Field | Value |
---|---|
File name | SampleFromRosen.7z |
Full analysis | https://app.any.run/tasks/d82d1e18-b8cf-4bea-90c5-61253b43c7f6 |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date | January 10, 2019, 17:28:09 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-7z-compressed |
File info | 7-zip archive data, version 0.4 |
MD5 | 3E258E0BAABC15A0BDCA6CAA21D39881 |
SHA1 | 2EAE303572A8611D5C40034035A95720E8ADF5F5 |
SHA256 | 8C028C5279B41AE5AF45FDAA40FF99D5C7152072228C795D9034A8D28E164EDB |
SSDEEP | 12288:noAYPcFmqJhff3IxsGU6u6ySVixjQLBcyY850dZNw3h+jyYgNX3BMzF0QNOzF0:nB1p3xRUQjQNl2kh+OFBgvNj |
Extension | Description |
---|---|
.7z | 7-Zip compressed archive (v0.4) (57.1) |
.7z | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2724 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SampleFromRosen.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
2572 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.33352\15F1DBD4.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.33352\15F1DBD4.exe | — | WinRAR.exe | User: admin; Company: Fatal Enterprice; Integrity Level: MEDIUM; Description: QllZad; Exit code: 0; Version: 91.333.22.1 |
2996 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.33352\15F1DBD4.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.33352\15F1DBD4.exe | — | 15F1DBD4.exe | User: admin; Company: Fatal Enterprice; Integrity Level: MEDIUM; Description: QllZad; Exit code: 0; Version: 91.333.22.1 |
884 | "C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe | — | 15F1DBD4.exe | User: admin; Company: Fatal Enterprice; Integrity Level: MEDIUM; Description: QllZad; Exit code: 0; Version: 91.333.22.1 |
2664 | "C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe | — | searchatsd.exe | User: admin; Company: Fatal Enterprice; Integrity Level: MEDIUM; Description: QllZad; Exit code: 0; Version: 91.333.22.1 |
2628 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\23389072.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\23389072.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporatio; Integrity Level: MEDIUM; Description: Ru; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255 |
2984 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\23389072.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\23389072.exe | — | 23389072.exe | User: admin; Company: Microsoft Corporatio; Integrity Level: MEDIUM; Description: Ru; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255 |
3648 | "C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe | — | 23389072.exe | User: admin; Company: Microsoft Corporatio; Integrity Level: MEDIUM; Description: Ru; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255 |
1504 | "C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe | — | searchatsd.exe | User: admin; Company: Microsoft Corporatio; Integrity Level: MEDIUM; Description: Ru; Version: 6.1.7600.16385 (win7_rtm.090713-1255 |
3148 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.40955\doting.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.40955\doting.exe | — | WinRAR.exe | User: admin; Company: Rally Software Development Against; Integrity Level: MEDIUM; Description: Veryran; Version: 10.0.27.87 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2560 | doting.exe | C:\Users\admin\AppData\Local\Temp\Cab9027.tmp | — | — | — |
2560 | doting.exe | C:\Users\admin\AppData\Local\Temp\Tar9028.tmp | — | — | — |
2560 | doting.exe | C:\Users\admin\AppData\Local\Temp\Cab9048.tmp | — | — | — |
2560 | doting.exe | C:\Users\admin\AppData\Local\Temp\Tar9049.tmp | — | — | — |
2560 | doting.exe | C:\Users\admin\AppData\Local\Temp\Cab90C7.tmp | — | — | — |
2560 | doting.exe | C:\Users\admin\AppData\Local\Temp\Tar90C8.tmp | — | — | — |
2724 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\D5D2.tmp | executable | 486CA687F5429FCD16C28D2ADA29ECBD | F238C41168E5413F60E929BCF7EFB8BCCBF4FBB640758C938C43AE43D94369D6 |
