emotet | 26a617b36fce136b57408352b178fb6d0d6dfde977935a4f81673466a8c8d2b6

General

Target

family.exe
Size

332KB
MD5

f9249b74e2440ac8f6ef8d1c89e318e9
SHA1

876f3e39a3c80ed0920fe078a080315fa69a9d9b
SHA256

26a617b36fce136b57408352b178fb6d0d6dfde977935a4f81673466a8c8d2b6
SHA512

e6ed62c9980d88f966e6604f6b1e555653e20422013c351b1282ac25a212051657787391d3b69bc82e9400e9e57015a9af39e9a8ac767b05d3c3c7d359d82527

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

222.239.249.166:443

217.26.163.82:7080

91.205.173.54:8080

163.172.97.112:8080

103.205.177.229:80

176.58.93.123:80

212.112.113.235:80

201.196.15.79:990

193.34.144.138:8080

172.104.70.207:8080

104.238.80.237:8080

181.44.166.242:80

119.159.150.176:443

5.189.148.98:8080

139.162.185.116:443

190.189.79.73:80

78.46.87.133:8080

192.241.220.183:8080

23.253.207.142:8080

216.70.88.55:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

moretitle.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	moretitle.exe

Modifies data under HKEY_USERS 25 IoCs

Processes:

moretitle.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	moretitle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	moretitle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 303c41a712c2d601	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 30b872cc12c2d601	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 303c41a712c2d601	moretitle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	moretitle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	moretitle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	moretitle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	moretitle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	moretitle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	moretitle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	moretitle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	moretitle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	moretitle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	moretitle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	moretitle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	moretitle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	moretitle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	moretitle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30b872cc12c2d601	moretitle.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

family.exemoretitle.exe

pid process

1776 family.exe
752 moretitle.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

moretitle.exe

pid process

752 moretitle.exe
752 moretitle.exe
752 moretitle.exe
752 moretitle.exe
752 moretitle.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

family.exe

pid process

1776 family.exe

pid	process
1776	family.exe
752	moretitle.exe

pid	process
752	moretitle.exe
752	moretitle.exe
752	moretitle.exe
752	moretitle.exe
752	moretitle.exe

pid	process
1776	family.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

family.exemoretitle.exe

description	pid	process	target process
PID 1848 wrote to memory of 1776	1848	family.exe	family.exe
PID 1848 wrote to memory of 1776	1848	family.exe	family.exe
PID 1848 wrote to memory of 1776	1848	family.exe	family.exe
PID 1848 wrote to memory of 1776	1848	family.exe	family.exe
PID 604 wrote to memory of 752	604	moretitle.exe	moretitle.exe
PID 604 wrote to memory of 752	604	moretitle.exe	moretitle.exe
PID 604 wrote to memory of 752	604	moretitle.exe	moretitle.exe
PID 604 wrote to memory of 752	604	moretitle.exe	moretitle.exe

C:\Users\Admin\AppData\Local\Temp\family.exe
"C:\Users\Admin\AppData\Local\Temp\family.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\family.exe
--5ed55408
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
PID:1776

C:\Windows\SysWOW64\moretitle.exe
"C:\Windows\SysWOW64\moretitle.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\moretitle.exe
--d4a55a79
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-4-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/752-5-0x0000000000000000-mapping.dmp

Download
memory/752-6-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/752-7-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1776-1-0x0000000000000000-mapping.dmp

Download
memory/1776-2-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1776-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1848-0-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads