File name: 6423447920214016.zip
Full analysis: https://app.any.run/tasks/c64a4120-bcba-4b76-8c93-61681cb410e5
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: October 20, 2020, 06:02:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B2BE54E0906BB478C63D5911DBA22D81
SHA1: D0558D83111578420BCB0990551A86F886C96666
SHA256: 1C2C2FBF738D85ED06C50F96EF677033846B632D9A33D34BAD72F33C95AC9CA0
SSDEEP: 3072:PQ8ur8YjVfgdwGDxH1WrGt2V9OCag5V0JvujmVki0/OJCnYiVFuJImgAQIjpQv/P:oYmVfEwGDxH8Q2esmW+ki0kCnYiVMJIt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • tvratings.exe (PID: 608)
      • 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe (PID: 2244)
    • EMOTET was detected
      • tvratings.exe (PID: 608)
    • Connects to CnC server
      • tvratings.exe (PID: 608)
  • SUSPICIOUS
    • Starts itself from another location
      • 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe (PID: 2244)
    • Executable content was dropped or overwritten
      • 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe (PID: 2244)
      • WinRAR.exe (PID: 2940)
    • Reads Internet Cache Settings
      • tvratings.exe (PID: 608)
    • Connects to server without host name
      • tvratings.exe (PID: 608)
    • Removes files from Windows directory
      • tvratings.exe (PID: 608)
  • INFO
    • Manual execution by user
      • 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe (PID: 2244)
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109
ZipUncompressedSize: 259072
ZipCompressedSize: 172220
ZipCRC: 0x655094de
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
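The EXIF values above are the fields of the archive's ZIP file header printed raw. Two of them carry information the table does not spell out: ZipBitFlag 0x0009 has bit 0 set, which in the PKWARE APPNOTE is the encryption flag (the member is password-protected, so WinRAR would have prompted for a password; the page does not say which one was used), and ZipModifyDate 1980:00:00 00:00:00 is what a zeroed DOS date field renders as, i.e. the writer blanked the timestamp. The following decoder is an added example, not ExifTool's or ANY.RUN's code. The second header it parses is constructed from the report's EXIF values (the archive bytes themselves are not on the page, so no member data follows the header); the first is a plain archive written by Python's zipfile for comparison. The tag names in the returned dict mirror ExifTool's and are the only assumed interface.

```python
"""Decode a ZIP local file header into the fields ExifTool prints (added example)."""
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"  # 30-byte fixed part of the local file header (APPNOTE 4.3.7)
METHODS = {0: "Stored", 8: "Deflated"}
# General purpose bit flag (APPNOTE 4.4.4); only the bits that matter here are named
FLAG_BITS = {0: "encrypted", 3: "data descriptor follows", 11: "UTF-8 names"}


def dos_datetime(mdate, mtime):
    """DOS date/time words -> 'YYYY:MM:DD HH:MM:SS'. A zero date decodes to 1980:00:00,
    exactly what the report shows, because the year field is an offset from 1980."""
    year, month, day = 1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F
    hour, minute, sec = mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2
    return f"{year}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"


def parse_local_header(buf, offset=0):
    (sig, version, flag, method, mtime, mdate, crc,
     csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_FMT, buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name = buf[offset + 30: offset + 30 + nlen]
    return {
        "ZipRequiredVersion": version,
        "ZipBitFlag": flag,
        "ZipFlags": [FLAG_BITS.get(b, f"bit {b}") for b in range(16) if (flag >> b) & 1],
        "ZipCompression": METHODS.get(method, f"method {method}"),
        "ZipModifyDate": dos_datetime(mdate, mtime),
        "ZipCRC": f"0x{crc:08x}",
        "ZipCompressedSize": csize,
        "ZipUncompressedSize": usize,
        "ZipFileName": name.decode("utf-8" if (flag >> 11) & 1 else "cp437"),
    }


def report_header():
    """Header constructed from the report's EXIF table; member data is not on the page."""
    name = b"75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109"
    return struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0x0009, 8, 0, 0,
                       0x655094DE, 172220, 259072, len(name), 0) + name


def benign_header():
    """A plain archive written by Python's zipfile (constructed sample, for comparison)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("hello.txt", date_time=(2020, 10, 20, 6, 2, 14))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, b"hello " * 50)
    return buf.getvalue()


if __name__ == "__main__":
    for label, hdr in (("report", report_header()), ("benign", benign_header())):
        print(label, parse_local_header(hdr))
```

Run stand-alone it prints both decoded headers; the report header comes back with ZipFlags ["encrypted", "data descriptor follows"], while the zipfile-written one has no flags set and a real timestamp. On a live sample, run the same decoder over the actual archive and compare its output with the central directory, since a mismatch between the two is itself worth a look.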
Total processes: 41
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain recovered from the graph labels): WinRAR.exe -> 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe -> tvratings.exe (#EMOTET); edge labels: "start", "drop and start"

Process information

PID 2940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6423447920214016.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 2244
CMD: "C:\Users\admin\Desktop\75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe"
Path: C:\Users\admin\Desktop\75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID 608
CMD: "C:\Windows\system32\ieapfltr\tvratings.exe"
Path: C:\Windows\system32\ieapfltr\tvratings.exe
Parent process: 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe
User: admin
Integrity Level: HIGH
Total events: 499
Read events: 485
Write events: 14
Delete events: 0

Modification events (registry writes; a blank value means the report shows none)

(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon = (empty)
(PID 2940) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | LanguageList = en-US
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\AppData\Local\Temp\6423447920214016.zip
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime = 100
(PID 2940) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword = 0
(PID 608) tvratings.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix = (empty)
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2940, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2940.8936\75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109
Type: executable
MD5: 58AC5DD2CD448C56F4C7B40C45DDED6C
SHA256: 75B0A81C1D5EB02216E4D34C43DCF0371D01AF39DEE87E60287DCE4E2AEA9109

PID 2244, 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe
Filename: C:\Windows\System32\ieapfltr\tvratings.exe
Type: executable
MD5: 58AC5DD2CD448C56F4C7B40C45DDED6C
SHA256: 75B0A81C1D5EB02216E4D34C43DCF0371D01AF39DEE87E60287DCE4E2AEA9109
HTTP(S) requests: 3
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests (all from PID 608, tvratings.exe; an empty HTTP code means no response was recorded)

POST http://190.192.39.136/ELDt/xJNNAifHQ/FdFyyrH/ | IP 190.192.39.136:80 | CN: AR | HTTP code: (none) | reputation: malicious
POST http://190.85.46.52:7080/m6qbaEkF/GIsfAgDVasfkBbpb9mG/LpA0Z4ZkmOndMGxAgC/ | IP 190.85.46.52:7080 | CN: CO | HTTP code: 200 | type: binary | size: 132 b | reputation: malicious
POST http://5.189.168.53:8080/0ZJAV5AfIt4BAfJp1/sRmrHQIVnNVDLKDE2VH/1szEs7FYfqf7NGNyca1/3XHG/N3Av02WEbVVbl7rlKC/9rGJ/ | IP 5.189.168.53:8080 | CN: DE | HTTP code: (none) | reputation: malicious
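Three of the signatures in this report can be re-derived from the raw events it lists: the same SHA256 written first by WinRAR into its temp directory and then by the sample into C:\Windows\System32\ieapfltr\ (the "Starts itself from another location" and "Executable content was dropped" hits), a process started from a path another process had just written (the "dropped or rewritten from another process" hit on tvratings.exe, whose image path differs from the drop record only in letter case), and POSTs whose URL host is an IP literal rather than a name (the "Connects to server without host name" hit, with the 7080 and 8080 ports the Feodo Tracker alerts key on). The following is an added example, not ANY.RUN's signature engine. The record layouts and function names are assumptions; the values in the records are copied from the report's process, dropped-file and HTTP tables.

```python
"""Re-deriving three of the report's behavioural signatures from event records (added example)."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109"
# The report's SHA256 for both dropped files equals the archive member's name.
DROPPED_SHA256 = SAMPLE.upper()
WINDOWS_DIR = "c:\\windows\\"

# Constructed from the report's "Dropped files" table (assumed record layout).
DROPPED_FILES = [
    {"pid": 2940, "process": "WinRAR.exe",
     "path": "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$DRb2940.8936\\" + SAMPLE,
     "sha256": DROPPED_SHA256},
    {"pid": 2244, "process": SAMPLE + ".exe",
     "path": "C:\\Windows\\System32\\ieapfltr\\tvratings.exe",
     "sha256": DROPPED_SHA256},
]

# Constructed from the report's "Process information" table.
PROCESS_STARTS = [
    {"pid": 2940, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "parent": "explorer.exe"},
    {"pid": 2244, "image": "C:\\Users\\admin\\Desktop\\" + SAMPLE + ".exe", "parent": "explorer.exe"},
    {"pid": 608, "image": "C:\\Windows\\system32\\ieapfltr\\tvratings.exe", "parent": SAMPLE + ".exe"},
]

# Constructed from the report's "HTTP requests" table.
HTTP_REQUESTS = [
    {"pid": 608, "method": "POST", "url": "http://190.192.39.136/ELDt/xJNNAifHQ/FdFyyrH/"},
    {"pid": 608, "method": "POST",
     "url": "http://190.85.46.52:7080/m6qbaEkF/GIsfAgDVasfkBbpb9mG/LpA0Z4ZkmOndMGxAgC/"},
    {"pid": 608, "method": "POST",
     "url": "http://5.189.168.53:8080/0ZJAV5AfIt4BAfJp1/sRmrHQIVnNVDLKDE2VH/1szEs7FYfqf7NGNyca1/3XHG/N3Av02WEbVVbl7rlKC/9rGJ/"},
]


def _norm(path):
    """Windows paths are case-insensitive; the trace mixes system32 and System32."""
    return path.lower()


def dropped_copies_in_windows_dir(drops):
    """Same hash written to two different paths, one of them under C:\\Windows\\.
    Returns (sha256, windows_path, pid_that_wrote_it) per hit."""
    by_hash = defaultdict(list)
    for d in drops:
        by_hash[d["sha256"]].append(d)
    hits = []
    for sha, recs in by_hash.items():
        if len({_norm(r["path"]) for r in recs}) < 2:
            continue  # one location only: a plain drop, not a self-copy
        hits.extend((sha, r["path"], r["pid"]) for r in recs
                    if _norm(r["path"]).startswith(WINDOWS_DIR))
    return hits


def started_from_drop(drops, starts):
    """A process whose image path was written earlier by a different process.
    Returns (started_pid, writer_pid) per hit."""
    writers = {_norm(d["path"]): d["pid"] for d in drops}
    return [(s["pid"], writers[_norm(s["image"])]) for s in starts
            if _norm(s["image"]) in writers and writers[_norm(s["image"])] != s["pid"]]


def bare_ip_requests(requests):
    """URL host is an IP literal, so no DNS lookup preceded the connection.
    Returns (pid, ip, port) per hit; port defaults per scheme when absent."""
    hits = []
    for r in requests:
        parts = urlsplit(r["url"])
        try:
            ip = ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue  # a real host name; a DNS request should exist for it
        port = parts.port or (443 if parts.scheme == "https" else 80)
        hits.append((r["pid"], str(ip), port))
    return hits


if __name__ == "__main__":
    print("self-copy into Windows dir:", dropped_copies_in_windows_dir(DROPPED_FILES))
    print("started from a dropped file:", started_from_drop(DROPPED_FILES, PROCESS_STARTS))
    print("POSTs to bare IPs:", bare_ip_requests(HTTP_REQUESTS))
```

Note that the Desktop copy the user ran (PID 2244) is not itself flagged by started_from_drop: its parent is explorer.exe and its path never appears as a drop target, which matches the report's "Manual execution by user" INFO entry rather than a MALICIOUS one. Feeding the same functions EDR or Sysmon file-create and process-create events in the assumed record shape gives the same three findings on a live host.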

Connections (all from PID 608, tvratings.exe; no domain was associated with any of them)

162.241.41.111:7080 | ASN: CyrusOne LLC | CN: US | reputation: malicious
190.192.39.136:80 | ASN: Prima S.A. | CN: AR | reputation: malicious
5.189.168.53:8080 | ASN: Contabo GmbH | CN: DE | reputation: malicious
190.85.46.52:7080 | ASN: Telmex Colombia S.A. | CN: CO | reputation: malicious

DNS requests

dns.msftncsi.com -> 131.107.255.255 | reputation: shared

Threats (IDS alerts, all from PID 608, tvratings.exe; class "A Network Trojan was detected")

  • ET CNC Feodo Tracker Reported CnC Server group 11
  • ET CNC Feodo Tracker Reported CnC Server group 19
  • ET CNC Feodo Tracker Reported CnC Server group 5
  • ET TROJAN Win32/Emotet CnC Activity (POST) M10
  • ET CNC Feodo Tracker Reported CnC Server group 12
  • ET TROJAN Win32/Emotet CnC Activity (POST) M10
  • ET TROJAN Win32/Emotet CnC Activity (POST) M10