emotet | d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b

General

Target

d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b
Sample

191216-8xx41bl79n
SHA256

d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b

Score

N/A

Malware Config

Extracted

Family

emotet

C2

66.209.97.122:8080

174.77.190.137:8080

104.137.176.186:80

165.227.156.155:443

167.99.105.223:7080

67.225.179.64:8080

176.31.200.130:8080

5.196.74.210:8080

82.155.161.203:80

101.187.247.29:80

120.150.246.241:80

73.11.153.178:8080

91.205.215.66:443

70.46.247.81:80

24.93.212.32:80

139.130.241.252:443

70.175.171.251:80

217.160.182.191:8080

104.236.246.93:8080

98.24.231.64:80

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 316	1064	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe	27
PID 836 wrote to memory of 292	836	sensortexas.exe	29

Emotet Sync 1 IoCs

trojan banker

description	ioc	pid	Process
Event created	Global\E9DFADBCD	316	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
316	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe
292	sensortexas.exe

Drops file in system dir 2 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\AppData\Local\Temp\d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe => C:\Windows\SysWOW64\sensortexas.exe	316	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	292	sensortexas.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
316	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
292	sensortexas.exe

emotet family
family emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1064	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe
316	d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe
836	sensortexas.exe
292	sensortexas.exe

C:\Users\Admin\AppData\Local\Temp\d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe
"C:\Users\Admin\AppData\Local\Temp\d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Temp\d926bffb7d4d8e2cac599c5ad0acdd3ec04001481f26a507f7bd15287aa85f1b.exe
--c4007a16
1⤵
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:316

C:\Windows\SysWOW64\sensortexas.exe
"C:\Windows\SysWOW64\sensortexas.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SysWOW64\sensortexas.exe
--aa44eb55
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-4-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/292-5-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/316-1-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download
memory/316-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/836-3-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/1064-0-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing