Analysis

  • max time kernel
    114s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 07:08

General

  • Target

    34da147e75c9bc46840b176fd97c6450ba791ab84ffd7caa02bcd08f9fd2b6bb.exe

  • Size

    100KB

  • MD5

    f73b1f94fa1693c1fd3070dfb2730c6a

  • SHA1

    40524a8ea485ce1c79a93860e1dae139c6c1a4fb

  • SHA256

    34da147e75c9bc46840b176fd97c6450ba791ab84ffd7caa02bcd08f9fd2b6bb

  • SHA512

    f4c0f16f66c4e7231e5d6fe8c79d52969211fd5c46f3709358e93e781279b04911ca598a7bcdd4c4f21eeb7571793cacfe23d49a2816485aa47258e4ee2069ee

Score
10/10

Malware Config

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\34da147e75c9bc46840b176fd97c6450ba791ab84ffd7caa02bcd08f9fd2b6bb.exe
    "C:\Users\Admin\AppData\Local\Temp\34da147e75c9bc46840b176fd97c6450ba791ab84ffd7caa02bcd08f9fd2b6bb.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:1124

Network

  • flag-unknown
    POST
    http://109.117.53.230:443/FLsl/
    34da147e75c9bc46840b176fd97c6450ba791ab84ffd7caa02bcd08f9fd2b6bb.exe
    Remote address:
    109.117.53.230:443
    Request
    POST /FLsl/ HTTP/1.1
    Referer: http://109.117.53.230/FLsl/
    Content-Type: multipart/form-data; boundary=---------------------------421378661494238
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 109.117.53.230:443
    Content-Length: 4372
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jul 2020 07:08:51 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 109.117.53.230:443
    http://109.117.53.230:443/FLsl/
    http
    34da147e75c9bc46840b176fd97c6450ba791ab84ffd7caa02bcd08f9fd2b6bb.exe
    5.3kB
    868 B
    11
    7

    HTTP Request

    POST http://109.117.53.230:443/FLsl/

    HTTP Response

    200
  • 10.7.0.255:138
    netbios-dgm
    458 B
    2
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    234 B
    3
  • 239.255.255.250:1900
    966 B
    6
  • 239.255.255.250:1900

MITRE ATT&CK Matrix

Downloads

  • memory/1124-0-0x00000000002F0000-0x00000000002FC000-memory.dmp

    Filesize

    48KB
