Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 18:28

General

  • Target

    emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe

  • Size

    504KB

  • MD5

    9e100eaaf1083a359e29eab50fbf3517

  • SHA1

    0c135f253d4ce53ec8cb3d87e974c00683f9bde9

  • SHA256

    e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5

  • SHA512

    a3d3b8fec1f48161125a2788659280dafd13cff218faf3cf2713efb3bcb555c69e7ffc7746309cb169350126e9b161ed18148dacd902fcaf5e392dd7532d71b1

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

24.26.151.3:80

162.144.42.60:8080

134.209.193.138:443

68.183.233.80:8080

105.209.235.113:8080

198.57.203.63:8080

175.29.183.2:80

178.87.171.199:80

177.32.8.85:80

71.57.180.213:80

190.190.15.20:80

31.146.61.34:80

157.7.164.178:8081

82.239.200.118:80

220.254.198.228:443

41.185.29.128:8080

113.161.148.81:80

51.38.201.19:7080

179.5.118.12:80

66.61.94.36:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe
    "C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1424-1-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp
    Filesize

    2.5MB

  • memory/1804-0-0x0000000000380000-0x000000000038C000-memory.dmp
    Filesize

    48KB