6.6
高危
45 个模型检测该样本为恶意!
重新分析
更多

4ca30cbe9d94646c3461d37de278743499b68ea53d222b13c351f58ef073002c

e2890df484d0c792a422a31f4214c378.exe

分析耗时

98s

最近分析

文件大小

303.0KB
静态报毒 动态报毒 100% 15ZWA9Z AEXSYHWUVEA AI SCORE=80 ATTRIBUTE AUSL BSCOPE CLASSIC CONFIDENCE ELDORADO EMOTET EMOTETPMF EMVXZ GCPE GENCIRC GENERICKDZ GENETIC HIGH CONFIDENCE HIGHCONFIDENCE HTCTPL KRYPTIK MALWARE@#3KE4KAKLXFK07 PLUROXMTD R + TROJ R349415 S15684563 SYY@A8ZA4ZLI TROJANBANKER ZENPAK ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Emotet.55ea3a09 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Tencent Malware.Win32.Gencirc.10cdf578 20201023 1.0.0.1
Kingsoft 20201023 2013.8.14.323
McAfee Emotet-FRX!E2890DF484D0 20201023 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619967383.32475
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 个事件)
Time & API Arguments Status Return Repeated
1619967367.40275
CryptGenKey
crypto_handle: 0x005ae480
algorithm_identifier: 0x0000660e ()
provider_handle: 0x005ad688
flags: 1
key: fo S[=Ô|ʇEî·K:
success 1 0
1619967383.34075
CryptExportKey
crypto_handle: 0x005ae480
crypto_export_handle: 0x005ad648
buffer: f¤Måâ»Úâ\(C$¢âyú]'÷»Øx5-õôÞdӀºøêâeßaÀ±d+’¶¨0ô’ÝËÓ*¦Ãô+Eމ ©bP`õàbå'ó|&ž—øópèH’É7E¾ŸÌ„N
blob_type: 1
flags: 64
success 1 0
1619967411.32475
CryptExportKey
crypto_handle: 0x005ae480
crypto_export_handle: 0x005ad648
buffer: f¤Ån‚ffÖ h¬hêïLíС PK3MÇT¬o¬×ZXúZ¯vúõÃi0„³]|_G_1F¨ukƒÓHrå ¯™ywøŠ5l‘ø¡Õ…ØçÕ?^)«ýéîX
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer InstallShield 2000
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1619967366.40275
NtAllocateVirtualMemory
process_identifier: 1108
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619967384.90275
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process e2890df484d0c792a422a31f4214c378.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619967383.62175
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 71.197.211.156
host 87.118.70.45
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619967387.48175
RegSetValueExA
key_handle: 0x00000374
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619967387.48175
RegSetValueExA
key_handle: 0x00000374
value: ¤'X?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619967387.48175
RegSetValueExA
key_handle: 0x00000374
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619967387.48175
RegSetValueExW
key_handle: 0x00000374
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619967387.48175
RegSetValueExA
key_handle: 0x0000038c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619967387.48175
RegSetValueExA
key_handle: 0x0000038c
value: ¤'X?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619967387.48175
RegSetValueExA
key_handle: 0x0000038c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619967387.49675
RegSetValueExW
key_handle: 0x00000370
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 个事件)
Bkav W32.PluroxMTD.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69752
FireEye Generic.mg.e2890df484d0c792
CAT-QuickHeal Trojan.EmotetPMF.S15684563
ALYac Trojan.Agent.Emotet
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.55ea3a09
K7GW Riskware ( 0040eff71 )
BitDefenderTheta Gen:NN.ZexaF.34570.syY@a8za4zli
Cyren W32/Emotet.ARG.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Banker.Win32.Emotet.gcpe
BitDefender Trojan.GenericKDZ.69752
NANO-Antivirus Trojan.Win32.Emotet.htctpl
AegisLab Trojan.Win32.Emotet.L!c
Tencent Malware.Win32.Gencirc.10cdf578
Ad-Aware Trojan.GenericKDZ.69752
Comodo Malware@#3ke4kaklxfk07
DrWeb Trojan.Emotet.1006
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/Emotet-CLU
McAfee-GW-Edition BehavesLike.Win32.Emotet.fm
Sophos Troj/Emotet-CLU
Ikarus Trojan-Banker.Emotet
Jiangmin Trojan.Banker.Emotet.ofp
Avira TR/Kryptik.emvxz
Microsoft Trojan:Win32/Emotet.ARJ!MTB
ViRobot Trojan.Win32.Emotet.300032.A
ZoneAlarm Trojan-Banker.Win32.Emotet.gcpe
GData Win32.Trojan.PSE.15ZWA9Z
TACHYON Banker/W32.Emotet.310272
AhnLab-V3 Trojan/Win32.RL_Emotet.R349415
McAfee Emotet-FRX!E2890DF484D0
MAX malware (ai score=80)
VBA32 BScope.TrojanBanker.Emotet
ESET-NOD32 Win32/Emotet.CD
Rising Trojan.Emotet!1.CB4A (CLASSIC)
Yandex Trojan.Emotet!AEXsYHWuVEA
Fortinet W32/Zenpak.AUSL!tr
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Win32/Trojan.ee5
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 71.197.211.156:80
dead_host 87.118.70.45:8080
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-27 00:39:32

Imports

Library KERNEL32.dll:
0x4321d4 GetLastError
0x4321d8 VirtualAlloc
0x4321dc ExitProcess
0x4321e0 GetStringTypeW
0x4321e4 GetStringTypeA
0x4321ec CompareStringW
0x4321f0 CompareStringA
0x4321f4 MultiByteToWideChar
0x4321f8 FindFirstFileA
0x4321fc FindNextFileA
0x432200 FindClose
0x43220c HeapFree
0x432210 RtlUnwind
0x432214 HeapAlloc
0x432218 GetModuleHandleA
0x43221c GetStartupInfoA
0x432220 GetCommandLineA
0x432224 GetVersion
0x432228 RaiseException
0x43222c TerminateProcess
0x432230 GetCurrentProcess
0x432234 CloseHandle
0x432238 SetFilePointer
0x43223c SetHandleCount
0x432240 GetStdHandle
0x432244 GetFileType
0x432248 WriteFile
0x432250 ReadFile
0x432254 GetFileAttributesA
0x432258 HeapDestroy
0x43225c HeapCreate
0x432260 VirtualFree
0x432264 HeapReAlloc
0x432268 HeapSize
0x43226c WideCharToMultiByte
0x432270 LCMapStringA
0x432274 LCMapStringW
0x43227c GetModuleFileNameA
0x432290 GetCPInfo
0x432294 GetACP
0x432298 GetOEMCP
0x43229c FlushFileBuffers
0x4322a4 SetStdHandle
0x4322a8 CreateFileA
0x4322ac GetExitCodeProcess
0x4322b0 WaitForSingleObject
0x4322b4 CreateProcessA
0x4322b8 IsBadReadPtr
0x4322bc IsBadWritePtr
0x4322c0 IsBadCodePtr
0x4322c4 GetProcAddress
0x4322c8 LoadLibraryA
0x4322cc SetEndOfFile
Library USER32.dll:
0x432330 SendMessageA
0x432334 InSendMessage
0x432338 CreateWindowExA
0x43233c ShowWindow

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.