Windows Analysis Report 8U5snojV8p

Overview

General Information

Sample Name: 8U5snojV8p (renamed file extension from none to exe)
Analysis ID: 481919
MD5: 0df4aaffd21acf21ff44429ca485fab8
SHA1: 6915e92d42c5588b8fb254b6e7f69fcefc8d5c82
SHA256: 3147bee916b63c96acc5fb06cac93846d13bb44804931f390f66348abf603941
Tags: exe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection:

Found malware configuration
Source: 0.2.8U5snojV8p.exe.67053f.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["94.49.254.194:80", "212.51.142.238:8080", "91.231.166.124:8080", "162.241.92.219:8080", "79.98.24.39:8080", "109.117.53.230:443", "121.124.124.40:7080", "101.187.97.173:80", "168.235.67.138:7080", "104.131.44.150:8080", "5.39.91.110:7080", "139.59.60.244:8080", "81.2.235.111:8080", "116.203.32.252:8080", "61.19.246.238:443", "176.111.60.55:8080", "190.55.181.54:443", "108.48.41.69:80", "203.153.216.189:7080", "103.86.49.11:8080", "104.236.246.93:8080", "75.139.38.211:80", "169.239.182.217:8080", "62.75.141.82:80", "93.156.165.186:80", "73.11.153.178:8080", "157.245.99.39:8080", "41.60.200.34:80", "50.116.86.205:8080", "31.31.77.83:443", "209.182.216.177:443", "62.138.26.28:8080", "95.213.236.64:8080", "95.179.229.244:8080", "209.141.54.221:8080", "91.211.88.52:7080", "37.187.72.193:8080", "137.59.187.107:8080", "139.130.242.43:80", "46.105.131.87:80", "87.106.139.101:8080", "200.55.243.138:8080", "5.196.74.210:8080", "79.7.158.208:80", "185.94.252.104:443", "104.131.11.150:443", "37.139.21.175:8080", "190.108.228.62:443", "24.1.189.87:8080", "91.205.215.66:443", "186.208.123.210:443", "108.26.231.214:80", "201.173.217.124:443", "110.145.77.103:80", "190.160.53.126:80", "162.154.38.103:80", "78.24.219.147:8080", "210.165.156.91:80", "109.74.5.95:8080", "95.9.185.228:443", "93.51.50.171:8080", "200.41.121.90:80", "46.105.131.79:8080", "124.45.106.173:443", "74.208.45.104:8080", "153.126.210.205:7080", "87.106.136.232:8080"]}
Multi AV Scanner detection for submitted file
Source: 8U5snojV8p.exe Metadefender: Detection: 60%
Source: 8U5snojV8p.exe ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: 8U5snojV8p.exe Avira: detected
Antivirus detection for URL or domain
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R Avira URL Cloud: Label: malware
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/ Avira URL Cloud: Label: malware
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0 Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.8U5snojV8p.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 0.2.8U5snojV8p.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 10.2.Windows.System.Profile.RetailInfo.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 10.0.Windows.System.Profile.RetailInfo.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00781D73 CryptDecodeObjectEx, 10_2_00781D73

Compliance:

Uses 32bit PE files
Source: 8U5snojV8p.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Binary string: C:\Users\User\Desktop\VC 6.0\21.7.20\chatwithusdi_src\Chat Client\Release\Chat Client.pdb source: 8U5snojV8p.exe
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_007828A3 FindFirstFileW,FindNextFileW,FindClose, 10_2_007828A3

Networking:

