analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

395.bin (1).zip

Full analysis: https://app.any.run/tasks/cb23e3c4-51dd-46ff-9975-528a4d89b4b2
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: April 15, 2019, 13:30:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
trojan
feodo
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

85AC67BDE682E0B0D2B3E8592C7A2CFD

SHA1:

5B7EF786DAC9A09E48E01D556CA8053D865C7026

SHA256:

6C7DC997337BEA0BF1FC1731B0CBD35EC7F7E05FD75144E09803CFAC535D22B9

SSDEEP:

1536:Gj2Z2M6pHmw2uRXDk6hM4nAqFhVn37aYv8zxJof1+rnd988t9jZD:GrM6JmwraAM4Pb8cwndqq/D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 395.exe (PID: 2924)
      • 395.exe (PID: 2956)
      • soundser.exe (PID: 2596)
      • soundser.exe (PID: 2684)
    • Emotet process was detected

      • soundser.exe (PID: 2596)
    • EMOTET was detected

      • soundser.exe (PID: 2684)
    • Connects to CnC server

      • soundser.exe (PID: 2684)
  • SUSPICIOUS

    • Application launched itself

      • 395.exe (PID: 2924)
      • soundser.exe (PID: 2596)
    • Starts itself from another location

      • 395.exe (PID: 2956)
    • Executable content was dropped or overwritten

      • 395.exe (PID: 2956)
    • Connects to server without host name

      • soundser.exe (PID: 2684)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 395.bin
ZipUncompressedSize: 138552
ZipCompressedSize: 80767
ZipCRC: 0x9fa955af
ZipModifyDate: 2019:04:15 15:19:13
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs 395.exe no specs 395.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
2664"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\395.bin (1).zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2924"C:\Users\admin\Desktop\395.exe" C:\Users\admin\Desktop\395.exeexplorer.exe
User:
admin
Company:
360. cn
Integrity Level:
MEDIUM
Description:
360 FirstAid
Exit code:
0
Version:
1, 0, 0, 1007
2956--72c83dadC:\Users\admin\Desktop\395.exe
395.exe
User:
admin
Company:
360. cn
Integrity Level:
MEDIUM
Description:
360 FirstAid
Exit code:
0
Version:
1, 0, 0, 1007
2596"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
395.exe
User:
admin
Company:
360. cn
Integrity Level:
MEDIUM
Description:
360 FirstAid
Exit code:
0
Version:
1, 0, 0, 1007
2684--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Company:
360. cn
Integrity Level:
MEDIUM
Description:
360 FirstAid
Version:
1, 0, 0, 1007
Total events
496
Read events
473
Write events
23
Delete events
0

Modification events

(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2664) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\395.bin (1).zip
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2664) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(2684) soundser.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\soundser_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2664WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2664.3951\395.bin
MD5:
SHA256:
2956395.exeC:\Users\admin\AppData\Local\soundser\soundser.exeexecutable
MD5:FD17EE6D2138E342B839B812A60A7FD8
SHA256:65051AB33765A76AEDB7CC10CDBA57870EE98DD3137AD7830C9F68F99071CBB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
50
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2684
soundser.exe
POST
65.49.60.163:443
http://65.49.60.163:443/enabled/pnp/ringin/merge/
US
malicious
2684
soundser.exe
POST
190.117.206.153:443
http://190.117.206.153:443/loadan/
PE
malicious
2684
soundser.exe
POST
187.137.162.145:443
http://187.137.162.145:443/schema/site/
MX
malicious
2684
soundser.exe
POST
138.68.139.199:443
http://138.68.139.199:443/balloon/
GB
malicious
2684
soundser.exe
POST
404
185.86.148.222:8080
http://185.86.148.222:8080/forced/
SE
xml
345 b
malicious
2684
soundser.exe
POST
404
88.215.2.29:80
http://88.215.2.29/report/
GB
xml
345 b
malicious
2684
soundser.exe
POST
404
88.97.26.73:50000
http://88.97.26.73:50000/balloon/
GB
xml
345 b
malicious
2684
soundser.exe
POST
404
45.33.35.103:8080
http://45.33.35.103:8080/psec/rtm/ringin/
US
xml
345 b
malicious
2684
soundser.exe
POST
404
187.189.210.143:80
http://187.189.210.143/splash/
MX
xml
345 b
malicious
2684
soundser.exe
POST
404
43.229.62.186:8080
http://43.229.62.186:8080/cookies/
AU
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2684
soundser.exe
187.188.166.192:80
TOTAL PLAY TELECOMUNICACIONES SA DE CV
MX
malicious
187.189.210.143:80
TOTAL PLAY TELECOMUNICACIONES SA DE CV
MX
malicious
2684
soundser.exe
187.137.162.145:443
Uninet S.A. de C.V.
MX
malicious
2684
soundser.exe
190.117.206.153:443
America Movil Peru S.A.C.
PE
malicious
200.114.142.40:8080
CABLEVISION S.A.
AR
malicious
2684
soundser.exe
138.68.139.199:443
Digital Ocean, Inc.
GB
malicious
2684
soundser.exe
45.33.35.103:8080
Linode, LLC
US
malicious
77.44.16.54:465
Daisy Communications Ltd
GB
malicious
2684
soundser.exe
165.227.213.173:8080
Digital Ocean, Inc.
US
malicious
2684
soundser.exe
192.155.90.90:7080
Linode, LLC
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2684
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 8
2684
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2684
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 23
2684
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2684
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2684
soundser.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
2684
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 20
2684
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2684
soundser.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
2684
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 18
141 ETPRO signatures available at the full report
No debug info