Edit tour
Windows
Analysis Report
U9M1w8FHBW.exe
Overview
General Information
| Sample Name: | U9M1w8FHBW.exe (renamed file extension from exe to dll) |
| Analysis ID: | 745001 |
| MD5: | deab9f2826fa9d755e77a010c51effb8 |
| SHA1: | a44e1cd6ca3c8c7bad9ad286ba9e19ab2a6e8190 |
| SHA256: | b3dbb3902ed3e35a1f314f2b9385c2f020d4182cf0e93a9157cb0275548d72cc |
| Tags: | dllexe |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 5144 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\U9M 1w8FHBW.dl l" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 1128 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 3808 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\U9M 1w8FHBW.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 1972 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\U9M1 w8FHBW.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 4808 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\DChihh ZAEIop\NZI CbhYKmnAVT .dll" MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 3360 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\U9 M1w8FHBW.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 4516 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\YKYTbO gY\pyluVjQ OzYMsbAJk. dll" MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 5552 cmdline:
rundll32.e xe C:\User s\user\Des ktop\U9M1w 8FHBW.dll, DllRegiste rServer MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 4144 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\AvyZUm IIeGJLvcye \aPdTkvBLd rznCXG.dll " MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 3192 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\DahdrC XRHjoqlqPu \vvcfbAnuZ puTsj.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 1788 cmdline:
C:\Windows \system32\ regsvr32.e xe" "C:\Wi ndows\syst em32\DChih hZAEIop\NZ ICbhYKmnAV T.dll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 4784 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Use rs\user\Ap pData\Loca l\OQOuTpy\ WqdnfVdfYC xIlc.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
{"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.6115.178.55.2249714802404304 11/13/22-16:55:33.271971 |
| SID: | 2404304 |
| Source Port: | 49714 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_00007FFD14679410 | |
| Source: | Code function: | 3_2_00007FFD14679410 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FFD1466C334 | |
| Source: | Code function: | 3_2_00007FFD1466C334 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||