Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    18-07-2020 18:57

General

  • Target

    f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe

  • Size

    100KB

  • MD5

    fde71b1b68d5f4c94908d31d392ccf83

  • SHA1

    33a3e35e341f7be883015d6492529fe965252a87

  • SHA256

    f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53

  • SHA512

    9b06ab39ed9b2fde39586b5b9beae10e6d57f0eb230399df0dd9042d32fc607f50f62771171d79f3052570852c7ff923959c804c2d690fd5cfeffc127ccdb5ed

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
    "C:\Users\Admin\AppData\Local\Temp\f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe"
    1
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:2784

Network

  • POST
    http://212.51.142.238:8080/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/
    f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
    Remote address:
    212.51.142.238:8080
    Request
    POST /OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/ HTTP/1.1
    Referer: http://212.51.142.238/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/
    Content-Type: multipart/form-data; boundary=---------------------------486170786007135
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 212.51.142.238:8080
    Content-Length: 4468
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 18:58:23 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • 109.117.53.230:443
    f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
    156 B
    3
  • 212.51.142.238:8080
    http://212.51.142.238:8080/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/
    http
    f63a548125a008ab8854dcbf8c7ff1c12ed8d4a00cedfc8f17a0c657fe14de53.exe
    5.7kB
    620 B
    16
    8

    HTTP Request

    POST http://212.51.142.238:8080/OsAdCRoQzFTf4Gq/JXOiL7dTp7s/SYLxZYszAbLaWoq/G3GrNI5vem/

    HTTP Response

    200
  • 127.0.0.1:47001
  • 239.255.255.250:1900
    1.3kB
    8
  • 239.255.255.250:1900
  • 10.10.0.255:137
    netbios-ns
    288 B
    3
  • 10.10.0.27:137
    netbios-ns
    270 B
    3
  • 10.10.0.23:137
    netbios-ns
    270 B
    3
  • 10.10.0.20:137
    netbios-ns
    270 B
    3
  • 10.10.0.40:137
    netbios-ns
    270 B
    3
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

MITRE ATT&CK Matrix


Downloads

  • memory/2784-0-0x0000000000A60000-0x0000000000A6C000-memory.dmp

    Filesize

    48KB
