Emotet Drops Trickbot (25-Jun-18) | Network
VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 | ms_office
Classification: Exploit, Dropper, Downloader

SHA256: 3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1
File name: 022543.doc
File type: Word Document
Created at: 2018-06-25 14:51:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Connection Overview

Contacted Hosts (6)

| Hostname | IP Address | Location | Protocols | Reputation Status | WHOIS Data |
|---|---|---|---|---|---|
| - | 197.245.46.11 | Pretoria (South Africa) | HTTP, TCP | Has Blacklisted URL | Not Queried |
| - | 216.46.44.93 | Princeville (Canada) | HTTP, TCP | Has Blacklisted URL | Not Queried |
| comprealm.net | 184.168.46.18 | Scottsdale (United States) | DNS | Unknown | Queried |
| www.icb.cl | 190.196.2.210 | Santiago (Chile) | HTTP, DNS, TCP | Unknown | Queried |
| - | 94.70.244.227 | Athens (Greece) | HTTP, TCP | Unknown | Not Queried |
| - | 190.213.248.219 | Piarco (Trinidad and Tobago) | TCP | Unknown | Not Queried |

Contacted URLs (5)

| URL | Categories | Names | HTTP Status Code | Reputation Status |
|---|---|---|---|---|
| 216.46.44.93 | - | - | - | Blacklisted |
| 197.245.46.11 | - | - | - | Blacklisted |
| www.icb.cl/ZxavoDe/ | - | - | HTTP_STATUS_OK (200) | Unknown |
| 94.70.244.227 | - | - | - | Unknown |
| http://94.70.244.227:80/whoami.php | - | - | - | Unknown |

Connections

DNS (2)

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Resolve Name | host = comprealm.net, address_out = 184.168.46.18 | True | 1 |
| Resolve Name | host = www.icb.cl, address_out = 190.196.2.210 | True | 1 |
HTTP Sessions (8)

Total Data Sent: 1.69 KB
Total Data Received: 1.23 MB
Contacted Host Count: 5
Contacted Hosts: www.icb.cl, 197.245.46.11, 216.46.44.93, 94.70.244.227, 190.213.248.219
HTTP Session #1

Server Name: www.icb.cl
Server Port: 80
Data Sent: 0.07 KB
Data Received: 104.34 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS | True | 1 |
| Open Connection | protocol = http, server_name = www.icb.cl, server_port = 80 | True | 1 |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /ZxavoDe/ | True | 1 |
| Send HTTP Request | headers = host: www.icb.cl, connection: Keep-Alive, url = www.icb.cl/ZxavoDe/ | True | 1 |
| Read Response | size = 4096, size_out = 4096 | True | 1 |
| Read Response | size = 65536, size_out = 4616 | True | 1 |
| Read Response | size = 65536, size_out = 1452 | True | 1 |
| Read Response | size = 65536, size_out = 7260 | True | 1 |
| Read Response | size = 65536, size_out = 2904 | True | 1 |
| Read Response | size = 65536, size_out = 1452 | True | 1 |
| Read Response | size = 65536, size_out = 7260 | True | 1 |
| Read Response | size = 65536, size_out = 5808 | True | 1 |
| Read Response | size = 65536, size_out = 1452 | True | 3 |
| Read Response | size = 65536, size_out = 2904 | True | 1 |
| Read Response | size = 64736, size_out = 2904 | True | 1 |
| Read Response | size = 61832, size_out = 23608 | True | 1 |
| Read Response | size = 38224, size_out = 2920 | True | 1 |
| Read Response | size = 35304, size_out = 2920 | True | 1 |
| Read Response | size = 32384, size_out = 2920 | True | 1 |
| Read Response | size = 29464, size_out = 1452 | True | 1 |
| Read Response | size = 28012, size_out = 1468 | True | 1 |
| Read Response | size = 26544, size_out = 1452 | True | 1 |
| Read Response | size = 25092, size_out = 1468 | True | 1 |
| Read Response | size = 23624, size_out = 7292 | True | 1 |
| Read Response | size = 16332, size_out = 1468 | True | 1 |
| Read Response | size = 14864, size_out = 7292 | True | 1 |
| Read Response | size = 7572, size_out = 5840 | True | 1 |
| Read Response | size = 1732, size_out = 1468 | True | 1 |
| Read Response | size = 264, size_out = 264 | True | 1 |
| Close Session | - | True | 1 |
HTTP Session #2

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 197.245.46.11
Server Port: 80
Data Sent: 0.33 KB
Data Received: 0.00 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
| Open Connection | protocol = HTTP, server_name = 197.245.46.11, server_port = 80 | True | 1 |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1 |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 197.245.46.11 | False | 1 |
| Close Session | - | True | 2 |
HTTP Session #3

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 216.46.44.93
Server Port: 80
Data Sent: 0.32 KB
Data Received: 877.56 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
| Open Connection | protocol = HTTP, server_name = 216.46.44.93, server_port = 80 | True | 1 |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1 |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 | True | 1 |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 | True | 1 |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 | True | 1 |
| Read Response | size = 898612, size_out = 898612 | True | 1 |
| Close Session | - | True | 2 |
HTTP Session #4

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 94.70.244.227
Server Port: 80
Data Sent: 0.00 KB
Data Received: 0.00 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
| Open Connection | protocol = http, server_name = 94.70.244.227, server_port = 80 | False | 1 |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | False | 1 |
HTTP Session #5

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 190.213.248.219
Server Port: 80
Data Sent: 0.00 KB
Data Received: 0.00 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
HTTP Session #6

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 216.46.44.93
Server Port: 80
Data Sent: 0.32 KB
Data Received: 273.82 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
| Open Connection | protocol = HTTP, server_name = 216.46.44.93, server_port = 80 | True | 1 |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1 |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 | True | 1 |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 | True | 1 |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 | True | 1 |
| Read Response | size = 280388, size_out = 280388 | True | 1 |
HTTP Session #7

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 94.70.244.227
Server Port: 80
Data Sent: 0.33 KB
Data Received: 0.00 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
| Open Connection | protocol = HTTP, server_name = 94.70.244.227, server_port = 80 | True | 1 |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1 |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 94.70.244.227 | False | 1 |
HTTP Session #8

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name: 216.46.44.93
Server Port: 80
Data Sent: 0.32 KB
Data Received: 0.15 KB

| Operation | Additional Information | Success | Count |
|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1 |
| Open Connection | protocol = HTTP, server_name = 216.46.44.93, server_port = 80 | True | 1 |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1 |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 | True | 1 |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 | True | 1 |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 | True | 1 |
| Read Response | size = 148, size_out = 148 | True | 1 |
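The session log above shows two distinct network stages: one WinHTTP GET to a named host (www.icb.cl/ZxavoDe/) with no User-Agent set, followed by WinINet POSTs to bare IP addresses that never appeared in a DNS answer, all carrying the same static IE7-on-Windows-7 User-Agent, two of which were answered with large bodies (898612 and 280388 bytes). The following Python is an added example, not part of the VMRay report, that transcribes the DNS answers and HTTP sessions above into records and applies exactly those traits as detection heuristics. The dataclass, function names, the 64 KB body threshold and the two-hit minimum are this example's own assumptions; session #5 is omitted because it never sent a request. It deliberately does not flag the stage-one download from www.icb.cl, which looks like an ordinary GET to a named host; that URL has to be carried as an indicator in its own right.

```python
"""Flag Emotet-style C2 sessions in HTTP session records.

Heuristics taken from the session log in the report:
  1. the server is an IP literal that no DNS answer in the trace produced
     (hard-coded C2 list, no name resolution),
  2. POST to the bare host with no resource path,
  3. the static IE7-on-Windows-7 User-Agent string,
  4. a POST answered with a large body (module/payload retrieval).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Static User-Agent string seen on every WinINet session in the report.
EMOTET_UA = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E)"
)
LARGE_POST_RESPONSE = 64 * 1024  # assumption: tune per environment


@dataclass
class HttpSession:
    server: str                # hostname or IP literal the client connected to
    method: str                # GET / POST
    path: str                  # resource path, "" when the URL was the bare host
    user_agent: Optional[str]  # None when the client set no UA (WinHTTP stage)
    bytes_received: int


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def session_indicators(sess: HttpSession, resolved_ips: Set[str]) -> List[str]:
    """Return the list of heuristics a single session matches."""
    hits = []
    if is_ip_literal(sess.server) and sess.server not in resolved_ips:
        hits.append("direct-to-IP with no preceding DNS answer")
    if sess.method == "POST" and sess.path in ("", "/"):
        hits.append("POST to bare host, no resource path")
    if sess.user_agent == EMOTET_UA:
        hits.append("static IE7/Win7 User-Agent")
    if sess.method == "POST" and sess.bytes_received >= LARGE_POST_RESPONSE:
        hits.append(f"large body ({sess.bytes_received} bytes) returned to a POST")
    return hits


def flag_c2_hosts(sessions: List[HttpSession], resolved_ips: Set[str],
                  min_hits: int = 2) -> Dict[str, List[str]]:
    """Map every server matching at least `min_hits` heuristics to its reasons.

    Reasons are merged per server, so a host that only ever received a failed
    0-byte POST (197.245.46.11 in the report) is still flagged.
    """
    flagged: Dict[str, List[str]] = {}
    for sess in sessions:
        hits = session_indicators(sess, resolved_ips)
        if not hits:
            continue
        merged = flagged.setdefault(sess.server, [])
        for hit in hits:
            if hit not in merged:
                merged.append(hit)
    return {srv: r for srv, r in flagged.items() if len(r) >= min_hits}


# Constructed input: the DNS answers and HTTP sessions transcribed from the
# report (stage-one byte count is the sum of its Read Response chunks).
RESOLVED_IPS = {"184.168.46.18", "190.196.2.210"}
SESSIONS = [
    HttpSession("www.icb.cl", "GET", "/ZxavoDe/", None, 106844),  # stage-one download
    HttpSession("197.245.46.11", "POST", "", EMOTET_UA, 0),        # send failed
    HttpSession("216.46.44.93", "POST", "", EMOTET_UA, 898612),
    HttpSession("94.70.244.227", "GET", "/whoami.php", EMOTET_UA, 0),
    HttpSession("216.46.44.93", "POST", "", EMOTET_UA, 280388),
    HttpSession("94.70.244.227", "POST", "", EMOTET_UA, 0),
    HttpSession("216.46.44.93", "POST", "", EMOTET_UA, 148),
]

if __name__ == "__main__":
    for host, reasons in sorted(flag_c2_hosts(SESSIONS, RESOLVED_IPS).items()):
        print(host)
        for reason in reasons:
            print("   -", reason)
```

Running it lists 197.245.46.11, 216.46.44.93 and 94.70.244.227 with their matched traits; raising `min_hits` to 4 narrows the result to 216.46.44.93, the only host that both answered the beacons and delivered payloads. The direct-to-IP check is the one worth wiring into a proxy or Zeek pipeline on its own: correlating HTTP destinations against the DNS answers seen from the same client catches hard-coded C2 lists regardless of User-Agent or body size.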