emotet | 4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8

Analysis

max time kernel
69s
max time network
154s
platform
windows7_x64
resource
win7
submitted
14/07/2020, 22:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe
Size

92KB
MD5

cd71beb08ca6b582e97eb4104154b009
SHA1

d6875ef9d36960432f3f175123d91ba587c0a879
SHA256

4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8
SHA512

e0cb49327a3aca9d2a17932c794677af0c1ad9c904cbffbd90a913fb1411764ae042589c1374d0fe90d8a16c8d6e5322dc62f2dfda38b7d955b560bd124d1532

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

78.12.27.172:80

91.236.4.234:443

177.139.131.143:443

202.62.39.111:80

91.83.93.124:7080

187.162.248.237:80

192.241.143.52:8080

143.0.87.101:80

185.94.252.13:443

152.170.222.65:80

118.69.71.14:80

178.79.163.131:8080

104.131.41.185:8080

177.73.3.204:80

37.187.6.63:8080

201.213.32.59:80

177.38.15.151:80

104.131.103.37:8080

181.31.211.181:80

164.77.130.222:80

rsa_pubkey.plain

Signatures

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1284	1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe	24
PID 1088 wrote to memory of 1284	1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe	24
PID 1088 wrote to memory of 1284	1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe	24
PID 1088 wrote to memory of 1284	1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1284	Storprop.exe
1284	Storprop.exe
1284	Storprop.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe
1284	Storprop.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1088	4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe
1284	Storprop.exe

C:\Users\Admin\AppData\Local\Temp\4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe
"C:\Users\Admin\AppData\Local\Temp\4d0539b3f9eb7d08f259aee1935e7bd75644579c659ac1be2f103988f763d4a8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:1088
- C:\Windows\SysWOW64\Storprop\Storprop.exe
  "C:\Windows\SysWOW64\Storprop\Storprop.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EmotetMutantsSpam
  PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-0-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1088-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1284-3-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1284-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download