Triage | Behavioral Report

Analysis

max time kernel
120s
max time network
148s
platform
windows7_x64
resource
win7
submitted
09-09-2020 17:32

Sharing

Report Files Registry Network Processes Mutex Misc

General

Target

E3.bin.exe
Size

608KB
MD5

2f29d97e32543fc84bcce2329f7fa67a
SHA1

10a01a286ccd88c8d4851d99a3ed35fd080eeb3a
SHA256

b1bea682ad5cd9c75f156c91d950baf9e7b6e2febc2c775f5f7eefe681c6bda4
SHA512

b2e46a07daa43eef710a9a1911a09a4022eda136c822fbdaf4c264e6664e5a8009cf84ab2d91a0e41b533525b8fdd959edbf071f772df524fbcba9d5bd7112d7

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family	emotet
C2	190.194.12.132:80 51.254.140.91:7080 51.75.163.68:7080 162.144.42.60:8080 77.74.78.80:443 143.95.101.72:8080 81.214.253.80:443 222.159.240.58:80 37.205.9.252:7080 45.182.161.17:80 188.0.135.237:80 118.10.44.53:80 223.17.215.76:80 80.200.62.81:20 179.191.239.255:80 172.105.78.244:8080 181.122.154.240:80 41.185.29.128:8080 198.57.203.63:8080 179.62.238.49:80 54.38.143.245:8080 37.187.100.220:7080 5.79.70.250:8080 81.17.93.134:80 190.190.15.20:80 91.83.93.103:443 153.198.1.184:443 58.27.215.3:8080 185.208.226.142:8080 91.105.94.200:80 128.106.187.110:80 114.158.45.53:80 179.5.118.12:80 91.75.75.46:80 192.163.221.191:8080 190.212.133.239:443 66.61.94.36:80 37.46.129.215:8080 185.86.148.68:443 157.245.138.101:7080 8.4.9.137:8080 201.213.177.139:80 113.156.82.32:80 188.251.213.180:443 74.208.173.91:8080 181.137.229.1:80 113.161.148.81:80 157.7.164.178:8081 89.2.145.86:80 172.96.190.154:8080 139.59.12.63:8080 50.116.78.109:8080 95.216.205.155:8080 86.98.143.163:80 73.84.105.76:80 167.71.227.113:8080 190.164.75.175:80 103.80.51.61:8080 88.247.58.26:80 46.105.131.68:8080 88.249.181.198:443 190.53.144.120:80 203.153.216.178:7080 185.142.236.163:443 51.38.201.19:7080 192.241.220.183:8080 178.33.167.120:8080 60.125.114.64:443 190.96.15.50:80 177.144.130.105:443 175.29.183.2:80 197.232.36.108:80 115.78.11.155:80 24.26.151.3:80 115.79.195.246:80 46.32.229.152:8080 192.210.217.94:8080 195.201.56.70:8080 75.127.14.170:8080 36.91.44.183:80 190.136.179.102:80 190.212.140.6:80 118.101.24.148:80 105.209.235.113:8080 2.144.244.204:443 177.94.227.143:80 190.194.12.132:80 51.254.140.91:7080 51.75.163.68:7080 162.144.42.60:8080 77.74.78.80:443 143.95.101.72:8080 81.214.253.80:443 222.159.240.58:80 37.205.9.252:7080 45.182.161.17:80 188.0.135.237:80 118.10.44.53:80 223.17.215.76:80 80.200.62.81:20 179.191.239.255:80 172.105.78.244:8080 181.122.154.240:80 41.185.29.128:8080 198.57.203.63:8080 179.62.238.49:80 54.38.143.245:8080 37.187.100.220:7080 5.79.70.250:8080 81.17.93.134:80 190.190.15.20:80 91.83.93.103:443 153.198.1.184:443 58.27.215.3:8080 185.208.226.142:8080 91.105.94.200:80 128.106.187.110:80 114.158.45.53:80 179.5.118.12:80 91.75.75.46:80 192.163.221.191:8080 190.212.133.239:443 66.61.94.36:80 37.46.129.215:8080 185.86.148.68:443 157.245.138.101:7080 8.4.9.137:8080 201.213.177.139:80 113.156.82.32:80 188.251.213.180:443 74.208.173.91:8080 181.137.229.1:80 113.161.148.81:80 157.7.164.178:8081 89.2.145.86:80 172.96.190.154:8080 139.59.12.63:8080 50.116.78.109:8080 95.216.205.155:8080 86.98.143.163:80 73.84.105.76:80 167.71.227.113:8080 190.164.75.175:80 103.80.51.61:8080 88.247.58.26:80 46.105.131.68:8080 88.249.181.198:443 190.53.144.120:80 203.153.216.178:7080 185.142.236.163:443 51.38.201.19:7080 192.241.220.183:8080 178.33.167.120:8080 60.125.114.64:443 190.96.15.50:80 177.144.130.105:443 175.29.183.2:80 197.232.36.108:80 115.78.11.155:80 24.26.151.3:80 115.79.195.246:80 46.32.229.152:8080 192.210.217.94:8080 195.201.56.70:8080 75.127.14.170:8080 36.91.44.183:80 190.136.179.102:80 190.212.140.6:80 118.101.24.148:80 105.209.235.113:8080 2.144.244.204:443 177.94.227.143:80
rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes:

E3.bin.exe

pid process

900 E3.bin.exe
900 E3.bin.exe
Suspicious use of SetWindowsHookEx ⋅ 1 IoCs

Processes:

E3.bin.exe

pid process

900 E3.bin.exe

C:\Users\Admin\AppData\Local\Temp\E3.bin.exe

"C:\Users\Admin\AppData\Local\Temp\E3.bin.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:900

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/900-0-0x00000000001C0000-0x00000000001D2000-memory.dmp

Download
memory/900-1-0x0000000000270000-0x0000000000280000-memory.dmp

Download
memory/1596-2-0x000007FEF6BB0000-0x000007FEF6E2A000-memory.dmp

Download