analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

source (1).eml

Full analysis: https://app.any.run/tasks/6de2e354-f7c6-4a30-b5f2-1c9e9bb3029b
Verdict: Malicious activity
Analysis date: October 09, 2019, 17:43:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

D20A37736333F4EC9EDAB1E5A3278BF2

SHA1:

9524E54C131E5972A2A92A43FEA68C685361DEE1

SHA256:

94B0E8CF400F70CEA2E6A9128C6F7A047F2FE5A638222F3F5CB6491A29D086F7

SSDEEP:

6144:8KKzRg0nF0VmKJ1xoV8O2GOMhhuQ5U38EzvDnU:8KKd94Xoj2GDhciUbLDnU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2964)
      • notepad++.exe (PID: 2600)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2964)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 3872)
      • notepad++.exe (PID: 2600)

    • Dropped object may contain Bitcoin addresses

      • OUTLOOK.EXE (PID: 2964)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe explorer.exe no specs notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\source (1).eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3872"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2600"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Documents\message_zdm.html"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
4008"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Version:
4.1
Total events
1 854
Read events
1 378
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
37
Unknown types
1

Dropped files

PID
Process
Filename
Type
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4CC5.tmp.cvr
MD5:
SHA256:
2964OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
MD5:
SHA256:
2964OUTLOOK.EXEC:\Users\admin\Documents\message_zdm.html\:Zone.Identifier:$DATA
MD5:
SHA256:
2964OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:237FC440C1707B97C6C073DD294068A9
SHA256:9CE13E37E5578EBAD93F626F6FF32EF1B55F42ACF04C079F8BA89517FE5B2A26
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\KEZCMJZA\message_zdm.htmlhtml
MD5:F96A0F3C1171E6DEE8F7C5121A4BBB13
SHA256:1CC3253C9BFF0173A3C65A5F67ACF2223DBF60F0850C3FAB347EE7A3ABF453CE
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\logo_sm[1].gifimage
MD5:0DD4AE5F0C7964A2A9B216A2EB17229C
SHA256:BBEE3DAFF4A93FE4D252945F7104AA168D295AF73EC5A683A5CD39B08DE49AB5
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_753BD8624B21C84E8B798A2EF1073FFA.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_99803064C9C2FE4B998DF104B23F4198.datxml
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2
SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
2964OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txttext
MD5:7BE05584BB59C8F8B66AC7F3367AEFE5
SHA256:7579A7DF61F75F9014655B96A7E12DDF09B7E56D1E23DF796026F8533D559025
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{26667E60-34E3-4B13-9492-91740B25BBB4}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2964
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
GET
2.21.242.245:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMpeSsuddjFyk25ZqSQ83ahjg%3D%3D
NL
whitelisted
GET
200
2.21.242.187:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.21.242.187:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted
2964
OUTLOOK.EXE
206.213.253.12:443
voltage-pp-0000.aetna.com
Aetna
US
unknown
4008
gup.exe
2.57.89.199:443
notepad-plus-plus.org
suspicious
2964
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2.21.242.245:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
voltage-pp-0000.aetna.com
  • 206.213.253.12
  • 206.213.211.12
malicious
notepad-plus-plus.org
  • 2.57.89.199
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.21.242.187
  • 2.21.242.197
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.21.242.245
  • 2.21.242.204
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
source (1).eml