emotet | 46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769

General

Target

46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe
Size

428KB
MD5

d7663446854c99557e1b25f73fa45acd
SHA1

3fe8b600ec8a48c6a4f87e44df34ee9967babe1c
SHA256

46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769
SHA512

e1c4eef05b472e7cceabf267974e52850d9c572b87886c0461fbe1a43dcb102ea7b52bf846188aa13e9ef1c488ac6e54b92064ec6dabee0d9dbefccf43e95b0c

Score

10^/10

emotet epoch2 banker trojan upx

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

71.126.247.90:80

98.239.119.52:80

80.86.91.91:8080

104.236.28.47:8080

47.155.214.239:443

180.92.239.110:8080

87.106.136.232:8080

76.104.80.47:80

173.16.62.227:80

92.222.216.44:8080

47.153.183.211:80

74.130.83.133:80

47.156.70.145:80

110.36.217.66:8080

160.16.215.66:8080

200.116.145.225:443

181.13.24.82:80

24.94.237.248:80

5.32.55.214:80

31.172.240.91:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
task2/memory/4940-1-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
task2/memory/4252-3-0x0000000000400000-0x00000000004DA000-memory.dmp	upx

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
4940	46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe
4252	wininitext.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4252	wininitext.exe
4252	wininitext.exe
4252	wininitext.exe
4252	wininitext.exe
4252	wininitext.exe
4252	wininitext.exe
4252	wininitext.exe
4252	wininitext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4940	46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4940	46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe
4252	wininitext.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4252	4940	46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe	76
PID 4940 wrote to memory of 4252	4940	46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe	76
PID 4940 wrote to memory of 4252	4940	46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe	76

C:\Users\Admin\AppData\Local\Temp\46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe
"C:\Users\Admin\AppData\Local\Temp\46d44d81a8f0992c60be5edd73fade52c91acb9e2d7c227ee55b5a8a50862769.exe"
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\wininitext\wininitext.exe
  "C:\Windows\SysWOW64\wininitext\wininitext.exe"
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4252-2-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/4252-3-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/4940-0-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/4940-1-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing