File name: | 876.exe.zip
---|---
Full analysis: | https://app.any.run/tasks/2279f104-ae61-4765-86d4-dd6dd4724c16
Verdict: | Malicious activity
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It targets mostly corporate victims, but private users are also infected in mass spam email campaigns.
Analysis date: | November 14, 2018, 22:02:27
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/zip
File info: | Zip archive data, at least v2.0 to extract
MD5: | E74C5C19BC9E7A21796F065846ED0AA7
SHA1: | 906C3D7BD643DA5C646152EEA38BEB70574EDE1A
SHA256: | 263AC62C567F8516669ABB734C61B60C6607D8A78FC976F949A15D2AD462D5ED
SSDEEP: | 3072:hrNPOEHQ4lbZG2sbKFrhQrqcXKRoDAsYJjfZYV/elSR97/1T+EudZbK:hh2E9tGJ4rhQmcxMsYJh2/2w97/16Euy
.zip | ZIP compressed archive (100)
---|---
ZipRequiredVersion: | 788
ZipBitFlag: | 0x0001
ZipCompression: | Deflated
ZipModifyDate: | 2018:11:14 20:22:06
ZipCRC: | 0xb2fe9c4e
ZipCompressedSize: | 148831
ZipUncompressedSize: | 421888
ZipFileName: | 876.exe
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3032 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\876.exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
3336 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3032.48452\876.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3032.48452\876.exe | — | WinRAR.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
3360 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3032.48452\876.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3032.48452\876.exe | | 876.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
2024 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | 876.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
3176 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | lpiograd.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Version: 8.0.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3032 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3032.48452\876.exe | executable | BBBA81368267A5A2BB2AC77853B8C78B | 667CDA76B582C0771F85AD12167238E0F4BB12F479030D99C8A15D7F08EB9975
3360 | 876.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | BBBA81368267A5A2BB2AC77853B8C78B | 667CDA76B582C0771F85AD12167238E0F4BB12F479030D99C8A15D7F08EB9975
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3176 | lpiograd.exe | GET | — | 177.242.156.119:80 | http://177.242.156.119/ | MX | — | — | malicious
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3176 | lpiograd.exe | 177.242.156.119:80 | — | SERVICIO Y EQUIPO EN TELEFONÍA INTERNET Y TV S.A. DE C.V. | MX | malicious
3176 | lpiograd.exe | 50.78.167.65:7080 | — | Comcast Cable Communications, LLC | US | malicious