Analysis

  • max time kernel
    22s
  • max time network
    26s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    29-07-2020 06:39

General

  • Target

    d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe

  • Size

    688KB

  • MD5

    d325045bb323f6af78def49a5a659622

  • SHA1

    a7a2e698baee9264fcaddb46808f729a4e244497

  • SHA256

    d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06

  • SHA512

    3fdfdf829e876de7002454cece51c1ddf2380364ff059735814308f36f50693ccba25125487474965897080f11a49051b0fe5e1feb9793123072708ab0511601

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe
    "C:\Users\Admin\AppData\Local\Temp\d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:720

Network

  • POST
    http://185.94.252.13:443/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/
    d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe
    Remote address:
    185.94.252.13:443
    Request
    POST /CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/ HTTP/1.1
    Referer: http://185.94.252.13/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/
    Content-Type: multipart/form-data; boundary=---------------------------694197354752676
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 29 Jul 2020 06:39:46 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 179.60.229.168:443
    d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe
    156 B
    120 B
    3
    3
  • 185.94.252.13:443
    http://185.94.252.13:443/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/
    http
    d95721663403395fcd94478e3b0b2644c177d96deb0f1ba7b8be82335e726e06.exe
    5.4kB
    620 B
    9
    8

    HTTP Request

    POST http://185.94.252.13:443/CDYaJ2zmFI2ovvA90/dWm0IxRvsVX/kZEhROz0OHKdnEuOZ/fi4NJxF8RNFUI/41VHb8vyuTgsrAEx0/QYJAs/

    HTTP Response

    200
  • 76.27.179.47:80
    40 B
    46 B
    1
    1

Downloads

  • memory/720-0-0x00000000005C0000-0x00000000005CC000-memory.dmp

    Filesize

    48KB
