File name: | e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f |
Full analysis: | https://app.any.run/tasks/825d044a-af0a-479b-b5a4-4b0702b1d463 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 13:53:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | BADA3BF01142A56B6D2C33764C2405D1 |
SHA1: | E8A2D57EB827E4E9A22946CBE35CBFEB15AE191F |
SHA256: | E6630ADFC5882BE333236FD4DA6B8FB8C86866B4768B7914FA9102A3DE3BC3B0 |
SSDEEP: | 3072:cn0BfBf7SnC6Xn2lB4lyG5cJKOOAHVfK0lWcngIZMgjMwwAzQr8tUB4/DxYf:c0BfBf7SMwl/+JRVRAcgcMxZkij42 |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
SpecialBuild: | - |
---|---|
ProductVersion: | 1, 0, 0, 1 |
ProductName: | Monkey Head Media Stream |
PrivateBuild: | - |
OriginalFileName: | MHMS.exe |
LegalTrademarks: | - |
LegalCopyright: | Copyright © 2003 |
InternalName: | MHMS |
FileVersion: | 1, 0, 0, 1 |
FileDescription: | Monkey Head Media Stream |
CompanyName: | Monkey Head Software |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.1 |
FileVersionNumber: | 1.0.0.1 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x9a73 |
UninitializedDataSize: | - |
InitializedDataSize: | 524288 |
CodeSize: | 98304 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2019:10:07 13:08:01+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Oct-2019 11:08:01 |
Detected languages: |
|
Comments: | - |
CompanyName: | Monkey Head Software |
FileDescription: | Monkey Head Media Stream |
FileVersion: | 1, 0, 0, 1 |
InternalName: | MHMS |
LegalCopyright: | Copyright © 2003 |
LegalTrademarks: | - |
OriginalFilename: | MHMS.exe |
PrivateBuild: | - |
ProductName: | Monkey Head Media Stream |
ProductVersion: | 1, 0, 0, 1 |
SpecialBuild: | - |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 07-Oct-2019 11:08:01 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00017070 | 0x00018000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51103 |
.rdata | 0x00019000 | 0x00019F6F | 0x0001A000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.21197 |
.data | 0x00033000 | 0x00003450 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.52612 |
.rsrc | 0x00037000 | 0x00063CAA | 0x00064000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.30221 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.65542 | 86 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.33996 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 2.33996 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 2.01095 | 748 | Latin 1 / Western European | English - United States | RT_CURSOR |
5 | 1.81531 | 748 | Latin 1 / Western European | English - United States | RT_CURSOR |
26 | 3.10106 | 112 | UNKNOWN | English - United States | RT_STRING |
102 | 2.37086 | 34 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
103 | 2.02322 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
104 | 2.11924 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_CURSOR |
105 | 2.21924 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_CURSOR |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
WS2_32.dll |
comdlg32.dll |
Title | Ordinal | Address |
---|---|---|
Run | 1 | 0x00006C49 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3076 | "C:\Users\admin\Desktop\e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f.exe" | C:\Users\admin\Desktop\e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f.exe | — | explorer.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
3764 | --12f3b5c6 | C:\Users\admin\Desktop\e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f.exe | e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
3720 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2380 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1 |
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2380) msptermsizes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msptermsizes_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3764 | e8a2d57eb827e4e9a22946cbe35cbfeb15ae191f.exe | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | executable | |
MD5:BADA3BF01142A56B6D2C33764C2405D1 | SHA256:E6630ADFC5882BE333236FD4DA6B8FB8C86866B4768B7914FA9102A3DE3BC3B0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2380 | msptermsizes.exe | POST | — | 139.5.237.27:443 | http://139.5.237.27:443/ringin/ | IN | — | — | malicious |
2380 | msptermsizes.exe | POST | — | 119.159.150.176:443 | http://119.159.150.176:443/raster/usbccid/ringin/ | PK | — | — | malicious |
2380 | msptermsizes.exe | POST | — | 190.1.37.125:443 | http://190.1.37.125:443/ringin/ | AR | — | — | malicious |
2380 | msptermsizes.exe | POST | 404 | 216.98.148.181:8080 | http://216.98.148.181:8080/scripts/ | US | xml | 345 b | malicious |
2380 | msptermsizes.exe | POST | 404 | 68.183.190.199:8080 | http://68.183.190.199:8080/stubs/enabled/ | US | xml | 345 b | malicious |
2380 | msptermsizes.exe | POST | — | 201.183.247.58:443 | http://201.183.247.58:443/window/ | EC | — | — | malicious |
2380 | msptermsizes.exe | POST | 404 | 109.169.86.13:8080 | http://109.169.86.13:8080/acquire/ | GB | xml | 345 b | malicious |
2380 | msptermsizes.exe | POST | — | 201.163.74.202:443 | http://201.163.74.202:443/publish/ | MX | — | — | malicious |
2380 | msptermsizes.exe | POST | 404 | 5.196.35.138:7080 | http://5.196.35.138:7080/publish/ | FR | xml | 345 b | malicious |
2380 | msptermsizes.exe | POST | 404 | 91.83.93.105:8080 | http://91.83.93.105:8080/splash/raster/ | HU | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2380 | msptermsizes.exe | 216.98.148.181:8080 | — | CariNet, Inc. | US | malicious |
2380 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
2380 | msptermsizes.exe | 68.183.190.199:8080 | — | DSL Extreme | US | malicious |
— | — | 119.159.150.176:443 | — | Pakistan Telecom Company Limited | PK | malicious |
2380 | msptermsizes.exe | 5.196.35.138:7080 | — | OVH SAS | FR | malicious |
2380 | msptermsizes.exe | 81.213.215.216:50000 | — | Turk Telekom | TR | malicious |
2380 | msptermsizes.exe | 139.5.237.27:443 | — | Syscon Infoway Pvt. Ltd. | IN | malicious |
2380 | msptermsizes.exe | 186.83.133.253:8080 | — | Telmex Colombia S.A. | CO | malicious |
— | — | 142.93.82.57:8080 | — | — | CA | malicious |
2380 | msptermsizes.exe | 62.75.160.178:8080 | — | Host Europe GmbH | FR | malicious |
PID | Process | Class | Message |
---|---|---|---|
2380 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2380 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2380 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2380 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 21 |
2380 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2380 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 3 |
2380 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2380 | msptermsizes.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2380 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2380 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |