MalScore

100/100

MalFamily

Emotet

30hCP55

Is DLL Packer Anti Debug Anti VM Signed XOR

File details Download PDF Report
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File size:	316.00 KB (323584 bytes)
Compile time:	2020-07-29 09:56:48
MD5:	ac3f689147fb565631a6567834c783b9
SHA1:	7b8bf9cd986bc987b0d23fe07baa7ff520d70cae
SHA256:	ee3745c938112b7b49e840787f7e3bf4031c51e1e685c7ad073af64de818f49d
Import hash:	de2f3a78b61d2f88459d7cd2233b67d5
Sections 4	.text .rdata .data .rsrc
Directories 2	import resource
Anti Virtual Machine 1	VMCheck.dll
First submission:	2021-01-09 10:09:06
Last submission:	2021-01-09 10:09:06
Filename detected:	- 30hCP55 (1)

URL file hosting
hXXp://biglaughs.org/smallpotatoes/30hCP55/

Antivirus Report
Report Date	Detection Ratio	Permalink	Update
No report available

PE Sections 1 suspicious
Name	VAddress	VSize	Size	MD5	SHA1
.text	0x1000	0x324b9	208896	ad12a87ce5af84985a5937c16cb42f9a	bd7e135725cc7b48c46f66492108e1b358f2c4b2
.rdata	0x34000	0xae78	45056	52af319145e03403c30fb1dbb0604a3a	2670f207f8f8659a8356926015f10d8b39b09bc5
.data	0x3f000	0x6e48	12288	c23078137e8924b2fd85544807968052	bac9f9c0b99954eea0ffbab81124343d51971ad0
.rsrc	0x46000	0xc908	53248	dcffa1beb32fe852ea9ef5fb6cd194a3	75b81fca38f96ced689b3559b6eb56a728558171

Meta Info
No Meta found in this file

XOR
No XOR informations found in this file.

Signature
This file isn't digitally signed

Packer(s)
Microsoft Visual C++ v6.0
Microsoft Visual C++ 5.0
Microsoft Visual C++

File found
FIle type: Library
USER32.dll
ADVAPI32.dll
SHLWAPI.dll
SHELL32.dll
KERNEL32.dll
OLEAUT32.dll
oledlg.dll
comdlg32.dll
comctl32.dll
OLEPRO32.DLL
ole32.dll
GDI32.dll

IP Found
No IP detected

URL(s)
file://

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven02b_64	Seven02b_64	VirtualBox	2021-01-09 09:54:44	2021-01-09 09:57:46	182

10 Behaviors detected by system signatures

Created network traffic indicative of malicious activity Severity: High Confidence: High

signature: ET CNC Feodo Tracker Reported CnC Server group 1
signature: ET CNC Feodo Tracker Reported CnC Server group 3
signature: ET TROJAN Win32/Emotet CnC Activity (POST) M8
signature: ET CNC Feodo Tracker Reported CnC Server group 4
signature: ET CNC Feodo Tracker Reported CnC Server group 7
signature: ET CNC Feodo Tracker Reported CnC Server group 6
signature: ET CNC Feodo Tracker Reported CnC Server group 9
signature: ET CNC Feodo Tracker Reported CnC Server group 8
signature: ET CNC Feodo Tracker Reported CnC Server group 18
signature: ET CNC Feodo Tracker Reported CnC Server group 11
signature: ET CNC Feodo Tracker Reported CnC Server group 10
signature: ET CNC Feodo Tracker Reported CnC Server group 2
signature: ET CNC Feodo Tracker Reported CnC Server group 12
signature: ET CNC Feodo Tracker Reported CnC Server group 15
signature: ET CNC Feodo Tracker Reported CnC Server group 14
signature: ET CNC Feodo Tracker Reported CnC Server group 16
signature: ET CNC Feodo Tracker Reported CnC Server group 20
signature: ET CNC Feodo Tracker Reported CnC Server group 21
signature: ET CNC Feodo Tracker Reported CnC Server group 22
signature: ET CNC Feodo Tracker Reported CnC Server group 24

Unconventionial language used in binary resources: Russian Severity: Medium Confidence: Very High

Performs some HTTP requests Severity: Medium Confidence: Low

url: http://179.60.229.168:443/rdmiUTQ5aCADZ9n/yuEpd6rAy8lFu2EFtO/
url: http://185.94.252.13:443/EoumacLwm3iJCDyaJs/
url: http://189.218.165.63/tMk5CVrFF7Vatmw/uOAR0iy8/MurTsTm/puEyfuZQNAKhtT0y/6lcUwFdu/9uUvKJ9khDPs/
url: http://2.47.112.152/9UnuEj/yDFmpFXiQvZVMl/CZxxLL5qSp/ek38JmKJ3iLIFU9Z/Nonp4Kcs/
url: http://185.94.252.27:443/NrBtou/KeHrYxqUAGg0G/ico6XRVKMT52Uk/
url: http://191.99.160.58/0NFgCgNscsJT4/EEYR55nXJFKmiuPm/
url: http://181.31.211.181/VWOckRDuDMvLBk7u/
url: http://202.62.39.111/SMgohJYp/
url: http://177.75.143.112:443/Srbbgd3hhKk/CcqOM/
url: http://190.17.195.202/MKAAsWPxNUj/dhM2i/bnsvUaomnnbmFZVGOH/isDC0YbQlotvdVcX5KX/
url: http://181.167.96.215/JL8PZh/35lUjIOyVu3/5gnCayEA0SaJA5YSzCy/
url: http://143.0.87.101/pWb8/
url: http://46.214.11.172/DSpU2apaw3mWI/5Mvold5yP9LfGO/pinWaB3naX/GgZu7FgiBjja40V7C1/hBp6un2KV62F6/qkC4a/
url: http://114.109.179.60/ygnrGKQylS73WQ4J/
url: http://185.94.252.12/hhm6KW26WhMjoWhvSdH/YG4Aa/
url: http://177.72.13.80/Ls0ka8LpRIq93c/y5s1P7vuWvf/MDLZ4GW1M6IGI/kXXhXgZ53vczE/aJ7352xkC1dmL/

HTTP traffic contains suspicious features which may be indicative of malware related traffic Severity: Medium Confidence: Low

ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://179.60.229.168:443/rdmiUTQ5aCADZ9n/yuEpd6rAy8lFu2EFtO/
suspicious_request: http://185.94.252.13:443/EoumacLwm3iJCDyaJs/
suspicious_request: http://189.218.165.63/tMk5CVrFF7Vatmw/uOAR0iy8/MurTsTm/puEyfuZQNAKhtT0y/6lcUwFdu/9uUvKJ9khDPs/
suspicious_request: http://2.47.112.152/9UnuEj/yDFmpFXiQvZVMl/CZxxLL5qSp/ek38JmKJ3iLIFU9Z/Nonp4Kcs/
suspicious_request: http://185.94.252.27:443/NrBtou/KeHrYxqUAGg0G/ico6XRVKMT52Uk/
suspicious_request: http://191.99.160.58/0NFgCgNscsJT4/EEYR55nXJFKmiuPm/
suspicious_request: http://181.31.211.181/VWOckRDuDMvLBk7u/
suspicious_request: http://202.62.39.111/SMgohJYp/
suspicious_request: http://177.75.143.112:443/Srbbgd3hhKk/CcqOM/
suspicious_request: http://190.17.195.202/MKAAsWPxNUj/dhM2i/bnsvUaomnnbmFZVGOH/isDC0YbQlotvdVcX5KX/
suspicious_request: http://181.167.96.215/JL8PZh/35lUjIOyVu3/5gnCayEA0SaJA5YSzCy/
suspicious_request: http://143.0.87.101/pWb8/
suspicious_request: http://46.214.11.172/DSpU2apaw3mWI/5Mvold5yP9LfGO/pinWaB3naX/GgZu7FgiBjja40V7C1/hBp6un2KV62F6/qkC4a/
suspicious_request: http://114.109.179.60/ygnrGKQylS73WQ4J/
suspicious_request: http://185.94.252.12/hhm6KW26WhMjoWhvSdH/YG4Aa/
suspicious_request: http://177.72.13.80/Ls0ka8LpRIq93c/y5s1P7vuWvf/MDLZ4GW1M6IGI/kXXhXgZ53vczE/aJ7352xkC1dmL/

Repeatedly searches for a not-found process, may want to run with startbrowser=1 option Severity: Medium Confidence: Very High

Expresses interest in specific running processes Severity: Medium Confidence: Very High

process: 30hCP55.exe

Dynamic (imported) function loading detected Severity: Medium Confidence: Very High

DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: comctl32.dll/HIMAGELIST_QueryInterface
DynamicLoader: comctl32.dll/DrawShadowText
DynamicLoader: comctl32.dll/DrawSizeBox
DynamicLoader: comctl32.dll/DrawScrollBar
DynamicLoader: comctl32.dll/SizeBoxHwnd
DynamicLoader: comctl32.dll/ScrollBar_MouseMove
DynamicLoader: comctl32.dll/ScrollBar_Menu
DynamicLoader: comctl32.dll/HandleScrollCmd
DynamicLoader: comctl32.dll/DetachScrollBars
DynamicLoader: comctl32.dll/AttachScrollBars
DynamicLoader: comctl32.dll/CCSetScrollInfo
DynamicLoader: comctl32.dll/CCGetScrollInfo
DynamicLoader: comctl32.dll/CCEnableScrollBar
DynamicLoader: comctl32.dll/QuerySystemGestureStatus
DynamicLoader: uxtheme.dll/
DynamicLoader: uxtheme.dll/DrawThemeBackground
DynamicLoader: kernel32.dll/VirtualAllocExNuma
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: CRYPTSP.dll/CryptDecrypt

Mimics the system's user agent string for its own requests Severity: Medium Confidence: Very High

Creates RWX memory Severity: Medium Confidence: Medium

SetUnhandledExceptionFilter detected (possible anti-debug) Severity: Low Confidence: Very High

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven02b_64	Seven02b_64	VirtualBox	2021-01-09 09:54:44	2021-01-09 09:57:46	182

5 Summary items with data

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Seven01\AppData\Local\Temp\30hCP55.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
C:\Windows\System32\*
C:\Users\Seven01\AppData\Local\Temp\30hCP55.exe
C:\

Read Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\30hCP55.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\30hCP55.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Sans Serif
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

kernel32.dll.IsProcessorFeaturePresent
ole32.dll.CoGetApartmentType
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetMalloc
comctl32.dll.InitCommonControlsEx
dwmapi.dll.DwmIsCompositionEnabled
comctl32.dll.HIMAGELIST_QueryInterface
comctl32.dll.DrawShadowText
comctl32.dll.DrawSizeBox
comctl32.dll.DrawScrollBar
comctl32.dll.SizeBoxHwnd
comctl32.dll.ScrollBar_MouseMove
comctl32.dll.ScrollBar_Menu
comctl32.dll.HandleScrollCmd
comctl32.dll.DetachScrollBars
comctl32.dll.AttachScrollBars
comctl32.dll.CCSetScrollInfo
comctl32.dll.CCGetScrollInfo
comctl32.dll.CCEnableScrollBar
comctl32.dll.QuerySystemGestureStatus
uxtheme.dll.#49
uxtheme.dll.DrawThemeBackground
kernel32.dll.VirtualAllocExNuma
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
cryptsp.dll.CryptDecrypt

