| Field | Value |
|---|---|
| File name | 835.bin.zip |
| Full analysis | https://app.any.run/tasks/aa9d81b8-79ca-4d56-b842-d1ad1748f78d |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
| Analysis date | September 19, 2019, 06:28:54 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | FAA1252C0ECC7047CADBC287EF0D368C |
| SHA1 | 0B0E7FF2C1C5E18D2DF00C01D4A78B1251ABEEF2 |
| SHA256 | 72FB37626945EDA84D519AC4615F15BA696A74CE78CF64FAE3BF778AE79CE02C |
| SSDEEP | 6144:mb2kPJESlwO0KZ6kUL2Sp6dPchY0Hq8ChlVZKwBmDHQ0bMScr7HUBqWynGfXYyg:makeBKTTS7KzZKwUTQ0grAB+nGfXi |
| Extension | Type | Match |
|---|---|---|
| .zip | ZIP compressed archive | 100 |

| Field | Value |
|---|---|
| ZipRequiredVersion | 788 |
| ZipBitFlag | 0x0001 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:09:18 21:59:25 |
| ZipCRC | 0x971249c5 |
| ZipCompressedSize | 282695 |
| ZipUncompressedSize | 524288 |
| ZipFileName | 835.bin |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2768 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\835.bin.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 3600 | "C:\Users\admin\Desktop\835.bin.exe" | C:\Users\admin\Desktop\835.bin.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2412 | "C:\Users\admin\Desktop\835.bin.exe" | C:\Users\admin\Desktop\835.bin.exe | — | 835.bin.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2492 | --dfbd7db1 | C:\Users\admin\Desktop\835.bin.exe | — | 835.bin.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3196 | --dfbd7db1 | C:\Users\admin\Desktop\835.bin.exe | | 835.bin.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2076 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 835.bin.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3596 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3704 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2396 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | | easywindow.exe | User: admin; Integrity Level: MEDIUM |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2492 | 835.bin.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | CA80A1F78A67900EC2728A4B146382EB | 29E78CC78069C44A26CE961104169753CEFD6724AD69DDCE2F863EFF2BB43F3A |
| 2076 | easywindow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | AB054C46FE037560B6AFCE9E8D22C2AE | 70511F11672BC1F2A11A871C6C718DAFB719C90C69C433F33B75513D189A5BD3 |
| 3600 | 835.bin.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | B602F2186F63AF1F2BD9F794451CF4E5 | 8B7A9BF83D90D1A8596C48D0BD0E0CF46B7B066E3F4F69EDE3E22B601BF384B2 |
| 3704 | easywindow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | 0C486B606A36EC3F16BFC48B501E483D | EFFFCAF692A19CA9D3ACEB0877F5AF983C84BC53A7FA9AB9573238E0F473C9DA |
| 3196 | 835.bin.exe | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | executable | BF2A3BBE79924E52BE9E18824C1E1550 | 23BB7590D1F79E552182BF686882D05F31035B76BE173B24308EA374BDEAF58D |
| 2768 | WinRAR.exe | C:\Users\admin\Desktop\835.bin | executable | BF2A3BBE79924E52BE9E18824C1E1550 | 23BB7590D1F79E552182BF686882D05F31035B76BE173B24308EA374BDEAF58D |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2396 | easywindow.exe | POST | 200 | 114.79.134.129:443 | http://114.79.134.129:443/guids/prep/ringin/merge/ | IN | binary | 132 b | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2396 | easywindow.exe | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 2396 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
| 2396 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 2396 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |