
Sample: e700c5cb85f516536085ba8d48508ff0

P3pper Reports - http://www.peppermalware.com. P3pper Twitter - https://twitter.com/P3pperP0tts.

This report has been generated automatically by a set of malware analysis tools.

This work is licensed under a Creative Commons Attribution 4.0 International License. To view a copy of this license visit http://creativecommons.org/licenses/by/4.0/.

Classification: #BANKER #EMOTET (based on p3pperp0tts rules)

Analysis date: 2021-01-17 12:27:02 (p3pperp0tts platform's analysis date)

Exe timestamp: 2020-09-17 10:03:35 (timestamp of the original sample)

Unpacked mods max timestamp: 2020-09-10 18:12:35 (highest timestamp among all the unpacked modules)

VirusTotal analysis date: 2020-10-12 12:13:06 (date the sample was last analyzed at VirusTotal)

Index

• Sample

• AV detections

• Virustotal

• Yara matches

• Threads tree

• Most Interesting behavior

• Most Interesting strings

• Hosts

• Dns queries

• Network traffic

• Full strings list

• Threads behaviour

• Network by processes

• Unpacked or injected modules

• Extra Information Recovered

• Configs Recovered


Sample

• md5: e700c5cb85f516536085ba8d48508ff0

AV detections

• Microsoft: Trojan:Win32/Emotet.ARJ!MTB
• Kaspersky: HEUR:Trojan.Win32.Agent.pef
• Symantec: Packed.Generic.554
• Malwarebytes: Trojan.MalPack.TRE

Virustotal

• https://virustotal.com/es/file/2d48a6af7203b5ace1253fa489f0890496f9043e33eef34c68cc7e927c429512/analysis

Yara matches

The following YARA rules matched the code or data areas of injected or unpacked modules.

• UNKALIAS:#BANKER #EMOTET
• UNKALIAS:#BANKER #EMOTET


Threads tree

The following tree represents the sample's threads. T<index> is an alias for a sample thread (threads are numbered in order of creation). P<index> is an alias for a process owning sample threads.


Most interesting behavior

The following list is a collection of the most interesting events captured, ordered by the score assigned to each event. In the section "Threads behavioural information" all the actions performed by each sample thread can be found, ordered chronologically.


Most interesting strings

The following list is a collection of the most interesting strings found in the code or data of the sample's modules (unpacked modules included).

• !This program cannot be run in DOS mode.
• Nj(tm=\\3k8u=


Hosts

• 118.243.83.70:80
• 190.85.46.52:7080
• 192.168.239.131:49160
• 192.168.239.131:49161
• 192.168.239.131:49163
• 192.168.239.131:49164
• 192.168.239.131:49165
• 192.168.239.131:49166
• 192.168.239.1:5353
• 2.20.44.114:80
• 224.0.0.251:5353
• 5.189.168.53:8080

Dns queries

• isatap.localdomain ---> no answers
• 255.239.168.192.in-addr.arpa ---> no answers
• 2.239.168.192.in-addr.arpa ---> no answers
• 1.239.168.192.in-addr.arpa ---> no answers
• 254.239.168.192.in-addr.arpa ---> no answers
• 70.83.243.118.in-addr.arpa ---> no answers
• 53.168.189.5.in-addr.arpa ---> no answers
• 111.41.241.162.in-addr.arpa ---> no answers

Network traffic

This section contains the readable content of the captured network traffic classified by established connections.

• tcp 192.168.239.131:49160 ---> 118.243.83.70:80

Content-Type: application/octet-stream[...]Content-Disposition: form-data; name="ptlasxxunbaadtgputz"; filename="kircgec"[...]---T9gjfyeFj[...]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]---T9gjfyeFj--[...]Accept-Encoding: gzip, deflate[...]Referer: 118.243.83.70/KY7H9/6oRh7oiWWPK12Iow/jCrOuySi4ET2wb/Rkr6k/1mTO2qhiQczpNmZO/DrdExHVlfJ/[...]Content-Type: multipart/form-data; boundary=---T9gjfyeFj[...]Host: 118.243.83.70[...]Cache-Control: no-cache[...]Upgrade-Insecure-Requests: 1[...]POST /KY7H9/6oRh7oiWWPK12Iow/jCrOuySi4ET2wb/Rkr6k/1mTO2qhiQczpNmZO/DrdExHVlfJ/ HTTP/1.1[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]Content-Length: 4564

• tcp 192.168.239.131:49161 ---> 5.189.168.53:8080

Content-Type: application/octet-stream[...]POST /236xhTXAl/kI6xFzKZfTvk9/2Kmiz2Rmp/wf5HH/kzJYw1iHob1KjMk/IW09WZdUJU/ HTTP/1.1[...]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]Content-Type: multipart/form-data; boundary=---KCOjqB8CbqDmh[...]Accept-Encoding: gzip, deflate[...]---KCOjqB8CbqDmh--[...]Content-Length: 4564[...]Content-Disposition: form-data; name="aaylssbzlmvqtt"; filename="qrlvvi"[...]Cache-Control: no-cache[...]Upgrade-Insecure-Requests: 1[...]Referer: 5.189.168.53/236xhTXAl/kI6xFzKZfTvk9/2Kmiz2Rmp/wf5HH/kzJYw1iHob1KjMk/IW09WZdUJU/[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]---KCOjqB8CbqDmh[...]Host: 5.189.168.53:8080

• tcp 192.168.239.131:49163 ---> 190.85.46.52:7080

Content-Disposition: form-data; name="dddxllcvipheib"; filename="cifsybgsnvftb"[...]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]Content-Type: application/octet-stream[...]Content-Type: multipart/form-data; boundary=---mHoEuhYlD4rHsdu[...]Accept-Encoding: gzip, deflate[...]---mHoEuhYlD4rHsdu--[...]Host: 190.85.46.52:7080[...]---mHoEuhYlD4rHsdu[...]Cache-Control: no-cache[...]Upgrade-Insecure-Requests: 1[...]Referer: 190.85.46.52/OOgQ7RHNiz1/z9nxW8d9QFuQQ/uhHPSstWMQgDOfjC3Is/yfWpNT29rfk3HZnywv/[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]POST /OOgQ7RHNiz1/z9nxW8d9QFuQQ/uhHPSstWMQgDOfjC3Is/yfWpNT29rfk3HZnywv/ HTTP/1.1[...]Content-Length: 4564

• tcp 190.85.46.52:7080 ---> 192.168.239.131:49163

Content-Type: text/html; charset=UTF-8[...]Date: Sun, 17 Jan 2021 10:38:27 GMT[...]Server: nginx[...]Vary: Accept-Encoding[...]HTTP/1.1 200 OK[...]Content-Length: 2100[...]Connection: Keep-Alive

• tcp 192.168.239.131:49164 ---> 2.20.44.114:80

GET /pki/crl/products/WinPCA.crl HTTP/1.1[...]If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT[...]Cache-Control: max-age = 900[...]User-Agent: Microsoft-CryptoAPI/6.1[...]Host: crl.microsoft.com[...]If-None-Match: "0cb60772f2dd11:0"[...]Connection: Keep-Alive


x-ms-blob-type: BlockBlob[...]Date: Sun, 17 Jan 2021 10:42:38 GMT[...]Content-Length: 530[...]Content-Type: application/pkix-crl[...]HTTP/1.1 200 OK[...]x-ms-version: 2009-09-19[...]430418080000Z[...]151202080000Z[...]HTTP/1.1 200 OK[...]Content-MD5: Xiddt2GqWiOsZRr49sSgAA==[...]x-ms-lease-status: unlocked[...]x-ms-request-id: 9d0ff0ea-801e-00a3-53d8-858b11000000[...]Last-Modified: Tue, 08 May 2018 21:14:18 GMT[...]Microsoft Corporation1+0)[...]Connection: Keep-Alive[...]Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0[...]ETag: 0x8D5B528A905E7D5[...]"Microsoft Windows Verification PCA

• tcp 192.168.239.131:49165 ---> 190.85.46.52:7080

Content-Type: application/octet-stream[...]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]Content-Disposition: form-data; name="znyvvzzvfzdgu"; filename="pxzjudb"[...]---BKC2gk1phpX990RYdzgk--[...]Content-Type: multipart/form-data; boundary=---BKC2gk1phpX990RYdzgk[...]POST /cWiWwLbvic73YJJH/ HTTP/1.1[...]Host: 190.85.46.52:7080[...]Content-Length: 4612[...]---BKC2gk1phpX990RYdzgk[...]Upgrade-Insecure-Requests: 1[...]Connection: Keep-Alive[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0[...]Accept-Encoding: gzip, deflate[...]Referer: 190.85.46.52/cWiWwLbvic73YJJH/[...]Accept-Language: en-us,en;q=0.5[...]Cache-Control: no-cache

• tcp 190.85.46.52:7080 ---> 192.168.239.131:49165

Content-Type: text/html; charset=UTF-8[...]Server: nginx[...]Vary: Accept-Encoding[...]Content-Length: 2324[...]Date: Sun, 17 Jan 2021 10:51:54 GMT[...]Connection: Keep-Alive[...]HTTP/1.1 200 OK

• tcp 192.168.239.131:49166 ---> 190.85.46.52:7080

Content-Type: application/octet-stream[...]Content-Type: multipart/form-data; boundary=---AJ29E2YEcsM6r[...]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]POST /Cl9A0nWPh/R9Zz4k/ HTTP/1.1[...]Accept-Encoding: gzip, deflate[...]Host: 190.85.46.52:7080[...]Content-Length: 4612[...]---AJ29E2YEcsM6r[...]---AJ29E2YEcsM6r--[...]Referer: 190.85.46.52/Cl9A0nWPh/R9Zz4k/[...]Upgrade-Insecure-Requests: 1[...]Content-Disposition: form-data; name="vtizvdpvidair"; filename="ndcuuhhgufxhn"[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]Cache-Control: no-cache

• tcp 190.85.46.52:7080 ---> 192.168.239.131:49166

Content-Type: text/html; charset=UTF-8[...]Server: nginx[...]Vary: Accept-Encoding[...]Content-Length: 3636[...]HTTP/1.1 200 OK[...]Connection: Keep-Alive[...]Date: Sun, 17 Jan 2021 11:05:30 GMT

• udp 192.168.239.1:5353 ---> 224.0.0.251:5353


Full strings list

The following list is a collection of all the strings found in the code or data of the sample's modules (unpacked modules included).

• !This program cannot be run in DOS mode.
• Nj(tm=\\3k8u=


Threads behaviour

This section contains information about the sample's threads, such as the actions performed by each thread, ordered chronologically.


Network by processes

The analysis environment tries to capture and collect the network actions performed by the sample's threads.


Unpacked or injected modules

This section contains information about the sample's modules, such as their rich signatures and strings.

• Module 1 (probably unpacked / injected by the sample)

• Module 1 rich signatures

• 44616e530000000000000000000000000d52df00010000007d79e500210000007d79de00

• Module 1 strings

• Module 1 most interesting strings

• !This program cannot be run in DOS mode.
• Nj(tm=\\3k8u=

• Module 1 other strings

• No strings found

• =%<+yQE}\\b3f

• Module 2 (probably unpacked / injected by the sample)

• Module 2 rich signatures

• 44616e530000000000000000000000000d52df00010000007d79e500210000007d79de00

• Module 2 strings

• Module 2 most interesting strings

• !This program cannot be run in DOS mode.

• Module 2 other strings

• No strings found


Extra Information Recovered


Configs Recovered

This section lists the malware configs recovered by platform plugins.

• CnC

240.226.228.188:64394
151.248.131.195:17632
193.229.103.214:0
70.83.243.118:80
53.168.189.5:8080
111.41.241.162:7080
52.46.85.190:7080
155.205.216.95:8080
109.78.116.50:8080
245.143.38.54:8080
110.248.160.113:80
221.16.176.115:80
76.215.17.223:80
82.218.188.202:80
154.190.96.172:8080
63.12.59.139:8080
104.133.95.181:80
91.173.208.74:8080
43.170.166.202:80
163.236.142.185:443
63.203.57.198:8080
68.148.86.185:443
26.58.247.88:80
51.104.121.67:20
113.227.71.167:8080
44.235.247.117:80
220.100.187.37:7080
170.14.127.75:8080
37.120.177.45:8080
236.6.133.79:8080
120.167.33.178:8080
12.118.5.179:80
81.148.161.113:80
160.182.241.14:80
115.62.26.180:443
132.12.194.190:80
200.66.189.187:8080
250.70.79.5:8080
215.129.46.37:8080
26.139.126.126:443
210.16.18.76:80
216.175.114.78:80
157.220.153.202:80
183.220.241.192:8080
57.66.133.103:443
145.247.147.220:80
123.10.202.116:8080
94.217.210.192:8080
152.229.32.46:8080
252.9.205.37:7080
116.48.101.190:80
128.29.185.41:8080
68.131.105.46:8080
51.239.193.113:443
17.77.92.119:80
60.42.144.162:8080
215.61.59.139:443
128.89.212.41:80
1.229.137.181:80
142.226.208.185:8080
182.220.93.103:80
191.221.163.192:8080
61.51.80.103:8080
173.68.48.103:80
2.45.201.138:8080
23.216.57.86:80
183.44.91.36:80
17.73.229.103:8080
189.240.227.182:443
46.75.75.91:80
95.220.210.37:80
234.83.253.182:7080
110.187.106.128:80
3.215.27.58:8080
101.138.245.157:7080
20.15.190.190:80
246.195.79.115:80
80.78.74.77:443
70.56.201.195:8080
178.216.153.203:7080
137.9.4.8:8080
204.244.144.2:80
32.82.156.113:80
254.34.51.120:80
81.62.200.80:20
238.241.120.200:80
103.93.83.91:443
178.164.7.157:8081
240.154.122.181:80
72.101.95.143:8080
155.11.78.115:80
19.201.38.51:7080
64.114.125.60:443
118.9.243.49:80
206.209.150.189:80
244.78.105.172:8080
