emotet | 001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d

General

Target

emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe
Size

688KB
MD5

b7f8aaaa75c6ffcd3ed95e9abcf41cf7
SHA1

e26f21c62a6266b9a2c9531292beb8b469e396f5
SHA256

001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d
SHA512

2be433bd57539b61f2e360434971b1c60e72df7f3396aff9c38b1393026f7946044da47a720789815ba5b422fd27d62db61eac3b8a734ab6bdbc38a3e453431a

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

179.60.229.168:443

185.94.252.13:443

189.218.165.63:80

77.90.136.129:8080

217.199.160.224:7080

104.131.41.185:8080

2.47.112.152:80

185.94.252.27:443

186.250.52.226:8080

51.255.165.160:8080

68.183.170.114:8080

191.99.160.58:80

104.131.103.37:8080

181.31.211.181:80

202.62.39.111:80

83.169.21.32:7080

87.106.46.107:8080

72.47.248.48:7080

177.75.143.112:443

190.17.195.202:80

rsa_pubkey.plain

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	KBDUS.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3056	KBDUS.exe
3056	KBDUS.exe
3056	KBDUS.exe
3056	KBDUS.exe
3056	KBDUS.exe
3056	KBDUS.exe

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

resource	yara_rule
behavioral2/memory/3816-0-0x0000000000670000-0x000000000067C000-memory.dmp	emotet
behavioral2/memory/3056-3-0x0000000002140000-0x000000000214C000-memory.dmp	emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winrshost\KBDUS.exe	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3816	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe
3816	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe
3056	KBDUS.exe
3056	KBDUS.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3816	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 3056	3816	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe	66
PID 3816 wrote to memory of 3056	3816	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe	66
PID 3816 wrote to memory of 3056	3816	emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe	66

C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe
"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_001588e09c39c49964e12f781e30d12bdde8bdb799b5859f9b2225518f7b5d1d_2020-07-29__052658._exe.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\winrshost\KBDUS.exe
  "C:\Windows\SysWOW64\winrshost\KBDUS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3056-3-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/3816-0-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing