Play interactive tourEdit tour
Windows Analysis Report boI88C399w.exe
Overview
General Information
Detection
Emotet
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "202.141.243.254:443", "75.143.247.51:80", "85.105.111.166:80", "216.139.123.119:80", "113.61.66.94:80", "162.241.140.129:8080", "190.12.119.180:443", "2.58.16.89:8080", "91.211.88.52:7080", "93.147.212.206:80", "71.15.245.148:8080", "157.245.99.39:8080", "27.114.9.93:80", "50.91.114.38:80", "174.106.122.139:80", "47.36.140.164:80", "139.162.60.124:8080", "209.54.13.14:80", "217.20.166.178:7080", "185.94.252.104:443", "72.186.136.247:443", "172.86.188.251:8080", "41.185.28.84:8080", "87.106.139.101:8080", "89.216.122.92:80", "108.46.29.236:80", "184.180.181.202:80", "173.63.222.65:80", "120.150.60.189:80", "62.30.7.67:443", "139.99.158.11:443", "220.245.198.194:80", "138.68.87.218:443", "201.241.127.190:80", "186.74.215.34:80", "190.162.215.233:80", "24.178.90.49:80", "89.121.205.18:80", "5.39.91.110:7080", "59.125.219.109:443", "182.208.30.18:443", "123.176.25.234:80", "24.137.76.62:80", "74.208.45.104:8080", "194.187.133.160:443", "37.179.204.33:80", "194.4.58.192:7080", "95.9.5.93:80", "67.170.250.203:443", "61.33.119.226:443", "96.245.227.43:80", "68.115.186.26:80", "190.108.228.27:443", "112.185.64.233:80", "176.111.60.55:8080", "91.146.156.228:80", "190.240.194.77:443", "115.94.207.99:443", "62.171.142.179:8080", "134.209.144.106:443", "168.235.67.138:7080", "124.41.215.226:80", "172.104.97.173:8080", "202.134.4.216:8080", "94.200.114.161:80", "67.163.161.107:80", "61.76.222.210:80", "97.82.79.83:80", "74.214.230.200:80", "46.105.131.79:8080", "78.188.106.53:443", "186.70.56.94:443", "120.150.218.241:443", "50.245.107.73:443", "123.142.37.166:80", "110.145.77.103:80", "61.19.246.238:443", "218.147.193.146:80", "94.230.70.6:80", "154.91.33.137:443", "104.131.11.150:443", "95.213.236.64:8080", "49.50.209.131:80", "187.161.206.24:80", "37.139.21.175:8080", "121.124.124.40:7080", "200.116.145.225:443", "24.230.141.169:80", "194.190.67.75:80", "209.141.54.221:7080", "137.59.187.107:8080", "217.123.207.149:80", "24.133.106.23:80", "79.137.83.50:443", "24.179.13.119:80", "202.134.4.211:8080", "78.24.219.147:8080", "76.175.162.101:80", "121.7.31.214:80", "62.75.141.82:80", "109.74.5.95:8080", "75.188.96.231:80", "176.113.52.6:443", "50.35.17.13:80", "118.83.154.64:443", "110.142.236.207:80", "188.219.31.12:80", "72.143.73.234:443", "102.182.93.220:80", "66.76.12.94:8080", "103.86.49.11:8080", "190.164.104.62:80", "203.153.216.189:7080", "119.59.116.21:8080", "172.105.13.66:443", "94.23.237.171:443", "49.3.224.99:8080", "139.59.60.244:8080", "172.91.208.86:80"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 1 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 5 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |