URL: http://aural6.net/yobZPsMLA

Full analysis: https://app.any.run/tasks/78d41333-4e01-4ae0-963f-483839a6d3d7
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: December 06, 2018, 07:32:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader, emotet, feodo
Indicators:
MD5: 0054E46D4295BAA41F712B3C3C53A052
SHA1: 47D5DF051CFD3E425DC9FD7BC79F59AFD567CC38
SHA256: 4822F7EE86A43F98024DD2BD4806F0D88AD95521618A2EEEDE006CD01726E423
SSDEEP: 3:N1KfpMqKn:CCqK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3068)
      • iexplore.exe (PID: 4024)
    • Application was dropped or rewritten from another process

      • yobZPsMLA[1].exe (PID: 2656)
      • archivesymbol.exe (PID: 3352)
      • yobZPsMLA[1].exe (PID: 2256)
      • archivesymbol.exe (PID: 3940)
    • EMOTET was detected

      • archivesymbol.exe (PID: 3940)
    • Connects to CnC server

      • archivesymbol.exe (PID: 3940)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 4024)
      • iexplore.exe (PID: 3428)
      • yobZPsMLA[1].exe (PID: 2256)
    • Cleans NTFS data-stream (Zone Identifier)

      • yobZPsMLA[1].exe (PID: 2256)
    • Starts itself from another location

      • yobZPsMLA[1].exe (PID: 2256)
    • Connects to unusual port

      • archivesymbol.exe (PID: 3940)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2672)
      • iexplore.exe (PID: 3428)
    • Changes internet zones settings

      • iexplore.exe (PID: 2672)
      • iexplore.exe (PID: 3428)
    • Reads internet explorer settings

      • iexplore.exe (PID: 4024)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3068)
      • iexplore.exe (PID: 4024)
No Malware configuration.
Total processes: 37
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1


Process information

PID: 2672
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3068
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2672 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3428
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 4024
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3428 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2656
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\yobZPsMLA[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\yobZPsMLA[1].exe
Parent process: iexplore.exe
User: admin
Company: Nexon Corp.
Integrity Level: MEDIUM
Description: Softpub Forwarder DLL
Exit code: 0
Version: 6.1.7600.1
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\d2ypij90\yobzpsmla[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2256
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\yobZPsMLA[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\yobZPsMLA[1].exe
Parent process: yobZPsMLA[1].exe
User: admin
Company: Nexon Corp.
Integrity Level: MEDIUM
Description: Softpub Forwarder DLL
Exit code: 0
Version: 6.1.7600.1
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\d2ypij90\yobzpsmla[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3352
CMD: "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"
Path: C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
Parent process: yobZPsMLA[1].exe
User: admin
Company: Nexon Corp.
Integrity Level: MEDIUM
Description: Softpub Forwarder DLL
Exit code: 0
Version: 6.1.7600.1
Modules (images):
c:\users\admin\appdata\local\archivesymbol\archivesymbol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 3940
CMD: "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"
Path: C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
Parent process: archivesymbol.exe
User: admin
Company: Nexon Corp.
Integrity Level: MEDIUM
Description: Softpub Forwarder DLL
Version: 6.1.7600.1
Modules (images):
c:\users\admin\appdata\local\archivesymbol\archivesymbol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 1 091
Read events: 960
Write events: 130
Delete events: 1

Modification events

PID | Process | Operation | Key | Name | Value
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value omitted)
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {23119D97-F929-11E8-BAD8-5254004A04AF} | 0
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3
2672 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E2070C00040006000700200034003603
Executable files: 3
Suspicious files: 1
Text files: 32
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | - | - | -
2672 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF437CB425F2DD4B5E.TMP | - | - | -
3428 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | - | - | -
3428 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD12EC3ADCD6BF71C.TMP | - | - | -
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{23119D97-F929-11E8-BAD8-5254004A04AF}.dat | - | - | -
3428 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | 6B99654702072F33EAC4D4E709E387A0 | 28BFEF0B1885A556ABDC0D1568A9A5FBDE20AA3FA6EEE9A8868D707878EDAC3D
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{23119D98-F929-11E8-BAD8-5254004A04AF}.dat | binary | A1D16F3CB6146665522F0FED8051AB7F | 8B38891156886B616B1B2348FB2B49D8B6843816FA8DDAF7CF243AAC8DCBABEA
4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ErrorPageTemplate[1] | text | F4FE1CB77E758E1BA56B8A8EC20417C5 | 8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
HTTP(S) requests: 13
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3068 | iexplore.exe | GET | 301 | 204.93.167.27:80 | http://aural6.net/yobZPsMLA | US | html | 236 b | malicious
4024 | iexplore.exe | GET | 200 | 204.93.167.27:80 | http://aural6.net/yobZPsMLA/ | US | executable | 120 Kb | malicious
4024 | iexplore.exe | GET | 301 | 204.93.167.27:80 | http://aural6.net/yobZPsMLA | US | html | 236 b | malicious
3068 | iexplore.exe | GET | 200 | 204.93.167.27:80 | http://aural6.net/yobZPsMLA/ | US | executable | 120 Kb | malicious
4024 | iexplore.exe | GET | 200 | 204.93.167.27:80 | http://aural6.net/yobZPsMLA/ | US | executable | 120 Kb | malicious
3940 | archivesymbol.exe | GET | - | 200.6.168.130:990 | http://200.6.168.130:990/ | CO | - | - | suspicious
3940 | archivesymbol.exe | GET | - | 200.236.117.151:8080 | http://200.236.117.151:8080/ | MX | - | - | malicious
3940 | archivesymbol.exe | GET | - | 100.33.158.222:80 | http://100.33.158.222/ | US | - | - | malicious
3940 | archivesymbol.exe | GET | - | 187.160.2.73:443 | http://187.160.2.73:443/ | MX | - | - | malicious
3940 | archivesymbol.exe | GET | - | 99.225.98.242:443 | http://99.225.98.242:443/ | CA | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3428 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2672 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3940 | archivesymbol.exe | 187.160.2.73:443 | - | Television Internacional, S.A. de C.V. | MX | malicious
3940 | archivesymbol.exe | 80.149.179.98:7080 | - | Deutsche Telekom AG | DE | malicious
3068 | iexplore.exe | 204.93.167.27:80 | aural6.net | Server Central Network | US | suspicious
4024 | iexplore.exe | 204.93.167.27:80 | aural6.net | Server Central Network | US | suspicious
3940 | archivesymbol.exe | 200.6.168.130:990 | - | EPM Telecomunicaciones S.A. E.S.P. | CO | suspicious
3940 | archivesymbol.exe | 99.225.98.242:443 | - | Rogers Cable Communications Inc. | CA | malicious
3940 | archivesymbol.exe | 200.236.117.151:8080 | - | Axtel, S.A.B. de C.V. | MX | malicious
3940 | archivesymbol.exe | 201.203.100.160:990 | - | Instituto Costarricense de Electricidad y Telecom. | CR | suspicious

DNS requests

Domain | IP | Reputation
aural6.net | 204.93.167.27 | malicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
aurai6.net | - | unknown

Threats

PID | Process | Class | Message
3068 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3068 | iexplore.exe | A Network Trojan was detected | ET TROJAN VBScript Redirect Style Exe File Download
3068 | iexplore.exe | Misc activity | ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
3068 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP
4024 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4024 | iexplore.exe | Misc activity | ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
4024 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP
4024 | iexplore.exe | Misc activity | ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
4024 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3940 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet
3 ETPRO signatures are available in the full report
No debug info