31.0.0 Emerald
IR
383022
CloudBasic
06:49:03
07/04/2021
lK8vF3n2e7.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
d7cd602eb9e9ad8272d4ad0910815835
cefae0fd990a5491e893796ab8ab56fc9edc015b
bca575b21c8b02010cde26b2bd7b2e8cdc313f135f97363b34f8bf0f389a990b
Win32 Executable (generic) a (10002005/4) 99.96%
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet