analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

raw.eml

Full analysis: https://app.any.run/tasks/46ff397c-f5ab-4fb1-989f-ba42add9a0ac
Verdict: Malicious activity
Analysis date: October 05, 2022, 05:31:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

B5698B3AD272AC233DD40076B85F7BA4

SHA1:

95E345ECA43926EB26B7DE04B5188B2660010DC8

SHA256:

58892500A1D6E7058F4565698C764655C5CBCA4E142AE2BF5AB7D8C83E89B1F9

SSDEEP:

384:T71oqjZvztRFGRMMynZnp/6YzaFEcR0CP+bQtDURKjaGqaPX6l6a0Iel3BUofgrx:T71oynZn1zkR0AHARw0z+hl3G0/TWqA5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 3) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3220"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\raw.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
3276"C:\Program Files\Internet Explorer\iexplore.exe" http://secure-web.cisco.com/1fBP5C6g9ZIcAwXLRzgzOjJuESRjFjDvcNxwJf61VJdPe57cttKKaCV5VIlT_m8tT6Tz46NfQU9qoEunl3KGeKBrfeIx9_qASETUncy7jR3mrsW6-BDL9GM2YKbeHhH-Ov4ViuEwQjZE9LD8c-y4ww8t76cuya7MiTLHX-I-aMKs5yn8P19lgKinmh-dQRMIwid-82DiMwwTtyLDMS5y4558ZMZdS8Ubapyela9j2bKnjazPcgyGeUmX7VZxHnuQv5g-0FH3G6jjyxoQpKvpoVmNAppJVDKuKvmr7tJXgGZF1Ux2wZyMFNZrSNEa383e53hGLdaSHU5o3W5ITfS4zNGpsjusZOVN47_9o_DTkTGQmhLzyTcXC_aew4euMbUlL9l0gWR555gq1BkxnOc80AeA8u3ky-ge-peTPj65K1s9p2r_HYoi_RJJZh47SbWcaAza-km0U44CQrdZgIzcgmqeXVqbzdgFCSK-jzpgF-qDFIHiOZQQSOYzVUjS3jqDH/http%3A%2F%2Fhoffentt.com%2FC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3744"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3276 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
42 268
Read events
41 530
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
20
Text files
87
Unknown types
23

Dropped files

PID
Process
Filename
Type
3220OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4D77.tmp.cvr
MD5:
SHA256:
3220OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3220OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3094FD04.datimage
MD5:2925EB6713D84C3F6957EBE65DC5896F
SHA256:66B2B9A79AD723226AC33455FB97272D3F8C320502D9DBF08235EBCB8B984D86
3220OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:5E55DB9249DF58B0EB74A964D5487393
SHA256:A0EC80E2D6416975BE4F4272C7CA91E87FE81658D981B6CE0329513AE6A104E9
3220OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:F0572B1F9763BAC5D46C7FF7BD54CF1D
SHA256:0C85D7F8DB4C0C1727ED07EC6D064E4832CF88ADF4E57C5BDD64C586DEE1C7E8
3220OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_C0370B5AEC69174D814FFD0A18D73966.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
3744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\static_style[1].csstext
MD5:D26AE3C6566752C45D1C1307CE66ACD2
SHA256:1F87DF56DA3C02BDBF72A9C61CC6213B2789501F2567E413C9635109802E4F09
3220OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
3220OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_CCD0A0413EE52E41BC05226F00E4C8B9.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
3744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\all_js[1].jstext
MD5:7732DA1F0440259DE9BF74E223ACA869
SHA256:F4A09886E48D5ECF18FD5BCB5CCFE14CA7EA3BE913075465EA301D1AC1ECE6DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
113
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3744
iexplore.exe
GET
302
146.112.255.69:80
http://secure-web.cisco.com/1fBP5C6g9ZIcAwXLRzgzOjJuESRjFjDvcNxwJf61VJdPe57cttKKaCV5VIlT_m8tT6Tz46NfQU9qoEunl3KGeKBrfeIx9_qASETUncy7jR3mrsW6-BDL9GM2YKbeHhH-Ov4ViuEwQjZE9LD8c-y4ww8t76cuya7MiTLHX-I-aMKs5yn8P19lgKinmh-dQRMIwid-82DiMwwTtyLDMS5y4558ZMZdS8Ubapyela9j2bKnjazPcgyGeUmX7VZxHnuQv5g-0FH3G6jjyxoQpKvpoVmNAppJVDKuKvmr7tJXgGZF1Ux2wZyMFNZrSNEa383e53hGLdaSHU5o3W5ITfS4zNGpsjusZOVN47_9o_DTkTGQmhLzyTcXC_aew4euMbUlL9l0gWR555gq1BkxnOc80AeA8u3ky-ge-peTPj65K1s9p2r_HYoi_RJJZh47SbWcaAza-km0U44CQrdZgIzcgmqeXVqbzdgFCSK-jzpgF-qDFIHiOZQQSOYzVUjS3jqDH/http%3A%2F%2Fhoffentt.com%2F
unknown
whitelisted
3744
iexplore.exe
GET
200
34.96.116.138:80
http://hoffentt.com/
US
html
22.5 Kb
suspicious
3220
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3744
iexplore.exe
GET
200
142.250.185.115:80
http://www.imcreator.com/js/lightbox.js?v=1.5.8d
US
text
3.80 Kb
whitelisted
3744
iexplore.exe
GET
200
142.250.185.115:80
http://www.imcreator.com/js/spimeengine.js?v=1.5.8d
US
text
75.1 Kb
whitelisted
3744
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?944a970fe82fb8ef
US
compressed
4.70 Kb
whitelisted
3744
iexplore.exe
GET
200
142.250.185.115:80
http://www.imcreator.com/js/lib/touchswipe/jquery.mobile.custom.min.js
US
text
3.03 Kb
whitelisted
3744
iexplore.exe
GET
200
142.250.185.115:80
http://www.imcreator.com/all_js.js?v=1.5.8d
US
text
14.1 Kb
whitelisted
3744
iexplore.exe
GET
200
142.250.185.115:80
http://www.imcreator.com/static_style?v=1.5.8d&vbid=vbid-b5e6feb3-omsttuer&caller=live
US
text
5.25 Kb
whitelisted
3744
iexplore.exe
GET
200
142.250.185.115:80
http://www.imcreator.com/css/fonts.css?v=1.5.8d
US
text
1.62 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3220
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3744
iexplore.exe
34.96.116.138:80
hoffentt.com
GOOGLE
US
malicious
3744
iexplore.exe
142.250.185.115:80
www.imcreator.com
GOOGLE
US
malicious
3744
iexplore.exe
146.112.255.69:80
secure-web.cisco.com
OPENDNS
US
suspicious
3744
iexplore.exe
142.250.74.193:443
lh3.googleusercontent.com
GOOGLE
US
whitelisted
3744
iexplore.exe
142.250.186.148:443
imos006-dot-im--os.appspot.com
GOOGLE
US
suspicious
3744
iexplore.exe
172.217.16.206:443
www.youtube.com
GOOGLE
US
whitelisted
3744
iexplore.exe
69.16.175.10:443
code.jquery.com
STACKPATH-CDN
US
malicious
3744
iexplore.exe
172.217.16.202:443
fonts.googleapis.com
GOOGLE
US
whitelisted
3276
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
secure-web.cisco.com
  • 146.112.255.69
whitelisted
hoffentt.com
  • 34.96.116.138
suspicious
www.youtube.com
  • 172.217.16.206
  • 142.250.184.238
  • 216.58.212.174
  • 172.217.18.110
  • 142.250.74.206
  • 172.217.23.110
  • 216.58.212.142
  • 142.250.185.78
  • 142.250.185.110
  • 142.250.185.206
  • 142.250.185.238
  • 142.250.186.142
  • 142.250.186.46
  • 142.250.181.238
  • 142.250.186.110
  • 172.217.16.142
whitelisted
imos006-dot-im--os.appspot.com
  • 142.250.186.148
suspicious
www.imcreator.com
  • 142.250.185.115
whitelisted
code.jquery.com
  • 69.16.175.10
  • 69.16.175.42
whitelisted
lh3.googleusercontent.com
  • 142.250.74.193
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

No threats detected
No debug info