Analysis
-
max time kernel
122s -
max time network
147s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
18-07-2020 14:13
Static task
static1
Behavioral task
behavioral1
Sample
46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
Resource
win7
General
-
Target
46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
-
Size
100KB
-
MD5
954f0e99b7bf9d3e53f86bbc4cdc57b2
-
SHA1
37f759e4d98643e32f1bfd5a290d5e1d204f75a8
-
SHA256
46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f
-
SHA512
307d8af473ab129ff7ca96542af15c21e983111c912b7e403a95466aac9481ccb8be399a91695b1f2555b66948d68d5e2e17b6eecb05b0a3719572f0385d4fe0
Malware Config
Extracted
emotet
177.144.130.105:443
198.27.69.201:8080
157.7.164.178:8081
78.188.170.128:80
203.153.216.178:7080
77.74.78.80:443
178.33.167.120:8080
177.0.241.28:80
143.95.101.72:8080
51.38.201.19:7080
181.167.35.84:80
41.185.29.128:8080
192.163.221.191:8080
181.164.110.7:80
203.153.216.182:7080
80.211.32.88:8080
113.160.180.109:80
185.142.236.163:443
192.241.220.183:8080
87.106.231.60:8080
113.161.148.81:80
181.230.65.232:80
50.116.78.109:8080
91.83.93.103:443
179.5.118.12:80
75.127.14.170:8080
46.32.229.152:8080
37.70.131.107:80
140.207.113.106:443
181.134.9.162:80
139.59.12.63:8080
46.105.131.68:8080
37.208.106.146:8080
125.63.106.22:80
110.44.113.2:8080
81.214.253.80:443
37.46.129.215:8080
14.99.112.138:80
190.251.235.239:80
190.171.153.139:80
190.55.233.156:80
46.49.124.53:80
74.208.173.91:8080
163.172.107.70:8080
192.210.217.94:8080
115.79.195.246:80
212.112.113.235:80
211.20.154.102:80
220.128.125.18:80
45.118.136.92:8080
216.75.37.196:8080
195.201.56.70:8080
Signatures
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 972 46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe"C:\Users\Admin\AppData\Local\Temp\46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
PID:972
Network
-
POSThttp://177.144.130.105:443/qYsI/L81X8eF/6bbISH/46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exeRemote address:177.144.130.105:443RequestPOST /qYsI/L81X8eF/6bbISH/ HTTP/1.1
Referer: http://177.144.130.105/qYsI/L81X8eF/6bbISH/
Content-Type: multipart/form-data; boundary=---------------------------640188282699745
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 177.144.130.105:443
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache
-
POSThttp://77.74.78.80:443/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exeRemote address:77.74.78.80:443RequestPOST /jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/ HTTP/1.1
Referer: http://77.74.78.80/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/
Content-Type: multipart/form-data; boundary=---------------------------648781052949830
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 77.74.78.80:443
Content-Length: 4500
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 18 Jul 2020 14:12:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
-
177.144.130.105:443http://177.144.130.105:443/qYsI/L81X8eF/6bbISH/http46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe5.3kB 212 B 9 5
HTTP Request
POST http://177.144.130.105:443/qYsI/L81X8eF/6bbISH/ -
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 3
-
156 B 120 B 3 3
-
77.74.78.80:443http://77.74.78.80:443/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/http46de4dfdfa694eb3502757c8e204aa8bb3d4f1ab6ff2a0e678144c605256999f.exe5.4kB 660 B 10 9
HTTP Request
POST http://77.74.78.80:443/jymWe9WD/7DWBxTFstFUVdZp6/E3oo71TcoCEXB/HTTP Response
200