Edit tour
Windows
Analysis Report
PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300
Overview
General Information
| Sample Name: | PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300 (renamed file extension from com_15e2f984de986ecb59e38a1c3a4a2300 to dll) |
| Analysis ID: | 666431 |
| MD5: | 15e2f984de986ecb59e38a1c3a4a2300 |
| SHA1: | 795383a71c9030a2c52624795a1e539bfedbf84c |
| SHA256: | 1e9a7692e74e98ac5d21a4d3bfb3696d69d8306e4e42d53bcb4604b3dff420bb |
| Tags: | droppedexe |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 6924 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\PYC kUgesWB.dl l" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA) 
cmd.exe (PID: 6940 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\PYC kUgesWB.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 6960 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\PYCk UgesWB.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 6948 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\PY CkUgesWB.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5304 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\XSYhmb \vuKI.dll" MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 6972 cmdline:
rundll32.e xe C:\User s\user\Des ktop\PYCkU gesWB.dll, AjkRVrFNny QmqXQdrCom yaiwV MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 7024 cmdline:
rundll32.e xe C:\User s\user\Des ktop\PYCkU gesWB.dll, AkMhEGvNFp nSswjeCw MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 7044 cmdline:
rundll32.e xe C:\User s\user\Des ktop\PYCkU gesWB.dll, BMIWqtk MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 2820 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\AfzDfn hsGeYDyd\O smuofIfhwE GDVL.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- svchost.exe (PID: 2444 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6052 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5732 cmdline:
c:\windows \system32\ svchost.ex e -k netsv cs -p -s B ITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4924 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4884 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6628 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5100 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
{"C2 list": ["87.106.97.83:7080", "118.98.72.86:443", "93.104.209.107:8080", "157.230.99.206:8080", "104.244.79.94:443", "88.217.172.165:8080", "103.41.204.169:8080", "85.214.67.203:8080", "196.44.98.190:8080", "198.199.70.22:8080", "62.171.178.147:8080", "210.57.209.142:8080", "178.238.225.252:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.71.99.57:8080", "157.245.111.0:8080", "128.199.242.164:8080", "103.56.149.105:8080", "128.199.217.206:443", "85.25.120.45:8080", "190.145.8.4:443", "165.232.185.110:8080", "178.62.112.199:8080", "103.85.95.4:8080", "188.225.32.231:4143", "103.126.216.86:443", "37.44.244.177:8080", "64.227.55.231:8080", "190.107.19.179:443", "83.229.80.93:8080", "103.254.12.236:7080", "104.248.225.227:8080", "36.67.23.59:443", "43.129.209.178:443", "165.22.254.236:8080", "175.126.176.79:8080", "202.134.4.210:7080", "202.29.239.162:443", "46.101.98.60:8080", "54.37.228.122:443", "5.253.30.17:7080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0yb8XUwABAI4=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW6785UwAHAJM="]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 9 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 9 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.7174.138.33.494978670802404316 07/16/22-19:12:04.677504 |
| SID: | 2404316 |
| Source Port: | 49786 |
| Destination Port: | 7080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 11_2_000000018001C9F0 | |
| Source: | Code function: | 0_2_10005790 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||