emotet | a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e

General

Target

a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e
Sample

191112-q679f2ss1e
SHA256

a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e

Score

N/A

Malware Config

Extracted

Family

emotet

C2

181.197.108.171:443

191.100.24.201:50000

211.110.229.161:443

193.34.144.138:8080

74.208.173.91:8080

46.105.131.68:8080

152.169.32.143:8080

189.252.102.40:8080

154.120.227.206:8080

178.249.187.150:7080

103.205.177.229:80

157.7.164.178:8081

138.197.140.163:8080

95.216.212.157:8080

216.75.37.196:8080

216.70.88.55:8080

189.218.243.150:443

124.150.175.129:8080

198.57.217.170:8080

212.112.113.235:80

rsa_pubkey.plain

Signatures

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1096	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe
112	volbag.exe

Drops file in system dir 2 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe => C:\Windows\SysWOW64\volbag.exe	1096	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	112	volbag.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1096	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
112	volbag.exe

emotet family
family emotet

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1096	1348	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe	27
PID 756 wrote to memory of 112	756	volbag.exe	29

Emotet Sync 1 IoCs

trojan banker

description	ioc	pid	Process
Event created	Global\E582FAEE3	1096	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe

C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe
"C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe
--6c24e410
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
- Emotet Sync
PID:1096

C:\Windows\SysWOW64\volbag.exe
"C:\Windows\SysWOW64\volbag.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\volbag.exe
--56edb0c7
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing