Edit tour

Windows Analysis Report
os.exe_

Overview

General Information

Sample Name:	os.exe_ (renamed file extension from exe_ to exe)
Analysis ID:	745620
MD5:	df3118872eafc944ad200ad462023a5d
SHA1:	afb8e59f0d39c614e6b7ac3486c7ea016342fb05
SHA256:	e81704d02356f7f9a1a54ff857fa3afb2b96680b99c23643e1ccbc16b750239e
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Writes to foreign memory regions

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

os.exe (PID: 4688 cmdline: C:\Users\user\Desktop\os.exe MD5: DF3118872EAFC944AD200AD462023A5D)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

kbuhkupik.exe (PID: 2040 cmdline: C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp MD5: EB199893441CED4BBBCB547FE411CF2D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
os.exe	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
os.exe	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x9fe2b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa66d6:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb606b:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb9b5c:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa8512:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x9f8b4:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x9fe19:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb6059:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa508e:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0xb795b:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xaa4e4:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0xa8526:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0xa0887:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
os.exe	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x9eec8:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x9efb9:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x9fe94:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0xa0561:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0xa07a9:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0xa0fe9:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0xa15f2:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0xa170c:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0xa4876:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0xa5284:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0xa57fd:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0xa5c7a:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0xa649d:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0xa67eb:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0xa6aee:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0xa7c9b:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0xa7d7b:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xaa646:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xab787:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xac2db:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xac614:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\6E8422DB.dll	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
C:\Users\user\Desktop\6E8422DB.dll	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
C:\Users\user\Desktop\6E8422DB.dll	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x1017:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x78c2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17257:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1ad48:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x96fe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0xaa0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x1005:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17245:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x627a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18b47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xb6d0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x9712:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1a73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0xb4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x1a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x1080:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x174d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1995:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x21d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x27de:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x28f8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5a62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x6470:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x69e9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x6e66:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x7689:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x79d7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x7cda:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x8e87:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x8f67:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xb832:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xc973:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xd4c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xd800:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
00000000.00000002.574382395.00007FF88EE12000.00000008.00000001.01000000.00000004.sdmp	SUSP_Four_Byte_XOR_PE_And_MZ	Look for 4 byte xor of a PE starting at offset 0	Wesley Shields <wxs@atarininja.org>
00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x4e62:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x5ad8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x5aec:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x6ba2:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x9fe2b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa66d6:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb606b:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb9b5c:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa8512:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x9f8b4:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x9fe19:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb6059:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa508e:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0xb795b:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xaa4e4:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0xa8526:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0xa0887:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x9eec8:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x9efb9:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x9fe94:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0xa0561:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0xa07a9:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0xa0fe9:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0xa15f2:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0xa170c:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0xa4876:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0xa5284:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0xa57fd:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0xa5c7a:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0xa649d:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0xa67eb:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0xa6aee:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0xa7c9b:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0xa7d7b:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xaa646:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xab787:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xac2db:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xac614:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.2.os.exe.7ff88edf0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.os.exe.7ff88edf0000.2.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.2.os.exe.7ff88edf0000.2.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
0.3.os.exe.1acdc970000.4.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcbdea14.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.3.os.exe.1acdcbdea14.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcbdea14.0.raw.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
0.3.os.exe.1acdc960000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.3.os.exe.1acdc970000.4.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdc960000.3.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x817:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x70c2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x16a57:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1a548:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x8efe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x805:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x16a45:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x5a7a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18347:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xaed0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x8f12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1273:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdc960000.3.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x880:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0xf4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1195:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x19d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x1fde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x20f8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5262:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x5c70:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x61e9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x6666:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x6e89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x71d7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x74da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x8687:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x8767:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xb032:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xc173:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xccc7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xd000:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00 0xd333:$calc1: C7 44 24 30 75 43 B6 7B C7 04 24 12 F0 F0 6D C7 44 24 28 D2 EF 4E 3D C7 44 24 38 13 F0 60 72 C7 44 24 20 00 A0 D9 00 0xd41a:$calc1: C7 44 24 30 9D 52 5A 4D C7 04 24 3A 88 39 50 C7 44 24 28 FA 07 FA 48 C7 44 24 38 3B 88 82 51 C7 44 24 20 00 C3 AC 00
