Analysis

  • max time kernel
    26s
  • max time network
    24s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    29-07-2020 07:19

General

  • Target

    df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207.exe

  • Size

    688KB

  • MD5

    c671c188f9c47077537fc5a60942dcf2

  • SHA1

    9c5899d8a5c381d524617ccf4ef8155fd2abe422

  • SHA256

    df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207

  • SHA512

    036a9dc181f6a04f7c0da9cd556ae6a078a032be04c357338079cd14cbcba69ca51c684e072eb6051c588e7f7b129046f61bc6edbaa3be636d6cc12b0f1d4299

Score
10/10

Malware Config

Extracted

Family

emotet

C2

179.60.229.168:443

185.94.252.13:443

189.218.165.63:80

77.90.136.129:8080

217.199.160.224:7080

104.131.41.185:8080

2.47.112.152:80

185.94.252.27:443

186.250.52.226:8080

51.255.165.160:8080

68.183.170.114:8080

191.99.160.58:80

104.131.103.37:8080

181.31.211.181:80

202.62.39.111:80

83.169.21.32:7080

87.106.46.107:8080

72.47.248.48:7080

177.75.143.112:443

190.17.195.202:80

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207.exe
    "C:\Users\Admin\AppData\Local\Temp\df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:3828

Network

  • POST
    http://185.94.252.13:443/VZaQ9Gbd/
    df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207.exe
    Remote address:
    185.94.252.13:443
    Request
    POST /VZaQ9Gbd/ HTTP/1.1
    Referer: http://185.94.252.13/VZaQ9Gbd/
    Content-Type: multipart/form-data; boundary=---------------------------692649854527980
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 29 Jul 2020 07:20:36 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 179.60.229.168:443
    df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207.exe
    156 B
    120 B
    3
    3
  • 185.94.252.13:443
    http://185.94.252.13:443/VZaQ9Gbd/
    http
    df42a7e60cdff6390589d413720048607f9985427a8e38b9e625bbd18e8f6207.exe
    5.3kB
    620 B
    9
    8

    HTTP Request

    POST http://185.94.252.13:443/VZaQ9Gbd/

    HTTP Response

    200

MITRE ATT&CK Matrix

Downloads

  • memory/3828-0-0x0000000002230000-0x000000000223C000-memory.dmp

    Filesize

    48KB