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven02b_64	Seven02b_64	VirtualBox	2021-01-09 09:54:44	2021-01-09 09:57:46	182

16 HTTP Request(s) detected

http://179.60.229.168:443/rdmiUTQ5aCADZ9n/yuEpd6rAy8lFu2EFtO/

Hostname: 179.60.229.168:443
IP Address:
Port: 443
Count: 1

POST /rdmiUTQ5aCADZ9n/yuEpd6rAy8lFu2EFtO/ HTTP/1.1
Referer: http://179.60.229.168/rdmiUTQ5aCADZ9n/yuEpd6rAy8lFu2EFtO/
Content-Type: multipart/form-data; boundary=---------------------------548745437633411
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 179.60.229.168:443
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://185.94.252.13:443/EoumacLwm3iJCDyaJs/

Hostname: 185.94.252.13:443
IP Address:
Port: 443
Count: 1

POST /EoumacLwm3iJCDyaJs/ HTTP/1.1
Referer: http://185.94.252.13/EoumacLwm3iJCDyaJs/
Content-Type: multipart/form-data; boundary=---------------------------992049732983508
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.94.252.13:443
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://189.218.165.63/tMk5CVrFF7Vatmw/uOAR0iy8/MurTsTm/puEyfuZQNAKhtT0y/6lcUwFdu/9uUvKJ9khDPs/

Hostname: 189.218.165.63
IP Address:
Port: 80
Count: 1

POST /tMk5CVrFF7Vatmw/uOAR0iy8/MurTsTm/puEyfuZQNAKhtT0y/6lcUwFdu/9uUvKJ9khDPs/ HTTP/1.1
Referer: http://189.218.165.63/tMk5CVrFF7Vatmw/uOAR0iy8/MurTsTm/puEyfuZQNAKhtT0y/6lcUwFdu/9uUvKJ9khDPs/
Content-Type: multipart/form-data; boundary=---------------------------889098536458669
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 189.218.165.63
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://2.47.112.152/9UnuEj/yDFmpFXiQvZVMl/CZxxLL5qSp/ek38JmKJ3iLIFU9Z/Nonp4Kcs/

Hostname: 2.47.112.152
IP Address:
Port: 80
Count: 1

POST /9UnuEj/yDFmpFXiQvZVMl/CZxxLL5qSp/ek38JmKJ3iLIFU9Z/Nonp4Kcs/ HTTP/1.1
Referer: http://2.47.112.152/9UnuEj/yDFmpFXiQvZVMl/CZxxLL5qSp/ek38JmKJ3iLIFU9Z/Nonp4Kcs/
Content-Type: multipart/form-data; boundary=---------------------------878717869230533
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 2.47.112.152
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://185.94.252.27:443/NrBtou/KeHrYxqUAGg0G/ico6XRVKMT52Uk/

Hostname: 185.94.252.27:443
IP Address:
Port: 443
Count: 1

POST /NrBtou/KeHrYxqUAGg0G/ico6XRVKMT52Uk/ HTTP/1.1
Referer: http://185.94.252.27/NrBtou/KeHrYxqUAGg0G/ico6XRVKMT52Uk/
Content-Type: multipart/form-data; boundary=---------------------------655044638251237
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.94.252.27:443
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://191.99.160.58/0NFgCgNscsJT4/EEYR55nXJFKmiuPm/

Hostname: 191.99.160.58
IP Address:
Port: 80
Count: 1

POST /0NFgCgNscsJT4/EEYR55nXJFKmiuPm/ HTTP/1.1
Referer: http://191.99.160.58/0NFgCgNscsJT4/EEYR55nXJFKmiuPm/
Content-Type: multipart/form-data; boundary=---------------------------912622654205276
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 191.99.160.58
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://181.31.211.181/VWOckRDuDMvLBk7u/

Hostname: 181.31.211.181
IP Address:
Port: 80
Count: 1

POST /VWOckRDuDMvLBk7u/ HTTP/1.1
Referer: http://181.31.211.181/VWOckRDuDMvLBk7u/
Content-Type: multipart/form-data; boundary=---------------------------928497389577206
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 181.31.211.181
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://202.62.39.111/SMgohJYp/

Hostname: 202.62.39.111
IP Address:
Port: 80
Count: 1

POST /SMgohJYp/ HTTP/1.1
Referer: http://202.62.39.111/SMgohJYp/
Content-Type: multipart/form-data; boundary=---------------------------570879630754261
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 202.62.39.111
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://177.75.143.112:443/Srbbgd3hhKk/CcqOM/

Hostname: 177.75.143.112:443
IP Address:
Port: 443
Count: 1

POST /Srbbgd3hhKk/CcqOM/ HTTP/1.1
Referer: http://177.75.143.112/Srbbgd3hhKk/CcqOM/
Content-Type: multipart/form-data; boundary=---------------------------752927675376301
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 177.75.143.112:443
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://190.17.195.202/MKAAsWPxNUj/dhM2i/bnsvUaomnnbmFZVGOH/isDC0YbQlotvdVcX5KX/

Hostname: 190.17.195.202
IP Address:
Port: 80
Count: 1

POST /MKAAsWPxNUj/dhM2i/bnsvUaomnnbmFZVGOH/isDC0YbQlotvdVcX5KX/ HTTP/1.1
Referer: http://190.17.195.202/MKAAsWPxNUj/dhM2i/bnsvUaomnnbmFZVGOH/isDC0YbQlotvdVcX5KX/
Content-Type: multipart/form-data; boundary=---------------------------246112132043945
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 190.17.195.202
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache

http://181.167.96.215/JL8PZh/35lUjIOyVu3/5gnCayEA0SaJA5YSzCy/

Hostname: 181.167.96.215
IP Address:
Port: 80
Count: 1

POST /JL8PZh/35lUjIOyVu3/5gnCayEA0SaJA5YSzCy/ HTTP/1.1
Referer: http://181.167.96.215/JL8PZh/35lUjIOyVu3/5gnCayEA0SaJA5YSzCy/
Content-Type: multipart/form-data; boundary=---------------------------028216674765742
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 181.167.96.215
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache

http://143.0.87.101/pWb8/

Hostname: 143.0.87.101
IP Address:
Port: 80
Count: 1

POST /pWb8/ HTTP/1.1
Referer: http://143.0.87.101/pWb8/
Content-Type: multipart/form-data; boundary=---------------------------147143983000082
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 143.0.87.101
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache

http://46.214.11.172/DSpU2apaw3mWI/5Mvold5yP9LfGO/pinWaB3naX/GgZu7FgiBjja40V7C1/hBp6un2KV62F6/qkC4a/

Hostname: 46.214.11.172
IP Address:
Port: 80
Count: 1

POST /DSpU2apaw3mWI/5Mvold5yP9LfGO/pinWaB3naX/GgZu7FgiBjja40V7C1/hBp6un2KV62F6/qkC4a/ HTTP/1.1
Referer: http://46.214.11.172/DSpU2apaw3mWI/5Mvold5yP9LfGO/pinWaB3naX/GgZu7FgiBjja40V7C1/hBp6un2KV62F6/qkC4a/
Content-Type: multipart/form-data; boundary=---------------------------332382954295684
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 46.214.11.172
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache

http://114.109.179.60/ygnrGKQylS73WQ4J/

Hostname: 114.109.179.60
IP Address:
Port: 80
Count: 1

POST /ygnrGKQylS73WQ4J/ HTTP/1.1
Referer: http://114.109.179.60/ygnrGKQylS73WQ4J/
Content-Type: multipart/form-data; boundary=---------------------------398680144939564
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 114.109.179.60
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache

