f7a4f43ea747633115ab0c15f4ca8a500c7
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619889141&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5a225f6048b045bb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619889141&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3069734113&cup2hreq=da38985711276672bae56d4279c88f7a4f43ea747633115ab0c15f4ca8a500c7
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:3069734113&cup2hreq=da38985711276672bae56d4279c88f7a4f43ea747633115ab0c15f4ca8a500c7
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619918237.282625
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004f0000
success 0 0
1619917868.942271
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004090000
success 0 0
1619918240.470625
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e00000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619918238.001625
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cd0c8b894386abb591b4f1eb5166d848.exe
newfilepath: C:\Windows\SysWOW64\winsockhc\psr.exe
newfilepath_r: C:\Windows\SysWOW64\winsockhc\psr.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cd0c8b894386abb591b4f1eb5166d848.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619918256.532625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.263229979770701 section {'size_of_data': '0x00001000', 'virtual_address': '0x00004000', 'entropy': 7.263229979770701, 'name': '.data', 'virtual_size': '0x0000024c'} description A section with a high entropy has been found
entropy 7.432347819533883 section {'size_of_data': '0x0000a000', 'virtual_address': '0x00005000', 'entropy': 7.432347819533883, 'name': '.rsrc', 'virtual_size': '0x00009268'} description A section with a high entropy has been found
entropy 0.7857142857142857 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process psr.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619918255.907625
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (4 个事件)
host 172.217.24.14
host 192.187.99.90
host 87.98.218.33
host 95.9.180.128
Installs itself for autorun at Windows startup (1 个事件)
service_name psr service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsockhc\psr.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619918239.720625
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02ce4018
display_name: psr
error_control: 0
service_name: psr
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsockhc\psr.exe"
filepath_r: "C:\Windows\SysWOW64\winsockhc\psr.exe"
service_manager_handle: 0x02d36f50
desired_access: 2
service_type: 16
password:
success 47071256 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619918259.376625
RegSetValueExA
key_handle: 0x00000398
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619918259.376625
RegSetValueExA
key_handle: 0x00000398
value: ;H¹>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619918259.376625
RegSetValueExA
key_handle: 0x00000398
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619918259.376625
RegSetValueExW
key_handle: 0x00000398
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619918259.376625
RegSetValueExA
key_handle: 0x000003b0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619918259.376625
RegSetValueExA
key_handle: 0x000003b0
value: ;H¹>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619918259.376625
RegSetValueExA
key_handle: 0x000003b0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619918259.392625
RegSetValueExW
key_handle: 0x00000394
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\winsockhc\psr.exe:Zone.Identifier
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Ranapama.ALM
FireEye Generic.mg.cd0c8b894386abb5
CAT-QuickHeal Trojan.CKGENERIC
McAfee Emotet-FRT!CD0C8B894386
Zillya Backdoor.Emotet.Win32.932
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.dd0511f1
K7GW Riskware ( 0040eff71 )
Invincea heuristic
F-Prot W32/Kryptik.BTL.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
GData Win32.Trojan.PSE.1XAFHL4
Kaspersky HEUR:Backdoor.Win32.Emotet.vho
BitDefender Trojan.Ranapama.ALM
NANO-Antivirus Trojan.Win32.Emotet.hrjdsh
ViRobot Trojan.Win32.Emotet.61440
Tencent Malware.Win32.Gencirc.10cde80b
Ad-Aware Trojan.Ranapama.ALM
TACHYON Trojan/W32.Ranapama.61440
Comodo .UnclassifiedMalware@0
F-Secure Trojan.TR/Crypt.Agent.rrimv
DrWeb Trojan.Emotet.1000
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R011C0DHD20
Sophos Troj/Emotet-CKY
SentinelOne DFI - Suspicious PE
Cyren W32/Kryptik.BTL.gen!Eldorado
Jiangmin Backdoor.Emotet.qj
Avira TR/Crypt.Agent.rrimv
Antiy-AVL Trojan/Win32.Kryptik
Arcabit Trojan.Ranapama.ALM
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Backdoor.Win32.Emotet.vho
Microsoft Trojan:Win32/Emotet.GGG!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R347704
ALYac Trojan.Agent.Emotet
MAX malware (ai score=87)
VBA32 BScope.TrojanBanker.Emotet
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 a variant of Win32/Kryptik.HFMI
TrendMicro-HouseCall TROJ_GEN.R011C0DHD20
Rising Trojan.Emotet!8.B95 (CLOUD)
Ikarus Trojan-Banker.Emotet
eGambit Unsafe.AI_Score_99%
Fortinet W32/Kryptik.HFMI!tr
AVG Win32:BankerX-gen [Trj]
Cybereason malicious.b8965e
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.160.110:443
dead_host 95.9.180.128:80
dead_host 172.217.24.14:443
dead_host 87.98.218.33:7080
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-12 03:39:44

Imports

Library MFC42.DLL:
0x403014
0x403018
0x40301c
0x403020
0x403024
0x403028
0x40302c
0x403030
0x403034
0x403038
0x40303c
0x403040
0x403044
0x403048
0x40304c
0x403050
0x403054
0x403058
0x40305c
0x403060
0x403064
0x403068
0x40306c
0x403070
0x403074
0x403078
0x40307c
0x403080
0x403084
0x403088
0x40308c
0x403090
0x403094
0x403098
0x40309c
0x4030a0
0x4030a4
0x4030a8
0x4030ac
0x4030b0
0x4030b4
0x4030b8
0x4030bc
0x4030c0
0x4030c4
0x4030c8
0x4030cc
0x4030d0
0x4030d4
0x4030d8
0x4030dc
0x4030e0
0x4030e4
0x4030e8
0x4030ec
0x4030f0
0x4030f4
0x4030f8
0x4030fc
0x403100
0x403104
0x403108
0x40310c
0x403110
0x403114
0x403118
0x40311c
0x403120
0x403124
0x403128
0x40312c
0x403130
0x403134
0x403138
0x40313c
0x403140
0x403144
0x403148
0x40314c
0x403150
0x403154
0x403158
0x40315c
0x403160
0x403164
0x403168
0x40316c
0x403170
0x403174
0x403178
0x40317c
0x403180
0x403184
0x403188
0x40318c
0x403190
0x403194
0x403198
0x40319c
0x4031a0
0x4031a4
0x4031a8
0x4031ac
0x4031b0
0x4031b4
0x4031b8
0x4031bc
0x4031c0
0x4031c4
0x4031c8
0x4031cc
0x4031d0
0x4031d4
0x4031d8
0x4031dc
0x4031e0
0x4031e4
Library MSVCRT.dll:
0x403200 _adjust_fdiv
0x403204 __p__commode
0x403208 __p__fmode
0x40320c __set_app_type
0x403210 _except_handler3
0x403214 __setusermatherr
0x403218 _exit
0x40321c _onexit
0x403220 __dllonexit
0x403224 _wcslwr
0x403228 __CxxFrameHandler
0x40322c _setmbcp
0x403230 _XcptFilter
0x403234 _initterm
0x403238 __getmainargs
0x40323c _acmdln
0x403240 exit
0x403244 _controlfp
Library KERNEL32.dll:
0x403000 GetLastError
0x403004 GetModuleHandleA
0x403008 GetStartupInfoA
0x40300c ExitProcess
Library USER32.dll:
0x403254 EnableWindow
0x403258 IsIconic
0x40325c GetSystemMetrics
0x403260 GetClientRect
0x403264 DrawIcon
0x403268 GetSystemMenu
0x40326c AppendMenuA
0x403270 SendMessageA
0x403274 InSendMessage
0x403278 LoadIconA
0x40327c CreateWindowExA
Library SHELL32.dll:
0x40324c SHGetFileInfoA
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49195 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49196 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49194 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49190 203.208.41.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5a225f6048b045bb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619889141&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5a225f6048b045bb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619889141&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619889141&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619889141&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.