File name: 835.bin.zip
Full analysis: https://app.any.run/tasks/aa9d81b8-79ca-4d56-b842-d1ad1748f78d
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 19, 2019, 06:28:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet, trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FAA1252C0ECC7047CADBC287EF0D368C
SHA1: 0B0E7FF2C1C5E18D2DF00C01D4A78B1251ABEEF2
SHA256: 72FB37626945EDA84D519AC4615F15BA696A74CE78CF64FAE3BF778AE79CE02C
SSDEEP: 6144:mb2kPJESlwO0KZ6kUL2Sp6dPchY0Hq8ChlVZKwBmDHQ0bMScr7HUBqWynGfXYyg:makeBKTTS7KzZKwUTQ0grAB+nGfXi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 835.bin.exe (PID: 3600)
      • 835.bin.exe (PID: 2492)
      • 835.bin.exe (PID: 2412)
      • 835.bin.exe (PID: 3196)
      • easywindow.exe (PID: 2076)
      • easywindow.exe (PID: 3596)
      • easywindow.exe (PID: 3704)
      • easywindow.exe (PID: 2396)
    • Emotet process was detected

      • 835.bin.exe (PID: 3196)
    • EMOTET was detected

      • easywindow.exe (PID: 2396)
    • Connects to CnC server

      • easywindow.exe (PID: 2396)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 2396)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2768)
      • 835.bin.exe (PID: 3196)
    • Starts itself from another location

      • 835.bin.exe (PID: 3196)
    • Application launched itself

      • easywindow.exe (PID: 3704)
  • INFO

    • Manual execution by user

      • 835.bin.exe (PID: 3600)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:09:18 21:59:25
ZipCRC: 0x971249c5
ZipCompressedSize: 282695
ZipUncompressedSize: 524288
ZipFileName: 835.bin
No data.
Total processes: 42
Monitored processes: 9
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Nodes shown in the graph (per-process details are in the full report): start; WinRAR.exe (drop and start); 835.bin.exe (no specs) x3; 835.bin.exe (#EMOTET); easywindow.exe (no specs) x3; easywindow.exe (#EMOTET)

Process information

PID: 2768
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\835.bin.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3600
CMD: "C:\Users\admin\Desktop\835.bin.exe"
Path: C:\Users\admin\Desktop\835.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2412
CMD: "C:\Users\admin\Desktop\835.bin.exe"
Path: C:\Users\admin\Desktop\835.bin.exe
Parent process: 835.bin.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2492
CMD: --dfbd7db1
Path: C:\Users\admin\Desktop\835.bin.exe
Parent process: 835.bin.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3196
CMD: --dfbd7db1
Path: C:\Users\admin\Desktop\835.bin.exe
Parent process: 835.bin.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2076
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: 835.bin.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3596
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3704
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2396
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Integrity Level: MEDIUM
Total events: 518
Read events: 481
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID: 2492
Process: 835.bin.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: binary
MD5: CA80A1F78A67900EC2728A4B146382EB
SHA256: 29E78CC78069C44A26CE961104169753CEFD6724AD69DDCE2F863EFF2BB43F3A

PID: 2076
Process: easywindow.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: binary
MD5: AB054C46FE037560B6AFCE9E8D22C2AE
SHA256: 70511F11672BC1F2A11A871C6C718DAFB719C90C69C433F33B75513D189A5BD3

PID: 3600
Process: 835.bin.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: binary
MD5: B602F2186F63AF1F2BD9F794451CF4E5
SHA256: 8B7A9BF83D90D1A8596C48D0BD0E0CF46B7B066E3F4F69EDE3E22B601BF384B2

PID: 3704
Process: easywindow.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: binary
MD5: 0C486B606A36EC3F16BFC48B501E483D
SHA256: EFFFCAF692A19CA9D3ACEB0877F5AF983C84BC53A7FA9AB9573238E0F473C9DA

PID: 3196
Process: 835.bin.exe
Filename: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Type: executable
MD5: BF2A3BBE79924E52BE9E18824C1E1550
SHA256: 23BB7590D1F79E552182BF686882D05F31035B76BE173B24308EA374BDEAF58D

PID: 2768
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\835.bin
Type: executable
MD5: BF2A3BBE79924E52BE9E18824C1E1550
SHA256: 23BB7590D1F79E552182BF686882D05F31035B76BE173B24308EA374BDEAF58D
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID: 2396
Process: easywindow.exe
Method: POST
HTTP Code: 200
IP: 114.79.134.129:443
URL: http://114.79.134.129:443/guids/prep/ringin/merge/
CN: IN
Type: binary
Size: 132 b
Reputation: malicious

Connections

PID: 2396
Process: easywindow.exe
IP: 114.79.134.129:443
Domain: (none)
ASN: D-Vois Broadband Pvt Ltd
CN: IN
Reputation: malicious

DNS requests

No data

Threats

PID: 2396
Process: easywindow.exe
Class: A Network Trojan was detected
Message: AV TROJAN W32/Emotet CnC Checkin (Apr 2019)

PID: 2396
Process: easywindow.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Feodo/Emotet

PID: 2396
Process: easywindow.exe
Class: Potentially Bad Traffic
Message: ET POLICY HTTP traffic on port 443 (POST)
2 ETPRO signatures available at the full report
No debug info