File name: 4579042028453888.zip
Full analysis: https://app.any.run/tasks/960e38ca-c4df-4e45-b2fb-669e2cacac11
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 20, 2020, 09:15:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: C8D97A519275D0744D7B3C3213812652
SHA1: DD767A02F6D96B7203F4905021692E7733A04B4D
SHA256: 924FEB832DC66E7903BA2B420EE63E10BB836A370C2DA1D33AC168560118E20F
SSDEEP: 12288:fg0XPa7ziL4HYA/v14aBboCc/71HjYOs4yY47:hy6CY0yj/7tjjF47

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • api-ms-win-core-string-l1-1-0.exe (PID: 1864)
      • 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe (PID: 2192)
    • Changes the autorun value in the registry
      • api-ms-win-core-string-l1-1-0.exe (PID: 1864)
    • EMOTET was detected
      • api-ms-win-core-string-l1-1-0.exe (PID: 1864)
    • Connects to CnC server
      • api-ms-win-core-string-l1-1-0.exe (PID: 1864)
  • SUSPICIOUS
    • Connects to server without host name
      • api-ms-win-core-string-l1-1-0.exe (PID: 1864)
    • Starts itself from another location
      • 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe (PID: 2192)
    • Executable content was dropped or overwritten
      • 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe (PID: 2192)
    • Reads Internet Cache Settings
      • api-ms-win-core-string-l1-1-0.exe (PID: 1864)
  • INFO
    • Manual execution by user
      • 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe (PID: 2192)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (99.9)

EXIF (ZIP):
ZipFileName: 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a
ZipUncompressedSize: 731136
ZipCompressedSize: 431794
ZipCRC: 0xfe6da151
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain)

start -> winrar.exe (no specs)
start -> 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe -> (drop and start) -> api-ms-win-core-string-l1-1-0.exe (#EMOTET)

Process information

PID 2496
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\4579042028453888.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2192
  CMD: "C:\Users\admin\Desktop\9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe"
  Path: C:\Users\admin\Desktop\9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1864
  CMD: "C:\Users\admin\AppData\Local\AuthFWSnapin\api-ms-win-core-string-l1-1-0.exe"
  Path: C:\Users\admin\AppData\Local\AuthFWSnapin\api-ms-win-core-string-l1-1-0.exe
  Parent process: 9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe
  User: admin
  Integrity Level: MEDIUM
  Description: AdvancedTaskManager MFC Application
  Version: 1, 0, 0, 1
Total events: 509
Read events: 483
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2496 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2496.18191\9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a
  Type:
  MD5:
  SHA256:

PID 2192 (9065ee76509738d4f5146f40909b0a72e66ea50b315bc155974e3157ee0bae8a.exe)
  Filename: C:\Users\admin\AppData\Local\AuthFWSnapin\api-ms-win-core-string-l1-1-0.exe
  Type: executable
  MD5: BD2117462C23520BDC909E1E3BA9A9F6
  SHA256: 9065EE76509738D4F5146F40909B0A72E66EA50B315BC155974E3157EE0BAE8A
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID 1864 (api-ms-win-core-string-l1-1-0.exe)
  Method: POST
  HTTP Code: 200
  IP: 186.189.249.2:80
  URL: http://186.189.249.2/M5jOxbtr4/JG1wa0SEmUtoVyMk/
  CN: AR
  Type: binary
  Size: 132 b
  Reputation: malicious

Connections

PID 1864 (api-ms-win-core-string-l1-1-0.exe)
  IP: 186.189.249.2:80
  Domain:
  ASN:
  CN: AR
  Reputation: malicious

DNS requests

No data

Threats

PID 1864 (api-ms-win-core-string-l1-1-0.exe)
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] Emotet

1 ETPRO signature is available in the full report.
No debug info