Analysis

  • max time kernel
    117s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    18-07-2020 20:49

General

  • Target

    e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10.exe

  • Size

    100KB

  • MD5

    bf7242f87e5318be3e6b482c7f9600ac

  • SHA1

    f693558e91270f7224a7fa9d4a0ac31abcecd61a

  • SHA256

    e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10

  • SHA512

    83ea232844753d0557d748cef3227724bf67710d6a9bab8c976b8ce1f38ce602e329d1041fc83ca6b33e4978724b6b8c8e212fbde50588f507b1aa8892bf5af3

Score
10/10

Malware Config

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10.exe
    "C:\Users\Admin\AppData\Local\Temp\e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:2016

Network

  • flag-unknown
    POST
    http://212.51.142.238:8080/2rYd/IIc9tGqP/UNWYE2Nc984qkSwev/pJ9pX2/UN02brH58CRc8o/
    e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10.exe
    Remote address:
    212.51.142.238:8080
    Request
    POST /2rYd/IIc9tGqP/UNWYE2Nc984qkSwev/pJ9pX2/UN02brH58CRc8o/ HTTP/1.1
    Referer: http://212.51.142.238/2rYd/IIc9tGqP/UNWYE2Nc984qkSwev/pJ9pX2/UN02brH58CRc8o/
    Content-Type: multipart/form-data; boundary=---------------------------117746154535996
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 212.51.142.238:8080
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 20:50:19 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 109.117.53.230:443
    e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10.exe
    156 B
    3
  • 212.51.142.238:8080
    http://212.51.142.238:8080/2rYd/IIc9tGqP/UNWYE2Nc984qkSwev/pJ9pX2/UN02brH58CRc8o/
    http
    e8021cba5a695e5509a9a77aedd5d958bef25fbcb069075df561632e6ca1dc10.exe
    5.7kB
    620 B
    16
    8

    HTTP Request

    POST http://212.51.142.238:8080/2rYd/IIc9tGqP/UNWYE2Nc984qkSwev/pJ9pX2/UN02brH58CRc8o/

    HTTP Response

    200
  • 239.255.255.250:1900
    330 B
    2
  • 239.255.255.250:1900
  • 10.10.0.255:137
    netbios-ns
    288 B
    3
  • 10.10.0.12:137
    netbios-ns
    270 B
    3

MITRE ATT&CK Matrix

Downloads

  • memory/2016-0-0x00000000006F0000-0x00000000006FC000-memory.dmp

    Filesize

    48KB

  • memory/2016-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
