File name:

fwalsbpvui.uif

Full analysis: https://app.any.run/tasks/a8a79bed-f155-4b67-9069-db5cdefe37d3
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: June 20, 2023, 01:46:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:

782F98C00905F1B80F0DFC6DC287CD6E

SHA1:

6575CAF3D68D899E83C4B352E985F86B53E804C7

SHA256:

06040E1406A3B99DA60E639EDCF14DDB1F3C812993B408A8164285F2A580CAAF

SSDEEP:

3072:va99Ky1S0SD8MHjO73Ba01/H/7FlwZ2RJJBvX+WUE742Lg:vaGy1nS8MHi7xai73JtkWUEn0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMOTET was detected

      • rundll32.exe (PID: 3328)

    • Unusual connection from system programs

      • rundll32.exe (PID: 3328)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2696)
      • rundll32.exe (PID: 3096)
      • rundll32.exe (PID: 3328)

    • Connects to the CnC server

      • rundll32.exe (PID: 3328)

    • EMOTET detected by memory dumps

      • rundll32.exe (PID: 3328)

  • SUSPICIOUS

    • Application launched itself

      • rundll32.exe (PID: 2544)
      • rundll32.exe (PID: 2696)
      • rundll32.exe (PID: 3096)

    • Connects to the server without a host name

      • rundll32.exe (PID: 3328)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 2696)

    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 2544)
      • rundll32.exe (PID: 2696)
      • rundll32.exe (PID: 3096)

    • Connects to unusual port

      • rundll32.exe (PID: 3328)

    • Reads the Internet Settings

      • rundll32.exe (PID: 3328)

  • INFO

    • The process checks LSA protection

      • rundll32.exe (PID: 2696)
      • rundll32.exe (PID: 3328)

    • Loads main object executable

      • rundll32.exe (PID: 2544)

    • Checks proxy server information

      • rundll32.exe (PID: 3328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)
.vxd | VXD Driver (0.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 3
EntryPoint: 0x2190
UninitializedDataSize: -
InitializedDataSize: 334848
CodeSize: 15872
LinkerVersion: 2.5
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, DLL
TimeStamp: 2021:01:20 21:14:23+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Jan-2021 21:14:23

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 20-Jan-2021 21:14:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00003641
0x00003800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
4.24479
.rdata
0x00005000
0x0000002C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.521354
.data
0x00006000
0x0000043C
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.28099
.text4
0x00007000
0x00050EFC
0x00051000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.01521
.text7
0x00058000
0x00000064
0x00000200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
0
.text6
0x00059000
0x00000064
0x00000200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
0
.text5
0x0005A000
0x00000064
0x00000200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
0
.reloc
0x0005B000
0x000003A0
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.28317

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs rundll32.exe rundll32.exe no specs #EMOTET rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2544"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\fwalsbpvui.uif.dll", #1C:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2696C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Temp\fwalsbpvui.uif.dll",#1C:\Windows\System32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3096C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Eddtfltejwmowclk\vsluekmmpnpirbo.pdh",ogeMvzoIUKC:\Windows\System32\rundll32.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3328C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Eddtfltejwmowclk\vsluekmmpnpirbo.pdh",#1C:\Windows\System32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
457
Read events
453
Write events
4
Delete events
0

Modification events

(PID) Process:(3328) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3328) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3328) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3328) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2696rundll32.exeC:\Users\admin\AppData\Local\Eddtfltejwmowclk\vsluekmmpnpirbo.pdhexecutable
MD5:782F98C00905F1B80F0DFC6DC287CD6E
SHA256:06040E1406A3B99DA60E639EDCF14DDB1F3C812993B408A8164285F2A580CAAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
12
DNS requests
0
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3328
rundll32.exe
POST
404
206.189.232.2:8080
http://206.189.232.2:8080/v8rptiojc11r4r/tzuq91qlx/mu8qzuuf25xzq/
US
xml
341 b
malicious
3328
rundll32.exe
POST
404
178.250.54.208:8080
http://178.250.54.208:8080/33n35gqp/nqc0s/w7tojct8/53xeckhp/phe5c2938wvz/
GB
xml
341 b
malicious
3328
rundll32.exe
POST
167.71.148.58:443
http://167.71.148.58:443/awqrhirvqolx/85pama0ncpo/u87msim7/pa5v1ta2n5g/8v3mcezp1m58ijj3rn/
US
malicious
3328
rundll32.exe
POST
404
2.58.16.88:8080
http://2.58.16.88:8080/3xpga9bpvfhc7ccm2/y2nam9xl3fucs5783/s298iml/tnyz7n4a779/
unknown
xml
341 b
malicious
3328
rundll32.exe
POST
404
181.10.46.92:80
http://181.10.46.92/rzvi8cm07so78/15ttalq4uf2mhmsgr4u/n133350z/3lb00o2xlt/has2pmgi8l7l0crbocf/58amw1z4w08r9trze/
AR
xml
341 b
malicious
3328
rundll32.exe
POST
404
202.134.4.210:7080
http://202.134.4.210:7080/ynpr/
ID
xml
341 b
malicious
3328
rundll32.exe
POST
404
187.162.248.237:80
http://187.162.248.237/5jqd/
MX
xml
341 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
224.0.0.252:5355
unknown
2084
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
3328
rundll32.exe
181.10.46.92:80
Telecom Argentina S.A.
AR
malicious
3328
rundll32.exe
2.58.16.88:8080
SERTEX SIA
LV
malicious
3328
rundll32.exe
206.189.232.2:8080
DIGITALOCEAN-ASN
US
malicious
3328
rundll32.exe
178.250.54.208:8080
Iomart Cloud Services Limited
GB
malicious
3328
rundll32.exe
167.71.148.58:443
DIGITALOCEAN-ASN
US
malicious
3328
rundll32.exe
202.134.4.210:7080
PT Telekomunikasi Indonesia
ID
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3328
rundll32.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
3328
rundll32.exe
A Network Trojan was detected
AV TROJAN Emotet Second Stage CnC Request
3328
rundll32.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin M4
3328
rundll32.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
3328
rundll32.exe
A Network Trojan was detected
AV TROJAN Emotet Second Stage CnC Request
3328
rundll32.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin M4
3328
rundll32.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
3328
rundll32.exe
A Network Trojan was detected
AV TROJAN Emotet Second Stage CnC Request
3328
rundll32.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin M4
3328
rundll32.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
fwalsbpvui.uif