Field | Value
---|---
URL | http://smelecpro.com/wordpress/NJ/
Full analysis | https://app.any.run/tasks/d8220887-e850-4043-a361-91b7d1e277ba
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become very destructive malware. It targets mostly corporate victims, but private users also get infected in mass spam email campaigns.
Analysis date | March 21, 2019, 10:54:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MD5 | 20BB73FD486669C3ED63350ACF5C4893
SHA1 | E242879E6FD7BEE686C563153B474FCC466289C2
SHA256 | 2B8D7376FA4E02D97954B90364FF46490A70772776010F7C0281E12E335A79B7
SSDEEP | 3:N1KNIAOCXQGwRVDxK:CaAOQ
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1476 | "C:\Program Files\Opera\opera.exe" http://smelecpro.com/wordpress/NJ/ | C:\Program Files\Opera\opera.exe | | explorer.exe | User: admin; Company: Opera Software; Integrity Level: MEDIUM; Description: Opera Internet Browser; Version: 1748
1308 | "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\KYFg.exe" | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\KYFg.exe | — | opera.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Timeline Wizard command line exe; Exit code: 0; Version: 12.0.4518.1014
2692 | --d003b24c | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\KYFg.exe | | KYFg.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Timeline Wizard command line exe; Exit code: 0; Version: 12.0.4518.1014
2388 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | | KYFg.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Timeline Wizard command line exe; Exit code: 0; Version: 12.0.4518.1014
2876 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | | wabmetagen.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Timeline Wizard command line exe; Version: 12.0.4518.1014
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr8E3D.tmp | — | — | —
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr8E3E.tmp | — | — | —
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr8E7D.tmp | — | — | —
1476 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | — | — | —
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | AF0B26104C72F3841D1C714C60FCC1AE | C2EC6EDFCFAEED41738DC8F3DD59FA3AEB0CE5ADDA7AF9C1BD13457DA24A6F5F
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | 236B50B73435017712BFE55B3D437750 | 0858676110BD01CD9D5402DDB4EE04905E75B8131F707E4B63942F44F56682A2
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat | binary | 7F5DCBF9F067F258078D5071195D5C51 | FEC0BE3946FE4780375CEE50EB647BEA4FB130AF228E473FE442B39FF19D0492
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | 91D927246D7D2526FDECD08A46DCE5F8 | 3F17AC3B16FB5D43A3BDEA7CE665DF46F13ED5D39DA4EA39920FACF1B5CF64EB
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat | binary | 82F1A2B1176A5ECC457D32301E2AD833 | A783052804DD4C232BE2ED3DC00C430CB67A20370890E235562ED2B27B5A602E
1476 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat | binary | 1AA8644C9261DC10F7247F6A145C1DD2 | 58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1476 | opera.exe | GET | 200 | 66.225.197.197:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 b | whitelisted |
1476 | opera.exe | GET | — | 185.26.182.111:80 | http://sitecheck2.opera.com/?host=smelecpro.com&hdn=v5bsu0lOzHkiADNtKbty4g== | unknown | — | — | whitelisted |
1476 | opera.exe | GET | — | 104.27.186.223:80 | http://smelecpro.com/cdn-cgi/styles/fonts/opensans-300.woff | US | — | — | malicious |
1476 | opera.exe | GET | — | 104.27.187.223:80 | http://smelecpro.com/cdn-cgi/images/icon-exclamation.png?1376755637 | US | — | — | malicious |
1476 | opera.exe | GET | — | 104.27.187.223:80 | http://smelecpro.com/cdn-cgi/styles/fonts/opensans-400.woff | US | — | — | malicious |
1476 | opera.exe | GET | 200 | 104.27.186.223:80 | http://smelecpro.com/wordpress/NJ/ | US | html | 1.50 Kb | malicious |
1476 | opera.exe | GET | 200 | 104.27.187.223:80 | http://smelecpro.com/cdn-cgi/styles/fonts/opensans-300i.woff | US | woff | 15.1 Kb | malicious |
1476 | opera.exe | GET | 200 | 104.27.187.223:80 | http://smelecpro.com/cdn-cgi/styles/fonts/opensans-700.woff | US | woff | 14.2 Kb | malicious |
1476 | opera.exe | GET | 200 | 104.27.186.223:80 | http://smelecpro.com/cdn-cgi/styles/cf.errors.css | US | text | 4.77 Kb | malicious |
1476 | opera.exe | GET | 200 | 104.27.187.223:80 | http://smelecpro.com/cdn-cgi/scripts/cf.common.js | US | text | 1.94 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1476 | opera.exe | 82.145.215.40:443 | certs.opera.com | Opera Software AS | — | whitelisted |
1476 | opera.exe | 66.225.197.197:80 | crl4.digicert.com | CacheNetworks, Inc. | US | whitelisted |
1476 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1476 | opera.exe | 104.27.186.223:80 | smelecpro.com | Cloudflare Inc | US | shared |
2876 | wabmetagen.exe | 89.211.201.179:80 | — | Ooredoo Q.S.C. | QA | malicious |
1476 | opera.exe | 185.26.182.111:80 | sitecheck2.opera.com | Opera Software AS | — | whitelisted |
1476 | opera.exe | 104.27.187.223:80 | smelecpro.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
smelecpro.com | | malicious
certs.opera.com | | whitelisted
crl4.digicert.com | | whitelisted
ocsp.digicert.com | | whitelisted
sitecheck2.opera.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
1476 | opera.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1476 | opera.exe | Misc activity | ET INFO EXE - Served Attached HTTP |