emotet | b74507b01e19be7d2be37748643fa21868953c384f01c4ebda0f3c675b347736

Analysis

max time kernel
114s
max time network
142s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wlandlg.bin.exe
Size

692KB
MD5

2709b1cb95453bfd6a2570ba336cd4b3
SHA1

15c0cc33f2e6cf69ecb8aae335c61b5147909d1b
SHA256

b74507b01e19be7d2be37748643fa21868953c384f01c4ebda0f3c675b347736
SHA512

dad56e7be4373411efc0b35395ba522db5dce7ef696136bf2835f60d29ab2844e934131813add7f3247c7d5adfe6cbed7689a207ef0e10198803cb7745f71aa1

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

181.120.79.227:80

91.236.4.234:443

190.17.195.202:80

104.131.103.37:8080

190.147.137.153:443

186.3.232.68:80

190.163.1.31:8080

143.0.87.101:80

70.32.115.157:8080

177.66.190.130:80

82.196.15.205:8080

77.90.136.129:8080

175.114.178.83:443

46.28.111.142:7080

94.176.234.118:443

114.109.179.60:80

70.32.84.74:8080

172.104.169.32:8080

113.190.254.245:80

81.169.202.3:443

rsa_pubkey.plain

Signatures

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
2536	wlandlg.bin.exe
2812	offfilt.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2536	wlandlg.bin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2812	2536	wlandlg.bin.exe	68
PID 2536 wrote to memory of 2812	2536	wlandlg.bin.exe	68
PID 2536 wrote to memory of 2812	2536	wlandlg.bin.exe	68

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2812	offfilt.exe
2812	offfilt.exe
2812	offfilt.exe
2812	offfilt.exe
2812	offfilt.exe
2812	offfilt.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2536	wlandlg.bin.exe
2536	wlandlg.bin.exe
2812	offfilt.exe
2812	offfilt.exe

C:\Users\Admin\AppData\Local\Temp\wlandlg.bin.exe
"C:\Users\Admin\AppData\Local\Temp\wlandlg.bin.exe"
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:2536
- C:\Windows\SysWOW64\offfilt\offfilt.exe
  "C:\Windows\SysWOW64\offfilt\offfilt.exe"
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-0-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/2536-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-3-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/2812-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download