
Analysis Report VYHauUUCLr.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 181833
Start date: 10.10.2019
Start time: 04:17:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: VYHauUUCLr.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.bank.troj.evad.winEXE@6/0@0/9
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 39.4% (good quality ratio 37.2%)
  • Quality average: 76.6%
  • Quality standard deviation: 27.4%
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 65
  • Number of non-executed functions: 226
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range      Reporting   Whitelisted   Threat   Detection
Threshold   96      0 - 100                false         Emotet   malicious

Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification

Analysis Advice

  • Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
  • Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access: Valid Accounts 1; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Service Execution 2; Execution through API 1; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Valid Accounts 1; Modify Existing Service 11; New Service 12; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Valid Accounts 1; Access Token Manipulation 1; New Service 12; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading 2; Valid Accounts 1; Access Token Manipulation 1; File Deletion 1; Obfuscated Files or Information 1; DLL Side-Loading 1; Software Packing
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery 1; Query Registry 1; Process Discovery 2; Security Software Discovery 3; System Service Discovery 1; File and Directory Discovery 2; System Information Discovery 32
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted 12; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Uncommonly Used Port 11; Standard Cryptographic Protocol 22; Remote File Copy 1; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 12; Commonly Used Port; Uncommonly Used Port

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: http://192.254.173.31:8080/forced/forced/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
  • Source: https://80.79.23.144:443/iab/ | Virustotal: Detection: 14%
  • Source: http://67.225.229.55/bml/ | Virustotal: Detection: 11%
Multi AV Scanner detection for submitted file
  • Source: VYHauUUCLr.exe | Virustotal: Detection: 10%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571F56 CryptGetHashParam
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571F11 CryptExportKey
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_0057207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00571F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00571F11 CryptExportKey
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00571FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00571F56 CryptGetHashParam
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_0057215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00401650 FindFirstFileA,FindClose
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00401470 memset,memset,memset,_splitpath,GetDriveTypeA,FindFirstFileA,FindClose
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00401650 FindFirstFileA,FindClose
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00401470 memset,memset,memset,_splitpath,GetDriveTypeA,FindFirstFileA,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic | Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.5:49719 -> 94.192.225.46:80
  • Source: Traffic | Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.5:49720 -> 80.11.163.139:443
  • Source: Traffic | Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.5:49724 -> 192.254.173.31:8080
  • Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.5:49725 -> 67.225.229.55:8080
Uses known network protocols on non-standard ports
  • Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 7080
  • Source: unknown | Network traffic detected: HTTP traffic on port 7080 -> 49721
Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 24.45.195.162:7080
  • Source: global traffic | TCP traffic: 192.168.2.5:49721 -> 133.167.80.63:7080
  • Source: global traffic | TCP traffic: 192.168.2.5:49722 -> 198.199.114.69:8080
  • Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 67.225.229.55:8080
IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 80.11.163.139
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View | ASN Name: unknown
Uses a known web browser user agent for HTTP communication
  • Source: global traffic | HTTP traffic detected: POST /prov/child/xian/ HTTP/1.1 | Referer: http://133.167.80.63/prov/child/xian/ | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 133.167.80.63:7080 | Content-Length: 619 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: (hex-encoded request body not reproduced)
  • Source: global traffic | HTTP traffic detected: POST /badge/report/xian/ HTTP/1.1 | Referer: http://198.199.114.69/badge/report/xian/ | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 198.199.114.69:8080 | Content-Length: 609 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: (hex-encoded request body not reproduced)
  • Source: global traffic | HTTP traffic detected: POST /iab/ HTTP/1.1 | Referer: http://80.79.23.144/iab/ | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 80.79.23.144:443 | Content-Length: 613 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: (hex-encoded request body not reproduced)
  • Source: global traffic | HTTP traffic detected: POST /forced/forced/ HTTP/1.1 | Referer: http://192.254.173.31/forced/forced/ | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 192.254.173.31:8080 | Content-Length: 610 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: (hex-encoded request body not reproduced)
  • Source: global traffic | HTTP traffic detected: POST /bml/ HTTP/1.1 | Referer: http://67.225.229.55/bml/ | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 67.225.229.55:8080 | Content-Length: 605 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: (hex-encoded request body not reproduced)
Connects to IPs without corresponding DNS lookups
Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00402D40 recv,recv,memcpy,strstr,strstr,strstr
Posts data to webserver
  • Source: unknown | HTTP traffic detected: POST /prov/child/xian/ HTTP/1.1 | Referer: http://133.167.80.63/prov/child/xian/ | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 133.167.80.63:7080 | Content-Length: 619 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: (hex-encoded request body not reproduced)
Urls found in memory or binary data
  • Source: magnifymspterm.exe, 00000004.00000002.2143877771.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://67.225.229.55/bml/
  • Source: VYHauUUCLr.exe | String found in binary or memory: http://www.monkeyheadsoftware.com/default.asp?app=Y
  • Source: VYHauUUCLr.exe | String found in binary or memory: http://www.monkeyheadsoftware.com/default.asp?app=YYou
  • Source: VYHauUUCLr.exe | String found in binary or memory: http://www.monkeyheadsoftware.com?psc=Y
  • Source: VYHauUUCLr.exe | String found in binary or memory: http://www.monkeyheadsoftware.com?psc=YStatus:
  • Source: VYHauUUCLr.exe | String found in binary or memory: http://www.somehost.com:8000/stream/1011)
  • Source: VYHauUUCLr.exe | String found in binary or memory: http://www.somehost.com:8000/stream/1011)You
Uses HTTPS
  • Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

E-Banking Fraud:

Detected Emotet e-Banking trojan
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057C2E2
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_0057C2E2

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00571F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Contains functionality to delete services
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057C4AE GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571D2B CreateProcessAsUserW,CreateProcessW
Creates files inside the system directory
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Creates mutexes
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Mutant created: \BaseNamedObjects\Global\I3C4E0000
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
Deletes files inside the Windows folder
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | File deleted: C:\Windows\SysWOW64\magnifymspterm.exe:Zone.Identifier
Detected potential crypto function
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001E28C1
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001E30E8
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001E30E4
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001F28C1
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001F30E8
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001F30E4
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00572F82
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_005737A5
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_005737A9
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_007537A5
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_007537A9
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_00752F82
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E28C1
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E30E8
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E30E4
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00572F82
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_005737A5
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_005737A9
PE file contains strange resources
  • Source: VYHauUUCLr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: VYHauUUCLr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
  • Source: VYHauUUCLr.exe, 00000000.00000002.1728215034.000000000040D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMHMS.exe vs VYHauUUCLr.exe
  • Source: VYHauUUCLr.exe, 00000002.00000002.1769512284.0000000002990000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs VYHauUUCLr.exe
  • Source: VYHauUUCLr.exe, 00000002.00000002.1769512284.0000000002990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs VYHauUUCLr.exe
  • Source: VYHauUUCLr.exe, 00000002.00000002.1767823890.000000000040D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMHMS.exe vs VYHauUUCLr.exe
  • Source: VYHauUUCLr.exe, 00000002.00000002.1769191043.00000000028A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs VYHauUUCLr.exe
  • Source: VYHauUUCLr.exe | Binary or memory string: OriginalFilenameMHMS.exe vs VYHauUUCLr.exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Section loaded: wow64log.dll
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Section loaded: wow64log.dll
Yara signature match
  • Source: 00000002.00000002.1768138030.0000000000571000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000003.00000002.1764687904.0000000000751000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000000.00000002.1728147323.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000000.00000002.1728340281.00000000004A1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000003.00000002.1763857827.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000004.00000002.2144296448.0000000000571000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000004.00000002.2143897914.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000002.00000002.1767689328.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Classification label
  • Source: classification engine | Classification label: mal96.bank.troj.evad.winEXE@6/0@0/9
Contains functionality to create services
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057C57E OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_0057C57E OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Contains functionality to enumerate processes or threads
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to modify services (start/stop/modify)
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057C57E OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
PE file has an executable .text section and no other executable section
  • Source: VYHauUUCLr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | File read: C:\Users\desktop.ini
Reads software policies
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
  • Source: VYHauUUCLr.exe | Virustotal: Detection: 10%
Sample requires command line parameters (based on API chain)
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_3-2128
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\VYHauUUCLr.exe 'C:\Users\user\Desktop\VYHauUUCLr.exe'
  • Source: unknown | Process created: C:\Users\user\Desktop\VYHauUUCLr.exe --bb41076e
  • Source: unknown | Process created: C:\Windows\SysWOW64\magnifymspterm.exe C:\Windows\SysWOW64\magnifymspterm.exe
  • Source: unknown | Process created: C:\Windows\SysWOW64\magnifymspterm.exe --1447b0a7
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Process created: C:\Users\user\Desktop\VYHauUUCLr.exe --bb41076e
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process created: C:\Windows\SysWOW64\magnifymspterm.exe --1447b0a7
Uses an in-process (OLE) Automation server
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Uses new MSVCR Dlls
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057179C LoadLibraryA,GetProcAddress
PE file contains an invalid checksum
  • Source: VYHauUUCLr.exe | Static PE information: real checksum: 0xa5a84 should be: 0x98ae8
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00408371 push ecx; ret 0_2_00408384
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001EE01E push ecx; retf 0_2_001EE01F
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001EDC5A push edi; ret 0_2_001EDC7B
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001EE264 push eax; retf 0_2_001EE26B
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001EE0FE push ecx; retf 0_2_001EE0FF
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001EDFF0 push eax; retf 0_2_001EDFF3
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00408371 push ecx; ret 2_2_00408384
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001FE01E push ecx; retf 2_2_001FE01F
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001FDC5A push edi; ret 2_2_001FDC7B
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001FE264 push eax; retf 2_2_001FE26B
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001FE0FE push ecx; retf 2_2_001FE0FF
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001FDFF0 push eax; retf 2_2_001FDFF3
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001EE01E push ecx; retf 4_2_001EE01F
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001EDC5A push edi; ret 4_2_001EDC7B
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001EE264 push eax; retf 4_2_001EE26B
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001EE0FE push ecx; retf 4_2_001EE0FF
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001EDFF0 push eax; retf 4_2_001EDFF3

