Report - jooyu.exe

Gen2 Emotet PE File OS Processor Check PE32
Created 2021.06.08 10:50 Machine s1_win7_x6402
Filename jooyu.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 7.8
ZERO API (file) malware
VT API (file) 57 detected (AIDetect, malware2, malicious, high confidence, GenericKD, IgenericRI, S15903427, GenericRXAA, Unsafe, CookiesStealer, Save, confidence, CookieStealer, Eldorado, Attribute, HighConfidence, ACLN, Spyagent, PSWTool, hqsnsl, Gencirc, Malware@#dtfpxx1rbcg5, JazoStealer, znvpf, R002C0PE721, Score, ai score=100, ASMalwS, KVM003, kcloud, PassView, R356907, ZexaF, 8uW@a82JMxcj, BScope, Infospy, Facebook, CLASSIC, Convagent, WP9TbZjCMq4, Static AI, Suspicious PE, susgen, Genetic)
md5 aed57d50123897b0012c35ef5dec4184
sha256 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
ssdeep 24576:6dWdWjFMYKO1ZcqlHrorVCkTNkdBAnlXG6+Z1mbXEC:FSMYKO1ZcmHsrVCokUlXF+Z1IUC
imphash 2d61767a66f97802f04479dc222ea0b1
impfuzzy 48:J9PBQnc+F9YtoS1rMUZFuPZ7OjKEj6Nh6p2:Jcc+vYtoS1rMUZ07cKEeNYp2

Signature (17cnts)

Level Description
danger File has been identified by 57 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (8cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (16cnts)

Request CC ASN Co IP4 Rule ZERO
http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf NL ENZUINC 88.218.92.148 1396 malicious
http://uyg5wye.2ihsfa.com/api/fbtime NL ENZUINC 88.218.92.148 1396 malicious
http://ip-api.com/json/ US TUT-AS 208.95.112.1 clean
https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150 US GOOGLE 216.58.220.206 clean
https://iplogger.org/18hh57 DE Hetzner Online GmbH 88.99.66.31 clean
https://www.facebook.com/ US FACEBOOK 157.240.215.35 clean
script.google.com US GOOGLE 172.217.25.238 clean
iplogger.org DE Hetzner Online GmbH 88.99.66.31 malicious
uyg5wye.2ihsfa.com NL ENZUINC 88.218.92.148 malicious
www.facebook.com US FACEBOOK 157.240.215.35 clean
ip-api.com US TUT-AS 208.95.112.1 clean
88.99.66.31 DE Hetzner Online GmbH 88.99.66.31 malicious
208.95.112.1 US TUT-AS 208.95.112.1 clean
88.218.92.148 NL ENZUINC 88.218.92.148 malware
157.240.215.35 US FACEBOOK 157.240.215.35 clean
216.58.220.206 US GOOGLE 216.58.220.206 suspicious

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x463014 LocalFree
 0x463018 SizeofResource
 0x46301c GetLastError
 0x463020 LockResource
 0x463024 LoadResource
 0x463028 FindResourceW
 0x46302c WinExec
 0x463030 WriteConsoleW
 0x463034 FormatMessageW
 0x463038 Sleep
 0x46303c GetTempPathA
 0x463040 lstrlenW
 0x463044 HeapSize
 0x463048 CreateFileW
 0x46304c SetStdHandle
 0x463050 GetProcessHeap
 0x463054 SetEnvironmentVariableW
 0x463058 FreeEnvironmentStringsW
 0x46305c GetEnvironmentStringsW
 0x463060 GetCommandLineW
 0x463064 GetCommandLineA
 0x463068 GetOEMCP
 0x46306c GetACP
 0x463070 IsValidCodePage
 0x463074 FindNextFileW
 0x463078 FindFirstFileExW
 0x46307c FindClose
 0x463080 GetTimeZoneInformation
 0x463084 MultiByteToWideChar
 0x463088 GetStringTypeW
 0x46308c WideCharToMultiByte
 0x463090 EnterCriticalSection
 0x463094 LeaveCriticalSection
 0x463098 DeleteCriticalSection
 0x46309c EncodePointer
 0x4630a0 DecodePointer
 0x4630a4 GetCPInfo
 0x4630a8 CompareStringW
 0x4630ac LCMapStringW
 0x4630b0 GetLocaleInfoW
 0x4630b4 SetLastError
 0x4630b8 InitializeCriticalSectionAndSpinCount
 0x4630bc CreateEventW
 0x4630c0 TlsAlloc
 0x4630c4 TlsGetValue
 0x4630c8 TlsSetValue
 0x4630cc TlsFree
 0x4630d0 GetSystemTimeAsFileTime
 0x4630d4 GetModuleHandleW
 0x4630d8 GetProcAddress
 0x4630dc CloseHandle
 0x4630e0 SetEvent
 0x4630e4 ResetEvent
 0x4630e8 WaitForSingleObjectEx
 0x4630ec UnhandledExceptionFilter
 0x4630f0 SetUnhandledExceptionFilter
 0x4630f4 GetCurrentProcess
 0x4630f8 TerminateProcess
 0x4630fc IsProcessorFeaturePresent
 0x463100 IsDebuggerPresent
 0x463104 GetStartupInfoW
 0x463108 QueryPerformanceCounter
 0x46310c GetCurrentProcessId
 0x463110 GetCurrentThreadId
 0x463114 InitializeSListHead
 0x463118 RtlUnwind
 0x46311c RaiseException
 0x463120 FreeLibrary
 0x463124 LoadLibraryExW
 0x463128 ExitProcess
 0x46312c GetModuleHandleExW
 0x463130 GetModuleFileNameW
 0x463134 GetStdHandle
 0x463138 WriteFile
 0x46313c HeapReAlloc
 0x463140 HeapFree
 0x463144 HeapAlloc
 0x463148 GetFileType
 0x46314c GetFileSizeEx
 0x463150 SetFilePointerEx
 0x463154 FlushFileBuffers
 0x463158 GetConsoleCP
 0x46315c GetConsoleMode
 0x463160 GetDateFormatW
 0x463164 GetTimeFormatW
 0x463168 IsValidLocale
 0x46316c GetUserDefaultLCID
 0x463170 EnumSystemLocalesW
 0x463174 DeleteFileW
 0x463178 ReadFile
 0x46317c ReadConsoleW
 0x463180 SetEndOfFile
ADVAPI32.dll
 0x463000 RegSetValueExW
 0x463004 RegOpenKeyExW
 0x463008 RegCreateKeyW
 0x46300c RegCloseKey
WINHTTP.dll
 0x463188 WinHttpQueryHeaders
 0x46318c WinHttpReadData
 0x463190 WinHttpOpenRequest
 0x463194 WinHttpSetOption
 0x463198 WinHttpCloseHandle
 0x46319c WinHttpAddRequestHeaders
 0x4631a0 WinHttpQueryAuthSchemes
 0x4631a4 WinHttpGetProxyForUrl
 0x4631a8 WinHttpSendRequest
 0x4631ac WinHttpSetCredentials
 0x4631b0 WinHttpConnect
 0x4631b4 WinHttpQueryDataAvailable
 0x4631b8 WinHttpReceiveResponse
 0x4631bc WinHttpOpen
 0x4631c0 WinHttpGetIEProxyConfigForCurrentUser

EAT (Export Address Table): none