
Analysis Report E08ar33wan

Overview

General Information

Sample Name: E08ar33wan (renamed file extension from none to exe)
MD5: 1c33624bb4805ff432dc6f458be9b0a4
SHA1: 53685e4f5dc4d6935cf8af369395578444b1e9b1
SHA256: 546c604339d0285a8ef648f0e539d0c678fd78cb3b58a3f025010e17fd6dbf63

Detection

Threat: Emotet
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locale information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • E08ar33wan.exe (PID: 4752 cmdline: 'C:\Users\user\Desktop\E08ar33wan.exe' MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
    • E08ar33wan.exe (PID: 2692 cmdline: --83438383 MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
  • tranbackup.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\tranbackup.exe MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
    • tranbackup.exe (PID: 3052 cmdline: --15064f5f MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
  • cleanup
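The process tree above shows the two behaviours a detection engineer would key on: each binary re-launches its own image with a single argument of the form `--` followed by eight hex digits (`--83438383`, `--15064f5f`), and the copy dropped into C:\Windows\SysWOW64 has its Zone.Identifier stream removed (the "File deleted" entry in the System Summary below). The following Python is an added example, not part of the Joe Sandbox report: it encodes those two patterns as rules and runs them over constructed Sysmon-style events. The event layout (dicts with type/image/parent_image/cmdline/target keys) is an assumption of this example, the parents the report does not record are left empty, and the benign cmd.exe control event is constructed.

```python
"""Added example: two detections derived from the report's process tree and
file activity, evaluated over constructed Sysmon-style events.
The event dict layout is an assumption of this example, not a Joe Sandbox
or Sysmon schema."""
import re
from typing import Dict, List, Tuple

# Child argument seen in the report: '--83438383', '--15064f5f' (eight hex digits)
SELF_SPAWN_ARG = re.compile(r"^--[0-9a-f]{8}$", re.IGNORECASE)
# Zone.Identifier stream deleted from an .exe dropped below C:\Windows
ZONE_ID_DELETE = re.compile(r"^c:\\windows\\.*\.exe:zone\.identifier$", re.IGNORECASE)


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into [image, args...].
    Handles a quoted image path followed by whitespace-separated arguments,
    which is all the command lines in this report need (this is not a full
    CommandLineToArgvW reimplementation)."""
    cmdline = cmdline.strip()
    if cmdline and cmdline[0] in "'\"":
        end = cmdline.find(cmdline[0], 1)
        return [cmdline[1:end]] + cmdline[end + 1:].split()
    return cmdline.split()


def self_spawn_with_hex_arg(ev: Dict[str, str]) -> bool:
    """Process launched by its own image with exactly one '--XXXXXXXX' argument."""
    if ev.get("type") != "process_create":
        return False
    image = ev["image"].lower()
    if image != ev.get("parent_image", "").lower():
        return False
    args = split_cmdline(ev["cmdline"])
    if args and args[0].lower() == image:  # drop the image path if the log includes it
        args = args[1:]
    return len(args) == 1 and SELF_SPAWN_ARG.match(args[0]) is not None


def zone_identifier_stripped_under_windows(ev: Dict[str, str]) -> bool:
    """Deletion of the ':Zone.Identifier' alternate data stream on an .exe below C:\\Windows."""
    return ev.get("type") == "file_delete" and ZONE_ID_DELETE.match(ev["target"]) is not None


RULES = {
    "self_spawn_hex_arg": self_spawn_with_hex_arg,
    "zone_identifier_stripped": zone_identifier_stripped_under_windows,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, acting image) for every event that trips a rule."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events mirroring the report's tree; parents the report does not
# record are left empty. The cmd.exe event is a constructed benign control.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\user\Desktop\E08ar33wan.exe",
     "parent_image": "", "cmdline": r"'C:\Users\user\Desktop\E08ar33wan.exe'"},
    {"type": "process_create", "image": r"C:\Users\user\Desktop\E08ar33wan.exe",
     "parent_image": r"C:\Users\user\Desktop\E08ar33wan.exe", "cmdline": "--83438383"},
    {"type": "file_delete", "image": r"C:\Users\user\Desktop\E08ar33wan.exe",
     "target": r"C:\Windows\SysWOW64\tranbackup.exe:Zone.Identifier"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\tranbackup.exe",
     "parent_image": "", "cmdline": r"C:\Windows\SysWOW64\tranbackup.exe"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\tranbackup.exe",
     "parent_image": r"C:\Windows\SysWOW64\tranbackup.exe",
     "cmdline": r'"C:\Windows\SysWOW64\tranbackup.exe" --15064f5f'},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit)
```

The self-spawn rule deliberately requires the child to be the same image as the parent and to carry nothing but the hex token; a shell re-launching itself with ordinary arguments (the last constructed event) does not match, and the check on the ADS name is scoped to executables under C:\Windows so that ordinary unblocking of downloads in a user profile is not flagged.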

Malware Configuration

Threatname: Emotet

{"C2 list": ["216.98.148.181/chunk", "216.98.148.181:8080", "91.83.93.105:8080", "125.99.61.162:7080", "94.183.71.206/acquire", "94.183.71.206:7080"]}
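The extracted configuration mixes two entry forms: `ip/path` (a path prefix with no port) and `ip:port` (a port with no path). The URL strings later recovered from tranbackup.exe memory (http://216.98.148.181/chunk/, http://216.98.148.181:8080/chunk/, http://94.183.71.206/acquire/symbols/xian/ and so on) show both forms in use. The Python below is an added example, not part of the report: it normalises the list into host/port/path indicators, checks each observed URL against them, and emits Suricata rules for the C2 ports. Reading `ip/path` as a port-80 endpoint is an assumption that happens to agree with the observed URLs, and the SID range is a hypothetical local choice.

```python
"""Added example: normalise the Emotet C2 list from the report into
host/port/path indicators, reconcile them with the URLs seen in memory, and
emit Suricata rules. The 'ip/path' == port 80 reading and the SID range are
assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Extracted configuration, copied from the report
C2_LIST = ["216.98.148.181/chunk", "216.98.148.181:8080", "91.83.93.105:8080",
           "125.99.61.162:7080", "94.183.71.206/acquire", "94.183.71.206:7080"]

# URL strings found in tranbackup.exe memory in the report (trailing junk bytes removed)
OBSERVED_URLS = [
    "http://125.99.61.162:7080/enabled/usbccid/xian/merge/",
    "http://216.98.148.181/chunk/",
    "http://216.98.148.181:8080/chunk/",
    "http://91.83.93.105:8080/teapot/stubs/xian/merge/",
    "http://94.183.71.206/acquire/symbols/xian/",
    "http://94.183.71.206:7080/acquire/symbols/xian/",
]


@dataclass(frozen=True)
class C2Endpoint:
    host: str
    port: int
    path_prefix: Optional[str]  # None when the entry carries only a port


def parse_c2_entry(entry: str) -> C2Endpoint:
    """'ip/path' -> port 80 with a path prefix (assumption); 'ip:port' -> that port."""
    if "/" in entry:
        host, _, path = entry.partition("/")
        return C2Endpoint(host, 80, "/" + path)
    host, _, port = entry.partition(":")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"unrecognised C2 entry: {entry!r}")
    return C2Endpoint(host, int(port), None)


def parse_c2_list(entries: List[str]) -> List[C2Endpoint]:
    return [parse_c2_entry(e) for e in entries]


def matches_config(url: str, endpoints: List[C2Endpoint]) -> bool:
    """True if the URL's host, port and path are covered by some config entry."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return any(ep.host == u.hostname and ep.port == port
               and (ep.path_prefix is None or u.path.startswith(ep.path_prefix))
               for ep in endpoints)


def suricata_rules(endpoints: List[C2Endpoint], sid_base: int = 1000000) -> List[str]:
    """One rule per host:port; SIDs allocated from a local (hypothetical) range."""
    return [
        f'alert tcp $HOME_NET any -> {ep.host} {ep.port} '
        f'(msg:"Emotet C2 {ep.host}:{ep.port}"; flow:to_server,established; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, ep in enumerate(endpoints)
    ]


if __name__ == "__main__":
    endpoints = parse_c2_list(C2_LIST)
    for url in OBSERVED_URLS:
        print("covered" if matches_config(url, endpoints) else "NOT covered", url)
    print("\n".join(suricata_rules(endpoints)))
```

All six observed URLs reconcile with the six configuration entries. Note that the sandbox run itself only recorded connections to the 7080/8080 ports (see the TCP traffic lines further down); the two port-80 entries are still worth a rule, but expect them to fire more readily on unrelated traffic to those hosts.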

Yara Overview

Memory Dumps

Memory dump matches (source / rule / description / author / matched strings):

00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp
  Rule JoeSecurity_Emotet: Yara detected Emotet (Joe Security)
  Rule Emotet: Emotet Payload (kevoreilly)
    • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 29 02 85 C0
    • 0x50d4:$snippet6: 33 C0 21 05 5C 39 29 02 A3 58 39 29 02 39 05 90 03 29 02 74 18 40 A3 58 39 29 02 83 3C C5 90 03 ...
00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp
  Rule JoeSecurity_Emotet: Yara detected Emotet (Joe Security)
  Rule Emotet: Emotet Payload (kevoreilly)
    • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 22 02 85 C0
    • 0x50d4:$snippet6: 33 C0 21 05 5C 39 22 02 A3 58 39 22 02 39 05 90 03 22 02 74 18 40 A3 58 39 22 02 83 3C C5 90 03 ...
00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp
  Rule JoeSecurity_Emotet: Yara detected Emotet (Joe Security)
(11 entries in total; the remaining entries are not reproduced here.)
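The two `$snippet2` hits above differ only in the four bytes after `FF 15`: `58 17 29 02` in the dump based at 0x02281000 and `58 17 22 02` in the dump based at 0x02211000 (the same `29 02` / `22 02` shift recurs inside `$snippet6`). `FF 15 imm32` is an indirect `call dword ptr [imm32]`, so those bytes are an absolute address that moves with the payload's load address, which is why memory-dump rules wildcard them. The Python below is an added example, not the text of the kevoreilly rule and not part of the report: it decodes the operand from both snippets, shows that the shift between them equals the shift between the two dump regions, and demonstrates that a YARA-style hex string with `??` wildcards matches both while the literal bytes from one dump do not match the other. The wildcarded pattern and the small hex-string-to-regex translator are this example's own.

```python
"""Added example: decode the rebased operand in the two $snippet2 hits from
the report and match them with a wildcarded YARA-style hex string.
The regex translator and the wildcarded pattern are this example's own."""
import re
import struct
from typing import List

# $snippet2 bytes as listed in the report's Memory Dumps table
SNIPPET2_DUMP1 = bytes.fromhex("6A 13 68 01 00 01 00 FF 15 58 17 29 02 85 C0")  # region 0x02281000
SNIPPET2_DUMP0 = bytes.fromhex("6A 13 68 01 00 01 00 FF 15 58 17 22 02 85 C0")  # region 0x02211000
DUMP1_BASE, DUMP0_BASE = 0x02281000, 0x02211000

# Literal string from dump 1, and the same string with the call operand wildcarded
LITERAL_DUMP1 = "6A 13 68 01 00 01 00 FF 15 58 17 29 02 85 C0"
WILDCARDED = "6A 13 68 01 00 01 00 FF 15 ?? ?? ?? ?? 85 C0"


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA-style hex string (byte tokens and '??') into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '.' also matches 0x0A


def find_pattern(pattern: str, blob: bytes) -> List[int]:
    """Offsets at which the hex pattern occurs in blob."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(blob)]


def indirect_call_target(snippet: bytes) -> int:
    """Operand of the first 'FF 15 imm32' (call dword ptr [imm32]): an absolute address."""
    i = snippet.find(b"\xff\x15")
    if i < 0 or i + 6 > len(snippet):
        raise ValueError("no FF 15 call in snippet")
    return struct.unpack_from("<I", snippet, i + 2)[0]


if __name__ == "__main__":
    t1, t0 = indirect_call_target(SNIPPET2_DUMP1), indirect_call_target(SNIPPET2_DUMP0)
    print(hex(t1), hex(t0), "operand shift", hex(t1 - t0),
          "region shift", hex(DUMP1_BASE - DUMP0_BASE))
    # constructed surrounding bytes so the match offset is visible
    blob = b"\x90" * 16 + SNIPPET2_DUMP0 + b"\xcc" * 8
    print("literal:", find_pattern(LITERAL_DUMP1, blob),
          "wildcarded:", find_pattern(WILDCARDED, blob))
```

The trade-off is the usual one: every wildcarded byte lowers specificity, so the rule keeps the fixed instruction bytes (`push 0x13`, `push 0x10001`, `test eax, eax`) around the hole to anchor the match.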

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: E08ar33wan.exe | Avira: detected
Found malware configuration
Source: tranbackup.exe.3052.3.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["216.98.148.181/chunk", "216.98.148.181:8080", "91.83.93.105:8080", "125.99.61.162:7080", "94.183.71.206/acquire", "94.183.71.206:7080"]}
Multi AV Scanner detection for submitted file
Source: E08ar33wan.exe | Virustotal: Detection: 80%
Source: E08ar33wan.exe | Metadefender: Detection: 35%
Source: E08ar33wan.exe | ReversingLabs: Detection: 84%
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.tranbackup.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 0.0.E08ar33wan.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 3.0.tranbackup.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 1.0.E08ar33wan.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj

Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281F11 CryptExportKey
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281F56 CryptGetHashParam
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext

Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00430BC9 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00430BC9 FindFirstFileA,FindClose

Source: global traffic | TCP traffic: 192.168.2.6:49938 -> 125.99.61.162:7080
Source: global traffic | TCP traffic: 192.168.2.6:49940 -> 94.183.71.206:7080
Source: global traffic | TCP traffic: 192.168.2.6:49948 -> 91.83.93.105:8080
Source: global traffic | TCP traffic: 192.168.2.6:49949 -> 216.98.148.181:8080
Source: Joe Sandbox View | IP Address: 125.99.61.162
Source: Joe Sandbox View | IP Address: 94.183.71.206
Source: Joe Sandbox View | IP Address: 91.83.93.105
Source: Joe Sandbox View | IP Address: 216.98.148.181
Source: Joe Sandbox View | ASN Name: unknown (reported for each of the four addresses)
Source: unknown | TCP traffic detected without corresponding DNS query: 125.99.61.162 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 94.183.71.206 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 91.83.93.105 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 216.98.148.181 (reported 3 times)
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp, tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp | String found in binary or memory: http://125.99.61.162:7080/enabled/usbccid/xian/merge/
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | String found in binary or memory: http://125.99.61.162:7080/enabled/usbccid/xian/merge/p
Source: tranbackup.exe, 00000003.00000002.1454257924.0000000000198000.00000004.00000001.sdmp, tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181/chunk/
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181/chunk/T
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181:8080/chunk/
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181:8080/chunk/32
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181:8080/chunk/jQf
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181:8080/chunk/l
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | String found in binary or memory: http://216.98.148.181:8080/chunk/~x
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | String found in binary or memory: http://91.83.93.105:8080/teapot/stubs/xian/merge/
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | String found in binary or memory: http://91.83.93.105:8080/teapot/stubs/xian/merge//
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp | String found in binary or memory: http://91.83.93.105:8080/teapot/stubs/xian/merge/QH
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp | String found in binary or memory: http://94.183.71.206/acquire/symbols/xian/
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp | String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp | String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/5
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp | String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/:
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp | String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/H

Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0044240B GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0044240B GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228D657
Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, author: kevoreilly
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228D823 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281D2B CreateProcessAsUserW,CreateProcessW
Source: C:\Windows\SysWOW64\tranbackup.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\E08ar33wan.exe | File deleted: C:\Windows\SysWOW64\tranbackup.exe:Zone.Identifier
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0042E1E8
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00424233
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00428300
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00408A42
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00423DA3
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022028C1
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022030E4
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022030E8
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022137A5
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022137A9
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02212F82
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0042E1E8
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00424233
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00428300
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00408A42
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00423DA3
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022728C1
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022730E4
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022730E8
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022837A9
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022837A5
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02282F82
Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F130E4
Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F130E8
Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F128C1
Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F237A5
Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F237A9
Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F22F82
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 0042C90B appears 40 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 00409020 appears 114 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 0042A9D7 appears 62 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 00409A16 appears 62 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 00427CB5 appears 78 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 00409DD1 appears 36 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 0042AB0C appears 56 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 00442ED6 appears 68 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 00405DA4 appears 932 times
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: String function: 004010B9 appears 70 times
Source: E08ar33wan.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (four such resources)
Source: E08ar33wan.exe, 00000000.00000000.1035646358.000000000046E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMFCBind.EXEH vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1079650740.0000000002960000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1079650740.0000000002960000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1077545021.000000000046E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMFCBind.EXEH vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1079581596.0000000002910000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs E08ar33wan.exe
Source: E08ar33wan.exe | Binary or memory string: OriginalFilenameMFCBind.EXEH vs E08ar33wan.exe
Source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@6/0@0/4
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00433326 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02211943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004345F5 DestroyMenu,DestroyMenu,FreeResource,DestroyMenu,FreeResource,DestroyMenu,FreeResource
Source: C:\Users\user\Desktop\E08ar33wan.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M4FE3305E
Source: C:\Users\user\Desktop\E08ar33wan.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I4FE3305E
Source: E08ar33wan.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\E08ar33wan.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\E08ar33wan.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\E08ar33wan.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\tranbackup.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown | Process created: C:\Users\user\Desktop\E08ar33wan.exe 'C:\Users\user\Desktop\E08ar33wan.exe'
Source: unknown | Process created: C:\Users\user\Desktop\E08ar33wan.exe --83438383
Source: unknown | Process created: C:\Windows\SysWOW64\tranbackup.exe C:\Windows\SysWOW64\tranbackup.exe
Source: unknown | Process created: C:\Windows\SysWOW64\tranbackup.exe --15064f5f
Source: C:\Users\user\Desktop\E08ar33wan.exe | Process created: C:\Users\user\Desktop\E08ar33wan.exe --83438383
Source: C:\Windows\SysWOW64\tranbackup.exe | Process created: C:\Windows\SysWOW64\tranbackup.exe --15064f5f
Source: C:\Users\user\Desktop\E08ar33wan.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: E08ar33wan.exe | Static PE information: resource types present: RT_CURSOR, RT_BITMAP, RT_ICON, RT_MENU, RT_DIALOG, RT_STRING, RT_ACCELERATOR, RT_GROUP_ICON (the report lists each of these as a "section name"; they are resource directory types, not PE section names)

Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress
Source: E08ar33wan.exe | Static PE information: real checksum: 0x8ec7c should be: 0x87d44
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040905B push ecx; ret 0_2_0040906B
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004058B0 push eax; ret 0_2_004058C4
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004058B0 push eax; ret 0_2_004058EC
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00405DA4 push eax; ret 0_2_00405DC2
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0040905B push ecx; ret 1_2_0040906B
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004058B0 push eax; ret 1_2_004058C4
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004058B0 push eax; ret 1_2_004058EC
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00405DA4 push eax; ret 1_2_00405DC2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\tranbackup.exe | Executable created and started: C:\Windows\SysWOW64\tranbackup.exe
Source: C:\Users\user\Desktop\E08ar33wan.exe | PE file moved: C:\Windows\SysWOW64\tranbackup.exe

Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\E08ar33wan.exe | File opened: C:\Windows\SysWOW64\tranbackup.exe:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00440CE7 IsWindowVisible,IsIconic
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004396C4 IsIconic,IsWindowVisible
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00433D1A GetParent,GetParent,IsIconic,GetParent
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00440CE7 IsWindowVisible,IsIconic
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004396C4 IsIconic,IsWindowVisible
Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00433D1A GetParent,GetParent,IsIconic,GetParent
Source: C:\Users\user\Desktop\E08ar33wan.exe | Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\SysWOW64\tranbackup.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

        Malware Analysis System Evasion:

        Found evasive API chain (may stop execution after checking mutex)
        Source: C:\Windows\SysWOW64\tranbackup.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0228D657 EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle
        Source: C:\Users\user\Desktop\E08ar33wan.exe | API coverage: 3.9 %
        Source: C:\Users\user\Desktop\E08ar33wan.exe | API coverage: 5.7 %
        Source: C:\Windows\SysWOW64\tranbackup.exe | API coverage: 9.9 %
        Source: C:\Users\user\Desktop\E08ar33wan.exe | File volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00430BC9 FindFirstFileA,FindClose
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00430BC9 FindFirstFileA,FindClose
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00409DD1 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
        Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\E08ar33wan.exe | API call chain: ExitProcess graph end node
        Source: C:\Windows\SysWOW64\tranbackup.exe | API call chain: ExitProcess graph end node
        Source: C:\Windows\SysWOW64\tranbackup.exe | Process information queried: ProcessInformation
        Note: API coverage (the share of statically identified API call sites that were actually executed during the run) stays below 10 % for all three processes, so the "Code function" entries in this report are largely static findings and do not by themselves show that the path was reached; the "Evasive API call chain" and "graph end node" entries are the ones derived from the executed call graph.
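        The entries in this report mix two kinds of location: functions at 0x0040xxxx sit inside the mapped executable, while functions at 0x022xxxxx (E08ar33wan.exe) and 0x00F1xxxx (tranbackup.exe) sit in memory the sample allocated at run time, which is where the unpacked code runs and where the Yara memory matches fall. The Python script below is an added triage example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses "Code function" lines of the shape used on this page (fused or "|"-separated), tags the API sequences that matter for evasion analysis, and splits them per process into image versus unpacked regions. The sample lines are constructed from entries on this page; the 0x00500000 image ceiling and the reading of the leading N in N_2_ as the analysis process index are assumptions.

```python
"""Triage helper for the 'Code function' lines of a sandbox report.

Groups each hit by analysis process, flags API sequences relevant to
sandbox/debugger evasion, and records whether the function lives inside
the mapped image or in a dynamically allocated region (unpacked code).
"""
import re
from collections import defaultdict

# Constructed sample lines, copied in shape from the report; both the fused
# form ("...exeCode function:") and the "|"-separated form are accepted.
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exe | Code function: 1_2_00440CE7 IsWindowVisible,IsIconic,1_2_00440CE7",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exeCode function: 1_2_004015A6 mov eax, dword ptr fs:[00000030h]1_2_004015A6",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exe | Code function: 1_2_02270467 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Windows\\SysWOW64\\tranbackup.exe | Code function: 2_2_00F10C0C mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exe | Code function: 0_2_0220D9B7 cpuid 0_2_0220D9B7",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exe | Code function: 0_2_022114F2 GetProcessHeap,RtlAllocateHeap,0_2_022114F2",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,1_2_0228D657",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,0_2_004309A9",
]

# The function identifier may lead the body, trail it, or both; the process
# path is taken as one non-blank token (paths with spaces would need quoting).
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>\S+?)\s*\|?\s*Code function:\s*"
    r"(?:(?P<lead>\d+_\d+_[0-9A-Fa-f]{8})\s+)?"
    r"(?P<body>.*?)"
    r"(?:,?\s*(?P<trail>\d+_\d+_[0-9A-Fa-f]{8}))?\s*$"
)

# Needle -> tag. Substring matching keeps instruction text such as
# "mov eax, dword ptr fs:[00000030h]" intact (splitting on commas would break it).
TAGS = (
    ("fs:[00000030h]", "PEB read (BeingDebugged check or manual API resolution)"),
    ("cpuid", "CPUID (CPU/hypervisor fingerprinting)"),
    ("IsIconic", "window-visibility check"),
    ("IsWindowVisible", "window-visibility check"),
    ("GetProcessHeap", "heap-flags debugger check"),
    ("GetTickCount", "timing source"),
    ("LoadLibraryA,GetProcAddress", "dynamic API resolution"),
    ("EnumServicesStatusExW", "service enumeration"),
)

# Assumption: functions at 0x0040xxxx belong to the mapped executable (image
# base 0x00400000 inferred from the report); anything at or above this ceiling
# is treated as dynamically allocated memory, i.e. unpacked or injected code.
IMAGE_CEILING = 0x00500000


def parse_line(line):
    """Return (process_index, address, body, tags), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ident = m.group("lead") or m.group("trail")
    if ident is None:
        return None
    proc_idx, _, addr_hex = ident.split("_")   # assumption: N_2_ADDR, N = process index
    body = m.group("body").strip().rstrip(",")
    tags = sorted({tag for needle, tag in TAGS if needle in body})
    return int(proc_idx), int(addr_hex, 16), body, tags


def region(addr):
    return "image" if addr < IMAGE_CEILING else "unpacked"


def summarize(lines):
    """Map (process index, region) -> sorted tags seen there; untagged hits are dropped."""
    out = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not parsed[3]:
            continue
        proc_idx, addr, _, tags = parsed
        out[(proc_idx, region(addr))].update(tags)
    return {key: sorted(tags) for key, tags in out.items()}


if __name__ == "__main__":
    for key, tags in sorted(summarize(REPORT_LINES).items()):
        print(key, tags)
```

        Run against the full list of entries, the split makes the point quickly: the visibility checks and the LoadLibrary/GetProcAddress pair belong to the image (the host application's own code), while every PEB read, the cpuid and the heap-flag check land in the unpacked regions, which is the code worth dumping and scanning.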

        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004015A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02200467 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02200C0C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02201743 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022112CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02211E04 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004015A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02270467 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02270C0C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02271743 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022812CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281E04 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F10467 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F10C0C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F11743 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F212CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F21E04 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022114F2 GetProcessHeap,RtlAllocateHeap
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00409B92 SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00409BA6 SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00409B92 SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00409BA6 SetUnhandledExceptionFilter
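        Each "mov eax, dword ptr fs:[00000030h]" listed above reads the PEB pointer out of the TEB; what the sample does next decides whether it is a debugger check (PEB.BeingDebugged at offset 2) or the start of a walk over PEB.Ldr (offset 0Ch) to resolve APIs by hand, which is why the "dynamically determine API calls" finding and these reads typically appear together in unpacked code. The scanner below is an added example, not code from the report or from the sample: it locates the two common encodings of that instruction in a raw 32-bit x86 code blob and classifies the instruction that follows. The byte string is constructed for the example, and the classification is a heuristic over three follow-up instruction shapes, not a disassembler.

```python
"""Scan raw 32-bit x86 code for reads of the PEB (and other TEB fields) via FS.

Finds 'mov r32, fs:[disp32]' in both its short (64 A1 disp32, eax only) and
ModRM (64 8B /r disp32) encodings, then guesses from the next instruction
whether a PEB read feeds a BeingDebugged check or a PEB.Ldr module walk.
"""
from dataclasses import dataclass

# FS-relative offsets worth reporting on 32-bit Windows.
FS_OFFSETS = {0x00: "SEH chain", 0x18: "TEB self pointer", 0x30: "PEB"}
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


@dataclass
class FsRead:
    offset: int     # position of the instruction in the blob
    reg: str        # destination register
    fs_offset: int  # displacement read from FS
    purpose: str    # heuristic for the instruction that follows a PEB read


def _classify_followup(code, pos, reg_idx):
    """Guess what the PEB pointer now held in register reg_idx is used for."""
    if pos >= len(code):
        return "unclassified"
    # movzx r32, byte ptr [reg+2]   -> PEB.BeingDebugged
    if code[pos:pos + 2] == b"\x0f\xb6" and pos + 3 < len(code):
        modrm = code[pos + 2]
        if modrm >> 6 == 1 and modrm & 7 == reg_idx and code[pos + 3] == 0x02:
            return "BeingDebugged check"
    # cmp byte ptr [reg+2], imm8    -> PEB.BeingDebugged (80 /7 ib)
    if code[pos] == 0x80 and pos + 3 < len(code):
        modrm = code[pos + 1]
        if (modrm >> 6 == 1 and (modrm >> 3) & 7 == 7
                and modrm & 7 == reg_idx and code[pos + 2] == 0x02):
            return "BeingDebugged check"
    # mov r32, [reg+0Ch]            -> PEB.Ldr, start of a loaded-module walk
    if code[pos] == 0x8b and pos + 2 < len(code):
        modrm = code[pos + 1]
        if modrm >> 6 == 1 and modrm & 7 == reg_idx and code[pos + 2] == 0x0c:
            return "PEB.Ldr walk (dynamic API resolution)"
    return "unclassified"


def find_fs_reads(code):
    """Return every 'mov r32, fs:[disp32]' whose displacement is in FS_OFFSETS."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:          # FS segment-override prefix
            i += 1
            continue
        reg_idx, disp, length = None, -1, 0
        if i + 6 <= n and code[i + 1] == 0xA1:
            # 64 A1 disp32: mov eax, fs:[disp32]
            reg_idx, length = 0, 6
            disp = int.from_bytes(code[i + 2:i + 6], "little")
        elif i + 7 <= n and code[i + 1] == 0x8B and code[i + 2] >> 6 == 0 and code[i + 2] & 7 == 5:
            # 64 8B /r disp32 with mod=00, rm=101: mov r32, fs:[disp32]
            reg_idx, length = (code[i + 2] >> 3) & 7, 7
            disp = int.from_bytes(code[i + 3:i + 7], "little")
        if reg_idx is None or disp not in FS_OFFSETS:
            i += 1
            continue
        purpose = _classify_followup(code, i + length, reg_idx) if disp == 0x30 else "n/a"
        hits.append(FsRead(i, REG32[reg_idx], disp, purpose))
        i += length
    return hits


# Constructed code blob for the example (not bytes from the sample).
SAMPLE = (
    b"\x55\x8b\xec"                     # push ebp; mov ebp, esp
    + b"\x64\xa1\x30\x00\x00\x00"       # mov eax, fs:[30h]            ; PEB
    + b"\x0f\xb6\x40\x02"               # movzx eax, byte ptr [eax+2]  ; BeingDebugged
    + b"\x85\xc0\x75\x10"               # test eax, eax; jnz +16
    + b"\xa1\x30\x00\x00\x00"           # mov eax, [30h] (no FS prefix: decoy, not flagged)
    + b"\x64\x8b\x0d\x30\x00\x00\x00"   # mov ecx, fs:[30h]            ; PEB
    + b"\x8b\x49\x0c"                   # mov ecx, [ecx+0Ch]           ; PEB.Ldr
    + b"\x64\x8b\x15\x18\x00\x00\x00"   # mov edx, fs:[18h]            ; TEB self pointer
    + b"\xc3"                           # ret
)

if __name__ == "__main__":
    for hit in find_fs_reads(SAMPLE):
        print(f"{hit.offset:#06x} {hit.reg} <- fs:[{hit.fs_offset:#x}] "
              f"({FS_OFFSETS[hit.fs_offset]}): {hit.purpose}")
```

        Point this at a memory dump of the 0x02200000 or 0x00F10000 regions rather than at the file on disk: the reads the report lists live at those run-time addresses, so the packed file will show few or none of them.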

        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0044448C lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00410B3F GetLocaleInfoA,_strncpy
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040F054 GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00411076 _strlen,EnumSystemLocalesA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00401000 GetThreadLocale,GetLocaleInfoA,GetACP
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004110AD _strlen,_strlen,EnumSystemLocalesA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00411133 _strlen,EnumSystemLocalesA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00411188 GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00427456 GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00413CAE GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00413D6A GetLocaleInfoA,MultiByteToWideChar
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00413DDE GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00413E91 GetLocaleInfoW,WideCharToMultiByte
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0044448C lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00410B3F GetLocaleInfoA,_strncpy
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0040F054 GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00411076 _strlen,EnumSystemLocalesA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00401000 GetThreadLocale,GetLocaleInfoA,GetACP
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004110AD _strlen,_strlen,EnumSystemLocalesA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00411133 _strlen,EnumSystemLocalesA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00411188 GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00427456 GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00413CAE GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00413D6A GetLocaleInfoA,MultiByteToWideChar
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00413DDE GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00413E91 GetLocaleInfoW,WideCharToMultiByte
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0220D9B7 cpuid
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\tranbackup.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040BE8A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040DE3E __lock,_strlen,_strcat,_strncpy,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040436B GetVersionExA
        Source: C:\Windows\SysWOW64\tranbackup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Note: most of the entries in this block are compiler runtime code rather than sample-specific fingerprinting. The GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter sequence at 0_2_0040BE8A is the MSVC CRT stack-cookie initialiser (__security_init_cookie), and the GetLocaleInfo/EnumSystemLocales/IsValidCodePage/IsValidLocale chains in the 0x0040F000-0x00414000 range, with the _lock/GetTimeZoneInformation entry at 0_2_0040DE3E, are CRT locale and time-zone initialisation. The findings that actually characterise the sample are the cpuid at 0_2_0220D9B7 (in the dynamically allocated region, not the image) and the MachineGuid query by the dropped tranbackup.exe.

        Stealing of Sensitive Information:

        Yara detected Emotet
        Source: Yara match | File source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY

        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree

        Mitre Att&ck Matrix

        Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Techniques followed by a number in parentheses are those matched by this sample's signatures; the digits are the report's badge values, reproduced as extracted. A "-" marks a column with no entry in that row.

        Valid Accounts (1) | Execution through API (111) | Hidden Files and Directories (1) | Valid Accounts (1) | Software Packing (1) | Input Capture (1) | System Time Discovery (2) | Application Deployment Software | Input Capture (1) | Data Encrypted (11) | Uncommonly Used Port (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
        Replication Through Removable Media | Command-Line Interface (2) | Valid Accounts (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | Network Sniffing | Security Software Discovery (11) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        External Remote Services | Service Execution (12) | Modify Existing Service (11) | Process Injection (1) | File Deletion (1) | Input Capture | System Service Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Drive-by Compromise | Scheduled Task | New Service (2) | New Service (2) | Obfuscated Files or Information (2) | Credentials in Files | File and Directory Discovery (2) | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | - | Premium SMS Toll Fraud
        Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading (12) | Account Manipulation | System Information Discovery (37) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
        Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories (1) | Brute Force | Process Discovery (2) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | - | Abuse Accessibility Features
        Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Valid Accounts (1) | Two-Factor Authentication Interception | Application Window Discovery (1) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
        Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation (1) | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
        Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection (1) | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | - | Data Destruction

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET