emotet | 2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d

General

Target

2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe
Size

612KB
MD5

a5a3a2c77fa586b03c1a694984383585
SHA1

f5a553d1ae11d96c91b21d3824de67fdfdeb7dbc
SHA256

2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d
SHA512

c656842dabcc7bfafe09755dab19191ff5c7150520a506a55a5bcf83a8fd0a14b9189b43ffeace00166379876b9877a7698f50e260054c050389d4c9bca1589e

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

179.60.229.168:443

185.94.252.13:443

189.218.165.63:80

77.90.136.129:8080

217.199.160.224:7080

104.131.41.185:8080

2.47.112.152:80

185.94.252.27:443

186.250.52.226:8080

51.255.165.160:8080

68.183.170.114:8080

191.99.160.58:80

104.131.103.37:8080

181.31.211.181:80

202.62.39.111:80

83.169.21.32:7080

87.106.46.107:8080

72.47.248.48:7080

177.75.143.112:443

190.17.195.202:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\delegatorprovider\PresentationCFFRasterizerNative_v0300.exe	2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exePresentationCFFRasterizerNative_v0300.exe

pid	process
2584	2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe
2584	2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe
644	PresentationCFFRasterizerNative_v0300.exe
644	PresentationCFFRasterizerNative_v0300.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe

pid process

2584 2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe

description	pid	process	target process
PID 2584 wrote to memory of 644	2584	2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe	PresentationCFFRasterizerNative_v0300.exe
PID 2584 wrote to memory of 644	2584	2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe	PresentationCFFRasterizerNative_v0300.exe
PID 2584 wrote to memory of 644	2584	2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe	PresentationCFFRasterizerNative_v0300.exe

Executes dropped EXE 1 IoCs

Processes:

PresentationCFFRasterizerNative_v0300.exe

pid process

644 PresentationCFFRasterizerNative_v0300.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PresentationCFFRasterizerNative_v0300.exe

pid	process
644	PresentationCFFRasterizerNative_v0300.exe
644	PresentationCFFRasterizerNative_v0300.exe
644	PresentationCFFRasterizerNative_v0300.exe
644	PresentationCFFRasterizerNative_v0300.exe

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/2584-0-0x0000000000640000-0x000000000064C000-memory.dmp	emotet
behavioral1/memory/644-3-0x0000000000600000-0x000000000060C000-memory.dmp	emotet

C:\Users\Admin\AppData\Local\Temp\2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe
"C:\Users\Admin\AppData\Local\Temp\2193f5baf3a91ab8bb2181c1af0327f17c61c6dd4e017ed9f7b0baf8fe8d196d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\delegatorprovider\PresentationCFFRasterizerNative_v0300.exe
"C:\Windows\SysWOW64\delegatorprovider\PresentationCFFRasterizerNative_v0300.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delegatorprovider\PresentationCFFRasterizerNative_v0300.exe

Download Submit
memory/644-1-0x0000000000000000-mapping.dmp

Download
memory/644-3-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2584-0-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads