emotet | b74507b01e19be7d2be37748643fa21868953c384f01c4ebda0f3c675b347736

Analysis

max time kernel
64s
max time network
129s
platform
windows7_x64
resource
win7
submitted
10/07/2020, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wlandlg.bin.exe
Size

692KB
MD5

2709b1cb95453bfd6a2570ba336cd4b3
SHA1

15c0cc33f2e6cf69ecb8aae335c61b5147909d1b
SHA256

b74507b01e19be7d2be37748643fa21868953c384f01c4ebda0f3c675b347736
SHA512

dad56e7be4373411efc0b35395ba522db5dce7ef696136bf2835f60d29ab2844e934131813add7f3247c7d5adfe6cbed7689a207ef0e10198803cb7745f71aa1

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

181.120.79.227:80

91.236.4.234:443

190.17.195.202:80

104.131.103.37:8080

190.147.137.153:443

186.3.232.68:80

190.163.1.31:8080

143.0.87.101:80

70.32.115.157:8080

177.66.190.130:80

82.196.15.205:8080

77.90.136.129:8080

175.114.178.83:443

46.28.111.142:7080

94.176.234.118:443

114.109.179.60:80

70.32.84.74:8080

172.104.169.32:8080

113.190.254.245:80

81.169.202.3:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1588	wlandlg.bin.exe
1588	wlandlg.bin.exe
800	xwtpw32.exe
800	xwtpw32.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1588	wlandlg.bin.exe
800	xwtpw32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1588	wlandlg.bin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 800	1588	wlandlg.bin.exe	24
PID 1588 wrote to memory of 800	1588	wlandlg.bin.exe	24
PID 1588 wrote to memory of 800	1588	wlandlg.bin.exe	24
PID 1588 wrote to memory of 800	1588	wlandlg.bin.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
800	xwtpw32.exe
800	xwtpw32.exe
800	xwtpw32.exe

C:\Users\Admin\AppData\Local\Temp\wlandlg.bin.exe
"C:\Users\Admin\AppData\Local\Temp\wlandlg.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\xwtpw32\xwtpw32.exe
  "C:\Windows\SysWOW64\xwtpw32\xwtpw32.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: EnumeratesProcesses
  PID:800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-3-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/800-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-0-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/1588-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download