File name: | _______139.zip.zip |
Full analysis: | https://app.any.run/tasks/f1b3a36c-29a5-4eba-a059-e83a77db8e97 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a highly destructive malware family. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | May 30, 2020, 14:08:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 90FFEF827E4F16FD77605755956F6B8E |
SHA1: | 73C14AE34FFB758A40F0D0F5DEEED36EBCEE07B9 |
SHA256: | 9D0E809B6887201F3E2B950772A36230B8EF79166B73A32E3CBC9557A5BA42EC |
SSDEEP: | 98304:Fy3bm+CRVuXXbmJiKmH5UU9X068FU/r9a/o/Ww6JAwVTFRpePlXl/YaDX6tvLIxl:FT9wKJiKm5UU506ap/o/J6JzBRpyz/b/ |
Archive field | Value
---|---
File type | .zip, ZIP compressed archive (100)
ZipFileName | _______139.zip
ZipUncompressedSize | 5500966
ZipCompressedSize | 5500966
ZipCRC | 0xf72396d0
ZipModifyDate | 2020:05:30 13:06:20
ZipCompression | None (stored; compressed size equals uncompressed size)
ZipBitFlag | 0x0001
ZipRequiredVersion | 788
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
1476 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_______139.zip.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
788 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb1476.5481\_______139.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2340 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\-·¦++»+e+-_139\7.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2720 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\-·¦++»+e+-_139\7.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385

The outer archive is a ZIP nested inside a ZIP; WinRAR (PID 1476) opens the outer file and a second WinRAR instance (PID 788) extracts the inner archive to the Desktop. The extracted 7.js is then launched twice from explorer.exe (PIDs 2340 and 2720), i.e. by the user double-clicking it, and both script hosts run at medium integrity.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\13.js | — | — | —
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\14.xls | document | D9A7FB184F4A5144578BA478EA4FF2F9 | EC9F6A70899278D8EECD7C501971B8381B9EF9AFFAE659521F1E5009BE15ABC7
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\10.xls | compressed | 855E1E1367C0A8D9F2FD46918EB5B3C9 | D2C589B77D45E0D1F94527FD68C1A7B8AA3CC9D95884CE0FF2206E5C5F3F6BA1
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\7.js | text | 38707AD3B1CB749110106D584F284709 | 8087DD31C6BE7C64EDB284C328AF2339F639B07F52504CDD92E64E9E65828D9F
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\15.doc | document | 8A7503E761E88E0A2BD46D9EB0A86671 | 061149355C02F541F47F9EDAF94167D58FA3FBAD72296FED3CA924DCBB6C7299
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\1.xlsm | document | 12C9DBBC09DDE8F14C088BC565DD842E | B44998299000B6B294573F273F73DA4F12A27F1A0ADC36931EBE547CE80A7E11
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\12.doc | document | 2639CD53CBC6872A924B25D84144D5F1 | 955352B5116D7DE50DC75377889A495446554779FB768260BE4B23C59A5A967E
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\4.xlsm | document | 7906950D3DD3BFF86D65B514418B2910 | 671015570338F52663157DA906EB6F24E1F5298146F07D25B914AF9795984AD4
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\9.xls | document | BE398CDAA2004EE2A60F37E77C5B24A0 | 8317150244235D7A6CDF2ECA124A369F9310899E372DA624D225967F2091A786
788 | WinRAR.exe | C:\Users\admin\Desktop\-·¦++»+e+-_139\16.doc | document | B92021CA10AED3046FC3BE5AC1C2A094 | C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807

Note that 10.xls is typed as "compressed" rather than "document", and 13.js has no recorded hashes, so only 7.js among the scripts can be matched by hash against other samples.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2340 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2340 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2340 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2340 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2340 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2720 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2720 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2340 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2720 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious
2720 | WScript.exe | POST | — | 192.169.69.25:7000 | http://348.duckdns.org:7000/Vre | US | — | — | malicious

Both script hosts repeatedly POST to the same URL on a non-standard port (7000) with no recorded HTTP response code or body size, consistent with a beacon to a controller that was not answering during the analysis window.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2720 | WScript.exe | 192.169.69.25:7000 | 348.duckdns.org | Wowrack.com | US | malicious |
2340 | WScript.exe | 192.169.69.25:7000 | 348.duckdns.org | Wowrack.com | US | malicious |
Domain | IP | Reputation
---|---|---
348.duckdns.org | 192.169.69.25 | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
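The behaviour recorded in this report (a script host launched from an extracted archive on the Desktop, a DNS query to a free dynamic-DNS zone, and repeated POSTs from WScript.exe to that host on port 7000) maps directly onto three behavioural checks. The script below is an added example, not part of the ANY.RUN report or its tooling: it runs those checks over constructed events that mirror the report's process, DNS and HTTP rows, and then lists the network indicators to block. The event schema, the dynamic-DNS suffixes other than duckdns.org, and the benign control row are assumptions of this example.

```python
# Added example, not part of the ANY.RUN report: behavioural checks derived
# from the activity above, run over constructed events. Event schema, the
# extra dynamic-DNS suffixes and the benign control row are assumptions.
import re
from urllib.parse import urlsplit

# duckdns.org is the provider seen in this report; the other suffixes are
# assumed additions covering comparable free dynamic-DNS services.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:js|jse|vbs|vbe|wsf))"', re.I)
WEB_PORTS = {80, 443, 8080}


def is_dynamic_dns(domain):
    """True if the name is, or sits under, a dynamic-DNS zone (the ET INFO rule's intent)."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def script_from_user_path(proc):
    """Script host started with a script file that lives in a user-writable directory."""
    image = proc["image"].rsplit("\\", 1)[-1].lower()
    m = SCRIPT_ARG.search(proc["cmd"])
    return image in SCRIPT_HOSTS and m is not None and USER_WRITABLE.match(m.group(1)) is not None


def suspicious_post(net):
    """POST from a script host to a dynamic-DNS name or to a port browsers do not normally use."""
    u = urlsplit(net["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    return (net["image"].lower() in SCRIPT_HOSTS and net["method"] == "POST"
            and (is_dynamic_dns(u.hostname or "") or port not in WEB_PORTS))


def triage(events):
    """Return (pid, finding) pairs; a PID hit by several checks is the first one to pull."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and script_from_user_path(ev):
            hits.append((ev["pid"], "script host launched from user-writable path"))
        elif ev["type"] == "dns" and is_dynamic_dns(ev["query"]):
            hits.append((ev["pid"], "DNS query to dynamic-DNS domain"))
        elif ev["type"] == "http" and suspicious_post(ev):
            hits.append((ev["pid"], "script host POST to dynamic-DNS host or non-web port"))
    return hits


def iocs(events):
    """Network indicators to block, taken only from PIDs that some check flagged."""
    flagged = {pid for pid, _ in triage(events)}
    out = {"domains": set(), "urls": set()}
    for ev in events:
        if ev["pid"] not in flagged:
            continue
        if ev["type"] == "http":
            out["domains"].add(urlsplit(ev["url"]).hostname)
            out["urls"].add(ev["url"])
        elif ev["type"] == "dns":
            out["domains"].add(ev["query"])
    return out


# Constructed events mirroring the report's process, DNS and HTTP tables,
# plus one benign browser GET (PID 3001, assumed) that must not fire.
EVENTS = [
    {"type": "process", "pid": 1476, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_______139.zip.zip"',
     "parent": "explorer.exe"},
    {"type": "process", "pid": 2340, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\-·¦++»+e+-_139\7.js"',
     "parent": "explorer.exe"},
    {"type": "dns", "pid": 2340, "query": "348.duckdns.org"},
    {"type": "http", "pid": 2340, "image": "WScript.exe", "method": "POST",
     "url": "http://348.duckdns.org:7000/Vre"},
    {"type": "http", "pid": 2720, "image": "WScript.exe", "method": "POST",
     "url": "http://348.duckdns.org:7000/Vre"},
    {"type": "http", "pid": 3001, "image": "iexplore.exe", "method": "GET",
     "url": "http://example.com/"},
]

if __name__ == "__main__":
    for pid, what in triage(EVENTS):
        print(pid, what)
    print(iocs(EVENTS))
```

The dynamic-DNS check matches on the zone suffix with a leading dot, so a look-alike such as notduckdns.org does not fire; the script-host check keys on the script argument's location rather than on the script name, which survives renaming of 7.js. Blocking only indicators from flagged PIDs keeps an unrelated browser session out of the blocklist.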