Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10 -
submitted
18-07-2020 18:57
Static task
static1
Behavioral task
behavioral1
Sample
f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
Resource
win7v200430
General
-
Target
f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
-
Size
100KB
-
MD5
fde71b1b68d5f4c94908d31d392ccf83
-
SHA1
33a3e35e341f7be883015d6492529fe965252a87
-
SHA256
f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53
-
SHA512
9b06ab39ed9b2fde39586b5b9beae10e6d57f0eb230399df0dd9042d32fc607f50f62771171d79f3052570852c7ff923959c804c2d690fd5cfeffc127ccdb5ed
Malware Config
Extracted
emotet
109.117.53.230:443
212.51.142.238:8080
190.160.53.126:80
139.59.60.244:8080
91.211.88.52:7080
190.108.228.62:443
186.208.123.210:443
46.105.131.87:80
173.91.22.41:80
222.214.218.37:4143
31.31.77.83:443
62.75.141.82:80
93.156.165.186:80
93.51.50.171:8080
185.94.252.104:443
78.189.165.52:8080
95.179.229.244:8080
73.11.153.178:8080
203.153.216.189:7080
95.213.236.64:8080
79.98.24.39:8080
41.60.200.34:80
61.19.246.238:443
104.131.11.150:443
162.241.92.219:8080
104.131.44.150:8080
58.153.68.176:80
153.126.210.205:7080
62.138.26.28:8080
168.235.67.138:7080
103.86.49.11:8080
116.203.32.252:8080
87.106.139.101:8080
101.187.97.173:80
113.160.130.116:8443
75.139.38.211:80
201.173.217.124:443
60.130.173.117:80
139.130.242.43:80
110.143.151.194:80
46.105.131.79:8080
162.154.38.103:80
121.124.124.40:7080
137.59.187.107:8080
81.2.235.111:8080
110.145.77.103:80
109.74.5.95:8080
200.41.121.90:80
91.205.215.66:443
108.48.41.69:80
176.111.60.55:8080
24.1.189.87:8080
190.144.18.198:80
87.106.136.232:8080
5.196.74.210:8080
209.141.54.221:8080
50.116.86.205:8080
78.24.219.147:8080
210.165.156.91:80
37.187.72.193:8080
157.245.99.39:8080
190.55.181.54:443
37.139.21.175:8080
169.239.182.217:8080
104.236.246.93:8080
200.55.243.138:8080
74.208.45.104:8080
5.39.91.110:7080
79.7.158.208:80
Signatures
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe 2784 f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
Processes
Network
-
POSThttp://212.51.142.238:8080/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exeRemote address:212.51.142.238:8080RequestPOST /OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/ HTTP/1.1
Referer: http://212.51.142.238/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/
Content-Type: multipart/form-data; boundary=---------------------------486170786007135
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 212.51.142.238:8080
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 18 Jul 2020 18:58:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestdns.msftncsi.comIN AResponsedns.msftncsi.comIN A131.107.255.255
-
156 B 3
-
212.51.142.238:8080http://212.51.142.238:8080/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/httpf63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe5.7kB 620 B 16 8
HTTP Request
POST http://212.51.142.238:8080/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/HTTP Response
200 -
-
1.3kB 8
-
-
288 B 3
-
270 B 3
-
270 B 3
-
270 B 3
-
270 B 3
-
62 B 78 B 1 1
DNS Request
dns.msftncsi.com
DNS Response
131.107.255.255