analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/70adbe86-5041-4299-8212-002dc25fb863
Verdict: Malicious activity
Analysis date: January 14, 2022, 19:37:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

2F69C604A7D9102B0BDF673CE58E20EA

SHA1:

BC79030F00A40501F0E3D82F4E81479B563DF5D8

SHA256:

50E311F83FEAC945BCDD0D0469E3D609B649363AE212B0A5762EE3C4AE698101

SSDEEP:

3072:GvnJPm6+sUzK8dM23PLdBXEEHvFkgWoSqEZPM6sTUffSSOuzju0v+LBRITqcpmmj:enJPmjNfLnU6CgWYCrsuSujbqkk/0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2220)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2220)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 2220)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2248)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2220)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2220)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2248)
      • iexplore.exe (PID: 268)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 268)
      • iexplore.exe (PID: 2248)
    • Reads the computer name

      • iexplore.exe (PID: 268)
      • iexplore.exe (PID: 2248)
    • Changes internet zones settings

      • iexplore.exe (PID: 268)
    • Application launched itself

      • iexplore.exe (PID: 268)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 268)
      • iexplore.exe (PID: 2248)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2248)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 268)
    • Creates files in the user directory

      • iexplore.exe (PID: 2248)
      • iexplore.exe (PID: 268)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2220)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 268)
    • Changes settings of System certificates

      • iexplore.exe (PID: 268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2220"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
268"C:\Program Files\Internet Explorer\iexplore.exe" https://nt.embluemail.com/p/cl?data=https%3a%2f%2fxwzcd.codesandbox.io/.egrger.feregergre.273617261682e626f6f746840637466732e636f6dC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2248"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:268 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
17 448
Read events
16 714
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
18
Text files
55
Unknown types
12

Dropped files

PID
Process
Filename
Type
2220OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR2B03.tmp.cvr
MD5:
SHA256:
2220OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2220OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:34433B1CA265D84ABC96065A2556A1CC
SHA256:057CB84CA65C759642B2E00C3CF72482EFEF9B9E6403A3259460F11C5E04EDB4
2220OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:B2BB58C004FECE1F4F5234D4628296AE
SHA256:F305AB9C8ABA841899045C774AB5589993FB13E312B838ADFA9E7CDD4FA6722A
268iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC68ACF50745357D4EA92B214D9E7132
SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154
268iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:947618AE4440F11D241FF0AD7D6CEF2B
SHA256:3A94B0F018A32974A007AF12400F375F4990A0C81DA898E5430AEE6A3CFD202D
2248iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62der
MD5:9B980225C891790166A8A8535BB4E178
SHA256:EEFABCF46B58056A1447B6A084046FAFDBE7D8F512415EFF473544202FE1E047
2220OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\853B0DB4.datimage
MD5:B7E4346217C212F0F713AF691E5143DB
SHA256:CCFD225150CDED413E191D39E03A257599F6F7102E7753CBCECA4F5FC8FC9126
268iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:5EDDD3FA622B236FFE7C38130F8A85D9
SHA256:0D5BD111022E86ABF80547FBC5D9DB0C52FD4ABF1BD283624AAFC25D1735F74B
2220OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_CE76DF7286695848B2372862E7288261.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
61
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2248
iexplore.exe
GET
200
13.225.84.142:80
http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAHCQIkCXpSK3L31QZgvrds%3D
US
der
471 b
whitelisted
2248
iexplore.exe
GET
200
143.204.101.123:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
268
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2248
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
2248
iexplore.exe
GET
200
13.225.84.145:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
2248
iexplore.exe
GET
200
13.225.84.49:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
2248
iexplore.exe
GET
200
104.89.32.83:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2248
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?fd23221722787825
US
compressed
59.9 Kb
whitelisted
2248
iexplore.exe
GET
200
92.123.224.98:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgT5kZaBU6nRhhhCaFxWx0LJEQ%3D%3D
unknown
der
503 b
shared
2248
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2248
iexplore.exe
143.204.101.123:80
o.ss2.us
US
malicious
268
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2220
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2248
iexplore.exe
13.225.84.145:80
ocsp.rootg2.amazontrust.com
US
whitelisted
54.232.222.45:443
nt.embluemail.com
Amazon.com, Inc.
BR
unknown
2248
iexplore.exe
54.232.222.45:443
nt.embluemail.com
Amazon.com, Inc.
BR
unknown
268
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2248
iexplore.exe
13.225.84.49:80
ocsp.rootg2.amazontrust.com
US
whitelisted
268
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2248
iexplore.exe
104.16.95.65:443
static.cloudflareinsights.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
nt.embluemail.com
  • 54.232.222.45
  • 54.233.198.115
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
o.ss2.us
  • 143.204.101.123
  • 143.204.101.195
  • 143.204.101.99
  • 143.204.101.177
whitelisted
ocsp.rootg2.amazontrust.com
  • 13.225.84.145
  • 13.225.84.13
  • 13.225.84.175
  • 13.225.84.49
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.225.84.49
  • 13.225.84.13
  • 13.225.84.175
  • 13.225.84.145
  • 143.204.101.42
  • 143.204.101.74
  • 143.204.101.124
  • 143.204.101.190
shared
ocsp.sca1b.amazontrust.com
  • 13.225.84.142
  • 13.225.84.88
  • 13.225.84.104
  • 13.225.84.107
whitelisted

Threats

No threats detected
No debug info