Windows
Analysis Report
exe009.exe
Overview
General Information
Sample name: | exe009.exe |
Analysis ID: | 1558347 |
MD5: | d7271c44ad9c66d0156738fe70f12120 |
SHA1: | d603bee9c71bfd6624645c181d91c7d948af4c21 |
SHA256: | 676b3029331da1aa727799097f0599bee2759ef668a97ef5bddcc56fc22c7096 |
Tags: | exeuser-Joker |
Infos: | |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Emotet | While Emotet was historically a banking malware organized in a botnet, nowadays it is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021. | | | |
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB", "C2 list": ["73.100.19.104:80", "103.3.63.137:8080", "188.166.220.180:7080", "192.175.111.217:7080", "91.83.93.103:443", "94.212.52.40:80", "190.191.171.72:80", "24.231.51.190:80", "113.161.148.81:80", "46.105.131.68:8080", "223.17.215.76:80", "45.239.204.100:80", "185.80.172.199:80", "91.75.75.46:80", "190.151.5.131:443", "60.125.114.64:443", "77.74.78.80:443", "175.103.38.146:80", "58.27.215.3:8080", "91.213.106.100:8080", "125.200.20.233:80", "195.201.56.70:8080", "198.20.228.9:8080", "190.194.12.132:80", "103.80.51.61:8080", "37.187.100.220:7080", "179.5.118.12:80", "143.95.101.72:8080", "46.32.229.152:8080", "185.208.226.142:8080", "74.208.173.91:8080", "185.142.236.163:443", "85.75.49.113:80", "157.7.164.178:8081", "190.85.46.52:7080", "203.56.191.129:8080", "192.210.217.94:8080", "192.163.221.191:8080", "119.92.77.17:80", "126.126.139.26:443", "103.229.73.17:8080", "79.133.6.236:8080", "37.46.129.215:8080", "113.193.239.51:443", "116.202.10.123:8080", "103.93.220.182:80", "139.59.61.215:443", "113.203.238.130:80", "118.243.83.70:80", "50.116.78.109:8080", "115.79.59.157:80", "203.153.216.178:7080", "2.58.16.86:8080", "172.105.78.244:8080", "178.33.167.120:8080", "139.59.12.63:8080", "78.186.65.230:80", "213.165.178.214:80", "115.79.195.246:80", "41.185.29.128:8080", "37.205.9.252:7080", "190.117.101.56:80", "180.148.4.130:8080", "172.96.190.154:8080", "47.154.85.229:80", "153.229.219.1:443", "36.91.44.183:80", "190.96.15.50:443", "54.38.143.245:8080", "5.79.70.250:8080", "202.29.237.113:8080", "190.192.39.136:80", "118.33.121.37:80", "190.164.135.81:80", "180.21.3.52:80", "75.127.14.170:8080", "42.200.96.63:80", "120.51.34.254:80", "121.117.147.153:443", "8.4.9.137:8080", "162.144.145.58:8080", "109.13.179.195:80", "109.206.139.119:80", "73.55.128.120:80", 
"192.241.220.183:8080", "116.91.240.96:80", "88.247.58.26:80"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
Windows_Trojan_Emotet_5528b3b0 | unknown | unknown |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking |
---|
Source: | IPs: |
Source: | Network traffic detected: |
Source: | IP Address: |
Source: | ASN Name: |
E-Banking Fraud |
---|
Source: | File source: |
System Summary |
---|
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
50% | ReversingLabs | Win32.Trojan.Generic | ||
100% | Avira | TR/Crypt.XPACK.Gen | ||
100% | Joe Sandbox ML | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
126.126.139.26 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | true | |
192.210.217.94 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true | |
85.75.49.113 | unknown | Greece | 6799 | OTENET-GRAthens-GreeceGR | true | |
223.17.215.76 | unknown | Hong Kong | 18116 | HGC-AS-APHGCGlobalCommunicationsLimitedHK | true | |
185.208.226.142 | unknown | Hungary | 43359 | TARHELYHU | true | |
75.127.14.170 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true | |
172.96.190.154 | unknown | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true | |
109.206.139.119 | unknown | Russian Federation | 47914 | CDMSRU | true | |
203.153.216.178 | unknown | Indonesia | 45291 | SURF-IDPTSurfindoNetworkID | true | |
190.191.171.72 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
143.95.101.72 | unknown | United States | 62729 | ASMALLORANGE1US | true | |
103.229.73.17 | unknown | Indonesia | 55660 | MWN-AS-IDPTMasterWebNetworkID | true | |
162.144.145.58 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
178.33.167.120 | unknown | France | 16276 | OVHFR | true | |
45.239.204.100 | unknown | Brazil | 268405 | BMOBUENOCOMUNICACOES-MEBR | true | |
190.164.135.81 | unknown | Chile | 22047 | VTRBANDAANCHASACL | true | |
37.187.100.220 | unknown | France | 16276 | OVHFR | true | |
5.79.70.250 | unknown | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | true | |
190.85.46.52 | unknown | Colombia | 14080 | TelmexColombiaSACO | true | |
120.51.34.254 | unknown | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true | |
125.200.20.233 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true | |
88.247.58.26 | unknown | Turkey | 9121 | TTNETTR | true | |
103.93.220.182 | unknown | Philippines | 17639 | CONVERGE-ASConvergeICTSolutionsIncPH | true | |
190.194.12.132 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
37.205.9.252 | unknown | Czech Republic | 24971 | MASTER-ASCzechRepublicwwwmasterczCZ | true | |
118.243.83.70 | unknown | Japan | 4685 | ASAHI-NETAsahiNetJP | true | |
103.80.51.61 | unknown | Thailand | 136023 | PTE-AS-APPTEGroupCoLtdTH | true | |
213.165.178.214 | unknown | Malta | 12709 | MELITACABLEMT | true | |
119.92.77.17 | unknown | Philippines | 9299 | IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH | true | |
46.105.131.68 | unknown | France | 16276 | OVHFR | true | |
47.154.85.229 | unknown | United States | 5650 | FRONTIER-FRTRUS | true | |
172.105.78.244 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
91.213.106.100 | unknown | Latvia | 49667 | IKFRIGA-ASLV | true | |
37.46.129.215 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | true | |
121.117.147.153 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true | |
192.163.221.191 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
190.117.101.56 | unknown | Peru | 12252 | AmericaMovilPeruSACPE | true | |
190.192.39.136 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
180.148.4.130 | unknown | Viet Nam | 45557 | VNTT-AS-VNVietnamTechnologyandTelecommunicationJSCVN | true | |
113.161.148.81 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true | |
190.96.15.50 | unknown | Chile | 14259 | GtdInternetSACL | true | |
157.7.164.178 | unknown | Japan | 7506 | INTERQGMOInternetIncJP | true | |
116.202.10.123 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
115.79.59.157 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | true | |
153.229.219.1 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true | |
192.241.220.183 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
203.56.191.129 | unknown | Australia | 38220 | AMAZE-SYD-AS-APwwwamazecomauAU | true | |
113.203.238.130 | unknown | Pakistan | 9387 | AUGERE-PKAUGERE-PakistanPK | true | |
78.186.65.230 | unknown | Turkey | 9121 | TTNETTR | true | |
46.32.229.152 | unknown | United Kingdom | 20738 | GD-EMEA-DC-LD5GB | true | |
54.38.143.245 | unknown | France | 16276 | OVHFR | true | |
180.21.3.52 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true | |
77.74.78.80 | unknown | Russian Federation | 31261 | GARS-ASMoscowRussiaRU | true | |
60.125.114.64 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | true | |
8.4.9.137 | unknown | United States | 3356 | LEVEL3US | true | |
94.212.52.40 | unknown | Netherlands | 33915 | TNF-ASNL | true | |
79.133.6.236 | unknown | Finland | 3238 | ALCOMFI | true | |
202.29.237.113 | unknown | Thailand | 4621 | UNINET-AS-APUNINET-TH | true | |
58.27.215.3 | unknown | Pakistan | 38264 | WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK | true | |
185.80.172.199 | unknown | Azerbaijan | 39232 | UNINETAZ | true | |
74.208.173.91 | unknown | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
41.185.29.128 | unknown | South Africa | 36943 | GridhostZA | true | |
116.91.240.96 | unknown | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true | |
139.59.61.215 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true | |
91.75.75.46 | unknown | United Arab Emirates | 15802 | DU-AS1AE | true | |
175.103.38.146 | unknown | Indonesia | 38320 | MMS-AS-IDPTMaxindoMitraSolusiID | true | |
50.116.78.109 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
109.13.179.195 | unknown | France | 15557 | LDCOMNETFR | true | |
73.100.19.104 | unknown | United States | 7922 | COMCAST-7922US | true | |
103.3.63.137 | unknown | Singapore | 63949 | LINODE-APLinodeLLCUS | true | |
42.200.96.63 | unknown | Hong Kong | 4760 | HKTIMS-APHKTLimitedHK | true | |
