Play interactive tour
Edit tourAnalysis Report zGeK5so94c
Overview
General Information
| Sample Name: | zGeK5so94c (renamed file extension from none to dll) |
| Analysis ID: | 344305 |
| MD5: | 49fbffd7602b52f05848a6016d42ec89 |
| SHA1: | b57bb387a15b3c0e10a236f3861420a9dac980cb |
| SHA256: | 1859099c09c69aa811c525e9e70787c49048e3c24814d31ea2a17905cfad9d18 |
Most interesting Screenshot:  | |
Detection
Emotet
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
Uses known network protocols on non-standard ports
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Emotet |
|---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKmd+Pam+7HWeoRnZCmLHfQX3/RRijh6\nbPqYGHGBBGcEQb+EOfmkdG0BnTZfvg2iXKB8yhPQsHPR9nZoyMt7OWPYA080O3zM\nzB7+nWmsc0YPpSte4JR7YPZYIpxXZs7fFwIDAQAB"}Yara Overview |
|---|
Initial Sample |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Suspicious Call by Ordinal | Show sources | ||
| Source: | Author: Florian Roth: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Show sources | ||
| Source: | Static PE information: | ||
| Binary contains paths to debug symbols | Show sources | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Uses known network protocols on non-standard ports | Show sources | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||