SmartHawk

6.4

高危

56 个模型检测该样本为恶意！

重新分析

下载样本

3a8843ad3398348da2c2f946b28c30b0804ddfd08dee6aeb6dbb674116df3399

cea6ba6cad496fbcfcb6a713ff1936f4.exe

分析耗时

75s

最近分析

文件大小

116.0KB

静态报毒动态报毒 5YXVHZVKOPI AGEN AI SCORE=88 AIDETECTGBM ATTRIBUTE BANKERX CCMW CLASSIC CONFIDENCE ELDORADO EMOTET GENERICKDZ GENERICRXLW GENETIC HFYG HGIASOCA HIGH CONFIDENCE HIGHCONFIDENCE HQW@AQK0WPII KRYPTIK MALWARE@#3DNSYISOVGYZ9 R + TROJ R350739 SCORE STATIC AI SUSGEN SUSPICIOUS PE TROJANPSW UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXLW-HG!CEA6BA6CAD49	20210219	6.0.6.653
Alibaba	Trojan:Win32/Emotet.961a1554	20190527	0.3.0.5
Avast	Win32:BankerX-gen [Trj]	20210219	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft		20210219	2017.9.26.565
CrowdStrike	win/malicious_confidence_60% (W)	20210203	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910856.744822 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (3 个事件)

Time & API	Arguments	Status	Return
1619910848.650822 CryptGenKey	crypto_handle: 0x00656318 algorithm_identifier: 0x0000660e () provider_handle: 0x0058e288 flags: 1 key: fö÷ºÛÐ<\¸çü²ñ	success	1
1619910856.760822 CryptExportKey	crypto_handle: 0x00656318 crypto_export_handle: 0x0058e350 buffer: f¤¹³{¡õ«Èõpy ÌâÍ»;Íù;0¡z`ôÀth«*dÊÌ×Ãk0nk·ÒOödû> y!ì¯©2Ó½KjM}Y^+o¤ÿè/R§ÏÇ:j$±Éò(çÒo0ýÔ blob_type: 1 flags: 64	success	1
1619910891.557822 CryptExportKey	crypto_handle: 0x00656318 crypto_export_handle: 0x0058e350 buffer: f¤EÎ"Q!vòçàßWgaLéx¼nd4áx÷nGKõeÜ5i2Ë«Þ!DFe_ÒÈÍÙnÇÝq¢ÿõ\|3©\Þ3 ¦üCµþzËUj7ÍÍ blob_type: 1 flags: 64	success	1

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910847.932822 NtAllocateVirtualMemory	process_identifier: 472 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00540000	success	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910857.275822 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.780503796958698

section

{'size_of_data': '0x00009000', 'virtual_address': '0x00015000', 'entropy': 7.780503796958698, 'name': '.rsrc', 'virtual_size': '0x00008be8'}

description

A section with a high entropy has been found

entropy

0.32142857142857145

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

cea6ba6cad496fbcfcb6a713ff1936f4.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619910856.947822 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	185.215.227.107
host	51.38.124.206

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619910859.838822 RegSetValueExA	key_handle: 0x00000374 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619910859.838822 RegSetValueExA	key_handle: 0x00000374 value: @ü>× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619910859.838822 RegSetValueExA	key_handle: 0x00000374 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619910859.838822 RegSetValueExW	key_handle: 0x00000374 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619910859.838822 RegSetValueExA	key_handle: 0x0000038c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619910859.838822 RegSetValueExA	key_handle: 0x0000038c value: @ü>× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619910859.854822 RegSetValueExA	key_handle: 0x0000038c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619910859.869822 RegSetValueExW	key_handle: 0x00000370 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectGBM.malware.01
Elastic	malicious (high confidence)
DrWeb	Trojan.Emotet.1016
MicroWorld-eScan	Trojan.GenericKDZ.69898
McAfee	GenericRXLW-HG!CEA6BA6CAD49
Cylance	Unsafe
Zillya	Trojan.Emotet.Win32.28396
Sangfor	Trojan.Win32.Emotet.ibt
K7AntiVirus	Trojan ( 0056dbba1 )
Alibaba	Trojan:Win32/Emotet.961a1554
K7GW	Trojan ( 0056dbba1 )
Cybereason	malicious.cad496
Arcabit	Trojan.Generic.D1110A
BitDefenderTheta	Gen:NN.ZexaF.34574.hqW@aqK0WPii
Cyren	W32/Kryptik.BWH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HFYG
APEX	Malicious
Avast	Win32:BankerX-gen [Trj]
ClamAV	Win.Packed.Generickdz-9752566-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKDZ.69898
NANO-Antivirus	Virus.Win32.Gen.ccmw
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKDZ.69898
TACHYON	Trojan/W32.Agent.118784.CPY
Emsisoft	Trojan.GenericKDZ.69898 (B)
Comodo	Malware@#3dnsyisovgyz9
F-Secure	Heuristic.HEUR/AGEN.1138399
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.ch
FireEye	Generic.mg.cea6ba6cad496fbc
Sophos	Mal/Generic-R + Troj/Emotet-CNC
Ikarus	Trojan-Banker.Emotet
Avira	HEUR/AGEN.1138399
Antiy-AVL	Trojan/Win32.Emotet
Gridinsoft	Trojan.Win32.Emotet.oa!s1
Microsoft	Trojan:Win32/Emotet.ARK!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKDZ.69898
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Emotet.R350739
VBA32	Trojan.Emotet
ALYac	Trojan.GenericKDZ.69898
MAX	malware (ai score=88)
Malwarebytes	Trojan.MalPack.TRE
Rising	Trojan.Emotet!1.CBDD (CLASSIC)
Yandex	Trojan.Agent!5YXvHzVkOPI
SentinelOne	Static AI - Suspicious PE
eGambit	Generic.Malware

