emotet | e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6

General

Target

e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6
Sample

191115-16j6rcp43j
SHA256

e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6

Score

N/A

Malware Config

Extracted

Family

emotet

C2

65.23.154.17:8080

144.76.56.36:8080

78.47.106.72:8080

178.79.161.166:443

192.241.220.155:8080

37.157.194.134:443

165.227.156.155:443

178.210.51.222:8080

5.196.74.210:8080

186.4.172.5:8080

45.33.49.124:443

91.205.215.66:8080

78.24.219.147:8080

46.105.131.87:80

149.202.153.252:8080

85.104.59.244:20

186.4.172.5:443

103.39.131.88:80

83.136.245.190:8080

169.239.182.217:8080

rsa_pubkey.plain

Signatures

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1108	e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe
1016	anglehant.exe

Drops file in system dir 2 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\AppData\Local\Temp\e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe => C:\Windows\SysWOW64\anglehant.exe	1108	e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	1016	anglehant.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1108	e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1016	anglehant.exe

emotet family
family emotet

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1108	1512	e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe	27
PID 1168 wrote to memory of 1016	1168	anglehant.exe	29

Emotet Sync 1 IoCs

trojan banker

description	ioc	pid	Process
Event created	Global\E582FAEE3	1108	e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe

C:\Users\Admin\AppData\Local\Temp\e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe
"C:\Users\Admin\AppData\Local\Temp\e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\e30fb527116a3b5c573ec4efbe2e5badae414b3fda6650b15538376dd461c8e6.exe
--57d75965
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
- Emotet Sync
PID:1108

C:\Windows\SysWOW64\anglehant.exe
"C:\Windows\SysWOW64\anglehant.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\anglehant.exe
--e265b308
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-5-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/1016-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1108-2-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/1108-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1168-4-0x00000000003D0000-0x00000000003E5000-memory.dmp

Filesize
84KB

Download
memory/1512-0-0x0000000000280000-0x0000000000295000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing