Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-11-2020 13:48

General

  • Target

    3c9a81ab2ae316d07173dda1e13cdbe6c4f0e3bade17c2771d57d7ef12a8bf93.bin.exe

  • Size

    176KB

  • MD5

    3185ede9818d5c63e2f005f5f55ee77c

  • SHA1

    0e44f1dd1b0c2c5170b2784ab621dff30cad896e

  • SHA256

    3c9a81ab2ae316d07173dda1e13cdbe6c4f0e3bade17c2771d57d7ef12a8bf93

  • SHA512

    745ae608bc0cbb584f36c830d98ad9bc4f4c286d89740723536674e9c79be0f2e4ffa3527a937aeffae7cc8fcac0653c9ebd993ea0ab42890db43485db748479

Malware Config

Extracted

  • Family
    emotet
  • Botnet
    Epoch3
  • C2
    118.7.227.42:443
    188.226.165.170:8080
    188.40.170.197:80
    51.38.50.144:8080
    153.229.219.1:443
    162.144.145.58:8080
    126.126.139.26:443
    85.246.78.192:80
    177.130.51.198:80
    42.200.96.63:80
    73.55.128.120:80
    113.203.238.130:80
    202.29.237.113:8080
    181.59.59.54:80
    58.27.215.3:8080
    60.108.128.186:80
    190.192.39.136:80
    185.63.32.149:80
    50.116.78.109:8080
    121.117.147.153:443
  • rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c9a81ab2ae316d07173dda1e13cdbe6c4f0e3bade17c2771d57d7ef12a8bf93.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\3c9a81ab2ae316d07173dda1e13cdbe6c4f0e3bade17c2771d57d7ef12a8bf93.bin.exe"
    • Suspicious behavior: EnumeratesProcesses
    PID:1080

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1080-0-0x00000000003D0000-0x00000000003E5000-memory.dmp
    Filesize: 84KB

  • memory/1080-1-0x0000000001B50000-0x0000000001B63000-memory.dmp
    Filesize: 76KB

  • memory/1704-2-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp
    Filesize: 2.5MB