Windows Analysis Report tcpmdmaus.exe
Overview
General Information
Detection
Emotet

| Field | Value |
|---|---|
| Score | 84 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Classification
Process Tree

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| | Emotet | Emotet Payload | kevoreilly | |
| | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| | Emotet | Emotet Payload | kevoreilly | |
| | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| | Emotet | Emotet Payload | kevoreilly | |
| | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| | Emotet | Emotet Payload | kevoreilly | |
| | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection

| Signature | Sources |
|---|---|
| Multi AV Scanner detection for submitted file | Virustotal, Metadefender, ReversingLabs |
| Antivirus / Scanner detection for submitted sample | Avira |
| Machine Learning detection for sample | Joe Sandbox ML |
Source: Code function: 0_2_013114C9, 1_2_013114C9, 1_2_01252129, 1_2_01252195, 1_2_01252435, 1_2_01252336, 1_2_01252261, 1_2_012522A6, 2_2_013114C9, 7_2_013114C9, 7_2_01452195, 7_2_01452336, 7_2_014522A6, 7_2_01452129, 7_2_01452435, 7_2_01452261
Source: Static PE information (2 entries)
Source: Binary string
Source: IP Address
Source: HTTP traffic detected
Source: TCP traffic (2 entries)
Source: Network traffic detected (2 entries)
Source: TCP traffic detected without corresponding DNS query (9 entries)
Source: String found in binary or memory (3 entries)