C2 URLs / IPs found in malware configuration
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.5:49748 -> 94.49.254.194:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LIQUID-ASGB LIQUID-ASGB
Source: Joe Sandbox View ASN Name: ASN-IBSNAZIT ASN-IBSNAZIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 109.117.53.230 109.117.53.230
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/ HTTP/1.1Referer: http://162.241.92.219/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/Content-Type: multipart/form-data; boundary=---------------------------978213554566447User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 162.241.92.219:8080Content-Length: 4548Connection: Keep-AliveCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49760 -> 212.51.142.238:8080
Source: global traffic TCP traffic: 192.168.2.5:49793 -> 91.231.166.124:8080
Source: global traffic TCP traffic: 192.168.2.5:49794 -> 162.241.92.219:8080
Source: global traffic TCP traffic: 192.168.2.5:49795 -> 79.98.24.39:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 28
Source: unknown TCP traffic detected without corresponding DNS query: 94.49.254.194
Source: unknown TCP traffic detected without corresponding DNS query: 212.51.142.238
Source: unknown TCP traffic detected without corresponding DNS query: 91.231.166.124
Source: unknown TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown TCP traffic detected without corresponding DNS query: 79.98.24.39
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp String found in binary or memory: http://162.241.92.219:080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp String found in binary or memory: http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp String found in binary or memory: http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/J=c
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.483856235.0000000002692000.00000004.00000001.sdmp String found in binary or memory: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.511264828.000000000018D000.00000004.00000001.sdmp String found in binary or memory: http://79.98.24.39/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/#
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/0
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/04u%04u%04u%03u
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/E
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513847532.00000000025F4000.00000004.00000001.sdmp String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/x
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp String found in binary or memory: http://91.231.166.124/pvpiKpofI5CEEveCsq/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.483856235.0000000002692000.00000004.00000001.sdmp String found in binary or memory: http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp String found in binary or memory: http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/G
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp String found in binary or memory: http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/H
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://94.49.254.194
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.421590586.0000000002690000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp String found in binary or memory: http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/n
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.421622177.0000000002692000.00000004.00000001.sdmp String found in binary or memory: http://94.49.254.194/vHzRXBVyW/bm
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp String found in binary or memory: http://94.49.254.194d
Source: svchost.exe, 00000004.00000002.513741731.00000196D6C99000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000004.00000002.513741731.00000196D6C99000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp String found in binary or memory: http://schemas.m
Source: svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.
Source: svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/E
Source: svchost.exe, 00000008.00000002.321969283.0000018424813000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comds
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.313490070.0000018424848000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.313596408.0000018424841000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.313596408.0000018424841000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.313210088.0000018424863000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.291200341.0000018424832000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.321969283.0000018424813000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.313565303.0000018424840000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.313565303.0000018424840000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.291200341.0000018424832000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000002.322075880.000001842483B000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000003.313490070.0000018424848000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown HTTP traffic detected: POST /YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/ HTTP/1.1Referer: http://162.241.92.219/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/Content-Type: multipart/form-data; boundary=---------------------------978213554566447User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 162.241.92.219:8080Content-Length: 4548Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 8U5snojV8p.exe, 00000000.00000002.296595279.000000000079A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_004240C6 GetAsyncKeyState,GetAsyncKeyState,#2864,#4083,#4083,GetParent,#2864,#4083,GetAsyncKeyState, 0_2_004240C6

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0.2.8U5snojV8p.exe.67053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8U5snojV8p.exe.67053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 8U5snojV8p.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\8U5snojV8p.exe File deleted: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe:Zone.Identifier
Creates files inside the system directory
Source: C:\Users\user\Desktop\8U5snojV8p.exe File created: C:\Windows\SysWOW64\dbgeng\
Detected potential crypto function
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_00401370 0_2_00401370
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00401370 10_2_00401370
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: String function: 004269E6 appears 230 times
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: String function: 004269E6 appears 230 times
Sample file is different than original file name gathered from version info
Source: 8U5snojV8p.exe, 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameChat Client.EXE vs 8U5snojV8p.exe
Source: 8U5snojV8p.exe Binary or memory string: OriginalFilenameChat Client.EXE vs 8U5snojV8p.exe
PE file contains strange resources
Source: 8U5snojV8p.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: 8U5snojV8p.exe Metadefender: Detection: 60%
Source: 8U5snojV8p.exe ReversingLabs: Detection: 77%
Source: 8U5snojV8p.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8U5snojV8p.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\8U5snojV8p.exe 'C:\Users\user\Desktop\8U5snojV8p.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process created: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process created: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\8U5snojV8p.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: classification engine Classification label: mal96.troj.evad.winEXE@16/5@0/69
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_0041F987 CoCreateInstance, 0_2_0041F987
Source: C:\Users\user\Desktop\8U5snojV8p.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00783501 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification, 10_2_00783501
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2076:120:WilError_01
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_00420930 _EH_prolog,#1168,FindResourceA,LoadResource,SizeofResource,LockResource,ExtCreateRegion,#1641,#2452,SetWindowRgn,#2414, 0_2_00420930
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 8U5snojV8p.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\User\Desktop\VC 6.0\21.7.20\chatwithusdi_src\Chat Client\Release\Chat Client.pdb source: 8U5snojV8p.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_004269B0 push eax; ret 0_2_004269DE
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_0067834C push esi; iretd 0_2_00678354
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_0067862D push eax; ret 0_2_00678649
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_004269B0 push eax; ret 10_2_004269DE
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_0077834C push esi; iretd 10_2_00778354
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_0077862D push eax; ret 10_2_00778649
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00777E3C push eax; ret 10_2_00777E69

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\8U5snojV8p.exe Executable created and started: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\8U5snojV8p.exe PE file moved: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\8U5snojV8p.exe File opened: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_004012F3 _EH_prolog,OpenFileMappingA,#800,MapViewOfFile,#521,#567,#1651,GetLastActivePopup,#2864,IsIconic,#6215,SetForegroundWindow,#2463,#818,UnmapViewOfFile,CloseHandle,#6307,CloseHandle, 0_2_004012F3
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_004012F3 _EH_prolog,OpenFileMappingA,#800,MapViewOfFile,#521,#567,#1651,GetLastActivePopup,#2864,IsIconic,#6215,SetForegroundWindow,#2463,#818,UnmapViewOfFile,CloseHandle,#6307,CloseHandle, 10_2_004012F3
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\8U5snojV8p.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8U5snojV8p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6684 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_007828A3 FindFirstFileW,FindNextFileW,FindClose, 10_2_007828A3
Source: C:\Users\user\Desktop\8U5snojV8p.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000004.00000002.513647631.00000196D6C5F000.00000004.00000001.sdmp Binary or memory string: $@Hyper-V RAW
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW3
Source: svchost.exe, 00000004.00000002.513593270.00000196D6C47000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.511644682.000002B42C002000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000004.00000002.511712314.00000196D1629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@Q
Source: svchost.exe, 00000005.00000002.511838410.000002B42C03E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.512377920.000001792586A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.512136478.000001D969029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_00670467 mov eax, dword ptr fs:[00000030h] 0_2_00670467
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_00672674 mov eax, dword ptr fs:[00000030h] 0_2_00672674
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00770467 mov eax, dword ptr fs:[00000030h] 10_2_00770467
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00772674 mov eax, dword ptr fs:[00000030h] 10_2_00772674
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00772F59 mov eax, dword ptr fs:[00000030h] 10_2_00772F59
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_0078361A mov eax, dword ptr fs:[00000030h] 10_2_0078361A
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Code function: 10_2_00782D35 mov eax, dword ptr fs:[00000030h] 10_2_00782D35
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\8U5snojV8p.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\8U5snojV8p.exe Code function: 0_2_00401A91 GetVersion,malloc,GetVersionExA,malloc,GetVersionExA,free, 0_2_00401A91

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000B.00000002.511726753.000001DFFA640000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.511862494.000001DFFA702000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.2.8U5snojV8p.exe.67053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8U5snojV8p.exe.67053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, type: MEMORY