Score: 6.2
Severity: High risk

6731db0018e23fa23e0ad0eae596af6ed847483b85d190b1cf0bd7e7c12e8999

dc5384cc7da9452765857e99381834b0.exe

Analysis duration

76s

Latest analysis

File size

536.1KB
Tags: static detection (flagged), dynamic detection (flagged)
Hawkeye engine
Not detected: no Hawkeye engine results are available yet
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | Emotet-FQS!DC5384CC7DA9 | 20210222 | 6.0.6.653
Alibaba | Trojan:Win32/Emotet.4152be58 | 20190527 | 0.3.0.5
Baidu | (no detection) | 20190318 | 1.0.0.2
Avast | Win32:BankerX-gen [Trj] | 20210222 | 21.1.5827.0
Kingsoft | Win32.Troj.Banker.(kcloud) | 20210222 | 2017.9.26.565
Tencent | Malware.Win32.Gencirc.10cdf984 | 20210222 | 1.0.0.1
CrowdStrike | win/malicious_confidence_100% (W) | 20210203 | 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619982740.213626
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 events)
Time & API Arguments Status Return Repeated
1619982731.853626
CryptGenKey
crypto_handle: 0x006db6e0
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00624530
flags: 1
key: f µC6•sÆ1K<ú^/
success 1 0
1619982740.228626
CryptExportKey
crypto_handle: 0x006db6e0
crypto_export_handle: 0x006245f8
buffer: f¤+˜æc¤Ñ’é…AébÓ¥("æDt\Bh]¦ó€!Ì>]kGpd#VŠ S*Mfc¯»°IEèiv^‡X_{­*Gšºlq(~àÆ“¤š†åÉ|O˜£a8@
blob_type: 1
flags: 64
success 1 0
1619982775.228626
CryptExportKey
crypto_handle: 0x006db6e0
crypto_export_handle: 0x006245f8
buffer: f¤e;=»WyJÓöÂ-…>/µé[Cj´ÏP HgOºïÕ/÷ •˜«güGäWžY¦­¦ìÊñƟ9­ ƒ§ÿ÷aœ‚œ5Í^l› ̍(6¶‰•¦âFhÙʤ®Oõ®
blob_type: 1
flags: 64
success 1 0
1619982780.853626
CryptExportKey
crypto_handle: 0x006db6e0
crypto_export_handle: 0x006245f8
buffer: f¤gærÒ>;£RšëQWl¤s ٘þjB¼àðôúcˎ̷oւ)&G£ŸOÒQîÖÒç±Ï,ôe€æÌ~ ³÷(¿Ã_3Bûh6"¦÷»V·>¹HÐ[í=ÃÊí«O
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619982731.385626
NtAllocateVirtualMemory
process_identifier: 2732
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619982740.666626
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process dc5384cc7da9452765857e99381834b0.exe
Reads the system's User-Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619982740.353626
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (4 events)
host 172.217.24.14
host 209.236.123.42
host 91.121.54.71
host 98.13.75.196
Sets or modifies the WPAD proxy auto-configuration entries used for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619982743.228626
RegSetValueExA
key_handle: 0x00000394
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619982743.228626
RegSetValueExA
key_handle: 0x00000394
value: ÐV§3O?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619982743.228626
RegSetValueExA
key_handle: 0x00000394
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619982743.228626
RegSetValueExW
key_handle: 0x00000394
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619982743.228626
RegSetValueExA
key_handle: 0x000003ac
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619982743.228626
RegSetValueExA
key_handle: 0x000003ac
value: ÐV§3O?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619982743.228626
RegSetValueExA
key_handle: 0x000003ac
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619982743.260626
RegSetValueExW
key_handle: 0x00000390
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 56 antivirus engines on VirusTotal as malicious (50 of 56 events shown)
Elastic malicious (high confidence)
ClamAV Win.Keylogger.Emotet-9775410-0
McAfee Emotet-FQS!DC5384CC7DA9
Cylance Unsafe
Zillya Trojan.Emotet.Win32.27705
Sangfor Trojan.Win32.Emotet.PED
K7AntiVirus Trojan ( 0056e0731 )
Alibaba Trojan:Win32/Emotet.4152be58
K7GW Trojan ( 0056e0731 )
Cybereason malicious.c7da94
Arcabit Trojan.Generic.D29EC076
Cyren W32/Emotet.HKLC-6114
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:BankerX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.pef
BitDefender Trojan.GenericKD.43958390
NANO-Antivirus Trojan.Win32.Emotet.htkmgj
Paloalto generic.ml
ViRobot Trojan.Win32.Emotet.548988
MicroWorld-eScan Trojan.GenericKD.43958390
Rising Trojan.Emotet!1.CB4A (CLASSIC)
Ad-Aware Trojan.GenericKD.43958390
Sophos Mal/Generic-R + Troj/Emotet-CMC
Comodo Malware@#1tstaod6eqxt3
F-Secure Trojan.TR/Emotet.jnyks
DrWeb Trojan.Emotet.1005
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Emotet-FQS!DC5384CC7DA9
FireEye Generic.mg.dc5384cc7da94527
Emsisoft Trojan.GenericKD.43958390 (B)
Jiangmin Trojan.Banker.Emotet.oft
Avira TR/Emotet.jnyks
Antiy-AVL Trojan[Banker]/Win32.Emotet
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Trojan.Win32.Emotet.oa
Microsoft Trojan:Win32/EmotetCrypt.AR!MTB
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
GData Trojan.GenericKD.43958390
AhnLab-V3 Trojan/Win32.Emotet.R349766
ALYac Trojan.Agent.Emotet
MAX malware (ai score=82)
VBA32 BScope.TrojanBanker.Emotet
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 Win32/Emotet.CD
Tencent Malware.Win32.Gencirc.10cdf984
Yandex Trojan.GenKryptik!I571ZAiuQNg
Ikarus Trojan-Banker.Emotet
eGambit Generic.Malware
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (4 events)
dead_host 91.121.54.71:8080
dead_host 192.168.56.101:49181
dead_host 98.13.75.196:80
dead_host 209.236.123.42:8080
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-08-28 00:23:48

Imports

Library MFC42.DLL:
Library MSVCRT.dll:
0x4182ec _except_handler3
0x4182f0 _setmbcp
0x4182f4 __CxxFrameHandler
0x4182f8 _EH_prolog
0x4182fc memset
0x418300 strlen
0x418304 _ftol
0x418308 _mbsnbcpy
0x41830c _wcslwr
0x418310 malloc
0x418314 _mbsstr
0x418318 __dllonexit
0x41831c _onexit
0x418320 _exit
0x418324 _XcptFilter
0x418328 exit
0x41832c _acmdln
0x418330 __getmainargs
0x418334 _initterm
0x418338 __setusermatherr
0x41833c _adjust_fdiv
0x418340 __p__commode
0x418344 __p__fmode
0x418348 __set_app_type
0x41834c _controlfp
Library KERNEL32.dll:
0x418058 GetStartupInfoA
0x41805c GetModuleHandleA
0x418060 ExitProcess
0x418064 GetLastError
0x418068 VirtualAlloc
0x41806c FreeLibrary
0x418070 LoadLibraryA
0x418078 lstrcpyA
0x41807c WinExec
0x418080 lstrlenA
0x418084 GetProcAddress
0x418088 lstrcatA
Library USER32.dll:
0x418360 LoadIconA
0x418364 InSendMessage
0x418368 CreateWindowExA
0x41836c ShowWindow
0x418370 KillTimer
0x418374 SetWindowLongA
0x418378 GetIconInfo
0x41837c SetTimer
0x418380 PtInRect
0x418384 ScreenToClient
0x418388 GetMessagePos
0x41838c IsWindow
0x418390 CopyIcon
0x418394 LoadCursorA
0x418398 GetDC
0x41839c CreateIconIndirect
0x4183a0 EnableWindow
0x4183a4 FillRect
0x4183a8 DrawStateA
0x4183ac GetClientRect
0x4183b0 CopyRect
0x4183b4 FrameRect
0x4183b8 InflateRect
0x4183bc GetSysColor
0x4183c0 OffsetRect
0x4183c4 DrawFocusRect
0x4183c8 GetWindowRect
0x4183cc GetSubMenu
0x4183d0 TrackPopupMenuEx
0x4183d4 PostMessageA
0x4183d8 ClientToScreen
0x4183dc WindowFromPoint
0x4183e0 GetActiveWindow
0x4183e4 InvalidateRect
0x4183e8 LoadMenuA
0x4183ec ReleaseDC
0x4183f0 LoadImageA
0x4183f4 SetCursor
0x4183f8 GetParent
0x4183fc GetNextDlgTabItem
0x418400 SendMessageA
0x418404 GetWindowLongA
0x418408 DestroyIcon
0x41840c DestroyCursor
0x418410 DestroyMenu
0x418414 MessageBeep
Library GDI32.dll:
0x41801c CreateFontIndirectA
0x418020 GetObjectA
0x418024 GetPixel
0x418028 SetPixel
0x41802c CreateBitmap
0x418030 DeleteObject
0x418034 GetStockObject
0x418038 SelectObject
0x418040 CreateCompatibleDC
0x418044 BitBlt
0x418048 DeleteDC
0x41804c SetTextColor
0x418050 SetBkColor
Library ADVAPI32.dll:
0x418000 RegQueryValueA
0x418004 RegOpenKeyExA
0x418008 RegCloseKey
Library SHELL32.dll:
0x418354 ShellExecuteExA
0x418358 ShellExecuteA
Library COMCTL32.dll:
0x418010 _TrackMouseEvent
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.