6.4
High risk

92738cdd5fbb36ae9ffe7ee58213dcc968705477ac2639776a8f447f4495756c

dda661911d82dd69d7064a82d0c93417.exe

Analysis duration

77s

Last analysis

File size

172.0KB
Static and dynamic detection labels: AI SCORE=89 AIDETECTVM ATTRIBUTE BEHAVIOR CLASSIC CONFIDENCE ELDORADO EMOTET FPYEC GCVK GENCIRC GENERICKD GENKRYPTIK HFVD HIGH CONFIDENCE HIGHCONFIDENCE HTRXJL KQ0@AAQC1DGJ KRYPTIK MALWARE1 MALWARE@#1F7MR3GKF19HG R + TROJ R349634 SCORE THIOEBO TROJANBANKER UNSAFE ZEXAF
Eagle Eye engine
Not detected. No Eagle Eye engine detection results are available.
Static verdict
Antivirus engines
Engine        Result                              Scan date   Engine version
CrowdStrike   win/malicious_confidence_60% (W)    20190702    1.0
Alibaba       Trojan:Win32/Emotet.63fec305        20190527    0.3.0.5
Baidu         -                                   20190318    1.0.0.2
Kingsoft      -                                   20200924    2013.8.14.323
McAfee        Emotet-FRZ!DDA661911D82             20200924    6.0.6.653
Tencent       Malware.Win32.Gencirc.10cdf982      20200924    1.0.0.1
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619948432.646429
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619948416.724429
CryptGenKey
crypto_handle: 0x005abf08
algorithm_identifier: 0x0000660e ()
provider_handle: 0x004e4b50
flags: 1
key: f cŸ´àpD-ÿM‘ßQë
success 1 0
1619948432.662429
CryptExportKey
crypto_handle: 0x005abf08
crypto_export_handle: 0x004e4f18
buffer: f¤ânM¬'ÂO¨Ì¸)ÚI ËÀn.ެl®@ó.㑈ȪõWá`>oæíµ²·,ÀðÖ¦Ò¶ä-1LMäG›"â$B7Ï©—ݦ>á^&ðÀBZ´ÿük"†ØJ
blob_type: 1
flags: 64
success 1 0
1619948467.302429
CryptExportKey
crypto_handle: 0x005abf08
crypto_export_handle: 0x004e4f18
buffer: f¤ÃáúsV̂° ìa™"eœ™÷M}þÇ»`*_lý¿ªØE,YµÛ'LdݳÅìHT2Õ¦x&-—½.}H3wÈ6¥ãcÿ'_íÓF¬<h„X‚±¨y¬ö““Ô^pÀ
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1619948416.287429
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00740000
success 0 0
1619948416.302429
NtAllocateVirtualMemory
process_identifier: 784
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00750000
success 0 0
Foreign language identified in PE resource (20 events)
name RT_CURSOR language LANG_CHINESE offset 0x0002ded8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000000b4
name RT_CURSOR language LANG_CHINESE offset 0x0002ded8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000000b4
name RT_BITMAP language LANG_CHINESE offset 0x0002e8b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000144
name RT_BITMAP language LANG_CHINESE offset 0x0002e8b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000144
name RT_BITMAP language LANG_CHINESE offset 0x0002e8b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000144
name RT_BITMAP language LANG_CHINESE offset 0x0002e8b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000144
name RT_DIALOG language LANG_CHINESE offset 0x0002e5a0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000000e2
name RT_DIALOG language LANG_CHINESE offset 0x0002e5a0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000000e2
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_STRING language LANG_CHINESE offset 0x0002f2c8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_GROUP_CURSOR language LANG_CHINESE offset 0x0002df90 filetype Lotus unknown worksheet or configuration, revision 0x2 sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000022
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619948433.146429
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 6.9524728587499425 section {'size_of_data': '0x0000d000', 'virtual_address': '0x00023000', 'entropy': 6.9524728587499425, 'name': '.rsrc', 'virtual_size': '0x0000c2f0'} description A section with a high entropy has been found
entropy 0.30952380952380953 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process dda661911d82dd69d7064a82d0c93417.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619948432.802429
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 162.241.242.173
host 172.217.24.14
host 67.68.210.95
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619948435.724429
RegSetValueExA
key_handle: 0x0000039c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619948435.724429
RegSetValueExA
key_handle: 0x0000039c
value: ¾ Y_?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619948435.724429
RegSetValueExA
key_handle: 0x0000039c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619948435.724429
RegSetValueExW
key_handle: 0x0000039c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619948435.724429
RegSetValueExA
key_handle: 0x000003b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619948435.724429
RegSetValueExA
key_handle: 0x000003b4
value: ¾ Y_?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619948435.724429
RegSetValueExA
key_handle: 0x000003b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619948435.755429
RegSetValueExW
key_handle: 0x00000398
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 67.68.210.95:80
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34440715
FireEye Trojan.GenericKD.34440715
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Trojan.Emotet.Win32.27698
Sangfor Malware
CrowdStrike win/malicious_confidence_60% (W)
Alibaba Trojan:Win32/Emotet.63fec305
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D20D860B
Invincea Mal/Generic-R + Troj/Emotet-CMG
Cyren W32/Emotet.ARO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Banker.Win32.Emotet.gcvk
BitDefender Trojan.GenericKD.34440715
NANO-Antivirus Trojan.Win32.Emotet.htrxjl
Rising Trojan.Emotet!1.CB4C (CLASSIC)
Ad-Aware Trojan.GenericKD.34440715
TACHYON Banker/W32.Emotet.176128.BC
Emsisoft Trojan.Emotet (A)
Comodo Malware@#1f7mr3gkf19hg
F-Secure Trojan.TR/Kryptik.fpyec
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.THIOEBO
McAfee-GW-Edition BehavesLike.Win32.Emotet.ch
Sophos Troj/Emotet-CMG
Jiangmin Trojan.Banker.Emotet.ogk
Avira TR/Kryptik.fpyec
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.PED!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm Trojan-Banker.Win32.Emotet.gcvk
GData Trojan.GenericKD.34440715
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R349634
McAfee Emotet-FRZ!DDA661911D82
MAX malware (ai score=89)
VBA32 TrojanBanker.Emotet
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HFVD
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THIOEBO
Tencent Malware.Win32.Gencirc.10cdf982
Yandex Trojan.GenKryptik!
Ikarus Trojan-Banker.Emotet
Fortinet W32/Malicious_Behavior.VEX
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.

