Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was repeatedly upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.
MALICIOUS | SUSPICIOUS | INFO
---|---|---
No malicious indicators. | PowerShell script executed | Creates files in the user directory
Image |
---|
c:\windows\system32\rpcrt4.dll |
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\program files\microsoft office\office14\wwlib.dll |
c:\windows\system32\ole32.dll |
c:\program files\microsoft office\office14\gfx.dll |
c:\windows\system32\wtsapi32.dll |
c:\windows\system32\msi.dll |
c:\windows\system32\apphelp.dll |
c:\program files\common files\microsoft shared\office14\cultures\office.odf |
c:\program files\microsoft office\office14\1033\wwintl.dll |
c:\program files\common files\microsoft shared\office14\msores.dll |
c:\windows\system32\uxtheme.dll |
c:\windows\system32\mscoree.dll |
c:\windows\system32\version.dll |
c:\windows\system32\sxs.dll |
c:\progra~1\micros~1\office14\genko.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\iertutil.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\sspicli.dll |
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll |
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll |
c:\windows\system32\fontsub.dll |
c:\program files\common files\microsoft shared\office14\usp10.dll |
c:\windows\system32\wbem\wbemdisp.dll |
c:\windows\system32\wbemcomn.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\wbem\wbemprox.dll |
c:\windows\system32\wbem\wmiutils.dll |
c:\windows\system32\wbem\wbemsvc.dll |
c:\windows\system32\wbem\fastprox.dll |
c:\windows\system32\ntdsapi.dll |
c:\windows\system32\explorerframe.dll |
c:\windows\system32\duser.dll |
c:\windows\system32\dui70.dll |
c:\program files\microsoft office\office14\winword.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\msimg32.dll |
c:\program files\microsoft office\office14\oart.dll |
c:\program files\common files\microsoft shared\office14\mso.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\program files\common files\microsoft shared\office14\1033\msointl.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\dwmapi.dll |
c:\program files\common files\microsoft shared\office14\msptls.dll |
c:\program files\common files\microsoft shared\office14\riched20.dll |
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll |
c:\windows\system32\winspool.drv |
c:\windows\system32\shell32.dll |
c:\windows\system32\powrprof.dll |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\propsys.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\system32\rpcrtremote.dll |
c:\windows\system32\msxml6.dll |
c:\windows\system32\profapi.dll |
c:\windows\system32\msasn1.dll |
c:\program files\microsoft office\office14\gkword.dll |
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll |
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll |
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll |
c:\windows\system32\fm20.dll |
c:\windows\system32\comdlg32.dll |
c:\windows\system32\linkinfo.dll |
c:\windows\system32\ntshrui.dll |
c:\windows\system32\srvcli.dll |
c:\windows\system32\cscapi.dll |
c:\windows\system32\slc.dll |
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll |
c:\windows\system32\fm20enu.dll |
c:\windows\system32\windowscodecs.dll |
Image |
---|
c:\windows\system32\windowspowershell\v1.0\powershell.exe |
c:\windows\system32\kernel32.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\mscoree.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\userenv.dll |
c:\windows\system32\profapi.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\propsys.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\shdocvw.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\system32\version.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll |
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll |
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll |
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll |
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll |
c:\windows\system32\shfolder.dll |
c:\windows\system32\sspicli.dll |
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll |
c:\windows\system32\rasman.dll |
c:\windows\system32\mswsock.dll |
c:\windows\system32\wshtcpip.dll |
c:\windows\system32\winhttp.dll |
c:\windows\system32\iphlpapi.dll |
c:\windows\system32\winnsi.dll |
c:\windows\system32\dhcpcsvc.dll |
c:\windows\system32\dnsapi.dll |
c:\windows\system32\rasadhlp.dll |
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll |
c:\windows\system32\gpapi.dll |
c:\windows\system32\qagentrt.dll |
c:\windows\system32\rtutils.dll |
c:\windows\system32\rasapi32.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll |
c:\windows\system32\secur32.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll |
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\cscapi.dll |
c:\windows\system32\linkinfo.dll |
c:\windows\system32\apphelp.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\atl.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\kernelbase.dll |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\ntshrui.dll |
c:\windows\system32\srvcli.dll |
c:\windows\system32\slc.dll |
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll |
c:\windows\system32\psapi.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\wship6.dll |
c:\windows\system32\webio.dll |
c:\windows\system32\dhcpcsvc6.dll |
c:\windows\system32\fwpuclnt.dll |
c:\windows\system32\security.dll |
c:\windows\system32\credssp.dll |
c:\windows\system32\schannel.dll |
c:\windows\system32\ncrypt.dll |
c:\windows\system32\bcrypt.dll |
c:\windows\system32\bcryptprimitives.dll |
c:\windows\system32\p2pcollab.dll |
c:\windows\system32\fveui.dll |
c:\windows\system32\netutils.dll |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2004 | powershell.exe | GET | 404 | 103.253.115.37:80 | http://sewaprinter.gratis/wp-content/dvCCsVERU/ | ID | xml | | suspicious
2004 | powershell.exe | GET | 404 | 107.180.46.212:80 | http://www.firepulsesports.com/wp-content/uploads/s6j4-58vm9xx6-85934/ | US | xml | | suspicious
2004 | powershell.exe | GET | 404 | 69.164.215.150:80 | http://educators.plus/t4qezfj/rkSgkF/ | US | xml | | suspicious
PID | Process | IP | ASN | CN | Reputation
---|---|---|---|---|---
2004 | powershell.exe | 103.253.115.37:80 | Media Antar Nusa PT. | ID | suspicious
2004 | powershell.exe | 107.180.46.212:80 | GoDaddy.com, LLC | US | suspicious
2004 | powershell.exe | 217.11.48.124:443 | manitu GmbH | DE | unknown
2004 | powershell.exe | 134.119.45.67:443 | Host Europe GmbH | DE | suspicious
2004 | powershell.exe | 69.164.215.150:80 | Linode, LLC | US | suspicious
No debug info.