Analysis

  • max time kernel
    122s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    18-07-2020 14:13

General

  • Target

    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe

  • Size

    100KB

  • MD5

    954f0e99b7bf9d3e53f86bbc4cdc57b2

  • SHA1

    37f759e4d98643e32f1bfd5a290d5e1d204f75a8

  • SHA256

    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f

  • SHA512

    307d8af473ab129ff7ca96542af15c21e983111c912b7e403a95466aac9481ccb8be399a91695b1f2555b66948d68d5e2e17b6eecb05b0a3719572f0385d4fe0

Score
10/10

Malware Config

Extracted

Family

emotet

C2

177.144.130.105:443

198.27.69.201:8080

157.7.164.178:8081

78.188.170.128:80

203.153.216.178:7080

77.74.78.80:443

178.33.167.120:8080

177.0.241.28:80

143.95.101.72:8080

51.38.201.19:7080

181.167.35.84:80

41.185.29.128:8080

192.163.221.191:8080

181.164.110.7:80

203.153.216.182:7080

80.211.32.88:8080

113.160.180.109:80

185.142.236.163:443

192.241.220.183:8080

87.106.231.60:8080

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----
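To check what the extracted key actually is, the following is an added example (not part of the report and not Emotet's own code) that decodes the PEM block above with a small hand-written DER walker and reports the modulus size and public exponent. The only assumption it introduces is the 2048-bit floor used by summarize_key to flag a weak key. The key decodes to a 768-bit RSA modulus with e = 65537; moduli of that size have been publicly factored (RSA-768, 2009). The report does not say what the key protects, so the example only inspects the key's parameters.

```python
import base64
import re

# RSA public key as extracted from the sample's configuration (copied from the report).
EMOTET_RSA_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the SubjectPublicKeyInfo."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))

def parse_rsa_spki(der):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING -> RSAPublicKey (n, e)."""
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = read_tlv(spki, 0)
    _, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:      # first byte of a BIT STRING is the unused-bit count
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsapub, _ = read_tlv(bitstr, 1)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(rsapub, 0)
    tag_e, e_bytes, _ = read_tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    n = int.from_bytes(n_bytes, "big")     # a leading 0x00 sign pad does not change the value
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "exponent": e, "bits": n.bit_length()}

def summarize_key(pem, minimum_bits=2048):
    """Key parameters plus a weak flag; the 2048-bit floor is an assumption of this example."""
    info = parse_rsa_spki(pem_to_der(pem))
    info["weak"] = info["bits"] < minimum_bits
    return info

if __name__ == "__main__":
    k = summarize_key(EMOTET_RSA_PUBKEY_PEM)
    print(f"RSA-{k['bits']} e={k['exponent']} weak={k['weak']} n=0x{k['modulus']:x}")
```

The walker only handles definite-length DER, which is all a well-formed SubjectPublicKeyInfo uses; any other key extracted by the same signature can be dropped into summarize_key unchanged.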

Signatures

  • Emotet

    Emotet is a modular trojan, originally a banking trojan and later used mainly as a loader for other malware, that is primarily spread through malicious spam email attachments and links.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    "C:\Users\Admin\AppData\Local\Temp\46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:972

Network

  • flag-unknown
    POST
    http://177.144.130.105:443/qYsI/L81X8eF/6bbISH/
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /qYsI/L81X8eF/6bbISH/ HTTP/1.1
    Referer: http://177.144.130.105/qYsI/L81X8eF/6bbISH/
    Content-Type: multipart/form-data; boundary=---------------------------640188282699745
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 177.144.130.105:443
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-unknown
    POST
    http://77.74.78.80:443/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    Remote address:
    77.74.78.80:443
    Request
    POST /jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/ HTTP/1.1
    Referer: http://77.74.78.80/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/
    Content-Type: multipart/form-data; boundary=---------------------------648781052949830
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 77.74.78.80:443
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 14:12:09 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 177.144.130.105:443
    http://177.144.130.105:443/qYsI/L81X8eF/6bbISH/
    http
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    5.3kB
    212 B
    9
    5

    HTTP Request

    POST http://177.144.130.105:443/qYsI/L81X8eF/6bbISH/
  • 198.27.69.201:8080
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    156 B
    120 B
    3
    3
  • 157.7.164.178:8081
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    156 B
    120 B
    3
    3
  • 78.188.170.128:80
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    156 B
    3
  • 203.153.216.178:7080
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    156 B
    120 B
    3
    3
  • 77.74.78.80:443
    http://77.74.78.80:443/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/
    http
    46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
    5.4kB
    660 B
    10
    9

    HTTP Request

    POST http://77.74.78.80:443/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/

    HTTP Response

    200
  • 239.255.255.250:1900
    825 B
    5
  • 10.10.0.21:137
    netbios-ns
    270 B
    3
  • 10.10.0.255:137
    netbios-ns
    702 B
    9
  • 10.10.0.28:137
    netbios-ns
    270 B
    3
  • 10.10.0.23:137
    netbios-ns
    270 B
    3
  • 10.10.0.30:137
    netbios-ns
    270 B
    3
  • 10.10.0.38:137
    netbios-ns
    270 B
    3
  • 10.10.0.255:138
    netbios-dgm
    229 B
    1
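The two beacons above share a shape that outlives any single C2 address: a cleartext HTTP POST to port 443, a hard-coded IE7/Trident User-Agent, a multipart/form-data body, and a URI made of a few random alphanumeric directory segments. The following is an added example (not part of the report) that turns the extracted C2 list and that request shape into detection logic and runs it over constructed JSON-lines HTTP log records. The log format, the 198.51.100.x and 203.0.113.x addresses, and the "two indicators" threshold are all assumptions of the example; the C2 addresses, URIs and User-Agent are taken from the report.

```python
import json
import re

# C2 endpoints from the extracted Emotet config above (ip:port, as listed in the report).
EMOTET_C2 = {
    "177.144.130.105:443", "198.27.69.201:8080", "157.7.164.178:8081", "78.188.170.128:80",
    "203.153.216.178:7080", "77.74.78.80:443", "178.33.167.120:8080", "177.0.241.28:80",
    "143.95.101.72:8080", "51.38.201.19:7080", "181.167.35.84:80", "41.185.29.128:8080",
    "192.163.221.191:8080", "181.164.110.7:80", "203.153.216.182:7080", "80.211.32.88:8080",
    "113.160.180.109:80", "185.142.236.163:443", "192.241.220.183:8080", "87.106.231.60:8080",
}
# User-Agent string sent in both beacons above (matched exactly, since the sample hard-codes it).
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; "
             ".NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
# Beacon URIs above are one to four alphanumeric directory segments with a trailing slash.
BEACON_PATH = re.compile(r"^(/[A-Za-z0-9]{3,20}){1,4}/$")

def classify(rec):
    """Return the list of Emotet beacon indicators present in one HTTP log record."""
    reasons = []
    dst = f"{rec['dst_ip']}:{rec['dst_port']}"
    if dst in EMOTET_C2:
        reasons.append("destination in extracted C2 list")
    if rec.get("method") == "POST":
        if rec.get("scheme") == "http" and rec["dst_port"] == 443:
            reasons.append("cleartext HTTP POST to port 443")
        if rec.get("user_agent") == BEACON_UA:
            reasons.append("hard-coded IE7/Trident User-Agent")
        multipart = rec.get("content_type", "").startswith("multipart/form-data")
        if multipart and BEACON_PATH.match(rec.get("uri", "")):
            reasons.append("multipart POST to random directory path")
    return reasons

def is_beacon(reasons):
    """A listed C2 is enough on its own; otherwise require two behavioural indicators
    (assumed threshold), since C2 addresses rotate far faster than the request shape."""
    return "destination in extracted C2 list" in reasons or len(reasons) >= 2

def scan(log_lines):
    """Run classify() over JSON-lines HTTP records; return (src, dst, reasons) for each hit."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        reasons = classify(rec)
        if is_beacon(reasons):
            hits.append((rec["src_ip"], f"{rec['dst_ip']}:{rec['dst_port']}", reasons))
    return hits

# Constructed sample records (not taken from the report): the two beacons modelled on the
# requests above, a normal browser request, a beacon-shaped POST to an unlisted address, and
# a legitimate multipart upload that shares exactly one weak indicator.
_records = [
    {"src_ip": "10.10.0.21", "dst_ip": "177.144.130.105", "dst_port": 443, "scheme": "http",
     "method": "POST", "uri": "/qYsI/L81X8eF/6bbISH/", "user_agent": BEACON_UA,
     "content_type": "multipart/form-data; boundary=---------------------------640188282699745"},
    {"src_ip": "10.10.0.21", "dst_ip": "77.74.78.80", "dst_port": 443, "scheme": "http",
     "method": "POST", "uri": "/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/", "user_agent": BEACON_UA,
     "content_type": "multipart/form-data; boundary=---------------------------648781052949830"},
    {"src_ip": "10.10.0.23", "dst_ip": "198.51.100.20", "dst_port": 443, "scheme": "https",
     "method": "GET", "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"},
    {"src_ip": "10.10.0.28", "dst_ip": "203.0.113.10", "dst_port": 8080, "scheme": "http",
     "method": "POST", "uri": "/Ab3x9Q/zK8pL/", "user_agent": BEACON_UA,
     "content_type": "multipart/form-data; boundary=---------------------------111111111111111"},
    {"src_ip": "10.10.0.30", "dst_ip": "198.51.100.5", "dst_port": 443, "scheme": "https",
     "method": "POST", "uri": "/upload/", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/84.0",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundaryabc123"},
]
SAMPLE_LOG = [json.dumps(r) for r in _records]

if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The fourth record is the case that matters operationally: its destination is not in the list, so an IOC-only rule misses it, but the User-Agent plus the multipart POST to a random path is enough to raise it. The fifth record shows why a single indicator is not enough on its own: ordinary browser uploads also send multipart bodies to short paths.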


Downloads

  • memory/972-0-0x00000000005F0000-0x00000000005FC000-memory.dmp

    Filesize

    48KB

  • memory/972-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