PE Compile Time

2020-08-29 00:13:19

Imports

Library KERNEL32.dll:
0x4170b0 RtlUnwind
0x4170b4 HeapAlloc
0x4170b8 GetStartupInfoA
0x4170bc GetCommandLineA
0x4170c0 ExitProcess
0x4170c4 RaiseException
0x4170c8 HeapFree
0x4170cc TerminateProcess
0x4170d0 HeapSize
0x4170d4 HeapReAlloc
0x4170d8 GetACP
0x4170dc HeapDestroy
0x4170e0 HeapCreate
0x4170e4 VirtualFree
0x4170e8 IsBadWritePtr
0x4170fc SetHandleCount
0x417100 GetStdHandle
0x417104 GetFileType
0x41710c LCMapStringA
0x417110 LCMapStringW
0x417114 GetStringTypeA
0x417118 GetStringTypeW
0x41711c IsBadReadPtr
0x417120 IsBadCodePtr
0x417124 SetStdHandle
0x417128 GetProfileStringA
0x41712c FlushFileBuffers
0x417130 SetFilePointer
0x417134 WriteFile
0x417138 GetCurrentProcess
0x41713c SetErrorMode
0x417140 SizeofResource
0x417148 GetOEMCP
0x41714c GetCPInfo
0x417150 GetProcessVersion
0x417154 GlobalFlags
0x417158 TlsGetValue
0x41715c LocalReAlloc
0x417160 TlsSetValue
0x417168 GlobalReAlloc
0x417170 TlsFree
0x417174 GlobalHandle
0x41717c TlsAlloc
0x417184 LocalFree
0x417188 LocalAlloc
0x41718c GetLastError
0x417190 GlobalFree
0x417194 CloseHandle
0x417198 GetModuleFileNameA
0x41719c GetProcAddress
0x4171a0 GlobalAlloc
0x4171a4 lstrcmpA
0x4171a8 GetCurrentThread
0x4171ac MultiByteToWideChar
0x4171b0 WideCharToMultiByte
0x4171b4 lstrlenA
0x4171c0 GlobalLock
0x4171c4 GlobalUnlock
0x4171c8 SetLastError
0x4171cc lstrcpynA
0x4171d0 MulDiv
0x4171d4 FindResourceA
0x4171d8 LoadResource
0x4171dc LockResource
0x4171e0 GetVersion
0x4171e4 lstrcatA
0x4171e8 GetCurrentThreadId
0x4171ec GlobalGetAtomNameA
0x4171f0 lstrcmpiA
0x4171f4 GlobalAddAtomA
0x4171f8 GlobalFindAtomA
0x4171fc GlobalDeleteAtom
0x417200 lstrcpyA
0x417204 GetModuleHandleA
0x417208 VirtualAlloc
0x41720c LoadLibraryW
0x417210 FreeLibrary
0x417214 LoadLibraryA
Library USER32.dll:
0x417220 ModifyMenuA
0x417224 GetMenuState
0x417228 LoadBitmapA
0x417230 InflateRect
0x417234 ReleaseDC
0x417238 GetDC
0x41723c ClientToScreen
0x417240 GetWindowDC
0x417244 BeginPaint
0x417248 EndPaint
0x41724c TabbedTextOutA
0x417250 DrawTextA
0x417254 GrayStringA
0x417258 PostQuitMessage
0x41725c SetCursor
0x417260 GetCursorPos
0x417264 ValidateRect
0x417268 GetActiveWindow
0x41726c TranslateMessage
0x417270 GetMessageA
0x417278 EndDialog
0x41727c GetClassNameA
0x417280 PtInRect
0x417284 LoadCursorA
0x417288 GetSysColorBrush
0x41728c DestroyMenu
0x417290 LoadStringA
0x417294 InvalidateRect
0x417298 ShowWindow
0x41729c SetWindowTextA
0x4172a0 IsDialogMessageA
0x4172a4 PostMessageA
0x4172a8 UpdateWindow
0x4172ac SendDlgItemMessageA
0x4172b0 MapWindowPoints
0x4172b4 PeekMessageA
0x4172b8 DispatchMessageA
0x4172bc SetMenuItemBitmaps