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	51.38.124.206:80
dead_host	185.215.227.107:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-04 01:24:04

Imports

Library KERNEL32.dll:

• 0x40f054 IsBadWritePtr

• 0x40f058 VirtualAlloc

• 0x40f05c WriteFile

• 0x40f060 VirtualFree

• 0x40f064 HeapCreate

• 0x40f068 HeapDestroy

• 0x40f06c GetFileType

• 0x40f070 GetStdHandle

• 0x40f074 SetHandleCount

• 0x40f078 GetEnvironmentStringsW

• 0x40f07c SetUnhandledExceptionFilter

• 0x40f080 FreeEnvironmentStringsW

• 0x40f084 FreeEnvironmentStringsA

• 0x40f088 GetModuleFileNameA

• 0x40f08c UnhandledExceptionFilter

• 0x40f090 LCMapStringW

• 0x40f094 LCMapStringA

• 0x40f098 MultiByteToWideChar

• 0x40f09c GetProcAddress

• 0x40f0a0 HeapSize

• 0x40f0a4 IsBadReadPtr

• 0x40f0a8 IsBadCodePtr

• 0x40f0ac GetCPInfo

• 0x40f0b0 GetACP

• 0x40f0b4 GetOEMCP

• 0x40f0b8 LoadLibraryA

• 0x40f0bc GetStringTypeA

• 0x40f0c0 GetStringTypeW

• 0x40f0c4 GetLastError

• 0x40f0c8 CompareStringA

• 0x40f0cc CompareStringW

• 0x40f0d0 SetEnvironmentVariableA

• 0x40f0d4 RaiseException

• 0x40f0d8 SetFilePointer

• 0x40f0dc FlushFileBuffers

• 0x40f0e0 CloseHandle

• 0x40f0e4 LoadLibraryExA

• 0x40f0e8 ReadFile

• 0x40f0ec GetEnvironmentStrings

• 0x40f0f0 WideCharToMultiByte

• 0x40f0f4 GetTimeZoneInformation

• 0x40f0f8 GetSystemTime

• 0x40f0fc GetLocalTime

• 0x40f100 RtlUnwind

• 0x40f104 GetModuleHandleA

• 0x40f108 GetStartupInfoA

• 0x40f10c GetCommandLineA

• 0x40f110 GetVersion

• 0x40f114 ExitProcess

• 0x40f118 HeapFree

• 0x40f11c HeapReAlloc

• 0x40f120 HeapAlloc

• 0x40f124 TerminateProcess

• 0x40f128 GetCurrentProcess

• 0x40f12c SetStdHandle

Library USER32.dll:

• 0x40f134 DefWindowProcA

• 0x40f138 GetClientRect

• 0x40f13c InvalidateRect

• 0x40f140 DestroyWindow

• 0x40f144 BeginPaint

• 0x40f148 DrawTextA

• 0x40f14c EndPaint

• 0x40f150 PostQuitMessage

• 0x40f154 CreateWindowExA

• 0x40f158 LoadIconA

• 0x40f15c RegisterClassExA

• 0x40f160 LoadStringA

• 0x40f164 LoadAcceleratorsA

• 0x40f168 GetMessageA

• 0x40f16c TranslateAcceleratorA

• 0x40f170 TranslateMessage

• 0x40f174 DispatchMessageA

• 0x40f178 ShowWindow

• 0x40f17c GetSysColorBrush

• 0x40f180 GetSysColor

• 0x40f184 FillRect

• 0x40f188 ReleaseCapture

• 0x40f18c PtInRect

• 0x40f190 LoadCursorA

• 0x40f194 SetCursor

• 0x40f198 UpdateWindow

• 0x40f19c SetCapture

• 0x40f1a0 CheckRadioButton

• 0x40f1a4 SetDlgItemInt

• 0x40f1a8 GetSystemMenu

• 0x40f1ac AppendMenuA

• 0x40f1b0 SetMenuDefaultItem

• 0x40f1b4 GetDC

• 0x40f1b8 DrawEdge

• 0x40f1bc IsDlgButtonChecked

• 0x40f1c0 ReleaseDC

• 0x40f1c4 EndDialog

• 0x40f1c8 DialogBoxParamA

Library GDI32.dll:

• 0x40f000 RealizePalette

• 0x40f004 CreateHalftonePalette

• 0x40f008 SelectPalette

• 0x40f00c StretchDIBits

• 0x40f010 BeginPath

• 0x40f014 MoveToEx

• 0x40f018 LineTo

• 0x40f01c EndPath

• 0x40f020 StrokeAndFillPath

• 0x40f024 CreateBrushIndirect

• 0x40f028 Ellipse

• 0x40f02c CreatePen

• 0x40f030 Rectangle

• 0x40f034 SetROP2

• 0x40f038 CreateSolidBrush

• 0x40f03c SelectObject

• 0x40f040 SetBkColor

• 0x40f044 DeleteObject

• 0x40f048 LPtoDP

• 0x40f04c GetPixel

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.