File name:	5aa2d3f6ef2bee0bd42a927bcbdd6028363daf52bbb88c64ffcc28f393d4eb07
Full analysis:	https://app.any.run/tasks/e405ead9-56f6-4633-9472-2f3951ee4e0b
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 16, 2024, 09:44:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	emotet stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	CBF568248AB09F4C6AA37857F9BA7555
SHA1:	75930EC9F92BAB6B983388D7409C00410BD138BF
SHA256:	5AA2D3F6EF2BEE0BD42A927BCBDD6028363DAF52BBB88C64FFCC28F393D4EB07
SSDEEP:	12288:5zizDJ+Ysxc8CMgP8jHcTtb800EFmF9eZ9S5L:5zRVuJ03re7S5

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:10:16 12:18:08+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	155136
InitializedDataSize:	296960
UninitializedDataSize:	-
EntryPoint:	0x105f6
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	TODO: <Company name>
FileDescription:	TODO: <File description>
FileVersion:	1.0.0.1
InternalName:	MonitorTest.exe
LegalCopyright:	TODO: (c) <Company name>. All rights reserved.
OriginalFileName:	MonitorTest.exe
ProductName:	TODO: <Product name>
ProductVersion:	1.0.0.1


(PID) Process:	(2708) xwtpw32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2708) xwtpw32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2708) xwtpw32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
5748	5aa2d3f6ef2bee0bd42a927bcbdd6028363daf52bbb88c64ffcc28f393d4eb07.exe	C:\Users\admin\AppData\Local\KBDAZE\xwtpw32.exe		executable
		MD5:CBF568248AB09F4C6AA37857F9BA7555	SHA256:5AA2D3F6EF2BEE0BD42A927BCBDD6028363DAF52BBB88C64FFCC28F393D4EB07

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7060	RUXIMICS.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7060	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2708	xwtpw32.exe	POST	—	103.3.63.137:8080	http://103.3.63.137:8080/DDWdhaEQ3YgWohff8/8zc5Au/QT6d1bnGLXle1GH7eB/XE5AFTsMM3oDL/	unknown	—	—	unknown
2708	xwtpw32.exe	POST	—	73.100.19.104:80	http://73.100.19.104/PF0nM62LXv1Tfl/	unknown	—	—	malicious
2708	xwtpw32.exe	POST	—	192.175.111.217:7080	http://192.175.111.217:7080/ZRkg/uE3VpR9PisagqhCv/uRa0dA8zThBWQy/	unknown	—	—	unknown
2708	xwtpw32.exe	POST	—	188.166.220.180:7080	http://188.166.220.180:7080/kD2cItbU/	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7060	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.130:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
7060	RUXIMICS.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
www.bing.com	2.23.209.130 2.23.209.150 2.23.209.193 2.23.209.149 2.23.209.161 2.23.209.176 2.23.209.133 2.23.209.140 2.23.209.158	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.9	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
self.events.data.microsoft.com	20.42.73.31	whitelisted

PID	Process	Class	Message
2708	xwtpw32.exe	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11
2708	xwtpw32.exe	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11
2708	xwtpw32.exe	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11
2708	xwtpw32.exe	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11
2708	xwtpw32.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
2708	xwtpw32.exe	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11
—	—	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11
2708	xwtpw32.exe	A Network Trojan was detected	ET MALWARE Win32/Emotet CnC Activity (POST) M11

General Info

5aa2d3f6ef2bee0bd42a927bcbdd6028363daf52bbb88c64ffcc28f393d4eb07

CBF568248AB09F4C6AA37857F9BA7555

75930EC9F92BAB6B983388D7409C00410BD138BF

5AA2D3F6EF2BEE0BD42A927BCBDD6028363DAF52BBB88C64FFCC28F393D4EB07

12288:5zizDJ+Ysxc8CMgP8jHcTtb800EFmF9eZ9S5L:5zRVuJ03re7S5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

EMOTET has been detected (YARA)

Connects to the CnC server

EMOTET has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

Connects to the server without a host name

Connects to unusual port

INFO

The process uses the downloaded file

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings