Analysis
-
max time kernel
146s -
max time network
139s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
18-07-2020 20:16
Static task
static1
Behavioral task
behavioral1
Sample
4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
Resource
win7v200430
General
-
Target
4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
-
Size
100KB
-
MD5
5dbd14b5252f34d6200466b7d3ab5d10
-
SHA1
564e4214753cecacb49bb5b0f7bb7cb8b7200bdb
-
SHA256
4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b
-
SHA512
4be10711d492012977bf2c8be2f9e9a80a3b7dfa0599796c581d7e98f60a0e14a765387311d9d0c64dbaa62f856480882e6579b810c976cafe6d71f8f8cb4900
Malware Config
Extracted
emotet
109.117.53.230:443
212.51.142.238:8080
190.160.53.126:80
139.59.60.244:8080
91.211.88.52:7080
190.108.228.62:443
186.208.123.210:443
46.105.131.87:80
173.91.22.41:80
222.214.218.37:4143
31.31.77.83:443
62.75.141.82:80
93.156.165.186:80
93.51.50.171:8080
185.94.252.104:443
78.189.165.52:8080
95.179.229.244:8080
73.11.153.178:8080
203.153.216.189:7080
95.213.236.64:8080
79.98.24.39:8080
41.60.200.34:80
61.19.246.238:443
104.131.11.150:443
162.241.92.219:8080
104.131.44.150:8080
58.153.68.176:80
153.126.210.205:7080
62.138.26.28:8080
168.235.67.138:7080
103.86.49.11:8080
116.203.32.252:8080
87.106.139.101:8080
101.187.97.173:80
113.160.130.116:8443
75.139.38.211:80
201.173.217.124:443
60.130.173.117:80
139.130.242.43:80
110.143.151.194:80
46.105.131.79:8080
162.154.38.103:80
121.124.124.40:7080
137.59.187.107:8080
81.2.235.111:8080
110.145.77.103:80
109.74.5.95:8080
200.41.121.90:80
91.205.215.66:443
108.48.41.69:80
176.111.60.55:8080
24.1.189.87:8080
190.144.18.198:80
87.106.136.232:8080
5.196.74.210:8080
209.141.54.221:8080
50.116.86.205:8080
78.24.219.147:8080
210.165.156.91:80
37.187.72.193:8080
157.245.99.39:8080
190.55.181.54:443
37.139.21.175:8080
169.239.182.217:8080
104.236.246.93:8080
200.55.243.138:8080
74.208.45.104:8080
5.39.91.110:7080
79.7.158.208:80
Signatures
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 904 4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe 904 4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe 904 4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 904 4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 904 4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe 904 4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe"C:\Users\Admin\AppData\Local\Temp\4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:904
Network
-
Remote address:8.8.8.8:53Requestdns.msftncsi.comIN AResponsedns.msftncsi.comIN A131.107.255.255
-
Remote address:8.8.8.8:53Requestdns.msftncsi.comIN AAAAResponsedns.msftncsi.comIN AAAAfd3e:4f5a:5b81::1
-
POSThttp://212.51.142.238:8080/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exeRemote address:212.51.142.238:8080RequestPOST /h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/ HTTP/1.1
Referer: http://212.51.142.238/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/
Content-Type: multipart/form-data; boundary=---------------------------846420566985041
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 212.51.142.238:8080
Content-Length: 4388
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 18 Jul 2020 20:18:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
-
152 B 3
-
152 B 3
-
212.51.142.238:8080http://212.51.142.238:8080/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/http4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe5.7kB 948 B 15 9
HTTP Request
POST http://212.51.142.238:8080/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/HTTP Response
200
-
100 B 2
-
234 B 3
-
966 B 6
-
-
62 B 78 B 1 1
DNS Request
dns.msftncsi.com
DNS Response
131.107.255.255
-
62 B 90 B 1 1
DNS Request
dns.msftncsi.com
DNS Response
fd3e:4f5a:5b81::1