analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

emotet.exe

Full analysis: https://app.any.run/tasks/c8e07399-3ae2-4eed-b072-c312ef9e81d0
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 00:11:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1BB7313AF8F390E115E22E32E9932A55

SHA1:

63B007744FA635DFF01B31CC1FD4BCD6D0B66BF5

SHA256:

CD13A9A774197BF84BD25A30F4CD51DBC4908138E2E008C81FC1FEEF881C6DA7

SSDEEP:

3072:XGCuBxwr5cw9TzBfW1fuDpzFEPx5QuW2/Gu+tD/3bxeY:FUSrewsWDgPx2Zdu+tD/3bx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMOTET detected by memory dumps

      • FXSCOMEX.exe (PID: 3396)

    • Connects to the CnC server

      • FXSCOMEX.exe (PID: 3396)

    • EMOTET was detected

      • FXSCOMEX.exe (PID: 3396)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • emotet.exe (PID: 2640)

    • Starts itself from another location

      • emotet.exe (PID: 2640)

    • Reads the Internet Settings

      • FXSCOMEX.exe (PID: 3396)

    • Connects to the server without a host name

      • FXSCOMEX.exe (PID: 3396)

  • INFO

    • Reads the computer name

      • emotet.exe (PID: 2640)
      • FXSCOMEX.exe (PID: 3396)

    • Checks supported languages

      • emotet.exe (PID: 2640)
      • FXSCOMEX.exe (PID: 3396)

    • The process checks LSA protection

      • emotet.exe (PID: 2640)
      • FXSCOMEX.exe (PID: 3396)

    • Reads the machine GUID from the registry

      • emotet.exe (PID: 2640)
      • FXSCOMEX.exe (PID: 3396)

    • Manual execution by a user

      • taskmgr.exe (PID: 308)
      • WINWORD.EXE (PID: 3528)

    • Checks proxy server information

      • FXSCOMEX.exe (PID: 3396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

ProductVersion: 1, 0, 0, 1
ProductName: SkinDialog_Demo Application
OriginalFileName: SkinDialog_Demo.EXE
LegalTrademarks: -
LegalCopyright: Copyright (C) 2003
InternalName: SkinDialog_Demo
FileVersion: 1, 0, 0, 1
FileDescription: SkinDialog_Demo MFC Application
CompanyName: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1d8c
UninitializedDataSize: -
InitializedDataSize: 245760
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2020:06:16 12:36:18+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Jun-2020 12:36:18
Detected languages:
  • English - United States
CompanyName: -
FileDescription: SkinDialog_Demo MFC Application
FileVersion: 1, 0, 0, 1
InternalName: SkinDialog_Demo
LegalCopyright: Copyright (C) 2003
LegalTrademarks: -
OriginalFilename: SkinDialog_Demo.EXE
ProductName: SkinDialog_Demo Application
ProductVersion: 1, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 16-Jun-2020 12:36:18
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00001042
0x00002000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.84838
.rdata
0x00003000
0x000005E0
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.68212
.data
0x00004000
0x0000020C
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.550976
.idata
0x00005000
0x000009DE
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.82616
.rsrc
0x00006000
0x00037240
0x00038000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.96083
.reloc
0x0003E000
0x000007E8
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
2.21175

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.35682
820
UNKNOWN
English - United States
RT_VERSION
2
2.55844
296
UNKNOWN
English - United States
RT_ICON
7
2.2268
82
UNKNOWN
English - United States
RT_STRING
100
3.44432
298
UNKNOWN
English - United States
RT_DIALOG
102
2.40823
66
UNKNOWN
English - United States
RT_DIALOG
128
2.37086
34
UNKNOWN
English - United States
RT_GROUP_ICON
129
3.92478
180040
UNKNOWN
English - United States
RT_BITMAP
7107
7.99241
42820
UNKNOWN
English - United States
RT_RCDATA

Imports

GDI32.dll
KERNEL32.dll
MFC42.DLL
MSVCP60.dll
MSVCRT.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start emotet.exe #EMOTET fxscomex.exe taskmgr.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2640"C:\Users\admin\Desktop\emotet.exe" C:\Users\admin\Desktop\emotet.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SkinDialog_Demo MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\emotet.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3396"C:\Users\admin\AppData\Local\WlanMM\FXSCOMEX.exe"C:\Users\admin\AppData\Local\WlanMM\FXSCOMEX.exe
emotet.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SkinDialog_Demo MFC Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\wlanmm\fxscomex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
308"C:\Windows\system32\taskmgr.exe" C:\Windows\System32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3528"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\shippingchanges.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
5 852
Read events
5 496
Write events
74
Delete events
282

Modification events

(PID) Process:(3396) FXSCOMEX.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3396) FXSCOMEX.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3396) FXSCOMEX.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3396) FXSCOMEX.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003E010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3528) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3528) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(3528) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(3528) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(3528) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(3528) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
Executable files
2
Suspicious files
2
Text files
2
Unknown types
10

Dropped files

PID
Process
Filename
Type
3528WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB041.tmp.cvr
MD5:
SHA256:
3528WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:4DFD11D49CE9E95ED0065C1F8E207AFA
SHA256:8ECE7B245C4F62A9D1DF0EDEB71B2C24A28A09842EF016CBDCA26F5584B97CD8
3528WINWORD.EXEC:\Users\admin\Desktop\~$ippingchanges.rtfpgc
MD5:64C51FBEEFE0B64B07F44AD839A1C8ED
SHA256:E872A85852BD197FF88707B8F6E553A656EB46529FAA1A35BCD9B3EC8B123BED
3528WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\shippingchanges.rtf.LNKlnk
MD5:BBFAE25559945909DD8B83A477D3E417
SHA256:E853F201F189F676E171AAF0C53FFB63CE42DE204EB3DB21D4BA18F25953CDEE
3528WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FBEB3D2C-3D09-4DD1-9C65-999C8CFD59F2}.tmpdbf
MD5:59D6FAD0CD38F99F0221D4EA14FC0992
SHA256:7702EE6F0085BE9C3E9A08C0D21DA254BFA89D93369D9146D8D882B55A0B1BA4
3528WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{98C2F586-9EDD-4817-82EE-1A6F72F58357}.tmpbinary
MD5:18B2E5893A79AE8D505B30947A744952
SHA256:92F22343C30A473268D49190AEE17B5EC67D903F5CD9ED84227960B4F1C0414E
3528WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:00CD3E8321E1BC1024749592334135ED
SHA256:5D65465C2C1AEEE3DF626156CC659707416054ADB63A75EE275E115EEF042DC7
3528WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ABBB9E7B-81E7-4C09-8D50-6333EF04A8ED}.tmpsmt
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
2640emotet.exeC:\Users\admin\AppData\Local\WlanMM\FXSCOMEX.exeexecutable
MD5:1BB7313AF8F390E115E22E32E9932A55
SHA256:CD13A9A774197BF84BD25A30F4CD51DBC4908138E2E008C81FC1FEEF881C6DA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3396
FXSCOMEX.exe
POST
41.203.62.170:80
http://41.203.62.170/eiIorLgwrEEGdd/
ZA
malicious
3396
FXSCOMEX.exe
POST
46.105.131.87:80
http://46.105.131.87/dOgmijNAuB/
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3396
FXSCOMEX.exe
41.203.62.170:80
ECN Telecommunications
ZA
malicious
3396
FXSCOMEX.exe
46.105.131.87:80
OVH SAS
FR
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3396
FXSCOMEX.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
3396
FXSCOMEX.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin M3
3396
FXSCOMEX.exe
Unknown Classtype
ET MALWARE Win32/Emotet CnC Activity (POST) M8
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
emotet.exe