Analysis Report SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111
Overview
General Information
Sample Name: | SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111 (renamed file extension from 9111 to doc) |
Analysis ID: | 255713 |
MD5: | 84b4a3bdfd680dc3fde940f31a74dc97 |
SHA1: | e0ca5c78044b5feee5e67dc4e74a7420d5705f05 |
SHA256: | 501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f |
Most interesting Screenshot: |
Detection
Emotet MailPassView
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Yara detected MailPassView
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
PowerShell case anomaly found
Powershell drops PE file
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
| |
JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | ||
JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 20 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth |
| |
Click to see the 18 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious Process Creation | Show sources |
Source: | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update): |
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
Source: | Code function: | 6_2_00444717 | |
Source: | Code function: | 6_2_004390BA | |
Source: | Code function: | 7_2_00444717 | |
Source: | Code function: | 7_2_004390BA | |
Source: | Code function: | 18_2_0040A1A7 | |
Source: | Code function: | 18_1_0040A1A7 |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | Memory has grown: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found |