Edit tour
Windows
Analysis Report
548IrCt4hj
Overview
General Information
| Sample Name: | 548IrCt4hj (renamed file extension from none to dll) |
| Analysis ID: | 672062 |
| MD5: | 7301880b88f87cd3a593f7106d5743cc |
| SHA1: | c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240 |
| SHA256: | c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875caf6cbb6f5ba3970cc3 |
| Tags: | exeOpenCTIBRSandboxed |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 6432 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\548 IrCt4hj.dl l" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA) 
cmd.exe (PID: 6488 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\548 IrCt4hj.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 6516 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\548I rCt4hj.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 6504 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\54 8IrCt4hj.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 6692 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\ZPLPsN KH\eFntQ.d ll" MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 6536 cmdline:
rundll32.e xe C:\User s\user\Des ktop\548Ir Ct4hj.dll, DllCanUnlo adNow MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 6704 cmdline:
rundll32.e xe C:\User s\user\Des ktop\548Ir Ct4hj.dll, DllGetClas sObject MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 6776 cmdline:
rundll32.e xe C:\User s\user\Des ktop\548Ir Ct4hj.dll, DllRegiste rServer MD5: 73C519F050C20580F8A62C849D49215A)
- svchost.exe (PID: 7076 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5072 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3972 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6700 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6636 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6092 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
{"C2 list": ["139.59.80.108:8080", "83.229.80.93:8080", "190.107.19.179:443", "202.134.4.210:7080", "165.232.185.110:8080", "104.244.79.94:443", "198.199.70.22:8080", "37.44.244.177:8080", "195.77.239.39:8080", "103.85.95.4:8080", "85.214.67.203:8080", "103.41.204.169:8080", "78.47.204.80:443", "190.145.8.4:443", "139.196.72.155:8080", "87.106.97.83:7080", "202.29.239.162:443", "202.28.34.99:8080", "54.37.106.167:8080", "103.224.241.74:8080", "103.254.12.236:7080", "188.165.79.151:443", "43.129.209.178:443", "37.187.114.15:8080", "5.253.30.17:7080", "54.37.228.122:443", "157.230.99.206:8080", "103.56.149.105:8080", "157.245.111.0:8080", "128.199.242.164:8080", "104.248.225.227:8080", "88.217.172.165:8080", "175.126.176.79:8080", "85.25.120.45:8080", "178.62.112.199:8080", "178.238.225.252:8080", "93.104.209.107:8080", "210.57.209.142:8080", "128.199.217.206:443", "103.71.99.57:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0EZiWsQAQAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW45gAsQAmAIg="]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 4 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 3 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.5174.138.33.494976870802404316 07/23/22-04:56:42.473067 |
| SID: | 2404316 |
| Source Port: | 49768 |
| Destination Port: | 7080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 5_2_000000018006680C | |
| Source: | Code function: | 5_2_00000001800671B0 | |
| Source: | Code function: | 5_2_00000001800677BC | |
| Source: | Code function: | 10_2_024CC9F0 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||