emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe

General

Target: emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe
Filesize: 504KB
Completed: 17-11-2020 20:28
Score: 10/10
MD5: 9e100eaaf1083a359e29eab50fbf3517
SHA1: 0c135f253d4ce53ec8cb3d87e974c00683f9bde9
SHA256: e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5

Malware Config

Extracted

Family: emotet
Botnet: Epoch3 (one of Emotet's separately operated C2 infrastructure groups, each with its own RSA key and server list)
C2 (ip:port, 50 endpoints; the port is part of the indicator):

24.26.151.3:80
162.144.42.60:8080
134.209.193.138:443
68.183.233.80:8080
105.209.235.113:8080
198.57.203.63:8080
175.29.183.2:80
178.87.171.199:80
177.32.8.85:80
71.57.180.213:80
190.190.15.20:80
31.146.61.34:80
157.7.164.178:8081
82.239.200.118:80
220.254.198.228:443
41.185.29.128:8080
113.161.148.81:80
51.38.201.19:7080
179.5.118.12:80
66.61.94.36:80
87.106.231.60:8080
188.0.135.237:80
189.39.32.161:80
173.94.215.84:80
81.17.93.134:80
185.86.148.68:443
190.96.15.50:80
177.144.130.105:443
168.0.97.6:80
60.125.114.64:443
50.116.78.109:8080
190.53.144.120:80
37.205.9.252:7080
115.79.195.246:80
201.235.10.215:80
75.127.14.170:8080
181.126.54.234:80
172.96.190.154:8080
192.241.220.183:8080
190.164.75.175:80
81.214.253.80:443
139.99.157.213:8080
91.75.75.46:80
46.32.229.152:8080
37.187.100.220:7080
107.161.30.122:8080
157.245.138.101:7080
5.79.70.250:8080
185.142.236.163:443
118.101.24.148:80

rsa_pubkey.plain
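The practical use of an extracted C2 list is to hunt for it in network telemetry and to push it to the IDS. The following is an added example, not part of the sandbox report or of any tool it was produced with: it parses the ip:port entries above into indicators, matches them against a constructed Zeek-style conn.log excerpt, and emits one Suricata rule per endpoint. The eight embedded entries are copied verbatim from the list above (the other 42 drop in unchanged); the log lines, the rule message text and the SID range are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Eight of the 50 C2 endpoints extracted from this sample's configuration
# (copied verbatim from the report; the remaining entries drop in unchanged).
# The port is part of the indicator: Epoch3 nodes listen on 7080/8080/8081
# as well as 80 and 443.
C2_CONFIG = """
24.26.151.3:80
162.144.42.60:8080
134.209.193.138:443
157.7.164.178:8081
51.38.201.19:7080
37.205.9.252:7080
185.142.236.163:443
118.101.24.148:80
"""

# Constructed Zeek-style conn.log excerpt (tab-separated, NOT from the report).
# Field order: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1605645360.123\tCabc1\t10.0.0.12\t49731\t24.26.151.3\t80\ttcp
1605645361.456\tCabc2\t10.0.0.12\t49732\t93.184.216.34\t443\ttcp
1605645362.789\tCabc3\t10.0.0.33\t49733\t157.7.164.178\t8081\ttcp
1605645363.001\tCabc4\t10.0.0.33\t49734\t157.7.164.178\t80\ttcp
1605645364.002\tCabc5\t10.0.0.50\t49735\t51.38.201.19\t7080\ttcp
"""


def parse_c2_list(text: str) -> Set[Tuple[str, int]]:
    """Parse 'ip:port' lines from an extracted config into (ip, port) tuples.

    Each address is validated with ipaddress so a garbled line raises instead
    of silently becoming an indicator that can never match.
    """
    endpoints: Set[Tuple[str, int]] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        endpoints.add((str(ipaddress.ip_address(host)), int(port)))
    return endpoints


def find_c2_connections(log_lines: Iterable[str],
                        c2: Set[Tuple[str, int]]) -> List[Dict[str, str]]:
    """Return every conn.log record whose responder matches a C2 endpoint.

    Matching is on (ip, port): 157.7.164.178:80 is not a hit even though the
    host is listed on 8081, which keeps false positives down on shared or
    compromised hosts that also serve legitimate traffic.
    """
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        if line.startswith("#"):          # Zeek header/comment lines
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue
        key = (fields[4], int(fields[5]))
        if key in c2:
            hits.append({"ts": fields[0], "uid": fields[1],
                         "src": fields[2], "dst": f"{key[0]}:{key[1]}"})
    return hits


def suricata_rules(c2: Set[Tuple[str, int]], base_sid: int = 9000000) -> List[str]:
    """Emit one Suricata rule per endpoint.

    base_sid is a placeholder (assumption); use a SID range reserved for
    local rules in your deployment.
    """
    rules: List[str] = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet Epoch3 C2 {ip}:{port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2_list(C2_CONFIG)
    for hit in find_c2_connections(SAMPLE_CONN_LOG.splitlines(), c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

Two design points worth keeping when adapting this: match on the full ip:port pair, since the same address appears across Emotet epochs and ports, and treat the list as dated to the analysis day (17-11-2020); Emotet rotates C2 nodes, so an old list produces stale rules rather than coverage.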
Signatures 3

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails. The configuration extracted above (C2 list and RSA public key) is what this loader uses to reach its Epoch3 infrastructure.

  • Suspicious behavior: EnumeratesProcesses
    emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe

    Generic behavioural heuristic: the process walked the list of running processes. Not malicious on its own, but a common precursor to process injection and to sandbox or AV checks.

    Reported IOCs

    pid   process
    988   emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe   (20 identical entries, collapsed)

  • Suspicious use of SetWindowsHookEx
    emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe

    Generic behavioural heuristic: the process called SetWindowsHookEx, which installs a hook procedure into the Windows message-hook chain. Legitimate GUI code uses it too, but it is a well-known keylogging and DLL-injection primitive.

    Reported IOCs

    pid   process
    988   emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe   (2 identical entries, collapsed)
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_e25fa46e210c423e955fa8d34c9420c1055e90ea5b5b1d7eae11c2d94a4b8ef5_2020-11-17__182819.exe"
    PID: 988
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. No techniques are mapped in this extract.
Downloads
  • memory/988-0-0x0000000002220000-0x000000000222C000-memory.dmp (memory dump of PID 988, 0xC000 bytes starting at 0x02220000)