Play interactive tourEdit tour
Analysis Report BnJvVt951o.exe
Overview
General Information
Detection
Emotet
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Emotet | Emotet Payload | kevoreilly |
| |
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Emotet | Emotet Payload | kevoreilly |
| |
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 11 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
| |
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Emotet | Emotet Payload | kevoreilly |
| |
MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
| |
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 23 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |