
Analysis Report OGa0dC4QVI

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 216485
Start date: 19.03.2020
Start time: 12:15:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: OGa0dC4QVI (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.evad.winEXE@3/0@0/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 50.7% (good quality ratio 23.5%)
  • Quality average: 36.8%
  • Quality standard deviation: 42.4%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): WMIADAP.exe
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/216485/sample/OGa0dC4QVI.exe
  • Timeout during Intezer genetic analysis for unpackpe/0.2.OGa0dC4QVI.exe.470000.1.unpack

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 92 | 0 - 100 | | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

None of the HTTP servers contacted by the sample answered. The sample is likely an old dropper whose infrastructure no longer works.



Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the signature count the report attaches to that technique.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (11); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Process Injection (2); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading (12); Hidden Files and Directories (1); Software Packing (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); File Deletion (1); Obfuscated Files or Information (2)
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Process Discovery (3); Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (1); Uncommonly Used Port (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (11); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for sample
Source: OGa0dC4QVI.exe | Avira: detection malicious, Label: HEUR/AGEN.1046856
Found malware configuration
Source: Microsoft.Bluetooth.Proxy.exe.2288.1.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["95.6.84.189/9WPXPGjefBrSA4s", "198.58.119.85/avufuRyr", "198.58.119.85:8080", "113.193.29.98/h8EPWT99bJKY50V"]}
Multi AV Scanner detection for submitted file
Source: OGa0dC4QVI.exe | Virustotal: Detection: 64%
Source: OGa0dC4QVI.exe | ReversingLabs: Detection: 80%
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.Microsoft.Bluetooth.Proxy.exe.400000.0.unpack | Avira: Label: TR/Kryptik.xxmrs
Source: 0.0.OGa0dC4QVI.exe.400000.0.unpack | Avira: Label: TR/Kryptik.xxmrs

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A73030 FindNextFileW,FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.5:49749 -> 113.193.29.98:80
Source: Traffic | Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.5:49750 -> 95.6.84.189:80
Source: Traffic | Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.5:49751 -> 198.58.119.85:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 198.58.119.85:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic | TCP traffic: 192.168.2.5:49749 -> 113.193.29.98:80
Source: global traffic | TCP traffic: 192.168.2.5:49750 -> 95.6.84.189:80
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    POST /avufuRyr/A29W2D/EznOnxZsFrO/CDyT/cPZImXPTtFsqlrjf0h/ HTTP/1.1
    Referer: http://198.58.119.85/avufuRyr/A29W2D/EznOnxZsFrO/CDyT/cPZImXPTtFsqlrjf0h/
    Content-Type: multipart/form-data; boundary=---------------------------531015067015255
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 198.58.119.85:8080
    Content-Length: 4644
    Connection: Keep-Alive
    Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 113.193.29.98
Source: unknown | TCP traffic detected without corresponding DNS query: 113.193.29.98
Source: unknown | TCP traffic detected without corresponding DNS query: 113.193.29.98
Source: unknown | TCP traffic detected without corresponding DNS query: 95.6.84.189
Source: unknown | TCP traffic detected without corresponding DNS query: 95.6.84.189
Source: unknown | TCP traffic detected without corresponding DNS query: 95.6.84.189
Source: unknown | TCP traffic detected without corresponding DNS query: 198.58.119.85
Source: unknown | TCP traffic detected without corresponding DNS query: 198.58.119.85
Source: unknown | TCP traffic detected without corresponding DNS query: 198.58.119.85
Source: unknown | TCP traffic detected without corresponding DNS query: 198.58.119.85
Source: unknown | TCP traffic detected without corresponding DNS query: 198.58.119.85
Source: unknown | TCP traffic detected without corresponding DNS query: 198.58.119.85
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /avufuRyr/A29W2D/EznOnxZsFrO/CDyT/cPZImXPTtFsqlrjf0h/ HTTP/1.1
    Referer: http://198.58.119.85/avufuRyr/A29W2D/EznOnxZsFrO/CDyT/cPZImXPTtFsqlrjf0h/
    Content-Type: multipart/form-data; boundary=---------------------------531015067015255
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 198.58.119.85:8080
    Content-Length: 4644
    Connection: Keep-Alive
    Cache-Control: no-cache
Urls found in memory or binary data
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp | String found in binary or memory: http://113.193.29.98/h8EPWT99bJKY50Vmq/XdvhKAcsAuPBZKj/
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp, Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1159617037.000000000018E000.00000004.00000001.sdmp | String found in binary or memory: http://198.58.119.85/avufuRyr/A29W2D/EznOnxZsFrO/CDyT/cPZImXPTtFsqlrjf0h/
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp | String found in binary or memory: http://198.58.119.85:8080/avufuRyr/A29W2D/EznOnxZsFrO/CDyT/cPZImXPTtFsqlrjf0h/
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp | String found in binary or memory: http://95.6.84.189/9WPXPGjefBrSA4sqgDd/HOuh/bD6GBA/LUki1j/b9jciYWg1gOAaUM/VqzQ/
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp | String found in binary or memory: http://95.6.84.189/9WPXPGjefBrSA4sqgDd/HOuh/bD6GBA/LUki1j/b9jciYWg1gOAaUM/VqzQ/5

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.774209796.0000000000A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774177979.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1160213516.0000000000671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1160179016.0000000000660000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | File created: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | File deleted: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A6521F
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A758E0
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_0066521F
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_006758E0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: String function: 00408270 appears 36 times
PE file contains strange resources
Source: OGa0dC4QVI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OGa0dC4QVI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OGa0dC4QVI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OGa0dC4QVI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: OGa0dC4QVI.exe, 00000000.00000002.776090178.0000000002E70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs OGa0dC4QVI.exe
Source: OGa0dC4QVI.exe, 00000000.00000002.776090178.0000000002E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OGa0dC4QVI.exe
Source: OGa0dC4QVI.exe, 00000000.00000000.734296835.000000000040D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamen Wednesday, China reported far fewer cases of the novel coronavirus vs OGa0dC4QVI.exe
Source: OGa0dC4QVI.exe, 00000000.00000002.773577714.0000000000470000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs OGa0dC4QVI.exe
Source: OGa0dC4QVI.exe, 00000000.00000002.775759109.0000000002D70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs OGa0dC4QVI.exe
Source: OGa0dC4QVI.exe | Binary or memory string: OriginalFilenamen Wednesday, China reported far fewer cases of the novel coronavirus vs OGa0dC4QVI.exe
Classification label
Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/0@0/3
Contains functionality to enum processes or threads
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_00674170 Process32NextW,CreateToolhelp32Snapshot
Creates mutexes
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M2A4F33C3
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I2A4F33C3
PE file has an executable .text section and no other executable section
Source: OGa0dC4QVI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: OGa0dC4QVI.exe | Virustotal: Detection: 64%
Source: OGa0dC4QVI.exe | ReversingLabs: Detection: 80%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\OGa0dC4QVI.exe 'C:\Users\user\Desktop\OGa0dC4QVI.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process created: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00402848 LoadLibraryW,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_004082C0 push eax; ret 0_2_004082EE

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Executable created and started: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | PE file moved: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | File opened: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_0-10817)
Checks the free space of harddrives
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A73030 FindNextFileW,FindFirstFileW
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160273074.00000000006A0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Queries a list of all running processes
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00402848 LoadLibraryW,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_004011FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A60467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A62E6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A63BDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A742A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Code function: 0_2_00A73530 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_00660467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_00662E6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_00663BDF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_00673530 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Code function: 1_2_006742A0 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160744547.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160744547.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160744547.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: Microsoft.Bluetooth.Proxy.exe, 00000001.00000002.1160744547.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Microsoft.Bluetooth.Proxy\Microsoft.Bluetooth.Proxy.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\OGa0dC4QVI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.774209796.0000000000A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774177979.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1160213516.0000000000671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1160179016.0000000000660000.00000040.00000001.sdmp, type: MEMORY

Malware Configuration

Threatname: Emotet

{"C2 list": ["95.6.84.189/9WPXPGjefBrSA4s", "198.58.119.85/avufuRyr", "198.58.119.85:8080", "113.193.29.98/h8EPWT99bJKY50V"]}

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
OGa0dC4QVI.exe | 64% | Virustotal |
OGa0dC4QVI.exe | 81% | ReversingLabs | Win32.Trojan.Emotet
OGa0dC4QVI.exe | 100% | Avira | HEUR/AGEN.1046856

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.OGa0dC4QVI.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046856
1.0.Microsoft.Bluetooth.Proxy.exe.400000.0.unpack | 100% | Avira | TR/Kryptik.xxmrs
0.0.OGa0dC4QVI.exe.400000.0.unpack | 100% | Avira | TR/Kryptik.xxmrs
1.2.Microsoft.Bluetooth.Proxy.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046856

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://113.193.29.98/h8EPWT99bJKY50Vmq/XdvhKAcsAuPBZKj/ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.774209796.0000000000A71000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.774177979.0000000000A60000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.1160213516.0000000000671000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.1160179016.0000000000660000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: unknown

Associated Sample Name / URL | Detection | Context
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft.e.vailresorts.com%2Fr%2F%3Fid%3Dh136d0d7a%2C40a0676%2C40a3cb9%26p1%3Ds0na.blob.core.windows.net%252Fbhu%252FXp2.html%2523YnJldHQud29sbGVuQHZ5YWlyZS5jb20%3D&data=02%7C01%7CGMB-GLB-Phishing%40vyaire.com%7C53dd4ab2e44f427fbf0d08d7cbee0d30%7C67cf4ad46a1a4a019dfeaf94c1adbc07%7C0%7C0%7C637202095592205657&sdata=VajxY34sWJ%2FgjNyjauh9wFBU4qqN8XgEXXAl6c9voGM%3D&reserved=0 | malicious | 52.239.232.36
F-A Payment 20-26 force.xlsx | malicious | 127.0.0.1
DOC Q0017 - 3512C.html | malicious | 23.253.181.252
CCF202018038477.html | malicious | 52.87.111.218
job_attach_c9v.js | malicious | 8.209.72.245
http://www.is-two.biz/ | malicious | 195.22.26.248
xYwmyCik8i.doc | malicious | 52.114.6.46
AML_Presentation_March_2020_pdf.jar | malicious | 79.143.87.146
AML_Presentation_March_2020_pdf.jar | malicious | 79.143.87.146
DAWOOENC LNG RFQ PACKAGEDOCUMENTS.exe | malicious | 52.213.114.86
COVID 19 Relief.doc | malicious | 209.141.54.161
https://bjru.us17.list-manage.com/track/click?u=05866771f816c6ee662dd8649&id=501ae5cfeb&e=6668efedce | malicious | 13.224.96.50
eCzadGXtGI.exe | malicious | 31.44.184.50
VOUCHER Kontik.ppam | malicious | 186.243.111.60
VOUCHER Kontik.ppam | malicious | 186.243.111.60
Christmass.exe | malicious | 192.168.2.232
Doc n#U00b058357_202003186781.xls | malicious | 47.252.85.163
Nova Launcher_v6.2.9_apkpure.com.apk | malicious | 172.217.23.194
18.js | malicious | 104.41.56.12
AgentSetup-Rivo.exe | malicious | 127.0.0.1

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
