analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://net96.it/IRS.gov/Tax-Account-Transcript/

Full analysis: https://app.any.run/tasks/8b23d47a-2b80-4ec4-b361-8130950a19ec
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: December 06, 2018, 16:49:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
emotet
feodo
Indicators:
MD5:

7B7CA265738AD656DBD14F7A5EF6E91F

SHA1:

8D0085A4546C33ADA998CB1E2F26675788BD75F9

SHA256:

EC45E9CDF0A9EE2C9B7C8B6123A6A31F213E1CADD12267F989338C60382D4DBA

SSDEEP:

3:N1KQ0cTLEG2IK/dQlGA3:CQJoGhKlE3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2392)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2392)

    • Application was dropped or rewritten from another process

      • 946.exe (PID: 3604)
      • 946.exe (PID: 2700)
      • archivesymbol.exe (PID: 3984)
      • archivesymbol.exe (PID: 3284)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2780)

    • Executes PowerShell scripts

      • cmd.exe (PID: 556)

    • EMOTET was detected

      • archivesymbol.exe (PID: 3984)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2780)

    • Changes the autorun value in the registry

      • archivesymbol.exe (PID: 3984)

    • Connects to CnC server

      • archivesymbol.exe (PID: 3984)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • chrome.exe (PID: 3872)
      • WINWORD.EXE (PID: 2392)

    • Application launched itself

      • WINWORD.EXE (PID: 2392)
      • cmd.exe (PID: 3672)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 556)
      • cmd.exe (PID: 3672)

    • Creates files in the user directory

      • powershell.exe (PID: 2780)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2780)
      • 946.exe (PID: 2700)

    • Starts itself from another location

      • 946.exe (PID: 2700)

    • Connects to unusual port

      • archivesymbol.exe (PID: 3984)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3400)
      • chrome.exe (PID: 3872)

    • Creates files in the user directory

      • iexplore.exe (PID: 3400)
      • iexplore.exe (PID: 2828)
      • WINWORD.EXE (PID: 2392)

    • Changes internet zones settings

      • iexplore.exe (PID: 2828)

    • Application launched itself

      • iexplore.exe (PID: 2828)
      • chrome.exe (PID: 3872)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3872)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2392)
      • WINWORD.EXE (PID: 2556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
24
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe 946.exe no specs 946.exe chrome.exe no specs archivesymbol.exe no specs #EMOTET archivesymbol.exe chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2828"C:\Program Files\Internet Explorer\iexplore.exe" http://net96.it/IRS.gov/Tax-Account-Transcript/C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3400"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2828 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3872"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
2632"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f4900b0,0x6f4900c0,0x6f4900ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
4032"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3868 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
3232"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,14933916972027242924,3007798729026208280,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=EE57084966E820F0D10732BAC778EA0C --mojo-platform-channel-handle=960 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
68.0.3440.106
2236"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,14933916972027242924,3007798729026208280,131072 --enable-features=PasswordImport --service-pipe-token=AF1B3AFEE89020D8BFD61DFE08A56588 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=AF1B3AFEE89020D8BFD61DFE08A56588 --renderer-client-id=5 --mojo-platform-channel-handle=1916 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
68.0.3440.106
2792"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,14933916972027242924,3007798729026208280,131072 --enable-features=PasswordImport --service-pipe-token=FC41DC4478BC5F65582F18E932BC276B --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=FC41DC4478BC5F65582F18E932BC276B --renderer-client-id=3 --mojo-platform-channel-handle=1536 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3288"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,14933916972027242924,3007798729026208280,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=4837F2E7E1970AFBD2AE6A8ACF0C9716 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4837F2E7E1970AFBD2AE6A8ACF0C9716 --renderer-client-id=6 --mojo-platform-channel-handle=3452 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3288"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,14933916972027242924,3007798729026208280,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=BF1A725999EA6AD59A0E7276162BDA50 --mojo-platform-channel-handle=3992 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Total events
3 560
Read events
3 040
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
50
Text files
69
Unknown types
5

Dropped files

PID
Process
Filename
Type
2828iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2828iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2828iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2980E62391335805.TMP
MD5:
SHA256:
3872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ed76c18e-8bdd-43c8-a43a-af6c535d5019.tmp
MD5:
SHA256:
3872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:
3872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:
3872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:92BE6B127E72365885AD4C3FB6534EE2
SHA256:54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51
3872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.oldtext
MD5:1AA66EFDB743FB0A8DCC1CD79B0B6542
SHA256:28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD
2828iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF879B4893EF19D59.TMP
MD5:
SHA256:
2828iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{00A675F9-F977-11E8-BAD8-5254004A04AF}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2780
powershell.exe
GET
301
91.186.0.8:80
http://bethrow.co.uk/lMPE
GB
html
234 b
malicious
3872
chrome.exe
GET
200
40.91.205.36:80
http://net96.it/IRS.gov/Tax-Account-Transcript/
NL
document
143 Kb
suspicious
2780
powershell.exe
GET
200
91.186.0.8:80
http://bethrow.co.uk/lMPE/
GB
executable
120 Kb
malicious
2828
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3400
iexplore.exe
GET
200
40.91.205.36:80
http://net96.it/IRS.gov/Tax-Account-Transcript/
NL
document
143 Kb
suspicious
3984
archivesymbol.exe
GET
200
189.223.176.239:7080
http://189.223.176.239:7080/
MX
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2828
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3872
chrome.exe
172.217.168.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3400
iexplore.exe
40.91.205.36:80
net96.it
Microsoft Corporation
NL
suspicious
3872
chrome.exe
172.217.168.13:443
accounts.google.com
Google Inc.
US
whitelisted
3872
chrome.exe
40.91.205.36:80
net96.it
Microsoft Corporation
NL
suspicious
3872
chrome.exe
172.217.17.68:443
www.google.com
Google Inc.
US
whitelisted
2780
powershell.exe
91.186.0.8:80
bethrow.co.uk
Simply Transit Ltd
GB
malicious
3984
archivesymbol.exe
189.223.176.239:7080
Uninet S.A. de C.V.
MX
malicious
3872
chrome.exe
172.217.168.46:443
clients1.google.com
Google Inc.
US
whitelisted
3872
chrome.exe
172.217.168.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
net96.it
  • 40.91.205.36
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
clientservices.googleapis.com
  • 172.217.168.35
whitelisted
www.gstatic.com
  • 172.217.168.35
whitelisted
www.google.de
  • 172.217.168.35
whitelisted
safebrowsing.googleapis.com
  • 172.217.168.10
whitelisted
accounts.google.com
  • 172.217.168.13
shared
ssl.gstatic.com
  • 172.217.168.3
whitelisted
www.google.com
  • 172.217.17.68
whitelisted
bethrow.co.uk
  • 91.186.0.8
malicious

Threats

PID
Process
Class
Message
3400
iexplore.exe
Attempted User Privilege Gain
SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt
3400
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Office Document Download Containing AutoOpen Macro
3400
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
3872
chrome.exe
Attempted User Privilege Gain
SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt
3872
chrome.exe
Potential Corporate Privacy Violation
ET POLICY Office Document Download Containing AutoOpen Macro
3872
chrome.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
2780
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2780
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2780
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2780
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://net96.it/IRS.gov/Tax-Account-Transcript/