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
  • Source: C:\Windows\SysWOW64\magnifymspterm.exe | Executable created and started: C:\Windows\SysWOW64\magnifymspterm.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | PE file moved: C:\Windows\SysWOW64\magnifymspterm.exe
Contains functionality to read ini properties file for application configuration
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00401800 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA
  • Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00401800 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057C57E OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 2_2_0057C57E

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | File opened: C:\Windows\SysWOW64\magnifymspterm.exe:Zone.Identifier read attributes | delete
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 7080
Source: unknown | Network traffic detected: HTTP traffic on port 7080 -> 49721
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_3-2221
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_2-7002
Checks the free space of harddrives
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 2_2_0057C2E2
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 4_2_0057C2E2
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-5309
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | API coverage: 5.3 %
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API coverage: 7.1 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00401650 FindFirstFileA,FindClose, 0_2_00401650
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00401470 memset,memset,memset,_splitpath,GetDriveTypeA,FindFirstFileA,FindClose, 0_2_00401470
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00401650 FindFirstFileA,FindClose, 2_2_00401650
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00401470 memset,memset,memset,_splitpath,GetDriveTypeA,FindFirstFileA,FindClose, 2_2_00401470
Program exit points
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | API call chain: ExitProcess graph end node | graph_2-6946
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API call chain: ExitProcess graph end node | graph_3-2158
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API call chain: ExitProcess graph end node | graph_4-4560
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API call chain: ExitProcess graph end node | graph_4-4569
Queries a list of all running processes
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SysWOW64\magnifymspterm.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00407DDD IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00407DDD
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_0057179C LoadLibraryA,GetProcAddress, 2_2_0057179C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00403370 mov eax, dword ptr fs:[00000030h] 0_2_00403370
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001E0C0C mov eax, dword ptr fs:[00000030h] 0_2_001E0C0C
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001E0467 mov eax, dword ptr fs:[00000030h] 0_2_001E0467
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001E1743 mov eax, dword ptr fs:[00000030h] 0_2_001E1743
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00403370 mov eax, dword ptr fs:[00000030h] 2_2_00403370
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001F0C0C mov eax, dword ptr fs:[00000030h] 2_2_001F0C0C
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001F0467 mov eax, dword ptr fs:[00000030h] 2_2_001F0467
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_001F1743 mov eax, dword ptr fs:[00000030h] 2_2_001F1743
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00571E04 mov eax, dword ptr fs:[00000030h] 2_2_00571E04
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_005712CD mov eax, dword ptr fs:[00000030h] 2_2_005712CD
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_00751E04 mov eax, dword ptr fs:[00000030h] 3_2_00751E04
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_007512CD mov eax, dword ptr fs:[00000030h] 3_2_007512CD
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E0C0C mov eax, dword ptr fs:[00000030h] 4_2_001E0C0C
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E0467 mov eax, dword ptr fs:[00000030h] 4_2_001E0467
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1743 mov eax, dword ptr fs:[00000030h] 4_2_001E1743
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_00571E04 mov eax, dword ptr fs:[00000030h] 4_2_00571E04
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_005712CD mov eax, dword ptr fs:[00000030h] 4_2_005712CD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_005714F2 GetProcessHeap,RtlAllocateHeap, 2_2_005714F2
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_004080A5 SetUnhandledExceptionFilter, 0_2_004080A5
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_00407DDD IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00407DDD
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_004080A5 SetUnhandledExceptionFilter, 2_2_004080A5
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00407DDD IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_00407DDD

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_001EC637 cpuid 0_2_001EC637
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 0_2_004083D8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004083D8
Contains functionality to query windows version
Source: C:\Users\user\Desktop\VYHauUUCLr.exe | Code function: 2_2_00572398 RtlGetVersion,GetNativeSystemInfo, 2_2_00572398
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

(Graph image not included in this text extract. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
VYHauUUCLr.exe | 10% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://80.79.23.144:443/iab/ | 14% | Virustotal |
https://80.79.23.144:443/iab/ | 0% | Avira URL Cloud | safe
http://www.monkeyheadsoftware.com/default.asp?app=Y | 0% | Virustotal |
http://www.monkeyheadsoftware.com/default.asp?app=Y | 0% | Avira URL Cloud | safe
http://www.somehost.com:8000/stream/1011) | 0% | Avira URL Cloud | safe
http://133.167.80.63:7080/prov/child/xian/ | 0% | Avira URL Cloud | safe
http://67.225.229.55:8080/bml/ | 0% | Avira URL Cloud | safe
http://www.monkeyheadsoftware.com/default.asp?app=YYou | 0% | Avira URL Cloud | safe
http://192.254.173.31:8080/forced/forced/ | 100% | Avira URL Cloud | malware
http://67.225.229.55/bml/ | 11% | Virustotal |
http://67.225.229.55/bml/ | 0% | Avira URL Cloud | safe
http://www.monkeyheadsoftware.com?psc=YStatus: | 0% | Avira URL Cloud | safe
http://www.somehost.com:8000/stream/1011)You | 0% | Avira URL Cloud | safe
http://198.199.114.69:8080/badge/report/xian/ | 0% | Avira URL Cloud | safe
http://www.monkeyheadsoftware.com?psc=Y | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1768138030.0000000000571000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000003.00000002.1764687904.0000000000751000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000000.00000002.1728147323.00000000001E0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000000.00000002.1728340281.00000000004A1000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000003.00000002.1763857827.00000000001E0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.2144296448.0000000000571000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.2143897914.00000000001E0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000002.00000002.1767689328.00000000001F0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
198.199.114.69 | http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/ | malicious
  • 198.199.114.69:8080/jit/
198.199.114.69 | https://newwell.studio/test/DOC/NtnDpOmWbTdPEdBxrLyy/ | malicious
  • 198.199.114.69:8080/json/
80.11.163.139 | Inf_401618511914_40750550398.doc | malicious
  • 80.11.163.139:443/enabled/xian/jit/
80.11.163.139 | UNTITLED-859793-68333876.doc | malicious
  • 80.11.163.139:443/devices/add/xian/merge/
80.11.163.139 | UNTITLED-859793-68333876.doc | malicious
  • 80.11.163.139:443/sess/free/free/merge/
80.11.163.139 | UNTITLED-859793-68333876.doc | malicious
  • 80.11.163.139:443/entries/mult/jit/

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | shlprouter.exe | malicious
  • 80.79.23.144
unknown | http://dna789537.typeform.com | malicious
  • 104.18.27.190
unknown | http://click.icptrack.com/icp/relay.php?r=30000099&msgid=6080008&act=F00B&c=1778479&destination=https%3A%2F%2F091020191045.azureedge.net/test | malicious
  • 40.123.16.21
unknown | Profile Properties Project Proposal.pdf | malicious
  • 3.3.0.2
unknown | SCAN08364720 #45836(PDF).pdf.htm | malicious
  • 198.7.58.222
unknown | changing-american-families.pdf | malicious
  • 3.3.0.2
unknown | https://u12003579.ct.sendgrid.net/wf/click?upn=R2yM0As7GsE3XQjcHokWWmr-2Fyq3uiCrlMY5ruCa9nKaxFfGFz-2FjjhpS0-2FYdpAHxh1egTyYr1N1q4XZhNWqZk4Umg06FgNCQHC5yNWDEHQsk-3D_vi-2BtvAE60BrIVVVZJCsaxyggZGLEnqVa6oIzKHnRejyamXH1IDRGVPeo2oQQjVQ9bvGpEfU3DUUbYhrwFKqaBMF5-2BYefbRZpp74aIZEsqes7A7mylvp3hy0DCz5RytLeCI4z1EQ9SOI4MAxSK-2FBQxZUCwi6JVZedGt41M-2FN7ROKQ0ZDIgUI-2BDK-2BLtLYSq5VCGB8WrQ7uGhm3-2FmHhvbACf-2Fsatb5jD2FLlF40HsDez5lceL0bAFdFNG1BiieCqYUu | malicious
  • 52.222.173.95
unknown | https://mediasignonline.com/itelds/fire-3 | malicious
  • 74.120.188.204
unknown | https://omegavehicleservices.com/wp-includes/owa/owa.vcccd.edu.html | malicious
  • 72.47.244.96
unknown | https://voiceplaybackauth.z13.web.core.windows.net/ | malicious
  • 52.239.152.65
unknown | Fin-Report-xls-19.html | malicious
  • 143.95.80.178
unknown | https://mkjhelp.net//cgi--bin/PPDDF | malicious
  • 81.169.145.81
unknown | https://app.box.com/s/cbmjqykrzeazvzo4jv68i2g1dbqudg5q | malicious
  • 147.75.84.181
unknown | Physiotherapy Board Payment and Draft Proposal.pdf | malicious
  • 3.3.0.2
unknown | http://www.tamildbox.top | malicious
  • 34.98.67.61
unknown | https://annuragenmbiopro.com/@%23&%5e%5e%23&&%5e%23%25@$$@%25%25%23%5e%23%5e%23&%23%5e%23%25%5e%23&**$&%5e&*()(*&%5e%23(*&%5e$$@%25%25%23%5e%5e%25$%25%23%5e%25%23 | malicious
  • 104.206.225.200
unknown | https://claims-southhollandmanorhrc.org/adobe/email/security | malicious
  • 142.11.209.226
unknown | ACCESS IMPORTANT FILE.pdf | malicious
  • 3.3.0.2
unknown | https://devoslaan.top/one | malicious
  • 104.18.51.6
unknown | tiempo.apk | malicious
  • 204.236.227.23

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
