Edit tour
Windows
Analysis Report
jYzNEOocXJ.exe
Overview
General Information
| Sample Name: | jYzNEOocXJ.exe (renamed file extension from exe to dll) |
| Analysis ID: | 745049 |
| MD5: | c0f0068b25ecdd1a5cd3c6d38143b15a |
| SHA1: | d8d3ca380c13761b9f78407caa626000d150c289 |
| SHA256: | fbfd3ffa1c73410da17ad4f695976a4667b6e47361fbc459e1d3c60973cc8bf6 |
| Tags: | dllexe |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 5088 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\jYz NEOocXJ.dl l" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 2244 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 1172 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\jYz NEOocXJ.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 5092 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\jYzN EOocXJ.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 2188 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\SlbehL \VFRyzv.dl l" MD5: D78B75FC68247E8A63ACBA846182740E) - conhost.exe (PID: 5844 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - regsvr32.exe (PID: 4648 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\jY zNEOocXJ.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 1240 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\IGITGY feMHnijDRf h\YUPGSgcO A.dll" MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 4352 cmdline:
rundll32.e xe C:\User s\user\Des ktop\jYzNE OocXJ.dll, DllRegiste rServer MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 1308 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\MTGBtR nw\JNSgzav rCOAZ.dll" MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 1128 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\NiLEPs eQYt\GYKBf nsNfiUmNl. dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 3100 cmdline:
C:\Windows \system32\ regsvr32.e xe" "C:\Wi ndows\syst em32\Slbeh L\VFRyzv.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5912 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Use rs\user\Ap pData\Loca l\DjbPAkHw GwShv\clUE IwbdI.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
{"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.4115.178.55.2249695802404304 11/13/22-18:23:45.534335 |
| SID: | 2404304 |
| Source Port: | 49695 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_00007FF875EB9410 | |
| Source: | Code function: | 3_2_00007FF875EB9410 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF875EAC334 | |
| Source: | Code function: | 3_2_00007FF875EAC334 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | |||