URL: | https://datagambar.club/xerox/LGCpC-HRwOhoIX07uuiu_ckgabWPvp-cHu/ |
Full analysis: | https://app.any.run/tasks/3150c7b5-d2ea-4fc5-b6b5-db4bded4fc36 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 15, 2019, 08:13:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 5062C6438C722EBDFF4737C3A75332A9 |
SHA1: | DEC79BD1E7D965DCD9C384B4CF0C04AB585EB893 |
SHA256: | 55D1B22EB1DF50887DC7AB49EFC103F0A6802294755E40071C5451A908C410D1 |
SSDEEP: | 3:N8ciTP3a7imxiVjvGTP:2cgfa7imA+TP |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3068 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2584 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3068 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2492 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\LGCpC-HRwOhoIX07uuiu_ckgabWPvp-cHu[1].js" | C:\Windows\System32\WScript.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
3324 | "C:\Users\admin\AppData\Local\Temp\73w9whbmo.exe" | C:\Users\admin\AppData\Local\Temp\73w9whbmo.exe | — | WScript.exe | |||||||||||
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Exit code: 0 Version: 1, 0, 0, 1007 Modules
| |||||||||||||||
3840 | --87c727d9 | C:\Users\admin\AppData\Local\Temp\73w9whbmo.exe | 73w9whbmo.exe | ||||||||||||
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Exit code: 0 Version: 1, 0, 0, 1007 Modules
| |||||||||||||||
2128 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 73w9whbmo.exe | ||||||||||||
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Exit code: 0 Version: 1, 0, 0, 1007 Modules
| |||||||||||||||
2424 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | |||||||||||
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Version: 1, 0, 0, 1007 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3068 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2584 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@datagambar[1].txt | — | |
MD5:— | SHA256:— | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF14887AC75EEEDB9E.TMP | — | |
MD5:— | SHA256:— | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF3F00FB2C2735F32E.TMP | — | |
MD5:— | SHA256:— | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{57030477-5F56-11E9-B63D-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
2584 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8TJASDYX\0180262166_Apr_14_2019[1].js | text | |
MD5:3D584A5B6CEC11D3ED873AB96021EF3E | SHA256:D0819ED578BEB38C8875532613FF761B6B4816F653EE41042F853FB87CDB592D | |||
2584 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@datagambar[2].txt | text | |
MD5:C5812EB0C4B94A2151B285E970CB134E | SHA256:64A6A95E218F20E1173DC99396DB8240F88182D1D34185838510E72DBAA50493 | |||
2584 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:C7290175BAD4928D1625739BB369FB7E | SHA256:1B6859D2D2BCCCF7CF5884C76B72CE7723BB6BEBD0C12941C70DAD542E5F7BD4 | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{57030478-5F56-11E9-B63D-5254004A04AF}.dat | binary | |
MD5:ADF1906C8F68CFD5029C1E540CD9F5F7 | SHA256:488772AFB63751AFB765B7D11B9AA144144B3A8F5BA2FE24F93F83FA73063C72 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2492 | WScript.exe | GET | 200 | 77.92.88.1:80 | http://bathontv.co.uk/wp-admin/7_2Y/ | GB | executable | 130 Kb | suspicious |
3068 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3068 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2492 | WScript.exe | 77.92.88.1:80 | bathontv.co.uk | UK-2 Limited | GB | suspicious |
2492 | WScript.exe | 77.92.74.1:80 | 1roof.ltd.uk | UK-2 Limited | GB | malicious |
2584 | iexplore.exe | 104.27.147.159:443 | datagambar.club | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
datagambar.club |
| suspicious |
1roof.ltd.uk |
| malicious |
bathontv.co.uk |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2492 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2492 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2492 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2492 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |