File name: | 10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934 |
Full analysis: | https://app.any.run/tasks/ba41614d-b17b-4fab-be3b-4adef9c876f6 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2018, 10:56:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 3B2679E388397DF2103BCFBE6A361400 |
SHA1: | 46153362E25CF338CD1062EAC96A56898A91F17D |
SHA256: | 10C74B4550A1E551087CDBC2E7F2334C16FDE5CF02E1156E31D8E1E04C91F934 |
SSDEEP: | 3072:pKNj2XeWWkWxDYM2L/w78UsK852ZnHrtM455TZK:gNj6Whgw8rn52ZLtM455T |
.dll | | | Win32 Dynamic Link Library (generic) (38.3) |
---|---|---|
.exe | | | Win32 Executable (generic) (26.2) |
.exe | | | Win16/32 Executable Delphi generic (12) |
.exe | | | Generic Win/DOS Executable (11.6) |
.exe | | | DOS Executable Generic (11.6) |
tVersion: | 1 |
---|---|
ercaexe: | - |
ht: | © Microsoft Corporation. All r |
InternalName: | wmvde |
FileVersion: | 6. |
FileDescription: | Windows M |
CompanyName: | Micro |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.6.0.0 |
FileVersionNumber: | 1.6.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | 1.1 |
OSVersion: | 6 |
EntryPoint: | 0x3d40 |
UninitializedDataSize: | - |
InitializedDataSize: | 155648 |
CodeSize: | 16384 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 1996:06:16 23:58:56+02:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2788 | "C:\Users\admin\AppData\Local\Temp\10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe" | C:\Users\admin\AppData\Local\Temp\10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe | — | explorer.exe |
User: admin Company: Micro Integrity Level: MEDIUM Description: Windows M Exit code: 0 Version: 6. | ||||
3300 | "C:\Users\admin\AppData\Local\Temp\10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe" | C:\Users\admin\AppData\Local\Temp\10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe | 10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Description: Windows M Exit code: 0 Version: 6. | ||||
3212 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | 10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Description: Windows M Exit code: 0 Version: 6. | ||||
2356 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Description: Windows M Version: 6. |
PID | Process | Filename | Type | |
---|---|---|---|---|
3300 | 10c74b4550a1e551087cdbc2e7f2334c16fde5cf02e1156e31d8e1e04c91f934.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:3B2679E388397DF2103BCFBE6A361400 | SHA256:10C74B4550A1E551087CDBC2E7F2334C16FDE5CF02E1156E31D8E1E04C91F934 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2356 | lpiograd.exe | GET | — | 207.255.59.231:443 | http://207.255.59.231:443/ | US | — | — | malicious |
2356 | lpiograd.exe | GET | 404 | 118.69.186.155:8080 | http://118.69.186.155:8080/ | VN | xml | 345 b | malicious |
2356 | lpiograd.exe | GET | 404 | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | xml | 345 b | malicious |
2356 | lpiograd.exe | GET | 404 | 70.60.50.60:8080 | http://70.60.50.60:8080/ | US | xml | 345 b | malicious |
2356 | lpiograd.exe | GET | 404 | 50.21.147.8:8090 | http://50.21.147.8:8090/ | US | xml | 345 b | malicious |
— | — | GET | 404 | 5.32.65.50:8080 | http://5.32.65.50:8080/ | AE | xml | 345 b | malicious |
2356 | lpiograd.exe | GET | 404 | 216.176.21.143:80 | http://216.176.21.143/ | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2356 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
2356 | lpiograd.exe | 118.69.186.155:8080 | — | The Corporation for Financing & Promoting Technology | VN | malicious |
2356 | lpiograd.exe | 70.60.50.60:8080 | — | Time Warner Cable Internet LLC | US | malicious |
2356 | lpiograd.exe | 50.21.147.8:8090 | — | Otelco Telephone, LLC | US | malicious |
2356 | lpiograd.exe | 216.176.21.143:80 | — | Great Lakes Comnet, Inc. | US | malicious |
— | — | 5.32.65.50:8080 | — | Emirates Integrated Telecommunications Company PJSC (EITC-DU) | AE | malicious |
2356 | lpiograd.exe | 207.255.59.231:443 | — | Atlantic Broadband Finance, LLC | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2356 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2356 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2356 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2356 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2356 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2356 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |