emotet | b6dea66efa7692e91417d20e3f6afa4520511d4b42565da9d345297c38d5191b

Analysis

max time kernel
116s
max time network
129s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e090ecdc6c7b118ff7d4b28676ceb0ec.exe
Size

568KB
MD5

96dd0f6910c80646cd390fc7804c1be8
SHA1

6c9a6bf9be087ac60fe35a0c3e7a12dac2c7dbad
SHA256

b6dea66efa7692e91417d20e3f6afa4520511d4b42565da9d345297c38d5191b
SHA512

3f3235821744c6af3a4fd2bd2477ae5a38a20f30ba4cacb26ae5a9ce84bdc127364bbe7d10b71bf83dbc050c8b895d944e06ced412a6f4805151433a6e106667

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

88.153.35.32:80

107.170.146.252:8080

173.212.214.235:7080

167.114.153.111:8080

202.141.243.254:443

75.143.247.51:80

85.105.111.166:80

216.139.123.119:80

113.61.66.94:80

162.241.140.129:8080

190.12.119.180:443

2.58.16.89:8080

91.211.88.52:7080

93.147.212.206:80

71.15.245.148:8080

157.245.99.39:8080

27.114.9.93:80

50.91.114.38:80

174.106.122.139:80

47.36.140.164:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 1 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1580-3-0x00000000003D0000-0x00000000003E0000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e090ecdc6c7b118ff7d4b28676ceb0ec.exe

pid	process
1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe
1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe
1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe
1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe
1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e090ecdc6c7b118ff7d4b28676ceb0ec.exe

pid process

1580 e090ecdc6c7b118ff7d4b28676ceb0ec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e090ecdc6c7b118ff7d4b28676ceb0ec.exe

description	pid	process	target process
PID 1580 wrote to memory of 1492	1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe	splwow64.exe
PID 1580 wrote to memory of 1492	1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe	splwow64.exe
PID 1580 wrote to memory of 1492	1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe	splwow64.exe
PID 1580 wrote to memory of 1492	1580	e090ecdc6c7b118ff7d4b28676ceb0ec.exe	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\e090ecdc6c7b118ff7d4b28676ceb0ec.exe
"C:\Users\Admin\AppData\Local\Temp\e090ecdc6c7b118ff7d4b28676ceb0ec.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-2-0x0000000000000000-mapping.dmp

Download
memory/1580-3-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1628-4-0x000007FEF6780000-0x000007FEF69FA000-memory.dmp

Filesize
2.5MB

Download