Windows Analysis Report
kOiaWLNKXpjayWeM.dll
Overview
General Information
Detection
Emotet
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Uses the system / local time for branch decision (may execute only at specific dates)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll64.exe (PID: 6112, cmdline: loaddll64.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll", MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
- conhost.exe (PID: 6096, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6044, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- rundll32.exe (PID: 6128, cmdline: rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1, MD5: 73C519F050C20580F8A62C849D49215A)
- WerFault.exe (PID: 5204, cmdline: C:\Windows\system32\WerFault.exe -u -p 6128 -s 480, MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- regsvr32.exe (PID: 6076, cmdline: regsvr32.exe /s C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 5252, cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll", MD5: D78B75FC68247E8A63ACBA846182740E)
- rundll32.exe (PID: 2424, cmdline: rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z, MD5: 73C519F050C20580F8A62C849D49215A)
- WerFault.exe (PID: 3332, cmdline: C:\Windows\system32\WerFault.exe -u -p 2424 -s 472, MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- rundll32.exe (PID: 5228, cmdline: rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 1788, cmdline: rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z, MD5: 73C519F050C20580F8A62C849D49215A)
- regsvr32.exe (PID: 6128, cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 5288, cmdline: C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll", MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

14 entries in total; the first 5 are shown.

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

13 entries in total; the first 5 are shown.
No Sigma rule has matched.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
---|---|---|---|---|---|---|---
11/21/22-03:33:25.830611 | 192.168.2.3 | 49714 | 218.38.121.17 | 443 | TCP | 2404324 | A Network Trojan was detected
AV Detection
- Source: ReversingLabs
- Source: Virustotal
- Source: Avira URL Cloud
- Source: Malware Configuration Extractor
- Source: Code function
- Source: Code function
- Source: HTTPS traffic detected
- Source: Code function
- Source: Code function
- Source: Code function
- Source: Code function

Networking
- Source: Network Connect