File name: | payload.ps1 |
Full analysis: | https://app.any.run/tasks/dc81b704-391b-4c1d-b52c-05c47f5a58c1 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | March 21, 2019, 09:35:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | 62E12B90C0773FB083D9BAEC859C132F |
SHA1: | 366B61953FD5526984B851018DD72D727AD3C043 |
SHA256: | 4861F4AFAB5B660354736AB49A3806712220E4BF7A3976C0CE57FBFB3C4D3365 |
SSDEEP: | 12:EoA/j0AONCjRZCOZ8lal8LAT41EDF3mueLk1WYgDOX18ck3IhN7vIRudUr2hEV3c:Ej0Avjes1mL76DF3D51FgDOlv8IhNbNZ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
916 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\payload.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2028 | "C:\Users\admin\144.exe" | C:\Users\admin\144.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Exit code: 0 Version: 8,6,0,1000 | ||||
3956 | --e7f7df2f | C:\Users\admin\144.exe | 144.exe | |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Exit code: 0 Version: 8,6,0,1000 | ||||
2872 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | 144.exe | |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Exit code: 0 Version: 8,6,0,1000 | ||||
1352 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Version: 8,6,0,1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
916 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y0CICLH6TZL3L9IPJCGP.temp | — | |
MD5:— | SHA256:— | |||
916 | powershell.exe | C:\Users\admin\144.exe | — | |
MD5:— | SHA256:— | |||
916 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9c56.TMP | binary | |
MD5:7100C9D54A32DFE02751A9E1BC41F804 | SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | |||
916 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:7100C9D54A32DFE02751A9E1BC41F804 | SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | |||
3956 | 144.exe | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | executable | |
MD5:F5D211150A1C3A245A55FC93FFC1CEEB | SHA256:6F0960CEB6DAE294F8FFDFE58AD3E6892B3FE38CFABDFB389FA0A189A938DA6C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
916 | powershell.exe | GET | 200 | 104.27.186.223:80 | http://smelecpro.com/wordpress/NJ/ | US | html | 3.97 Kb | malicious |
916 | powershell.exe | GET | 200 | 69.162.123.230:80 | http://am3web.com.br/e9j/ | US | executable | 361 Kb | suspicious |
1352 | wabmetagen.exe | POST | 200 | 185.94.252.3:443 | http://185.94.252.3:443/merge/results/ringin/merge/ | DE | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1352 | wabmetagen.exe | 185.94.252.3:443 | — | Andreas Fahl trading as Megaservers.de | DE | malicious |
916 | powershell.exe | 104.27.186.223:80 | smelecpro.com | Cloudflare Inc | US | shared |
916 | powershell.exe | 69.162.123.230:80 | am3web.com.br | Limestone Networks, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
smelecpro.com |
| malicious |
am3web.com.br |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
916 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
916 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
916 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1352 | wabmetagen.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 6 |
1352 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |