Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    29-07-2020 05:22

General

  • Target

    16a2e3dd12713c0697f77dd211bc1698ebd7279b1386adf38e57426bab7ed2c0.exe

  • Size

    668KB

  • MD5

    754a5d8864b4d86e3fd3cad9a11af7b3

  • SHA1

    c0ceac3ac198cb0ab3f01ef2e4e5c11a9c5a881c

  • SHA256

    16a2e3dd12713c0697f77dd211bc1698ebd7279b1386adf38e57426bab7ed2c0

  • SHA512

    03b9cfcc545ac27d799c5ae88289085ad5cf358f1ee1d692fecc35687c3025eb56d1f3103861b8cdbc39d3e684c7df267421351f8df53c026759b719edea580c

Score
10/10

Malware Config

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16a2e3dd12713c0697f77dd211bc1698ebd7279b1386adf38e57426bab7ed2c0.exe
    "C:\Users\Admin\AppData\Local\Temp\16a2e3dd12713c0697f77dd211bc1698ebd7279b1386adf38e57426bab7ed2c0.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:2192

Network

  • flag-unknown
    POST
    http://76.27.179.47/LbK7RnDK/
    16a2e3dd12713c0697f77dd211bc1698ebd7279b1386adf38e57426bab7ed2c0.exe
    Remote address:
    76.27.179.47:80
    Request
    POST /LbK7RnDK/ HTTP/1.1
    Referer: http://76.27.179.47/LbK7RnDK/
    Content-Type: multipart/form-data; boundary=---------------------------528414442326894
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 76.27.179.47
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 29 Jul 2020 05:22:55 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 76.27.179.47:80
    http://76.27.179.47/LbK7RnDK/
    http
    16a2e3dd12713c0697f77dd211bc1698ebd7279b1386adf38e57426bab7ed2c0.exe
    5.3kB
    788 B
    9
    5

    HTTP Request

    POST http://76.27.179.47/LbK7RnDK/

    HTTP Response

    200

MITRE ATT&CK Matrix


Downloads

  • memory/2192-0-0x0000000002210000-0x000000000221C000-memory.dmp

    Filesize

    48KB