2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcbdea14.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.3.os.exe.1acdcbdea14.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x817:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x70c2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x16a57:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1a548:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x8efe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x805:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x16a45:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x5a7a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18347:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xaed0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x8f12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1273:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcbdea14.0.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x880:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0xf4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1195:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x19d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x1fde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x20f8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5262:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x5c70:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x61e9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x6666:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x6e89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x71d7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x74da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x8687:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x8767:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xb032:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xc173:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xccc7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xd000:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00 0xd333:$calc1: C7 44 24 30 75 43 B6 7B C7 04 24 12 F0 F0 6D C7 44 24 28 D2 EF 4E 3D C7 44 24 38 13 F0 60 72 C7 44 24 20 00 A0 D9 00 0xd41a:$calc1: C7 44 24 30 9D 52 5A 4D C7 04 24 3A 88 39 50 C7 44 24 28 FA 07 FA 48 C7 44 24 38 3B 88 82 51 C7 44 24 20 00 C3 AC 00
2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdc960000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.3.os.exe.1acdc960000.3.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdc960000.3.raw.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
2.0.kbuhkupik.exe.7ff7e47d0000.4.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcbba850.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.3.os.exe.1acdcbba850.1.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x255db:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2be86:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x3b81b:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x3f30c:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2dcc2:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x25064:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x255c9:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x3b809:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a83e:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x3d10b:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2fc94:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0x2dcd6:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x26037:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcbba850.1.raw.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x24678:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x24769:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x25644:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0x25d11:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0x25f59:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0x26799:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0x26da2:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0x26ebc:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0x2a026:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0x2aa34:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0x2afad:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0x2b42a:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0x2bc4d:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0x2bf9b:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0x2c29e:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0x2d44b:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0x2d52b:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0x2fdf6:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0x30f37:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0x31a8b:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0x31dc4:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
0.3.os.exe.1acdcb40000.2.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x9c62b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9c0b4:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x9c619:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x9d087:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcb40000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.3.os.exe.1acdcb40000.2.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x9fe2b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa66d6:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb606b:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb9b5c:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa8512:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x9f8b4:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x9fe19:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xb6059:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0xa508e:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0xb795b:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0xaa4e4:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 0xa8526:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0xa0887:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.os.exe.1acdcb40000.2.raw.unpack	Windows_Trojan_Emotet_d6ac1ea4	unknown	unknown	0x9eec8:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00 0x9efb9:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00 0x9fe94:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00 0xa0561:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00 0xa07a9:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00 0xa0fe9:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00 0xa15f2:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00 0xa170c:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00 0xa4876:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00 0xa5284:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00 0xa57fd:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00 0xa5c7a:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00 0xa649d:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00 0xa67eb:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00 0xa6aee:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00 0xa7c9b:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00 0xa7d7b:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00 0xaa646:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00 0xab787:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00 0xac2db:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00 0xac614:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
2.0.kbuhkupik.exe.7ff7e47d0000.1.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
2.0.kbuhkupik.exe.7ff7e47d0000.2.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
2.0.kbuhkupik.exe.7ff7e47d0000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
Click to see the 28 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: os.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\6E8422DB.dll

Avira: detection malicious, Label: HEUR/AGEN.1251140

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\6E8422DB.dll

Virustotal: Detection: 57%

Perma Link

Machine Learning detection for sample

Source: os.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\os.exe

Code function: 0_2_00007FF6D40728F0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,

0_2_00007FF6D40728F0

Source: os.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: certutil.pdb source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
Source:	Binary string: certutil.pdbGCTL source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr

Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr	String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: os.exe, type: SAMPLE
Source: Yara match	File source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: os.exe, type: SAMPLE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: os.exe, type: SAMPLE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 0.3.os.exe.1acdc970000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 0.3.os.exe.1acdc970000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 0.3.os.exe.1acdcb40000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown

Source: os.exe, type: SAMPLE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: os.exe, type: SAMPLE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc970000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc970000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
os.exe_

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

E-Banking Fraud

System Summary

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report os.exe_

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

E-Banking Fraud

System Summary

Windows Analysis Report
os.exe_