emotet | 763d2a1a32df52fe199d7ab1bc2dc6c028521244b8faad7b6be21fd76657c8ab

Analysis

max time kernel
138s
max time network
148s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Emotet (2).bin.exe
Size

104KB
MD5

cc217469d3c5b9163db9debdeda105f7
SHA1

5572b1e822116ecc5a6a1891681d38b6484b67d6
SHA256

763d2a1a32df52fe199d7ab1bc2dc6c028521244b8faad7b6be21fd76657c8ab
SHA512

7fa2f38d26038816afb87c757ef958ff6cba802f1cc6366a002ece6b66a24fa69fc29d50ba1053189d0245470a70c8e80f5f532c62fa76693a6476dd5d7bfc78

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

181.230.65.232:80

77.74.78.80:443

192.241.220.183:8080

195.201.56.70:8080

125.63.106.22:80

203.153.216.178:7080

139.59.12.63:8080

190.251.235.239:80

14.99.112.138:80

192.163.221.191:8080

46.49.124.53:80

81.214.253.80:443

46.32.229.152:8080

74.208.173.91:8080

163.172.107.70:8080

37.46.129.215:8080

212.112.113.235:80

50.116.78.109:8080

113.161.148.81:80

78.188.170.128:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Emotet (2).bin.exemsxml3.exe

pid process

992 Emotet (2).bin.exe
992 Emotet (2).bin.exe
1632 msxml3.exe
1632 msxml3.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

Emotet (2).bin.exemsxml3.exe

pid process

992 Emotet (2).bin.exe
1632 msxml3.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Emotet (2).bin.exe

pid process

992 Emotet (2).bin.exe

pid	process
992	Emotet (2).bin.exe
992	Emotet (2).bin.exe
1632	msxml3.exe
1632	msxml3.exe

pid	process
992	Emotet (2).bin.exe
1632	msxml3.exe

pid	process
992	Emotet (2).bin.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Emotet (2).bin.exe

description	pid	process	target process
PID 992 wrote to memory of 1632	992	Emotet (2).bin.exe	msxml3.exe
PID 992 wrote to memory of 1632	992	Emotet (2).bin.exe	msxml3.exe
PID 992 wrote to memory of 1632	992	Emotet (2).bin.exe	msxml3.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msxml3.exe

pid process

1632 msxml3.exe
1632 msxml3.exe
1632 msxml3.exe
1632 msxml3.exe
1632 msxml3.exe
1632 msxml3.exe

pid	process
1632	msxml3.exe
1632	msxml3.exe
1632	msxml3.exe
1632	msxml3.exe
1632	msxml3.exe
1632	msxml3.exe

C:\Users\Admin\AppData\Local\Temp\Emotet (2).bin.exe
"C:\Users\Admin\AppData\Local\Temp\Emotet (2).bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\msxml3\msxml3.exe
"C:\Windows\SysWOW64\msxml3\msxml3.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-0-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/992-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1632-2-0x0000000000000000-mapping.dmp

Download
memory/1632-3-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/1632-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download