Analysis

  • max time kernel
    146s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-07-2020 20:16

General

  • Target

    4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe

  • Size

    100KB

  • MD5

    5dbd14b5252f34d6200466b7d3ab5d10

  • SHA1

    564e4214753cecacb49bb5b0f7bb7cb8b7200bdb

  • SHA256

    4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b

  • SHA512

    4be10711d492012977bf2c8be2f9e9a80a3b7dfa0599796c581d7e98f60a0e14a765387311d9d0c64dbaa62f856480882e6579b810c976cafe6d71f8f8cb4900

Score
10/10

Malware Config

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----
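
The rsa_pubkey.plain value above is a DER-encoded SubjectPublicKeyInfo in PEM armour. The following stdlib-only Python is an added example, not output of the sandbox: it walks the ASN.1 structure by hand to recover the modulus and public exponent, so the key size can be read off the extracted config without trusting any label. The only input is the key text copied from this report; the helper names are this example's own.

```python
import base64
import hashlib

# Public key copied verbatim from the rsa_pubkey.plain field of this report
EMOTET_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(pem: str):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return (modulus, exponent)."""
    der = pem_to_der(pem)
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = read_tlv(spki, 0)          # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki, pos)      # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_pub, _ = read_tlv(bit_string, 1)       # RSAPublicKey SEQUENCE (skip unused-bits byte)
    _, n_bytes, pos = read_tlv(rsa_pub, 0)        # INTEGER modulus
    _, e_bytes, _ = read_tlv(rsa_pub, pos)        # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(pem: str) -> dict:
    """Key size, exponent and a DER hash that can serve as a config-level indicator."""
    n, e = rsa_key_params(pem)
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "der_sha256": hashlib.sha256(pem_to_der(pem)).hexdigest(),
    }


if __name__ == "__main__":
    print(key_summary(EMOTET_PUBKEY_PEM))
```

For this sample the modulus is 768 bits with e = 65537. No legitimate software ships a 768-bit RSA key today, so the key size on its own is a strong hint that a decoded blob is a malware configuration, and the SHA-256 of the DER bytes is a stable value for clustering samples that carry the same key.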

Signatures

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
    "C:\Users\Admin\AppData\Local\Temp\4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    • Suspicious use of SetWindowsHookEx
    PID:904

Network

  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN AAAA
    Response
    dns.msftncsi.com
    IN AAAA
    fd3e:4f5a:5b81::1
  • POST
    http://212.51.142.238:8080/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/
    4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
    Remote address:
    212.51.142.238:8080
    Request
    POST /h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/ HTTP/1.1
    Referer: http://212.51.142.238/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/
    Content-Type: multipart/form-data; boundary=---------------------------846420566985041
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 212.51.142.238:8080
    Content-Length: 4388
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 20:18:14 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 109.117.53.230:443
    4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
    152 B
    3
  • 109.117.53.230:443
    4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
    152 B
    3
  • 212.51.142.238:8080
    http://212.51.142.238:8080/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/
    http
    4e28731031a9f7d1b6c87386704da28cebc40e86425cadd308345fa232773b6b.exe
    5.7kB
    948 B
    15
    9

    HTTP Request

    POST http://212.51.142.238:8080/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/

    HTTP Response

    200
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    234 B
    3
  • 239.255.255.250:1900
    966 B
    6
  • 239.255.255.250:1900
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    90 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1
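
The Malware Config section lists 20 C2 endpoints and the Network section shows the one beacon this run actually sent: a POST to a bare IP on a non-standard port, a path of random alphanumeric segments, a multipart/form-data body, a Referer that drops the port, and an IE7 User-Agent. The Python below is an added example, not produced by the sandbox, that turns both into a check that can run over proxy or HTTP-inspection records. The request records are constructed: the first copies the headers from this report, the other two are made up for contrast. The heuristic traits and the three-indicator threshold are derived from this single sample, so treat them as assumptions to tune rather than a vetted signature.

```python
import ipaddress
import re

# C2 endpoints copied from the Malware Config section of this report
C2_CONFIG = """
109.117.53.230:443 212.51.142.238:8080 190.160.53.126:80 139.59.60.244:8080
91.211.88.52:7080 190.108.228.62:443 186.208.123.210:443 46.105.131.87:80
173.91.22.41:80 222.214.218.37:4143 31.31.77.83:443 62.75.141.82:80
93.156.165.186:80 93.51.50.171:8080 185.94.252.104:443 78.189.165.52:8080
95.179.229.244:8080 73.11.153.178:8080 203.153.216.189:7080 95.213.236.64:8080
"""


def load_c2(text: str) -> set:
    """Parse whitespace-separated ip:port tokens into a set of (ip, port) tuples."""
    c2 = set()
    for token in text.split():
        ip, port = token.rsplit(":", 1)
        c2.add((ip, int(port)))
    return c2


# Three or more alphanumeric-only segments with a trailing slash, as in the observed POST path
_BEACON_PATH = re.compile(r"^(?:/[A-Za-z0-9]+){3,}/$")


def _bare_ip(host: str) -> bool:
    """True when the Host header is a literal IPv4 address (optionally with :port)."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ipaddress.AddressValueError:
        return False


def beacon_indicators(req: dict) -> list:
    """List the traits of the observed Emotet beacon that this request shares (assumed heuristic)."""
    h = {k.lower(): v for k, v in req["headers"].items()}
    host = h.get("host", "")
    hits = []
    if req["method"] == "POST" and _bare_ip(host):
        hits.append("POST to a bare IP host")
    if _BEACON_PATH.match(req["path"]):
        hits.append("random alphanumeric path segments")
    if h.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart/form-data body")
    if ":" in host and h.get("referer", "").startswith("http://%s/" % host.split(":")[0]):
        hits.append("Referer drops the non-standard port")
    if "MSIE 7.0" in h.get("user-agent", ""):
        hits.append("legacy IE7 User-Agent")
    return hits


def scan(requests: list, c2: set, min_indicators: int = 3) -> list:
    """Return (dst_ip, dst_port, reasons) for each request hitting the C2 list or the heuristic."""
    alerts = []
    for req in requests:
        reasons = []
        if (req["dst_ip"], req["dst_port"]) in c2:
            reasons.append("destination in Emotet C2 list")
        hits = beacon_indicators(req)
        if len(hits) >= min_indicators:
            reasons.append("beacon heuristic: " + ", ".join(hits))
        if reasons:
            alerts.append((req["dst_ip"], req["dst_port"], reasons))
    return alerts


SAMPLE_REQUESTS = [
    {   # the beacon captured in this report; headers copied from the Network section
        "dst_ip": "212.51.142.238", "dst_port": 8080, "method": "POST",
        "path": "/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/",
        "headers": {
            "Host": "212.51.142.238:8080",
            "Referer": "http://212.51.142.238/h4fJ6kBxfWA98MYh647/bnucVKz09Y93/qnAQkvM4n/plQLm7KKTpx/dyXsDRRMpMEqi/EpRo/",
            "Content-Type": "multipart/form-data; boundary=---------------------------846420566985041",
            "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)",
            "Content-Length": "4388",
        },
    },
    {   # constructed benign upload: hostname, JSON body, current browser
        "dst_ip": "203.0.113.10", "dst_port": 443, "method": "POST", "path": "/v1/upload",
        "headers": {"Host": "api.example.com", "Content-Type": "application/json",
                    "Referer": "https://app.example.com/",
                    "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/84.0"},
    },
    {   # constructed: plain GET to another listed C2, no beacon traits at all
        "dst_ip": "139.59.60.244", "dst_port": 8080, "method": "GET", "path": "/",
        "headers": {"Host": "139.59.60.244:8080", "User-Agent": "curl/7.68.0"},
    },
]


def demo() -> list:
    return scan(SAMPLE_REQUESTS, load_c2(C2_CONFIG))


if __name__ == "__main__":
    for dst_ip, dst_port, reasons in demo():
        print("%s:%d -> %s" % (dst_ip, dst_port, "; ".join(reasons)))
```

The two checks are deliberately independent: the C2 match catches any traffic to a listed endpoint regardless of shape, while the heuristic catches the same beacon shape sent to an address that is not yet on the list. C2 lists from one sample go stale quickly, so the heuristic is what carries over; the bare-IP POST with a port-less Referer is the trait least likely to appear in ordinary browser traffic.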

MITRE ATT&CK Matrix


Downloads

  • memory/904-0-0x00000000002E0000-0x00000000002EC000-memory.dmp

    Filesize

    48KB

  • memory/904-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
