Score: 6.4
Risk level: High

41bd0c8d798214f08065560baf02d9de0686de4d6cd0edcd6c4aaa210308dec5

d2e629e07ed81e6b2b6533ea9c6b0f19.exe

Analysis duration

78s

Last analysed

File size

268.1KB
Static detection: flagged. Dynamic detection: flagged. Detection tags: 1NF0C60 5D54D80UGXE AI SCORE=100 AIDETECTVM ATTRIBUTE BZHIA@0 CJQN ELDORADO EMOTET GENCIRC GENERICKD GENETIC GENOME HCEJ HIGHCONFIDENCE HRVUQO KRYPTIK MALICIOUS MALWARE1 R + TROJ R348890 SUSGEN THIOCBO UNSAFE WACATAC
Eagle Eye engine
Not detected: no Eagle Eye engine results are available for this sample.
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba Trojan:Win32/Emotet.20213863 20190527 0.3.0.5
Tencent Malware.Win32.Gencirc.10cdead6 20200917 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200917 2013.8.14.323
McAfee 20200915 6.0.6.653
CrowdStrike 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619925287.143875
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619925278.565875
CryptGenKey
crypto_handle: 0x003254f8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x003249e8
flags: 1
key: f¥xÞ_Ò+s Á¨7|Èýñ
success 1 0
1619925287.158875
CryptExportKey
crypto_handle: 0x003254f8
crypto_export_handle: 0x003253a0
buffer: f¤·ºN IÛS÷ŸÏÈ38rψ¨ÆÍñaá%@B¤êxÎy¬5¡à¬ÛNÎÚéßw÷ïZkGîJ§ÝC[Ù鑝Z!ÉMwôêT1f[Â"Ðïï`³¤|A ¥‰6ï®,I
blob_type: 1
flags: 64
success 1 0
1619925323.049875
CryptExportKey
crypto_handle: 0x003254f8
crypto_export_handle: 0x003253a0
buffer: f¤sòVgÃ&¥èìè3¹9u«VL7ÄqnÊ"¯{ÍÁKCº>•Jê_ôÁ±Àx\1ÇßÞΘ¢`/»y4÷œê7Ô*;’³íL ñhž •¦ø RA‡Cζ²Ï±_
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behaviour verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619925278.065875
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e50000
success 0 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619925287.643875
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process d2e629e07ed81e6b2b6533ea9c6b0f19.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619925287.315875
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (3 events)
host 172.217.24.14
host 173.94.215.84
host 85.25.207.108
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619925290.221875
RegSetValueExA
key_handle: 0x000003a8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619925290.221875
RegSetValueExA
key_handle: 0x000003a8
value: ÐqÂÐÑ>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619925290.221875
RegSetValueExA
key_handle: 0x000003a8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619925290.221875
RegSetValueExW
key_handle: 0x000003a8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619925290.221875
RegSetValueExA
key_handle: 0x000003c0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619925290.221875
RegSetValueExA
key_handle: 0x000003c0
value: ÐqÂÐÑ>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619925290.221875
RegSetValueExA
key_handle: 0x000003c0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619925290.252875
RegSetValueExW
key_handle: 0x000003a4
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)
Bkav W32.AIDetectVM.malware1
DrWeb Trojan.Emotet.999
MicroWorld-eScan Trojan.GenericKD.34393151
FireEye Generic.mg.d2e629e07ed81e6b
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Trojan.Emotet.Win32.24750
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.20213863
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D20CCC3F
Invincea Mal/Generic-R + Troj/Emotet-CLL
Cyren W32/Emotet.AQM.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THIOCBO
Paloalto generic.ml
Kaspersky Backdoor.Win32.Emotet.cjqn
BitDefender Trojan.GenericKD.34393151
NANO-Antivirus Trojan.Win32.Emotet.hrvuqo
ViRobot Trojan.Win32.Emotet.274432
Tencent Malware.Win32.Gencirc.10cdead6
Ad-Aware Trojan.GenericKD.34393151
Comodo TrojWare.Win32.Genome.bzhia@0
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.THIOCBO
Sophos Troj/Emotet-CLL
Ikarus Trojan-Banker.Emotet
Jiangmin Backdoor.Emotet.sf
MaxSecure Trojan.Malware.105527958.susgen
Antiy-AVL Trojan/Win32.Emotet
Microsoft Trojan:Win32/Emotet!MSR
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm Backdoor.Win32.Emotet.cjqn
GData Win32.Trojan.PSE.1NF0C60
TACHYON Trojan/W32.Agent.274541.B
AhnLab-V3 Trojan/Win32.Emotet.R348890
MAX malware (ai score=100)
VBA32 Trojan.Wacatac
Malwarebytes Trojan.MalPack.TRE
APEX Malicious
ESET-NOD32 Win32/Emotet.CD
Rising Trojan.Kryptik!8.8 (TFE:5:5d54d80ugxE)
Yandex Trojan.Agent!y2EgqcuH3qE
Fortinet W32/Kryptik.HCEJ!tr
AVG Win32:Trojan-gen
Panda Trj/Genetic.gen
Qihoo-360 Win32/Backdoor.0ed
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 85.25.207.108:8080
dead_host 173.94.215.84:80
Visual analysis
Binary image
No binary image: no binary visualisation image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran.

PE Compile Time

2020-08-20 05:07:11

Imports

Library VERSION.dll:
0x417038 GetFileVersionInfoA
0x41703c VerQueryValueA
Library MFC42.DLL:
Library MSVCRT.dll:
0x416e7c __p__commode
0x416e80 _adjust_fdiv
0x416e84 __setusermatherr
0x416e88 _initterm
0x416e8c __getmainargs
0x416e90 __p__fmode
0x416e94 exit
0x416e98 _XcptFilter
0x416e9c _exit
0x416ea4 _onexit
0x416ea8 __set_app_type
0x416eac _controlfp
0x416eb0 _acmdln
0x416eb4 _setmbcp
0x416eb8 __CxxFrameHandler
0x416ebc memcpy
0x416ec0 memset
0x416ec4 _wcslwr
0x416ec8 malloc
0x416ecc _mbscmp
0x416ed0 _mbsicmp
0x416ed4 abs
0x416ed8 _splitpath
0x416edc __dllonexit
0x416ee0 _except_handler3
Library KERNEL32.dll:
0x416948 GetStartupInfoA
0x41694c DeleteFileA
0x416950 lstrcatA
0x416954 CreateDirectoryA
0x416958 MultiByteToWideChar
0x41695c LoadLibraryA
0x416960 GetProcAddress
0x416964 GetModuleFileNameA
0x416968 MulDiv
0x41696c GetModuleHandleA
0x416970 lstrcpyA
0x416974 ExitProcess
Library USER32.dll:
0x416f58 GetWindow
0x416f5c PostMessageA
0x416f60 IsWindow
0x416f64 InvalidateRect
0x416f68 RedrawWindow
0x416f6c DrawTextExA
0x416f70 GetSysColor
0x416f74 GetCursorPos
0x416f78 PtInRect
0x416f7c InflateRect
0x416f80 LoadMenuA
0x416f84 ScreenToClient
0x416f88 KillTimer
0x416f8c GetParent
0x416f90 SetTimer
0x416f94 GetSysColorBrush
0x416f98 LoadCursorA
0x416f9c SetCursor
0x416fa0 GetSubMenu
0x416fa4 GetMenuItemID
0x416fa8 GetMenuItemCount
0x416fac OffsetRect
0x416fb0 UnregisterHotKey
0x416fb4 GetWindowRect
0x416fb8 LoadIconA
0x416fbc RegisterHotKey
0x416fc0 SendMessageA
0x416fc4 SetForegroundWindow
0x416fc8 GetClientRect
0x416fcc WinHelpA
0x416fd0 GetMenu
0x416fd4 IsWindowVisible
0x416fd8 GetDlgItem
0x416fdc EnumWindows
0x416fe0 EnableWindow
0x416fe4 wsprintfA
0x416fe8 GetForegroundWindow
Library GDI32.dll:
0x4168f4 GetObjectA
0x4168f8 GetStockObject
0x416900 BitBlt
0x416904 Polygon
0x416908 CreateCompatibleDC
0x416910 CreateFontA
0x416914 CreateFontIndirectA
Library SHELL32.dll:
0x416f24 ShellExecuteA
0x416f28 Shell_NotifyIconA
Library COMCTL32.dll:
0x4168c0
Library ole32.dll:
0x41706c CoUninitialize
0x417070 CoCreateInstance
0x417074 CoInitialize
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.