emotet

General

Target

Killer.exe
Size

30.1MB
Sample

240726-n9jjwswfql
MD5

3d8a1274c158597b5f19a3a5e3585359
SHA1

2e230262da6e67c3453f3a27d71f85368db28797
SHA256

86b81bf7f83767c4934acaacdc5969d71c3ba8d897447993a4a6ebaaf23dfb6b
SHA512

76031a816caa45a30d4cc14299b4d5b61a63f829212239db53e616e93503da62589c1fc4c62e16dec7e9d9ef4b7fb997ada6ea3d471585a5ee6ec57ad0ef9f29
SSDEEP

786432:bCG6YUg4E4NakUtnEfz7vr85ienl0Zsgf68S1eQ/7:GG6YU1E4NNY5grS1eQ/7

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  Killer.exe
- Size
  
  30.1MB
- MD5
  
  3d8a1274c158597b5f19a3a5e3585359
- SHA1
  
  2e230262da6e67c3453f3a27d71f85368db28797
- SHA256
  
  86b81bf7f83767c4934acaacdc5969d71c3ba8d897447993a4a6ebaaf23dfb6b
- SHA512
  
  76031a816caa45a30d4cc14299b4d5b61a63f829212239db53e616e93503da62589c1fc4c62e16dec7e9d9ef4b7fb997ada6ea3d471585a5ee6ec57ad0ef9f29
- SSDEEP
  
  786432:bCG6YUg4E4NakUtnEfz7vr85ienl0Zsgf68S1eQ/7:GG6YU1E4NNY5grS1eQ/7
Score

10^/10

emotet privateloader wannacry xmrig banker defense_evasion discovery evasion execution loader miner ransomware trojan upx vmprotect worm
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- System Binary Proxy Execution: Verclsid
  Adversaries may abuse Verclsid to proxy execution of malicious code.
  defense_evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1