24.231.51.190 | unknown | Bahamas | 15146 | CABLEBAHAMASBS | true | |
192.175.111.217 | unknown | Canada | 32613 | IWEB-ASCA | true | |
190.151.5.131 | unknown | Chile | 6471 | ENTELCHILESACL | true | |
2.58.16.86 | unknown | Latvia | 64421 | SERTEX-ASLV | true | |
113.193.239.51 | unknown | India | 45528 | TIKONAIN-ASTikonaInfinetLtdIN | true | |
188.166.220.180 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true | |
198.20.228.9 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
185.142.236.163 | unknown | Netherlands | 174 | COGENT-174US | true | |
139.59.12.63 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true | |
115.79.195.246 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | true | |
118.33.121.37 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true | |
73.55.128.120 | unknown | United States | 7922 | COMCAST-7922US | true | |
179.5.118.12 | unknown | El Salvador | 14754 | TelguaGT | true | |
91.83.93.103 | unknown | Hungary | 12301 | INVITECHHU | true | |
195.201.56.70 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
36.91.44.183 | unknown | Indonesia | 17974 | TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1558347 |
Start date and time: | 2024-11-19 12:10:40 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | exe009.exe |
Detection: | MAL |
Classification: | mal88.troj.winEXE@0/0@0/87 |
Cookbook Comments: |
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
- Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, time.windows.com
- VT rate limit hit for: exe009.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
126.126.139.26 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
192.210.217.94 | | Get hash | malicious | Emotet | Browse | |
85.75.49.113 | | Get hash | malicious | Emotet | Browse | |
85.75.49.113 | | Get hash | malicious | Emotet | Browse | |
85.75.49.113 | | Get hash | malicious | Emotet | Browse | |
85.75.49.113 | | Get hash | malicious | Emotet | Browse | |
85.75.49.113 | | Get hash | malicious | Emotet | Browse | |
223.17.215.76 | | Get hash | malicious | Emotet | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Stealc | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | AsyncRAT | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Unknown | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Snake Keylogger | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Credential Flusher | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Unknown | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Credential Flusher | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Unknown | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Lokibot | Browse | |
s-part-0017.t-0009.t-msedge.net | | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Mirai | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Mirai | Browse | |
GIGAINFRASoftbankBBCorpJP | | Get hash | malicious | Unknown | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, HTMLPhisher, Lokibot | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, HTMLPhisher, Lokibot | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | HTMLPhisher, SmokeLoader | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | HTMLPhisher, Lokibot | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | HTMLPhisher, Lokibot | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Remcos | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Remcos, HTMLPhisher | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, HTMLPhisher, Lokibot | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Unknown | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Unknown | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Mirai | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Mirai | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Mirai | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Mirai, Moobot | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Unknown | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Mirai | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Unknown | Browse | |
OTENET-GRAthens-GreeceGR | | Get hash | malicious | Mirai, Moobot | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Mirai | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Unknown | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Unknown | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Unknown | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Unknown | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Mirai | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Unknown | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Emotet | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Emotet | Browse | |
HGC-AS-APHGCGlobalCommunicationsLimitedHK | | Get hash | malicious | Emotet | Browse | |
File type: | |
Entropy (8bit): | 4.030411761944615 |
TrID: |
File name: | exe009.exe |
File size: | 169'984 bytes |
MD5: | d7271c44ad9c66d0156738fe70f12120 |
SHA1: | d603bee9c71bfd6624645c181d91c7d948af4c21 |
SHA256: | 676b3029331da1aa727799097f0599bee2759ef668a97ef5bddcc56fc22c7096 |
SHA512: | b680db582c728a1957c512cb92798d76545c9cb419c88a732a7f720407c228b920460b5a3cffc78b73bdcc1b8704dbf7ae44eade21d9e6f95607547ab868cd12 |
SSDEEP: | 1536:QqHcFCKEpFErcAft1uwv+npjlPmQWsw+UjBCb:v80ddxmrL8 |
TLSH: | 0FF3C19FB792A1F2CD191931D586D01B3937BE605B464AD3337B322EEDB06E84CB8245 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.../.../...".J.....R.p.....R.K.....Rich/...................PE..L......_............................P\............K........ |
Icon Hash: | 4d96332361e2311b |
Entrypoint: | 0x4b5c50 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x4b0000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5F84B300 [Mon Oct 12 19:48:16 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: |
Instruction |
---|
call 00007F533574D570h |
mov eax, dword ptr [004BE16Ch] |
test eax, eax |
jne 00007F533574CD1Dh |
mov ecx, B7762A69h |
call 00007F533574AF9Dh |
mov edx, D1D79069h |
mov ecx, eax |
call 00007F533574AEF1h |
mov dword ptr [004BE16Ch], eax |
push 00000000h |
call eax |
retn 0010h |
push ecx |
mov dword ptr [esp], 00007E35h |
xor dword ptr [esp], 7C12DE9Ch |
add dword ptr [esp], 0000D3C1h |
xor dword ptr [esp], 75DA64F0h |
or dword ptr [esp], 3B09F17Ah |
shr dword ptr [esp], 0Ah |
add dword ptr [esp], FFFFC1BDh |
xor dword ptr [esp], 000EB579h |
mov eax, dword ptr [esp] |
pop ecx |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
push ecx |
mov dword ptr [esp], 00004F1Ch |
add dword ptr [esp], 0000DE99h |
add dword ptr [esp], FFFFD5F7h |
xor dword ptr [esp], 1E029AA1h |
add dword ptr [esp], 00004320h |
add dword ptr [esp], FFFF38EEh |
or dword ptr [esp], 59603C0Eh |
shr dword ptr [esp], 02h |
shl dword ptr [esp], 08h |
xor dword ptr [esp], D8CF47A0h |
mov eax, dword ptr [esp] |
pop ecx |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ecx |
mov dword ptr [esp], 00006F9Fh |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1d796 | .text |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x750 | .text |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4b1000 | 0xa600 | bed432d1b00b24e7c04efb884774fd76 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0x4bc000 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x4bd000 | 0xc00 | 68533284b0bc389fd4ccdde7a5c1b2f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xf000 | 0x4bf000 | 0x800 | c99a74c555371a433d121f551d6c6398 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x4c0000 | 0x1d800 | 87c6fb5f0eb266ac306aacb07d751395 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x101ac | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5124113475177305 |
RT_ICON | 0x10614 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | | | 0.28055555555555556 |
RT_ICON | 0x112bc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.2296680497925311 |
RT_ICON | 0x13864 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.18800188946622579 |
RT_ICON | 0x17a8c | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.1529112754158965 |
RT_ICON | 0x1cf14 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.0527919081982728 |
RT_GROUP_ICON | 0x2d73c | 0x5a | data | | | 0.7888888888888889 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 19, 2024 12:11:43.632678032 CET | 1.1.1.1 | 192.168.2.7 | 0x1269 | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Nov 19, 2024 12:11:43.632678032 CET | 1.1.1.1 | 192.168.2.7 | 0x1269 | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false |