Field | Value |
---|---|
File name: | componserial.exe |
Full analysis: | https://app.any.run/tasks/d9346a4e-d546-433c-860e-3222e526ccad |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 16, 2019, 06:44:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 08DF0B25D63B09828C53503652D7B755 |
SHA1: | E9212BEAEE24C5D3F32673F0B96CF5DABE650B71 |
SHA256: | DF981A7AA93C033B47A51B6C505B4D8F00EC523EB05116E174914469E3BFDEE5 |
SSDEEP: | 3072:076kQQHAiOKVqrseSK7w/OGbhUoKLds5EC1vqYG9YE6WEv6r+VOi9O2ozu:07IVs27GhVK2WC1vqd9Yoaki9r |
Extension | File type | Score |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 67.4 |
.dll | Win32 Dynamic Link Library (generic) | 14.2 |
.exe | Win32 Executable (generic) | 9.7 |
.exe | Generic Win/DOS Executable | 4.3 |
.exe | DOS Executable Generic | 4.3 |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2019:11:15 21:40:45+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 98304 |
InitializedDataSize: | 147456 |
UninitializedDataSize: | - |
EntryPoint: | 0xb985 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 15-Nov-2019 20:40:45 |
Detected languages: | |
Debug artifacts: | |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 15-Nov-2019 20:40:45 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00017CB0 | 0x00018000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.59017 |
.rdata | 0x00019000 | 0x00001A41 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.80052 |
.data | 0x0001B000 | 0x0001CF8C | 0x0001C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.43832 |
.idata | 0x00038000 | 0x000011E2 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.87162 |
.rsrc | 0x0003A000 | 0x0000052C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.732398 |
.reloc | 0x0003B000 | 0x0000169F | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.72754 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
101 | 3.45893 | 578 | UNKNOWN | English - United Kingdom | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
OPENGL32.dll |
USER32.dll |
WINMM.dll |
comdlg32.dll |
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code |
---|---|---|---|---|---|---|---|
1956 | "C:\Users\admin\AppData\Local\Temp\componserial.exe" | C:\Users\admin\AppData\Local\Temp\componserial.exe | — | explorer.exe | admin | MEDIUM | 0 |
4076 | --d418e0a6 | C:\Users\admin\AppData\Local\Temp\componserial.exe | | componserial.exe | admin | MEDIUM | 0 |
3776 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | componserial.exe | admin | MEDIUM | 0 |
912 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | serialfunc.exe | admin | MEDIUM | 0 |
1268 | "C:\ProgramData\vpVKtEIt9ktAZs.exe" | C:\ProgramData\vpVKtEIt9ktAZs.exe | — | serialfunc.exe | admin | MEDIUM | 0 |
1292 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" /scomma "C:\Users\admin\AppData\Local\Temp\EFFA.tmp" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | serialfunc.exe | admin | MEDIUM | 0 |
2416 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\EFEA.tmp" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | serialfunc.exe | admin | MEDIUM | 0 |
1948 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\F01B.tmp" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | serialfunc.exe | admin | MEDIUM | 0 |
2588 | --38bef67a | C:\ProgramData\vpVKtEIt9ktAZs.exe | | vpVKtEIt9ktAZs.exe | admin | MEDIUM | 0 |
896 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | vpVKtEIt9ktAZs.exe | admin | MEDIUM | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1948 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | — | — |
1948 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp | — | — | — |
1948 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | — | — | — |
2416 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | pst | 2A7C80E137009B6A43DA7D8472DC1414 | 70071A4E4896876E4E112717CE1526B568B06C20180BC7EA24959EE3DA9454E6 |
912 | serialfunc.exe | C:\ProgramData\vpVKtEIt9ktAZs.exe | executable | 3DAFAFDC064A347DA04F6A03101EBE8F | E75848EDDB7B004E232947F437A3C209621FAE22C12C2D97ED1BFD6E19D1DCF1 |
1292 | serialfunc.exe | C:\Users\admin\AppData\Local\Temp\EFFA.tmp | text | F69701367FB5A10C30EAECBEA75C1204 | 2223283CB5B354DF12E4E69107B50F771057142A4D46CE60A55BBE2211F87FFB |
2416 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | pst | 4003182A8771F9C657F36C9B53919EEC | A9444565D26B26B8CB533846B7CCB3F616D2E1CAFF1CE0CB348046C238543B07 |
4076 | componserial.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | 08DF0B25D63B09828C53503652D7B755 | DF981A7AA93C033B47A51B6C505B4D8F00EC523EB05116E174914469E3BFDEE5 |
1948 | serialfunc.exe | C:\Users\admin\AppData\Local\Temp\F01B.tmp | binary | 913940E959B3101EFD43B1EDE527F17C | B79746A5C6BE28A286BAC68D395590DB6607E4039A14E84B2F102FBD5E2FA7B8 |
2588 | vpVKtEIt9ktAZs.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | 3DAFAFDC064A347DA04F6A03101EBE8F | E75848EDDB7B004E232947F437A3C209621FAE22C12C2D97ED1BFD6E19D1DCF1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
912 | serialfunc.exe | GET | — | 139.162.183.41:443 | http://139.162.183.41:443/whoami.php | DE | — | — | malicious |
912 | serialfunc.exe | GET | — | 87.106.253.248:8080 | http://87.106.253.248:8080/news.php | DE | — | — | malicious |
912 | serialfunc.exe | GET | — | 87.106.253.248:8080 | http://87.106.253.248:8080/whoami.php | DE | — | — | malicious |
912 | serialfunc.exe | POST | 200 | 65.23.154.17:8080 | http://65.23.154.17:8080/tlb/scripts/ | US | binary | 2.29 MB | malicious |
912 | serialfunc.exe | POST | 200 | 65.23.154.17:8080 | http://65.23.154.17:8080/devices/forced/ | US | binary | 148 B | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
912 | serialfunc.exe | 87.106.253.248:8080 | — | 1&1 Internet SE | DE | malicious |
912 | serialfunc.exe | 65.23.154.17:8080 | — | IO Capital Princess, LLC | US | malicious |
912 | serialfunc.exe | 139.162.183.41:443 | — | Linode, LLC | DE | malicious |
PID | Process | Class | Message |
---|---|---|---|
912 | serialfunc.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
912 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
912 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |