emotet | 31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5

Analysis

max time kernel
30s
max time network
32s
platform
windows10_x64
resource
win10v200722
submitted
29-07-2020 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe
Size

668KB
MD5

21d37a1bbfac4766df8e494d63802c76
SHA1

371a58eb1894d1a0a822945c7ed40a3cc1f8606f
SHA256

31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5
SHA512

b3dd4a539e7e5111376ff54a72e7179d1f22b467a053c7ea8819d7cba4449d1195728632ed2d9f29b29bb4259270fad095c68f64f31c9d4ce85a8e277296dffc

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 716	484	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe	66
PID 484 wrote to memory of 716	484	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe	66
PID 484 wrote to memory of 716	484	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe	66

Executes dropped EXE 1 IoCs

pid	Process
716	wmpshell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
716	wmpshell.exe
716	wmpshell.exe
716	wmpshell.exe
716	wmpshell.exe

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

resource	yara_rule
behavioral1/memory/484-0-0x0000000000600000-0x000000000060C000-memory.dmp	emotet
behavioral1/memory/716-3-0x0000000000630000-0x000000000063C000-memory.dmp	emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker\wmpshell.exe	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
484	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe
484	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe
716	wmpshell.exe
716	wmpshell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
484	31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe

C:\Users\Admin\AppData\Local\Temp\31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe
"C:\Users\Admin\AppData\Local\Temp\31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: RenamesItself
PID:484
- C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker\wmpshell.exe
  "C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker\wmpshell.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-0-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/716-3-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download