2724 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\23389072.exe | executable | 8F3A44ACFB4D558016906049FAFE6EB1 | 4F0E15EF963334FD112CCF2F24702E0EAA71A002DA81D5663E5C8EC59D18D6A5 |
2984 | 23389072.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe | executable | 8F3A44ACFB4D558016906049FAFE6EB1 | 4F0E15EF963334FD112CCF2F24702E0EAA71A002DA81D5663E5C8EC59D18D6A5 |
2724 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.37197\15F1DBD4.exe | executable | 1F70EEA3CC9B72C8133F7E84127F8B9C | 134E71B5450138180C1B36BFA3E78F2B1E483372A474BEFF325FF9EAFF8C32E5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1504 | searchatsd.exe | GET | — | 74.131.89.83:80 | http://74.131.89.83/ | US | — | — | malicious |
1504 | searchatsd.exe | GET | — | 115.64.32.202:80 | http://115.64.32.202/ | AU | — | — | malicious |
1504 | searchatsd.exe | GET | — | 100.35.105.159:443 | http://100.35.105.159:443/ | US | — | — | whitelisted |
1504 | searchatsd.exe | GET | — | 216.21.168.27:80 | http://216.21.168.27/ | US | — | — | whitelisted |
2664 | searchatsd.exe | GET | — | 72.224.73.157:8080 | http://72.224.73.157:8080/ | US | — | — | malicious |
1504 | searchatsd.exe | GET | — | 173.61.22.150:443 | http://173.61.22.150:443/ | US | — | — | whitelisted |
1504 | searchatsd.exe | GET | — | 69.70.217.174:80 | http://69.70.217.174/ | CA | — | — | malicious |
1504 | searchatsd.exe | GET | — | 117.232.118.18:443 | http://117.232.118.18:443/ | IN | — | — | malicious |
1504 | searchatsd.exe | GET | — | 109.69.52.112:8080 | http://109.69.52.112:8080/ | ES | — | — | malicious |
2560 | doting.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1504 | searchatsd.exe | 115.64.32.202:80 | — | TPG Telecom Limited | AU | malicious |
1504 | searchatsd.exe | 74.131.89.83:80 | — | Time Warner Cable Internet LLC | US | malicious |
2664 | searchatsd.exe | 72.224.73.157:8080 | — | Time Warner Cable Internet LLC | US | malicious |
2560 | doting.exe | 14.1.28.165:443 | fault.limpiezaapresion.com | US Dedicated | US | malicious |
1504 | searchatsd.exe | 216.21.168.27:80 | — | Google Fiber Inc. | US | whitelisted |
2560 | doting.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1504 | searchatsd.exe | 69.70.217.174:80 | — | Videotron Telecom Ltee | CA | malicious |
1504 | searchatsd.exe | 100.35.105.159:443 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1504 | searchatsd.exe | 95.5.225.35:50000 | — | Turk Telekom | TR | malicious |
1504 | searchatsd.exe | 173.61.22.150:443 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
fault.limpiezaapresion.com | | malicious |
www.download.windowsupdate.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2664 | searchatsd.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2664 | searchatsd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2560 | doting.exe | A Network Trojan was detected | MALWARE [PTsecurity] JA3 GootKit Connection |
2560 | doting.exe | A Network Trojan was detected | MALWARE [PTsecurity] JA3 GootKit Connection |
1504 | searchatsd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
1504 | searchatsd.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
1504 | searchatsd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
1504 | searchatsd.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
1504 | searchatsd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
1504 | searchatsd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
Process | Message |
---|---|
doting.exe | MP3 file corrupted |
doting.exe | WMA 0 |
doting.exe | WMA 3 |
doting.exe | 2560:C:\Users\admin\AppData\Local\Temp\Rar$EXb2724.40955\doting.exe --vwxyz Ignition.... |
doting.exe | JS : RUN : doting.exe, ver : 27.12.18.1308 |
doting.exe | JS : WDE3:: GetAV processing... |
doting.exe | JS : WDE3:: GetAV records: NOAV |
doting.exe | OGG 0 |