emotet | f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c

General

Target

f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c
Sample

200124-eaz1wxynm2
SHA256

f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

186.138.186.74:443

190.24.243.186:80

68.174.15.223:80

68.183.170.114:8080

45.79.95.107:443

192.241.143.52:8080

159.65.241.220:8080

142.93.114.137:8080

70.123.95.180:80

62.75.143.100:7080

91.242.136.103:80

109.169.86.13:8080

202.62.39.111:80

181.231.220.232:80

188.216.24.204:80

86.42.166.147:80

186.15.83.52:8080

178.79.163.131:8080

114.109.179.60:80

110.170.65.146:80

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1144	1980	f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe	27
PID 1416 wrote to memory of 752	1416	wmistrviolet.exe	29

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1144	f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe
752	wmistrviolet.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1144	f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
752	wmistrviolet.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

Drops file in System32 directory 2 IoCs

description	ioc	Process
File renamed	C:\Users\Admin\AppData\Local\Temp\f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe => C:\Windows\SysWOW64\wmistrviolet.exe	f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wmistrviolet.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1980	f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe
1144	f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe
1416	wmistrviolet.exe
752	wmistrviolet.exe

C:\Users\Admin\AppData\Local\Temp\f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe
"C:\Users\Admin\AppData\Local\Temp\f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1980
- C:\Users\Admin\AppData\Local\Temp\f1c64bff70543fe447502109429bf85a54e5bfcf0af11637b9cc6c9010bc6a2c.exe
  --420e60e7
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: RenamesItself
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1144

C:\Windows\SysWOW64\wmistrviolet.exe
"C:\Windows\SysWOW64\wmistrviolet.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1416
- C:\Windows\SysWOW64\wmistrviolet.exe
  --f66750f
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-4-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/752-5-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1144-1-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/1144-2-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1416-3-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1980-0-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing