emotet | c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd

General

Target

c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd
Sample

200122-jyzeg1enhs
SHA256

c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

81.214.253.80:443

98.15.140.226:80

180.33.71.88:80

178.33.167.120:8080

144.76.56.36:8080

176.58.93.123:80

51.38.134.203:8080

196.6.119.137:80

82.79.244.92:80

175.181.7.188:80

183.87.40.21:8080

201.183.251.100:80

91.73.169.210:80

188.251.213.180:443

110.142.161.90:80

177.144.130.105:443

106.248.79.174:80

70.45.30.28:80

187.72.47.161:443

185.244.167.25:443

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4920	4896	c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe	72
PID 320 wrote to memory of 1628	320	driverthrd.exe	79

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
4920	c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe
1628	driverthrd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4920	c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1628	driverthrd.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

Drops file in System32 directory 6 IoCs

description	ioc	Process
File renamed	C:\Users\Admin\AppData\Local\Temp\c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe => C:\Windows\SysWOW64\driverthrd.exe	c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	driverthrd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	driverthrd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	driverthrd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	driverthrd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	driverthrd.exe

C:\Users\Admin\AppData\Local\Temp\c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe
"C:\Users\Admin\AppData\Local\Temp\c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\c76d65d7c08ebf0b02b48a8a187e2a0e53b5de9e319f568fdd2c5563a0bb08cd.exe
  --1b40d365
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: RenamesItself
  - Drops file in System32 directory
  PID:4920

C:\Windows\SysWOW64\driverthrd.exe
"C:\Windows\SysWOW64\driverthrd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\driverthrd.exe
  --83736ca0
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-3-0x00000000009F0000-0x0000000000A07000-memory.dmp

Filesize
92KB

Download
memory/1628-4-0x0000000000DA0000-0x0000000000DB7000-memory.dmp

Filesize
92KB

Download
memory/1628-5-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4896-0-0x0000000000660000-0x0000000000677000-memory.dmp

Filesize
92KB

Download
memory/4920-1-0x0000000000920000-0x0000000000937000-memory.dmp

Filesize
92KB

Download
memory/4920-2-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing