File name: | certhelp.zip |
Full analysis: | https://app.any.run/tasks/441bd09a-309c-46ec-aae4-27164b4d4485 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 05, 2022, 19:21:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 1D5CAD2096C09AEA5C4CB11036B3B17C |
SHA1: | 64828AE50EEC356DF33AB12D7CB0870B748AAAFE |
SHA256: | D4BBF164725162EAF80A3D7871B4ED7ADF4A9FEE8022EE957D642F52547FA5B3 |
SSDEEP: | 1536:dOH0JfMbJ3te1uKydb2bVOFswRk7Ukkzde8Gq01Zt4fvvRF:SQ+kzydqbgFtXnRstQ |
.zip | | | ZIP compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1328 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\certhelp.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
560 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.10776\certhelp.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.10776\certhelp.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3388 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.10776\certhelp.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.10776\certhelp.exe | — | certhelp.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3120 | "C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe | certhelp.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2008 | "C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe | secmsi.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
1328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.10776\certhelp.exe | executable | |
MD5:B4B768B594A7A999743B203B80CF2D14 | SHA256:E0D69A6E9B4ABFB79954DD73EAC0AEC0D4F3B3FC5A9DD5AF9202B621949748CA | |||
3388 | certhelp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe | executable | |
MD5:B4B768B594A7A999743B203B80CF2D14 | SHA256:E0D69A6E9B4ABFB79954DD73EAC0AEC0D4F3B3FC5A9DD5AF9202B621949748CA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2008 | secmsi.exe | POST | — | 37.187.57.57:443 | http://37.187.57.57:443/ | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2008 | secmsi.exe | 37.187.57.57:443 | — | OVH SAS | FR | malicious |
PID | Process | Class | Message |
---|---|---|---|
2008 | secmsi.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Checkin (POST) |
2008 | secmsi.exe | A Network Trojan was detected | ET TROJAN W32/Emotet.v4 Checkin |
2008 | secmsi.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2008 | secmsi.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
2008 | secmsi.exe | Potentially Bad Traffic | AV POLICY HTTP traffic on port 443 to IP host (POST) |