Edit tour
Windows
Analysis Report
UC2DFXQIBiE2kQ.dll
Overview
General Information
| Sample Name: | UC2DFXQIBiE2kQ.dll |
| Analysis ID: | 747450 |
| MD5: | e2ec88ae31e147d1976368c6a8988d3c |
| SHA1: | 937a21ced7f2663c923c9c614cbe06d95def511a |
| SHA256: | ae7e655db35a71a3b2df96051d722d7995ec94feea3cbd59bec501042ab40847 |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 4348 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\UC2 DFXQIBiE2k Q.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 2260 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 812 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\UC2 DFXQIBiE2k Q.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 1516 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\UC2D FXQIBiE2kQ .dll",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 4640 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\UC 2DFXQIBiE2 kQ.dll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5316 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\NzmNpN Pvo\tzEWj. dll" MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 4360 cmdline:
rundll32.e xe C:\User s\user\Des ktop\UC2DF XQIBiE2kQ. dll,ACeujV ZMknFDjv MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 1092 cmdline:
rundll32.e xe C:\User s\user\Des ktop\UC2DF XQIBiE2kQ. dll,AHuDGM flBfPryOEY juTfbzJdEM MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 1916 cmdline:
rundll32.e xe C:\User s\user\Des ktop\UC2DF XQIBiE2kQ. dll,ATjQPk InxPUGuUu MD5: 73C519F050C20580F8A62C849D49215A)
- regsvr32.exe (PID: 1960 cmdline:
C:\Windows \system32\ regsvr32.e xe" "C:\Wi ndows\syst em32\NzmNp NPvo\tzEWj .dll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5628 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Use rs\user\Ap pData\Loca l\VfjAKsbR VDLoO\aeuw PIzDFvIwK. dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
{"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0mhn6vQAbAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWaBkovQARAJA="]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.5115.178.55.2249702802404304 11/16/22-11:48:03.539047 |
| SID: | 2404304 |
| Source Port: | 49702 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 3_2_000000018004A020 | |
| Source: | Code function: | 3_2_0000000180029290 | |
| Source: | Code function: | 3_2_000000018002972C | |
| Source: | Code function: | 3_2_0000000180028B30 | |
| Source: | Code function: | 3_2_0000000180028B30 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||