Edit tour
Windows
Analysis Report
5CUFfVMSaQ
Overview
General Information
| Sample Name: | 5CUFfVMSaQ (renamed file extension from none to dll) |
| Analysis ID: | 671666 |
| MD5: | 5d4728494832d03bbfb75367836fef4e |
| SHA1: | abcbd283801a05390995862f59dcb5310f3d3d88 |
| SHA256: | caa60b9025dfba07efac6cae5438a8e20d9b7c210a721a4cf1f9d7b6df4d7d90 |
| Tags: | exeOpenCTIBRSandboxed |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
PE file contains more sections than normal
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 7016 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\5CU FfVMSaQ.dl l" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA) 
cmd.exe (PID: 7024 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\5CU FfVMSaQ.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 7044 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\5CUF fVMSaQ.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 7032 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\5C UFfVMSaQ.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 7132 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\NCybOK cMqaEIN\jn EWIdoCfnPf .dll" MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 7052 cmdline:
rundll32.e xe C:\User s\user\Des ktop\5CUFf VMSaQ.dll, ABeFtrnwmg Aedx MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 7108 cmdline:
rundll32.e xe C:\User s\user\Des ktop\5CUFf VMSaQ.dll, AEjATaIExp Qg MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 6160 cmdline:
rundll32.e xe C:\User s\user\Des ktop\5CUFf VMSaQ.dll, AbfBlUFQKb pevAFdaCpE lBdscB MD5: 73C519F050C20580F8A62C849D49215A)
- svchost.exe (PID: 6476 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6448 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4520 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5216 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5092 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
{"C2 list": ["108.194.0.0:443", "40.4.0.0:1", "4.4.0.0:1", "8.4.0.0:1", "24.4.0.0:1", "232.3.0.0:1", "20.4.0.0:1", "236.3.0.0:1", "36.4.0.0:1", "139.247.2.0:2096", "160.153.244.0:1", "21.115.0.0:4", "133.247.2.0:4048", "4.1.0.0:92", "224.146.244.0:1", "120.247.2.0:4048", "121.247.2.0:5104", "160.154.244.0:1", "141.247.2.0:5104", "160.147.244.0:1", "143.247.2.0:4544", "160.156.244.0:1", "145.247.2.0:2912", "224.150.244.0:1", "153.247.2.0:1324"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_2 | Yara detected Emotet | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_3 | Joe Security | |||
| Click to see the 6 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 5 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.5188.165.79.151497724432404320 07/22/22-13:16:45.923727 |
| SID: | 2404320 |
| Source Port: | 49772 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Malware Configuration Extractor: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00000001800426C8 | |
| Source: | Code function: | 2_2_00000001800436B4 | |
| Source: | Code function: | 2_2_000000018004383C | |
| Source: | Code function: | 2_2_0000000180043DBC | |
| Source: | Code function: | 6_2_02930A20 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||