File name: | 395.bin (1).zip |
Full analysis: | https://app.any.run/tasks/cb23e3c4-51dd-46ff-9975-528a4d89b4b2 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 15, 2019, 13:30:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 85AC67BDE682E0B0D2B3E8592C7A2CFD |
SHA1: | 5B7EF786DAC9A09E48E01D556CA8053D865C7026 |
SHA256: | 6C7DC997337BEA0BF1FC1731B0CBD35EC7F7E05FD75144E09803CFAC535D22B9 |
SSDEEP: | 1536:Gj2Z2M6pHmw2uRXDk6hM4nAqFhVn37aYv8zxJof1+rnd988t9jZD:GrM6JmwraAM4Pb8cwndqq/D |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 395.bin |
---|---|
ZipUncompressedSize: | 138552 |
ZipCompressedSize: | 80767 |
ZipCRC: | 0x9fa955af |
ZipModifyDate: | 2019:04:15 15:19:13 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2664 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\395.bin (1).zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2924 | "C:\Users\admin\Desktop\395.exe" | C:\Users\admin\Desktop\395.exe | — | explorer.exe |
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Exit code: 0 Version: 1, 0, 0, 1007 | ||||
2956 | --72c83dad | C:\Users\admin\Desktop\395.exe | 395.exe | |
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Exit code: 0 Version: 1, 0, 0, 1007 | ||||
2596 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 395.exe | |
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Exit code: 0 Version: 1, 0, 0, 1007 | ||||
2684 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Company: 360. cn Integrity Level: MEDIUM Description: 360 FirstAid Version: 1, 0, 0, 1007 |
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\395.bin (1).zip | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2664) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2684) soundser.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2664 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2664.3951\395.bin | — | |
MD5:— | SHA256:— | |||
2956 | 395.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:FD17EE6D2138E342B839B812A60A7FD8 | SHA256:65051AB33765A76AEDB7CC10CDBA57870EE98DD3137AD7830C9F68F99071CBB6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2684 | soundser.exe | POST | — | 65.49.60.163:443 | http://65.49.60.163:443/enabled/pnp/ringin/merge/ | US | — | — | malicious |
2684 | soundser.exe | POST | — | 190.117.206.153:443 | http://190.117.206.153:443/loadan/ | PE | — | — | malicious |
2684 | soundser.exe | POST | — | 187.137.162.145:443 | http://187.137.162.145:443/schema/site/ | MX | — | — | malicious |
2684 | soundser.exe | POST | — | 138.68.139.199:443 | http://138.68.139.199:443/balloon/ | GB | — | — | malicious |
2684 | soundser.exe | POST | 404 | 185.86.148.222:8080 | http://185.86.148.222:8080/forced/ | SE | xml | 345 b | malicious |
2684 | soundser.exe | POST | 404 | 88.215.2.29:80 | http://88.215.2.29/report/ | GB | xml | 345 b | malicious |
2684 | soundser.exe | POST | 404 | 88.97.26.73:50000 | http://88.97.26.73:50000/balloon/ | GB | xml | 345 b | malicious |
2684 | soundser.exe | POST | 404 | 45.33.35.103:8080 | http://45.33.35.103:8080/psec/rtm/ringin/ | US | xml | 345 b | malicious |
2684 | soundser.exe | POST | 404 | 187.189.210.143:80 | http://187.189.210.143/splash/ | MX | xml | 345 b | malicious |
2684 | soundser.exe | POST | 404 | 43.229.62.186:8080 | http://43.229.62.186:8080/cookies/ | AU | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2684 | soundser.exe | 187.188.166.192:80 | — | TOTAL PLAY TELECOMUNICACIONES SA DE CV | MX | malicious |
— | — | 187.189.210.143:80 | — | TOTAL PLAY TELECOMUNICACIONES SA DE CV | MX | malicious |
2684 | soundser.exe | 187.137.162.145:443 | — | Uninet S.A. de C.V. | MX | malicious |
2684 | soundser.exe | 190.117.206.153:443 | — | America Movil Peru S.A.C. | PE | malicious |
— | — | 200.114.142.40:8080 | — | CABLEVISION S.A. | AR | malicious |
2684 | soundser.exe | 138.68.139.199:443 | — | Digital Ocean, Inc. | GB | malicious |
2684 | soundser.exe | 45.33.35.103:8080 | — | Linode, LLC | US | malicious |
— | — | 77.44.16.54:465 | — | Daisy Communications Ltd | GB | malicious |
2684 | soundser.exe | 165.227.213.173:8080 | — | Digital Ocean, Inc. | US | malicious |
2684 | soundser.exe | 192.155.90.90:7080 | — | Linode, LLC | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2684 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 8 |
2684 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2684 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23 |
2684 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2684 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2684 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2684 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 20 |
2684 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2684 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2684 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 18 |