0x4172c0 SetActiveWindow
0x4172c4 IsWindow
0x4172c8 SetFocus
0x4172cc AdjustWindowRectEx
0x4172d0 ScreenToClient
0x4172d4 CopyRect
0x4172d8 IsWindowVisible
0x4172dc GetTopWindow
0x4172e0 MessageBoxA
0x4172e4 GetParent
0x4172e8 GetCapture
0x4172ec WinHelpA
0x4172f0 wsprintfA
0x4172f4 GetClassInfoA
0x4172f8 RegisterClassA
0x4172fc GetMenu
0x417300 GetMenuItemCount
0x417304 GetSubMenu
0x417308 GetMenuItemID
0x41730c GetDlgItem
0x417314 GetWindowTextA
0x417318 GetDlgCtrlID
0x41731c GetKeyState
0x417320 DefWindowProcA
0x417324 DestroyWindow
0x417328 CreateWindowExA
0x41732c SetWindowsHookExA
0x417330 CallNextHookEx
0x417334 GetClassLongA
0x417338 SetPropA
0x41733c UnhookWindowsHookEx
0x417340 GetPropA
0x417344 CallWindowProcA
0x417348 RemovePropA
0x41734c GetMessageTime
0x417350 GetMessagePos
0x417354 GetLastActivePopup
0x417358 GetForegroundWindow
0x41735c SetForegroundWindow
0x417360 GetWindow
0x417364 GetWindowLongA
0x417368 SetWindowLongA
0x41736c SetWindowPos
0x417370 GetSysColor
0x417374 RedrawWindow
0x417378 GetWindowRect
0x41737c UnregisterClassA
0x417380 HideCaret
0x417384 ShowCaret
0x41738c OffsetRect
0x417390 IntersectRect
0x417398 GetWindowPlacement
0x41739c IsIconic
0x4173a0 GetSystemMetrics
0x4173a4 GetClientRect
0x4173a8 DrawIcon
0x4173ac CheckMenuItem
0x4173b0 EnableMenuItem
0x4173b4 GetNextDlgTabItem
0x4173b8 GetFocus
0x4173bc IsWindowEnabled
0x4173c0 SendMessageA
0x4173c4 LoadIconA
0x4173c8 EnableWindow
0x4173cc IsWindowUnicode
0x4173d0 CharNextA
0x4173d4 DefDlgProcA
0x4173d8 DrawFocusRect
0x4173dc ExcludeUpdateRgn
Library GDI32.dll:
0x41701c PatBlt
0x417020 ExtTextOutA
0x417024 DeleteDC
0x417028 SaveDC
0x41702c RestoreDC
0x417030 SelectObject
0x417034 GetStockObject
0x417038 SetBkMode
0x41703c SetMapMode
0x417040 SetViewportOrgEx
0x417044 OffsetViewportOrgEx
0x417048 SetViewportExtEx
0x41704c ScaleViewportExtEx
0x417050 SetWindowExtEx
0x417054 ScaleWindowExtEx
0x417058 IntersectClipRect
0x41705c DeleteObject
0x417060 MoveToEx
0x417064 LineTo
0x417068 CreateSolidBrush
0x41706c PtVisible
0x417070 RectVisible
0x417074 TextOutA
0x417078 Escape
0x41707c GetDeviceCaps
0x417080 CreateBitmap
0x417084 GetObjectA
0x417088 SetBkColor
0x41708c SetTextColor
0x417090 GetClipBox
0x417094 CreatePen
0x417098 CreateDIBitmap
0x41709c GetTextExtentPointA
0x4170a0 BitBlt
0x4170a4 CreateCompatibleDC
0x4170a8 Polygon
Library WINSPOOL.DRV:
0x4173e4 DocumentPropertiesA
0x4173e8 ClosePrinter
0x4173ec OpenPrinterA
Library ADVAPI32.dll:
0x417000 RegSetValueExA
0x417004 RegCloseKey
0x417008 RegOpenKeyExA
0x41700c RegCreateKeyExA
Library COMCTL32.dll:
0x417014

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.