File name:

29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a

Full analysis: https://app.any.run/tasks/774ac1c7-5603-4113-928d-c360a85c2b39
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: November 16, 2024, 15:33:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
emotet
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

E7474AB488167F2C9937C1A18AFCA44F

SHA1:

33657BA6CC60B86CFB5B0E3CE0B58944D9B3D897

SHA256:

29F6B63E894F8D36E74868307ADBF025E7C4AE996FBEF3DEBE910E680B1C8D0A

SSDEEP:

768:KvlMMX2JKv6YGxeuNPBgA1/sBtZ6Cv/ndViSXRUZxhDHuJa37x:0pGQyYGxeuNTGZ9/ndXssar

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMOTET has been detected (SURICATA)

      • catsrv.exe (PID: 2620)

    • Connects to the CnC server

      • catsrv.exe (PID: 2620)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe (PID: 5828)

    • Executable content was dropped or overwritten

      • 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe (PID: 5828)

    • Starts itself from another location

      • 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe (PID: 5828)

    • Connects to the server without a host name

      • catsrv.exe (PID: 2620)

    • Contacting a server suspected of hosting an CnC

      • catsrv.exe (PID: 2620)

  • INFO

    • Checks supported languages

      • 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe (PID: 5828)
      • catsrv.exe (PID: 2620)

    • Reads the computer name

      • catsrv.exe (PID: 2620)
      • 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe (PID: 5828)

    • Reads the machine GUID from the registry

      • catsrv.exe (PID: 2620)

    • The process uses the downloaded file

      • 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe (PID: 5828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:11 19:39:59+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 49152
UninitializedDataSize: -
EntryPoint: 0x28ee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: UseShGetFileInfoDemo MFC Application
FileVersion: 1, 0, 0, 1
InternalName: UseShGetFileInfoDemo
LegalCopyright: Copyright (C) 2003
LegalTrademarks: -
OriginalFileName: UseShGetFileInfoDemo.EXE
ProductName: UseShGetFileInfoDemo Application
ProductVersion: 1, 0, 0, 1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe #EMOTET catsrv.exe

Process information

PID
CMD
Path
Indicators
Parent process
2620"C:\Users\admin\AppData\Local\mscpxl32\catsrv.exe"C:\Users\admin\AppData\Local\mscpxl32\catsrv.exe
29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe
User:
admin
Integrity Level:
MEDIUM
Description:
UseShGetFileInfoDemo MFC Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\mscpxl32\catsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5828"C:\Users\admin\Desktop\29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe" C:\Users\admin\Desktop\29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
587
Read events
584
Write events
3
Delete events
0

Modification events

(PID) Process:(2620) catsrv.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2620) catsrv.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2620) catsrv.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
582829f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a.exeC:\Users\admin\AppData\Local\mscpxl32\catsrv.exeexecutable
MD5:E7474AB488167F2C9937C1A18AFCA44F
SHA256:29F6B63E894F8D36E74868307ADBF025E7C4AE996FBEF3DEBE910E680B1C8D0A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
33
DNS requests
8
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5640
RUXIMICS.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5640
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2620
catsrv.exe
POST
92.24.51.238:80
http://92.24.51.238/i2FTkQWbfg9w/WsIpKyihv4cTTA/7uVXfypUD/
unknown
malicious
2620
catsrv.exe
POST
188.166.25.84:8080
http://188.166.25.84:8080/sb8yagPn8eLaaXVv5/ZOer6/
unknown
unknown
2620
catsrv.exe
POST
139.99.157.213:8080
http://139.99.157.213:8080/QXCCRPpDvfPj7fP/CBn1/999U/aHamNafmQVX00nVP/D9Ke8asLz5B3VREnut/Fxg93Is7FLN9HQHTH/
unknown
unknown
2620
catsrv.exe
POST
5.79.70.250:8080
http://5.79.70.250:8080/p6JO9se59MYcCt3oqmO/fc1ltOo0TO1/MbnQ9i1EGW3VnzfwYW/XCYwNUcy/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5640
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
92.123.104.66:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5640
RUXIMICS.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.66
  • 92.123.104.62
  • 92.123.104.59
  • 92.123.104.61
  • 92.123.104.65
  • 92.123.104.60
  • 92.123.104.58
  • 92.123.104.64
  • 92.123.104.67
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted

Threats

PID
Process
Class
Message
2620
catsrv.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
2620
catsrv.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Emotet CnC Activity (POST) M8
2620
catsrv.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
2620
catsrv.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Emotet CnC Activity (POST) M8
2620
catsrv.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
2620
catsrv.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
2620
catsrv.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
2620
catsrv.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Emotet CnC Activity (POST) M8
2620
catsrv.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
2620
catsrv.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Emotet CnC Activity (POST) M8
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
29f6b63e894f8d36e74868307adbf025e7c4ae996fbef3debe910e680b1c8d0a