General Info

File name: 395.bin (1).zip
Full analysis: https://app.any.run/tasks/cb23e3c4-51dd-46ff-9975-528a4d89b4b2
Verdict: Malicious activity
Threats:

Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.

Analysis date: 4/15/2019, 15:30:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

emotet

banker

trojan

feodo

Indicators:

MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 85ac67bde682e0b0d2b3e8592c7a2cfd
SHA1: 5b7ef786dac9a09e48e01d556ca8053d865c7026
SHA256: 6c7dc997337bea0bf1fc1731b0cbd35ec7f7e05fd75144e09803cfac535d22b9
SSDEEP: 1536:Gj2Z2M6pHmw2uRXDk6hM4nAqFhVn37aYv8zxJof1+rnd988t9jZD:GrM6JmwraAM4Pb8cwndqq/D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds
Additional time used: 240 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • 395.exe (PID: 2956)
  • 395.exe (PID: 2924)
  • soundser.exe (PID: 2596)
  • soundser.exe (PID: 2684)
Emotet process was detected
  • soundser.exe (PID: 2596)
EMOTET was detected
  • soundser.exe (PID: 2684)
Connects to CnC server
  • soundser.exe (PID: 2684)
Application launched itself
  • 395.exe (PID: 2924)
  • soundser.exe (PID: 2596)
Starts itself from another location
  • 395.exe (PID: 2956)
Executable content was dropped or overwritten
  • 395.exe (PID: 2956)
Connects to server without host name
  • soundser.exe (PID: 2684)

No info indicators.


Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF (ZIP)
ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:04:15 15:19:13
ZipCRC: 0x9fa955af
ZipCompressedSize: 80767
ZipUncompressedSize: 138552
ZipFileName: 395.bin

Processes

Total processes: 37
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start drop and start winrar.exe no specs 395.exe no specs 395.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2664
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\395.bin (1).zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2924
CMD
"C:\Users\admin\Desktop\395.exe"
Path
C:\Users\admin\Desktop\395.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
360. cn
Description
360 FirstAid
Version
1, 0, 0, 1007
Modules
Image
c:\users\admin\desktop\395.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2956
CMD
--72c83dad
Path
C:\Users\admin\Desktop\395.exe
Indicators
Parent process
395.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
360. cn
Description
360 FirstAid
Version
1, 0, 0, 1007
Modules
Image
c:\users\admin\desktop\395.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\s
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll

PID
2596
CMD
"C:\Users\admin\AppData\Local\soundser\soundser.exe"
Path
C:\Users\admin\AppData\Local\soundser\soundser.exe
Indicators
Parent process
395.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
360. cn
Description
360 FirstAid
Version
1, 0, 0, 1007
Modules
Image
c:\users\admin\appdata\local\soundser\soundser.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2684
CMD
--3ab57678
Path
C:\Users\admin\AppData\Local\soundser\soundser.exe
Indicators
Parent process
soundser.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
360. cn
Description
360 FirstAid
Version
1, 0, 0, 1007
Modules
Image
c:\users\admin\appdata\local\soundser\soundser.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events: 496
Read events: 473
Write events: 23
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | ––
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | ––
2664 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\395.bin (1).zip
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2664 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 | EnableFileTracing | 0
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 | EnableConsoleTracing | 0
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 | FileTracingMask | 4294901760
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 | ConsoleTracingMask | 4294901760
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 | MaxFileSize | 1048576
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 | FileDirectory | %windir%\tracing
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASMANCS | EnableFileTracing | 0
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASMANCS | EnableConsoleTracing | 0
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASMANCS | FileTracingMask | 4294901760
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASMANCS | ConsoleTracingMask | 4294901760
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASMANCS | MaxFileSize | 1048576
2684 | soundser.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASMANCS | FileDirectory | %windir%\tracing
2684 | soundser.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2684 | soundser.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | ––

Files activity

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2956 | 395.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | fd17ee6d2138e342b839b812a60a7fd8 | 65051ab33765a76aedb7cc10cdba57870ee98dd3137ad7830c9f68f99071cbb6
2664 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2664.3951\395.bin | –– | –– | ––


Network activity

HTTP(S) requests: 50
TCP/UDP connections: 50
DNS requests: 0
Threats: 217

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation


Connections

PID Process IP ASN CN Reputation

DNS requests

No DNS requests.

Threats

PID Process Class Message
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 8
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 23
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 20
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 18
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 3
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 13
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 11
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 9
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 14
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 1
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 22
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 21
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 19
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 10
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 6
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 5
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 4
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 17
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe Potentially Bad Traffic ET POLICY HTTP traffic on port 443 (POST)
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 24
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2684 soundser.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet

141 ETPRO signatures available at the full report

Debug output strings

No debug info.