emotet | 763d2a1a32df52fe199d7ab1bc2dc6c028521244b8faad7b6be21fd76657c8ab

Analysis

max time kernel
64s
max time network
153s
platform
windows7_x64
resource
win7
submitted
13-07-2020 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Emotet (2).bin.exe
Size

104KB
MD5

cc217469d3c5b9163db9debdeda105f7
SHA1

5572b1e822116ecc5a6a1891681d38b6484b67d6
SHA256

763d2a1a32df52fe199d7ab1bc2dc6c028521244b8faad7b6be21fd76657c8ab
SHA512

7fa2f38d26038816afb87c757ef958ff6cba802f1cc6366a002ece6b66a24fa69fc29d50ba1053189d0245470a70c8e80f5f532c62fa76693a6476dd5d7bfc78

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

181.230.65.232:80

77.74.78.80:443

192.241.220.183:8080

195.201.56.70:8080

125.63.106.22:80

203.153.216.178:7080

139.59.12.63:8080

190.251.235.239:80

14.99.112.138:80

192.163.221.191:8080

46.49.124.53:80

81.214.253.80:443

46.32.229.152:8080

74.208.173.91:8080

163.172.107.70:8080

37.46.129.215:8080

212.112.113.235:80

50.116.78.109:8080

113.161.148.81:80

78.188.170.128:80

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Emotet (2).bin.exe

description	pid	process	target process
PID 1340 wrote to memory of 1556	1340	Emotet (2).bin.exe	ole32.exe
PID 1340 wrote to memory of 1556	1340	Emotet (2).bin.exe	ole32.exe
PID 1340 wrote to memory of 1556	1340	Emotet (2).bin.exe	ole32.exe
PID 1340 wrote to memory of 1556	1340	Emotet (2).bin.exe	ole32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ole32.exe

pid process

1556 ole32.exe
1556 ole32.exe
1556 ole32.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Emotet (2).bin.exeole32.exe

pid process

1340 Emotet (2).bin.exe
1340 Emotet (2).bin.exe
1556 ole32.exe
1556 ole32.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

Emotet (2).bin.exeole32.exe

pid process

1340 Emotet (2).bin.exe
1556 ole32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Emotet (2).bin.exe

pid process

1340 Emotet (2).bin.exe

pid	process
1556	ole32.exe
1556	ole32.exe
1556	ole32.exe

pid	process
1340	Emotet (2).bin.exe
1340	Emotet (2).bin.exe
1556	ole32.exe
1556	ole32.exe

pid	process
1340	Emotet (2).bin.exe
1556	ole32.exe

pid	process
1340	Emotet (2).bin.exe

C:\Users\Admin\AppData\Local\Temp\Emotet (2).bin.exe
"C:\Users\Admin\AppData\Local\Temp\Emotet (2).bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
PID:1340

C:\Windows\SysWOW64\ole32\ole32.exe
"C:\Windows\SysWOW64\ole32\ole32.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-0-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1340-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1556-2-0x0000000000000000-mapping.dmp

Download
memory/1556-3-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1556-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download