http://185.94.252.12/hhm6KW26WhMjoWhvSdH/YG4Aa/

Hostname: 185.94.252.12
IP Address:
Port: 80
Count: 1

POST /hhm6KW26WhMjoWhvSdH/YG4Aa/ HTTP/1.1
Referer: http://185.94.252.12/hhm6KW26WhMjoWhvSdH/YG4Aa/
Content-Type: multipart/form-data; boundary=---------------------------050516639408979
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.94.252.12
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache

http://177.72.13.80/Ls0ka8LpRIq93c/y5s1P7vuWvf/MDLZ4GW1M6IGI/kXXhXgZ53vczE/aJ7352xkC1dmL/

Hostname: 177.72.13.80
IP Address:
Port: 80
Count: 1

POST /Ls0ka8LpRIq93c/y5s1P7vuWvf/MDLZ4GW1M6IGI/kXXhXgZ53vczE/aJ7352xkC1dmL/ HTTP/1.1
Referer: http://177.72.13.80/Ls0ka8LpRIq93c/y5s1P7vuWvf/MDLZ4GW1M6IGI/kXXhXgZ53vczE/aJ7352xkC1dmL/
Content-Type: multipart/form-data; boundary=---------------------------027280889753019
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 177.72.13.80
Content-Length: 4484
Connection: Keep-Alive
Cache-Control: no-cache

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven02b_64	Seven02b_64	VirtualBox	2021-01-09 09:54:44	2021-01-09 09:57:46	182

35 Host(s) detected

IP Address	Hostname	Reverse DNS
89.32.150.160		ns01.hotnethosting.net.
87.106.46.107		s17342418.onlinehome-server.info.
83.169.21.32		lvps83-169-21-32.dedicated.hosteurope.de.
82.196.15.205		vigour2.genchev.info.
77.90.136.129		mail.twintaekwondo.de.
72.47.248.48
68.183.170.114
61.92.159.208		061092159208.ctinets.com.
51.255.165.160		160.ip-51-255-165.eu.
46.214.11.172		46-214-11-172.next-gen.ro.
217.199.160.224		825367.vps-10.com.
217.13.106.14
212.71.237.140		web2.leevee.it.
202.62.39.111
2.47.112.152		net-2-47-112-152.cust.vodafonedsl.it.
191.99.160.58
190.6.193.152		190-6-193-152.reverse.cablecolor.hn.
190.17.195.202		202-195-17-190.fibertel.com.ar.
189.218.165.63		cablelink-189-218-165-63.hosts.intercable.net.
186.250.52.226		186.250.52.226.redfoxtelecom.com.br.
185.94.252.27		customer.megaservers.de.
185.94.252.13		customer.megaservers.de.
185.94.252.12		customer.megaservers.de.
181.31.211.181		181-211-31-181.fibertel.com.ar.
181.167.96.215		215-96-167-181.fibertel.com.ar.
181.129.96.162		static-181-129-96-162.une.net.co.
179.60.229.168		red60.229.167-velonet.com.ar.
177.75.143.112		177.75.143.112.mhnet.com.br.
177.72.13.80		user-80-aru-pop-13.lmnetwork.com.br.
143.0.87.101		143-0-87-101.redesiminternet.com.br.
137.74.106.111		ip111.ip-137-74-106.eu.
12.162.84.2
114.109.179.60		cm-114-109-179-60.revip13.asianet.co.th.
104.131.41.185
104.131.103.37

Host(s) by Country

Hosts	Country 17
6	Germany
5	United States
4	Brazil
4	Argentina
3	United Kingdom
2	France
1	Mexico
1	Colombia
1	Thailand
1	Honduras
1	Cambodia
1	Hong Kong
1	Netherlands
1	Romania
1	Hungary
1	Italy
1	Ecuador

#infosec #automation

TheSystem Itself @ 2021-01-09 10:09:07

Detected family: #Emotet

TheSystem Itself @ 2021-03-07 03:42:02