Play interactive tourEdit tour
Windows Analysis Report 0TOEtGJHN8.exe
Overview
General Information
Detection
Emotet
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 1 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Click to see the 5 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |