Analysis

  • max time kernel
    65s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    18/07/2020, 14:13 UTC

General

  • Target

    9a8f50ee90c6e2e2f530fcec9de98dd23dd4e52bda805aff978ff12ef404289e.exe

  • Size

    100KB

  • MD5

    d33b11d682f7c858e099f7e6664979b2

  • SHA1

    75e1ced690afd30b96d38da511fc163b20f9e4a3

  • SHA256

    9a8f50ee90c6e2e2f530fcec9de98dd23dd4e52bda805aff978ff12ef404289e

  • SHA512

    848691a02e87f2a613bd0208494d212a03dd23e7618b22f1d8fa4c9b999c350587d2ad8b960b14f441caf0e7c96a18cc842414301b0fcc2e745ba33a15a63086

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a8f50ee90c6e2e2f530fcec9de98dd23dd4e52bda805aff978ff12ef404289e.exe
    "C:\Users\Admin\AppData\Local\Temp\9a8f50ee90c6e2e2f530fcec9de98dd23dd4e52bda805aff978ff12ef404289e.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:3888

Network

  • flag-unknown
    POST
    http://177.144.135.2/vSDvwum6sIUL41D6F8/
    9a8f50ee90c6e2e2f530fcec9de98dd23dd4e52bda805aff978ff12ef404289e.exe
    Remote address:
    177.144.135.2:80
    Request
    POST /vSDvwum6sIUL41D6F8/ HTTP/1.1
    Referer: http://177.144.135.2/vSDvwum6sIUL41D6F8/
    Content-Type: multipart/form-data; boundary=---------------------------296263755502110
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 177.144.135.2
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 14:13:59 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 177.144.135.2:80
    http://177.144.135.2/vSDvwum6sIUL41D6F8/
    http
    9a8f50ee90c6e2e2f530fcec9de98dd23dd4e52bda805aff978ff12ef404289e.exe
    5.4kB
    580 B
    10
    7

    HTTP Request

    POST http://177.144.135.2/vSDvwum6sIUL41D6F8/

    HTTP Response

    200
  • 127.0.0.1:47001
  • 239.255.255.250:1900
    1.3kB
    8
  • 239.255.255.250:1900
  • 10.10.0.255:137
    netbios-ns
    288 B
    3
  • 10.10.0.13:137
    netbios-ns
    270 B
    3
  • 10.10.0.10:137
    netbios-ns
    270 B
    3
  • 10.10.0.34:137
    netbios-ns
    270 B
    3
  • 10.10.0.40:137
    netbios-ns
    270 B
    3
  • 10.10.0.20:137
    netbios-ns
    270 B
    3

MITRE ATT&CK Matrix

Downloads

  • memory/3888-0-0x0000000000A00000-0x0000000000A0C000-memory.dmp

    Filesize

    48KB