emotet | e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5

General

Target

e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe
Size

38KB
MD5

dae7d3d570d2662257f3425f28a998b7
SHA1

212a492da3c3035719205d520e6424df148b7bda
SHA256

e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5
SHA512

44cca1f68b776182684d96359b3b857b5666f505b8fbe593a80715f8eaecb6d8c35d7f27e6231e988e1c65a7a92b3d4f6cc2908555935cae3ba04d8a3ad86d2d

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

181.225.24.251:80

190.240.194.77:80

198.58.119.85:8080

45.55.179.121:8080

95.66.182.136:80

177.144.130.105:443

46.32.229.152:8080

178.33.167.120:8080

78.189.60.109:443

172.104.70.207:8080

144.76.56.36:8080

41.215.79.182:80

113.160.88.86:443

114.151.14.161:80

190.17.94.108:443

70.60.238.62:80

109.236.109.159:8080

181.39.96.86:443

190.171.153.139:80

186.223.86.136:443

rsa_pubkey.plain

Signatures

Drops file in System32 directory 1 IoCs

Processes:

e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe

description	ioc	process
File renamed	C:\Users\Admin\AppData\Local\Temp\e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe => C:\Windows\SysWOW64\InkObjCore\InkObjCore.exe	e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exeInkObjCore.exe

pid process

4812 e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe
5052 InkObjCore.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe

pid process

4812 e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe

pid	process
4812	e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe
5052	InkObjCore.exe

pid	process
4812	e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe

description	pid	process	target process
PID 4812 wrote to memory of 5052	4812	e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe	InkObjCore.exe
PID 4812 wrote to memory of 5052	4812	e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe	InkObjCore.exe
PID 4812 wrote to memory of 5052	4812	e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe	InkObjCore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

InkObjCore.exe

pid process

5052 InkObjCore.exe
5052 InkObjCore.exe
5052 InkObjCore.exe
5052 InkObjCore.exe
5052 InkObjCore.exe
5052 InkObjCore.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

pid	process
5052	InkObjCore.exe
5052	InkObjCore.exe
5052	InkObjCore.exe
5052	InkObjCore.exe
5052	InkObjCore.exe
5052	InkObjCore.exe

C:\Users\Admin\AppData\Local\Temp\e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe
"C:\Users\Admin\AppData\Local\Temp\e70938317e22ca1d78129c8540761fecacdf48bf3b52a73bcc005272a4962fd5.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\InkObjCore\InkObjCore.exe
"C:\Windows\SysWOW64\InkObjCore\InkObjCore.exe"
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4812-0-0x0000000000D90000-0x0000000000D9B13C-memory.dmp

Filesize
44KB

Download
memory/5052-1-0x0000000000D90000-0x0000000000D9B13C-memory.dmp

Filesize
44KB

Download

Analysis

Sharing