Analysis
-
max time kernel
22s -
max time network
26s -
platform
windows10_x64 -
resource
win10 -
submitted
29-07-2020 06:39
Static task
static1
General
-
Target
d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe
-
Size
688KB
-
MD5
d325045bb323f6af78def49a5a659622
-
SHA1
a7a2e698baee9264fcaddb46808f729a4e244497
-
SHA256
d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06
-
SHA512
3fdfdf829e876de7002454cece51c1ddf2380364ff059735814308f36f50693ccba25125487474965897080f11a49051b0fe5e1feb9793123072708ab0511601
Malware Config
Extracted
emotet
179.60.229.168:443
185.94.252.13:443
189.218.165.63:80
77.90.136.129:8080
217.199.160.224:7080
104.131.41.185:8080
2.47.112.152:80
185.94.252.27:443
186.250.52.226:8080
51.255.165.160:8080
68.183.170.114:8080
191.99.160.58:80
104.131.103.37:8080
181.31.211.181:80
202.62.39.111:80
83.169.21.32:7080
87.106.46.107:8080
72.47.248.48:7080
177.75.143.112:443
190.17.195.202:80
137.74.106.111:7080
181.129.96.162:8080
82.196.15.205:8080
61.92.159.208:8080
190.6.193.152:8080
181.167.96.215:80
143.0.87.101:80
12.162.84.2:8080
212.71.237.140:8080
217.13.106.14:8080
46.214.11.172:80
114.109.179.60:80
89.32.150.160:8080
185.94.252.12:80
177.72.13.80:80
192.241.146.84:8080
189.1.185.98:8080
187.106.41.99:80
219.92.13.25:80
181.30.69.50:80
68.183.190.199:8080
212.231.60.98:80
190.181.235.46:80
157.7.199.53:8080
178.79.163.131:8080
77.55.211.77:8080
204.225.249.100:7080
170.81.48.2:80
104.236.161.64:8080
5.196.35.138:7080
190.194.242.254:443
50.28.51.143:8080
187.162.248.237:80
46.28.111.142:7080
70.32.84.74:8080
203.25.159.3:8080
190.163.31.26:80
177.144.135.2:80
177.73.0.98:443
177.139.131.143:443
177.74.228.34:80
191.182.6.118:80
94.176.234.118:443
45.161.242.102:80
149.62.173.247:8080
144.139.91.187:443
181.120.79.227:80
80.249.176.206:80
71.50.31.38:80
172.104.169.32:8080
192.241.143.52:8080
111.67.12.221:8080
190.96.118.251:443
186.70.127.199:8090
190.147.137.153:443
177.66.190.130:80
70.32.115.157:8080
Signatures
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe 720 d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe -
Emotet Payload 1 IoCs
Detects Emotet payload in memory.
resource yara_rule behavioral1/memory/720-0-0x00000000005C0000-0x00000000005CC000-memory.dmp emotet
Processes
Network
-
POSThttp://185.94.252.13:443/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exeRemote address:185.94.252.13:443RequestPOST /CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/ HTTP/1.1
Referer: http://185.94.252.13/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/
Content-Type: multipart/form-data; boundary=---------------------------694197354752676
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.94.252.13:443
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 29 Jul 2020 06:39:46 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
-
156 B 120 B 3 3
-
185.94.252.13:443http://185.94.252.13:443/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/httpd95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe5.4kB 620 B 9 8
HTTP Request
POST http://185.94.252.13:443/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/HTTP Response
200 -
40 B 46 B 1 1