analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 343885dc9dc2d0da2785ef74b3405ad7bb00d029 |
| Full analysis: | https://app.any.run/tasks/69f06dd9-a583-4c24-92c0-1c7361081827 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | December 06, 2019, 14:57:42 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | B0057815D7CD82023A035CFEB2A13374 |
| SHA1: | 343885DC9DC2D0DA2785EF74B3405AD7BB00D029 |
| SHA256: | A77F09E26BE4003986FBC5D69A6C630AF3D5080FC16C1A8BD64FC453AA1D098F |
| SSDEEP: | 6144:YgcJHu4Hh06nTntKQ4FJ1zPrpOlWoFOqtWJINPI7jori36yoKswaD3:yVn8XDrkWo4g9IA2 |
MALICIOUS
Changes the autorun value in the registry
- serialfunc.exe (PID: 1648)
Emotet process was detected
- 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe (PID: 3012)
EMOTET was detected
- serialfunc.exe (PID: 1648)
Connects to CnC server
- serialfunc.exe (PID: 1648)
SUSPICIOUS
Application launched itself
- 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe (PID: 1556)
Starts itself from another location
- 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe (PID: 3012)
Connects to server without host name
- serialfunc.exe (PID: 1648)
Executable content was dropped or overwritten
- 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe (PID: 3012)
INFO
Dropped object may contain Bitcoin addresses
- 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe (PID: 3012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:12:06 13:30:55+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 274432 |
| InitializedDataSize: | 196608 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2c819 |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 06-Dec-2019 12:30:55 |
| Detected languages: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000E0 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 4 |
| Time date stamp: | 06-Dec-2019 12:30:55 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x000420F6 | 0x00043000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4516 |
.rdata | 0x00044000 | 0x00024A04 | 0x00025000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.9829 |
.data | 0x00069000 | 0x00005E5C | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.1767 |
.rsrc | 0x0006F000 | 0x00007238 | 0x00008000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.9361 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.65542 | 86 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.39742 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 6.31898 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 4.81844 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.84494 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.58552 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 3.02695 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR |
8 | 2.74274 | 180 | Latin 1 / Western European | English - United States | RT_CURSOR |
9 | 2.40212 | 128 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.34004 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR |
Imports
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
OLEACC.dll (delay-loaded) |
OLEAUT32.dll |
OPENGL32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
WINSPOOL.DRV |
Total processes
37
Monitored processes
4
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1556 | "C:\Users\admin\Desktop\343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe" | C:\Users\admin\Desktop\343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 3012 | --2e67262e | C:\Users\admin\Desktop\343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe | 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 2332 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 1648 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | |
User: admin Integrity Level: MEDIUM | ||||
Total events
73
Read events
58
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3012 | 343885dc9dc2d0da2785ef74b3405ad7bb00d029.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | |
MD5:B0057815D7CD82023A035CFEB2A13374 | SHA256:A77F09E26BE4003986FBC5D69A6C630AF3D5080FC16C1A8BD64FC453AA1D098F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1648 | serialfunc.exe | POST | 200 | 107.2.2.28:80 | http://107.2.2.28/XGGMo1dHI | US | binary | 132 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1648 | serialfunc.exe | 107.2.2.28:80 | — | Comcast Cable Communications, LLC | US | malicious |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
1648 | serialfunc.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 2 |
1648 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
1648 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
1648 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1 ETPRO signatures available at the full report