Analysis
-
max time kernel
14s -
max time network
14s -
platform
windows10_x64 -
resource
win10 -
submitted
29-07-2020 07:20
Static task
static1
General
-
Target
a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe
-
Size
688KB
-
MD5
e934d61c7f001cdb39cf4dd50c90b0cf
-
SHA1
c8ba39222444e1171ea0ea1a5b824f8714a7902e
-
SHA256
a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486
-
SHA512
b2c15e7ac05408ea0fe6907dcb87870512b702b6fb00d67185b844f8acc74062b5a98cf48dfc9d39031416a72654bcd50eae3ac3bdd09e6b1dbd351b3455ce28
Malware Config
Extracted
emotet
76.27.179.47:80
212.51.142.238:8080
189.212.199.126:443
61.19.246.238:443
162.154.38.103:80
91.211.88.52:7080
83.110.223.58:443
124.45.106.173:443
116.203.32.252:8080
109.117.53.230:443
5.196.74.210:8080
75.139.38.211:80
168.235.67.138:7080
176.111.60.55:8080
169.239.182.217:8080
74.208.45.104:8080
31.31.77.83:443
222.214.218.37:4143
37.139.21.175:8080
91.205.215.66:443
93.156.165.186:80
78.24.219.147:8080
87.106.136.232:8080
87.106.139.101:8080
81.2.235.111:8080
62.75.141.82:80
181.230.116.163:80
95.9.185.228:443
173.91.22.41:80
153.126.210.205:7080
113.160.130.116:8443
190.55.181.54:443
137.59.187.107:8080
209.182.216.177:443
91.231.166.124:8080
95.179.229.244:8080
201.173.217.124:443
5.39.91.110:7080
109.74.5.95:8080
104.131.11.150:443
104.236.246.93:8080
209.141.54.221:8080
95.213.236.64:8080
210.165.156.91:80
46.105.131.79:8080
24.43.99.75:80
203.153.216.189:7080
180.92.239.110:8080
62.138.26.28:8080
104.131.44.150:8080
139.130.242.43:80
79.98.24.39:8080
41.60.200.34:80
93.51.50.171:8080
47.153.182.47:80
185.94.252.104:443
71.208.216.10:80
200.41.121.90:80
70.167.215.250:8080
121.124.124.40:7080
157.245.99.39:8080
139.59.60.244:8080
103.86.49.11:8080
50.116.86.205:8080
46.105.131.87:80
162.241.92.219:8080
152.168.248.128:443
200.55.243.138:8080
190.160.53.126:80
24.234.133.205:80
37.187.72.193:8080
108.48.41.69:80
110.145.77.103:80
Signatures
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3888 a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe 3888 a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3888 a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe 3888 a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe 3888 a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe 3888 a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe -
Emotet Payload 1 IoCs
Detects Emotet payload in memory.
resource yara_rule behavioral1/memory/3888-0-0x0000000000670000-0x000000000067C000-memory.dmp emotet
Processes
Network
-
POSThttp://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exeRemote address:76.27.179.47:80RequestPOST /qbroRZrv/spNDLzsW/ID1Zjir/ HTTP/1.1
Referer: http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/
Content-Type: multipart/form-data; boundary=---------------------------250154921170666
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 76.27.179.47
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 29 Jul 2020 07:21:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
-
76.27.179.47:80http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/httpa804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe5.3kB 748 B 9 4
HTTP Request
POST http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/HTTP Response
200