Analysis Report aEdlObiYav

Overview

General Information

Sample Name: aEdlObiYav (renamed file extension from none to exe)
Analysis ID: 376365
MD5: ae03a6f8fb74d401b403647d28e21574
SHA1: 6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256: 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: aEdlObiYav.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: aEdlObiYav.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: aEdlObiYav.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.picturerus.exe.e1053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.picturerus.exe.60053f.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0219207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 1_2_0219207B
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0219215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 1_2_0219215A
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191F11 CryptExportKey, 1_2_02191F11
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191F56 CryptGetHashParam, 1_2_02191F56
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_02191F75
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 1_2_02191FFC
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 4_2_00ED207B
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 4_2_00ED1FFC
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 4_2_00ED1F75
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1F11 CryptExportKey, 4_2_00ED1F11
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 4_2_00ED215A
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1F56 CryptGetHashParam, 4_2_00ED1F56

Compliance:

Uses 32bit PE files
Source: aEdlObiYav.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: aEdlObiYav.exe
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 0_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 1_2_0043AE3F

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49717 -> 209.141.41.136:8080
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 104.236.246.93:8080
Source: global traffic TCP traffic: 192.168.2.5:49727 -> 198.199.114.69:8080
Source: global traffic TCP traffic: 192.168.2.5:49730 -> 152.89.236.214:8080
Source: global traffic TCP traffic: 192.168.2.5:49731 -> 87.106.136.232:8080
Source: global traffic TCP traffic: 192.168.2.5:49732 -> 178.210.51.222:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.236.246.93 104.236.246.93
Source: Joe Sandbox View IP Address: 87.106.136.232 87.106.136.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1383 InternetReadFile, 4_2_00ED1383
Source: picturerus.exe, 00000004.00000002.487408684.0000000000199000.00000004.00000001.sdmp String found in binary or memory: http://178.210.51.222/attrib/glitch/add/merge/
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000005.00000002.487921047.000001F62F2A0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000005.00000002.491346023.000001F634C00000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.305368398.0000023F57C64000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.305042012.0000023F57C3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0043814C
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState, 0_2_0044C334
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 0_2_004450BA
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 0_2_0042F3FF
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 0_2_00449796
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00433B4D
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0043814C
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState, 1_2_0044C334
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 1_2_004450BA
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 1_2_0042F3FF
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 1_2_00449796
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_00433B4D

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0219C11B 1_2_0219C11B
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00EDC11B 4_2_00EDC11B
Yara detected Emotet
Source: Yara match File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_02191F75
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 4_2_00ED1F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Contains functionality to delete services
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0219C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle, 1_2_0219C2E7
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191D2B CreateProcessAsUserW,CreateProcessW, 1_2_02191D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\picturerus.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\aEdlObiYav.exe File deleted: C:\Windows\SysWOW64\picturerus.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0041CB04 0_2_0041CB04
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004351C1 0_2_004351C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00419288 0_2_00419288
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0041CB04 1_2_0041CB04
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004351C1 1_2_004351C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00419288 1_2_00419288
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021828C1 1_2_021828C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021830E8 1_2_021830E8
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021830E4 1_2_021830E4
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021937A9 1_2_021937A9
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021937A5 1_2_021937A5
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02192F82 1_2_02192F82
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E130E4 3_2_00E130E4
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E130E8 3_2_00E130E8
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E128C1 3_2_00E128C1
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E237A5 3_2_00E237A5
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E237A9 3_2_00E237A9
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E22F82 3_2_00E22F82
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_006030E4 4_2_006030E4
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_006030E8 4_2_006030E8
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_006028C1 4_2_006028C1
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED37A9 4_2_00ED37A9
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED37A5 4_2_00ED37A5
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED2F82 4_2_00ED2F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 00401AB4 appears 46 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 004373E9 appears 31 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 0041C3B9 appears 57 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 004334D7 appears 64 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 0044D589 appears 86 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 00419937 appears 8618 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 0044FB2C appears 32 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 00419918 appears 483 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 0041923C appears 130 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 0041E3BF appears 79 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: String function: 0044D5AF appears 37 times
Sample file is different than original file name gathered from version info
Source: aEdlObiYav.exe, 00000000.00000002.221382669.0000000002280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.241858641.0000000002900000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs aEdlObiYav.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: aEdlObiYav.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@15/5@0/8
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 0_2_0043F939
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_0219C3B7
Source: C:\Windows\SysWOW64\picturerus.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 4_2_00EDC3B7
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_02191943
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 0_2_00416DE7
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_004315F6
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0219C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_0219C3B7
Source: C:\Users\user\Desktop\aEdlObiYav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\aEdlObiYav.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M765E845E
Source: C:\Users\user\Desktop\aEdlObiYav.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I765E845E
Source: C:\Windows\SysWOW64\picturerus.exe Mutant created: \BaseNamedObjects\Global\I765E845E
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3896:120:WilError_01
Source: aEdlObiYav.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aEdlObiYav.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\aEdlObiYav.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: aEdlObiYav.exe ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\picturerus.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\aEdlObiYav.exe 'C:\Users\user\Desktop\aEdlObiYav.exe'
Source: C:\Users\user\Desktop\aEdlObiYav.exe Process created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32
Source: unknown Process created: C:\Windows\SysWOW64\picturerus.exe C:\Windows\SysWOW64\picturerus.exe
Source: C:\Windows\SysWOW64\picturerus.exe Process created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aEdlObiYav.exe Process created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32
Source: C:\Windows\SysWOW64\picturerus.exe Process created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\aEdlObiYav.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: aEdlObiYav.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: aEdlObiYav.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_00432655
PE file contains an invalid checksum
Source: aEdlObiYav.exe Static PE information: real checksum: 0x7ffed should be: 0x800e5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00419277 push ecx; ret 0_2_00419287
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004193A0 push eax; ret 0_2_004193B4
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004193A0 push eax; ret 0_2_004193DC
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00419918 push eax; ret 0_2_00419936
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00419277 push ecx; ret 1_2_00419287
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004193A0 push eax; ret 1_2_004193B4
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004193A0 push eax; ret 1_2_004193DC
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00419918 push eax; ret 1_2_00419936
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0218E190 push BB276B01h; ret 1_2_0218E1C2
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E1E190 push BB276B01h; ret 3_2_00E1E1C2
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_0060E190 push BB276B01h; ret 4_2_0060E1C2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\picturerus.exe Executable created and started: C:\Windows\SysWOW64\picturerus.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\aEdlObiYav.exe PE file moved: C:\Windows\SysWOW64\picturerus.exe
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0219C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_0219C3B7

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\aEdlObiYav.exe File opened: C:\Windows\SysWOW64\picturerus.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_004121E0
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, 0_2_0043ED39
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00412F6C
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 0_2_004415C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00449839 IsWindowVisible,IsIconic, 0_2_00449839
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_004121E0
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, 1_2_0043ED39
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00412F6C
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 1_2_004415C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00449839 IsWindowVisible,IsIconic, 1_2_00449839
Source: C:\Users\user\Desktop\aEdlObiYav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\aEdlObiYav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\aEdlObiYav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\aEdlObiYav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\picturerus.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\aEdlObiYav.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 1_2_0219C11B
Source: C:\Windows\SysWOW64\picturerus.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 4_2_00EDC11B
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\picturerus.exe API coverage: 9.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6064 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\aEdlObiYav.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 0_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 1_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00419156 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_00419156
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000005.00000002.490947713.000001F634A62000.00000004.00000001.sdmp Binary or memory string: (@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.490862849.000001F634A4C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000005.00000002.487748266.000001F62F229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`C
Source: svchost.exe, 00000007.00000002.488350000.000001D9ACE64000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.487724636.00000157C782A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\picturerus.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\picturerus.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\picturerus.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\picturerus.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_00432655
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00401B93 mov eax, dword ptr fs:[00000030h] 0_2_00401B93
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00401BA2 mov eax, dword ptr fs:[00000030h] 0_2_00401BA2
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h] 1_2_00401B93
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h] 1_2_00401BA2
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02180467 mov eax, dword ptr fs:[00000030h] 1_2_02180467
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02180C0C mov eax, dword ptr fs:[00000030h] 1_2_02180C0C
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02181743 mov eax, dword ptr fs:[00000030h] 1_2_02181743
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021912CD mov eax, dword ptr fs:[00000030h] 1_2_021912CD
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_02191E04 mov eax, dword ptr fs:[00000030h] 1_2_02191E04
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E10467 mov eax, dword ptr fs:[00000030h] 3_2_00E10467
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E10C0C mov eax, dword ptr fs:[00000030h] 3_2_00E10C0C
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E11743 mov eax, dword ptr fs:[00000030h] 3_2_00E11743
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E212CD mov eax, dword ptr fs:[00000030h] 3_2_00E212CD
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 3_2_00E21E04 mov eax, dword ptr fs:[00000030h] 3_2_00E21E04
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00600467 mov eax, dword ptr fs:[00000030h] 4_2_00600467
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00600C0C mov eax, dword ptr fs:[00000030h] 4_2_00600C0C
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00601743 mov eax, dword ptr fs:[00000030h] 4_2_00601743
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED12CD mov eax, dword ptr fs:[00000030h] 4_2_00ED12CD
Source: C:\Windows\SysWOW64\picturerus.exe Code function: 4_2_00ED1E04 mov eax, dword ptr fs:[00000030h] 4_2_00ED1E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_021914F2 GetProcessHeap,RtlAllocateHeap, 1_2_021914F2
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00420406 SetUnhandledExceptionFilter, 0_2_00420406
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0042041A SetUnhandledExceptionFilter, 0_2_0042041A
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00420406 SetUnhandledExceptionFilter, 1_2_00420406
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0042041A SetUnhandledExceptionFilter, 1_2_0042041A

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_0218C477 cpuid 1_2_0218C477
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA,_strncpy, 0_2_00426F2A
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00401069
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00427449
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_00427480
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 0_2_0042755B
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00427506
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA, 0_2_00427749
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 0_2_0044D759
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 0_2_004299EE
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 0_2_00429AAA
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_00429B1E
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 0_2_00429BD1
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA,_strncpy, 1_2_00426F2A
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_00401069
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: _strlen,EnumSystemLocalesA, 1_2_00427449
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 1_2_00427480
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 1_2_0042755B
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: _strlen,EnumSystemLocalesA, 1_2_00427506
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA, 1_2_00427749
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 1_2_0044D759
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 1_2_004299EE
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 1_2_00429AAA
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_00429B1E
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 1_2_00429BD1
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\aEdlObiYav.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\picturerus.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00420151 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00420151
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004231DB __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 0_2_004231DB
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_0044A5CB GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA, 0_2_0044A5CB
Source: C:\Users\user\Desktop\aEdlObiYav.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: aEdlObiYav.exe, 00000000.00000002.221218933.00000000004B0000.00000004.00000020.sdmp Binary or memory string: Kav.exe
Source: svchost.exe, 0000000B.00000002.487696660.0000020979C3D000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.487727705.0000020979D02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, 0_2_004514EB
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 0_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 0_2_00451B05
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, 1_2_004514EB
Source: C:\Users\user\Desktop\aEdlObiYav.exe Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 1_2_00451B05
Behavior Graph:

Behavior Graph ID: 376365 Sample: aEdlObiYav Startdate: 26/03/2021 Architecture: WINDOWS Score: 100

Sample start (node 2)
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
  Started: picturerus.exe (node 7); aEdlObiYav.exe (node 10); svchost.exe (node 12); 5 other processes (node 14)
picturerus.exe (node 7)
  Signatures: Detected Emotet e-Banking trojan; Found evasive API chain (may stop execution after checking mutex); Drops executables to the windows directory (C:\Windows) and starts them
  Started: picturerus.exe (node 17)
aEdlObiYav.exe (node 10)
  Started: aEdlObiYav.exe (node 20)
svchost.exe (node 12)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Started: MpCmdRun.exe (node 23)
5 other processes (node 14)
  DNS/IP: 127.0.0.1 unknown unknown
picturerus.exe (node 17)
  DNS/IP: 209.141.41.136, 8080 PONYNETUS United States; 87.106.136.232, 49731, 8080 ONEANDONE-ASBrauerstrasse48DE Germany; 5 other IPs or domains
aEdlObiYav.exe (node 20)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
MpCmdRun.exe (node 23)
  Started: conhost.exe (node 25)

Contacted Public IPs

IP               Domain   Country             ASN    ASN Name                       Malicious
152.89.236.214   unknown  Germany             31400  ACCELERATED-ITDE               false
198.199.114.69   unknown  United States       14061  DIGITALOCEAN-ASNUS             false
104.236.246.93   unknown  United States       14061  DIGITALOCEAN-ASNUS             false
178.210.51.222   unknown  Russian Federation  43727  KVANT-TELECOMRU                false
45.33.54.74      unknown  United States       63949  LINODE-APLinodeLLCUS           false
209.141.41.136   unknown  United States       53667  PONYNETUS                      false
87.106.136.232   unknown  Germany             8560   ONEANDONE-ASBrauerstrasse48DE  false

Private

IP
127.0.0.1