Play interactive tour
Edit tourWindows Analysis Report methodsnetsh.exe
Overview
General Information
| Sample Name: | methodsnetsh.exe |
| Analysis ID: | 450352 |
| MD5: | 8e22080fe62e462723d231fe5c8ba98a |
| SHA1: | 8b58fd7bcd7083e5a326e7a04e10c0e0626ac4ca |
| SHA256: | d082395ca1ce0c118edbff1e5bf1b1d4ad2db5aefa5691cc4c15bd94208a3cc0 |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Emotet
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Emotet | Emotet Payload | kevoreilly |
| |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Emotet | Emotet Payload | kevoreilly |
| |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Click to see the 11 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
| |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Emotet | Emotet Payload | kevoreilly |
| |
| Win32_Trojan_Emotet | unknown | ReversingLabs |
| |
| MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
| |
| Click to see the 23 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Code function: | 1_2_009D207B | |
| Source: | Code function: | 1_2_009D1FFC | |
| Source: | Code function: | 1_2_009D1F11 | |
| Source: | Code function: | 1_2_009D215A | |
| Source: | Code function: | 1_2_009D1F56 | |
| Source: | Code function: | 1_2_009D1F75 | |
| Source: | Code function: | 7_2_00EC207B | |
| Source: | Code function: | 7_2_00EC1FFC | |
| Source: | Code function: | 7_2_00EC1F75 | |
| Source: | Code function: | 7_2_00EC1F11 | |
| Source: | Code function: | 7_2_00EC215A | |
| Source: | Code function: | 7_2_00EC1F56 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0042A049 | |
| Source: | Code function: | 0_2_0042A18A | |
| Source: | Code function: | 1_2_0042A049 | |
| Source: | Code function: | 1_2_0042A18A | |
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 7_2_00EC1383 | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0042CB9E | |
| Source: | Code function: | 1_2_0042CB9E | |
E-Banking Fraud: | |
|---|
| Detected Emotet e-Banking trojan | Show sources | ||
| Source: | Code function: | 1_2_009DDE9C | |
| Source: | Code function: | 7_2_00ECDE9C | |
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 1_2_009D1F75 | |
| Source: | Code function: | 7_2_00EC1F75 | |
System Summary: | |
|---|
| Malicious sample detected (through community Yara rule) | Show sources | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 1_2_009DE068 | |
| Source: | Code function: | 1_2_009D1D2B | |
| Source: | File created: | Jump to behavior | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | Code function: | 0_2_0041D2A4 | |
| Source: | Code function: | 0_2_0042DBF6 | |
| Source: | Code function: | 0_2_00420CE2 | |
| Source: | Code function: | 1_2_0041D2A4 | |
| Source: | Code function: | 1_2_0042DBF6 | |
| Source: | Code function: | 1_2_00420CE2 | |
| Source: | Code function: | 1_2_006F30E8 | |
| Source: | Code function: | 1_2_006F30E4 | |
| Source: | Code function: | 1_2_006F28C1 | |
| Source: | Code function: | 1_2_009D2F82 | |
| Source: | Code function: | 1_2_009D37A9 | |
| Source: | Code function: | 1_2_009D37A5 | |
| Source: | Code function: | 6_2_00AB30E8 | |
| Source: | Code function: | 6_2_00AB30E4 | |
| Source: | Code function: | 6_2_00AB28C1 | |
| Source: | Code function: | 6_2_00F637A5 | |
| Source: | Code function: | 6_2_00F637A9 | |
| Source: | Code function: | 6_2_00F62F82 | |
| Source: | Code function: | 7_2_00EA30E8 | |
| Source: | Code function: | 7_2_00EA30E4 | |
| Source: | Code function: | 7_2_00EA28C1 | |
| Source: | Code function: | 7_2_00EC37A9 | |
| Source: | Code function: | 7_2_00EC37A5 | |
| Source: | Code function: | 7_2_00EC2F82 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_009DE138 | |
| Source: | Code function: | 7_2_00ECE138 | |
| Source: | Code function: | 1_2_009D1943 | |
| Source: | Code function: | 0_2_00402170 | |
| Source: | Code function: | |