
Analysis Report 26m2r5af2Z

Overview

General Information

Sample Name: 26m2r5af2Z (renamed file extension from none to exe)
MD5: fac223dc0f2411ca13d665e87062d5e9
SHA1: 800d7eacbc3887f736ed2de3a79dba2900356f84
SHA256: f4e8bb7744c69035652a8a6cce441e0fe649c2b770444889e73ebf59efcde2e7

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Query firmware table information (likely to detect VMs)
Contains functionality locales information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 26m2r5af2Z.exe (PID: 5256 cmdline: 'C:\Users\user\Desktop\26m2r5af2Z.exe' MD5: FAC223DC0F2411CA13D665E87062D5E9)
    • JavaScriptCollectionAgent.exe (PID: 5312 cmdline: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe MD5: FAC223DC0F2411CA13D665E87062D5E9)
  • svchost.exe (PID: 4968 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["181.92.244.156/k1wKwudd9qVGkzP"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.2487716761.0000000000541000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.783755382.00000000004A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.783780669.00000000004B1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.2487669112.0000000000530000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: JavaScriptCollectionAgent.exe.5312.1.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["181.92.244.156/k1wKwudd9qVGkzP"]}
Multi AV Scanner detection for submitted file
Source: 26m2r5af2Z.exe | Virustotal: Detection: 18%

Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_005420D0 CryptDecodeObjectEx
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_005420E8 CryptDecodeObjectEx

Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004B3030 FindNextFileW,FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA

Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected:
    POST /k1wKwudd9qVGkzPa7/5H2A/ HTTP/1.1
    Referer: http://181.92.244.156/k1wKwudd9qVGkzPa7/5H2A/
    Content-Type: multipart/form-data; boundary=---------------------------820502026808580
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 181.92.244.156
    Content-Length: 4644
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 181.92.244.156 (reported 13 times)
Source: unknown | HTTP traffic detected: POST /k1wKwudd9qVGkzPa7/5H2A/ HTTP/1.1 (same request and headers as the global traffic entry above)
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2487186277.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://181.92.244.156/k1wKwudd9qVGkzPa7/5H2A/
Source: svchost.exe, 00000004.00000002.2487698488.0000017FC6229000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.2488055132.0000017FC6B1E000.00000004.00000001.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.4.dr | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd

Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0041C29F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0041E6F7 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_00423F01 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_00423F16 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0041C29F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0041E6F7 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00423F01 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00423F16 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.2487716761.0000000000541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783755382.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783780669.00000000004B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2487669112.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\26m2r5af2Z.exe | File created: C:\Windows\SysWOW64\JavaScriptCollectionAgent\
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | File deleted: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe:Zone.Identifier
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0041B1A3
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004A521F
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004B58E0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0041B1A3
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0053521F
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_005458E0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: String function: 0040BC30 appears 90 times
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: String function: 0040BCE0 appears 43 times
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: String function: 0040BC30 appears 90 times
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: String function: 0040BCE0 appears 43 times
Source: 26m2r5af2Z.exe, 00000000.00000002.786386207.0000000002FC0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 26m2r5af2Z.exe
Source: 26m2r5af2Z.exe, 00000000.00000002.786386207.0000000002FC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 26m2r5af2Z.exe
Source: 26m2r5af2Z.exe, 00000000.00000002.784457048.0000000002270000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 26m2r5af2Z.exe
Source: classification engine | Classification label: mal76.troj.evad.winEXE@4/1@0/1
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00544170 Process32NextW,CreateToolhelp32Snapshot,FindCloseChangeNotification
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0040A80A __EH_prolog,LoadLibraryExW,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,GetCurrentProcess,VirtualAllocExNuma
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M55B61B38
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I55B61B38
Source: 26m2r5af2Z.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 26m2r5af2Z.exe | Virustotal: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\26m2r5af2Z.exe 'C:\Users\user\Desktop\26m2r5af2Z.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Process created: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: 26m2r5af2Z.exe | Static PE information: section names: RT_CURSOR, RT_BITMAP, RT_ICON, RT_MENU, RT_DIALOG, RT_STRING, RT_ACCELERATOR, RT_GROUP_ICON

Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_00410AA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0040BC30 push eax; ret
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0040BD40 push eax; ret
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004A93A7 push 00000071h; iretd
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0040BC30 push eax; ret
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0040BD40 push eax; ret
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_005393A7 push 00000071h; iretd

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Executable created and started: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | PE file moved: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | File opened: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_00420ADD GetParent,GetParent,GetParent,IsIconic
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_00423FBE IsWindowVisible,IsIconic
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00420ADD GetParent,GetParent,GetParent,IsIconic
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00423FBE IsWindowVisible,IsIconic
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Process information set: NOOPENFILEERRORBOX (reported 5 times)

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004B3030 FindNextFileW,FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_00410AA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004A0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004A3BDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004A2E6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004B42A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004B3530 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00530467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00533BDF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00532E6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_005442A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_00543530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0040F620 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_0040F640 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0040F620 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: 1_2_0040F640 SetUnhandledExceptionFilter

Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Queries volume information: C:\ VolumeInformation (reported 7 times)
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Queries volume information: C:\ VolumeInformation (reported 6 times)
Source: C:\Users\user\Desktop\26m2r5af2Z.exe | Code function: 0_2_004252DD GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.2487716761.0000000000541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783755382.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783780669.00000000004B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2487669112.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

The original matrix has one column per tactic; it is listed here by tactic. A number in parentheses is the match count the report shows next to that technique; techniques without a number were not matched in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Process Injection (2); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading (12); Hidden Files and Directories (1); Virtualization/Sandbox Evasion (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); File Deletion (1); Obfuscated Files or Information (2)
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (3); Application Window Discovery (1); Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (24); Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (2); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (11); Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

(behavior graph image and its legend not included in this text version)

Screenshots

(screenshot thumbnails not included in this text version)