emotet | 26a617b36fce136b57408352b178fb6d0d6dfde977935a4f81673466a8c8d2b6

General

Target

family.exe
Size

332KB
MD5

f9249b74e2440ac8f6ef8d1c89e318e9
SHA1

876f3e39a3c80ed0920fe078a080315fa69a9d9b
SHA256

26a617b36fce136b57408352b178fb6d0d6dfde977935a4f81673466a8c8d2b6
SHA512

e6ed62c9980d88f966e6604f6b1e555653e20422013c351b1282ac25a212051657787391d3b69bc82e9400e9e57015a9af39e9a8ac767b05d3c3c7d359d82527

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

222.239.249.166:443

217.26.163.82:7080

91.205.173.54:8080

163.172.97.112:8080

103.205.177.229:80

176.58.93.123:80

212.112.113.235:80

201.196.15.79:990

193.34.144.138:8080

172.104.70.207:8080

104.238.80.237:8080

181.44.166.242:80

119.159.150.176:443

5.189.148.98:8080

139.162.185.116:443

190.189.79.73:80

78.46.87.133:8080

192.241.220.183:8080

23.253.207.142:8080

216.70.88.55:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

dispiddeploy.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	dispiddeploy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	dispiddeploy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	dispiddeploy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	dispiddeploy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	dispiddeploy.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

dispiddeploy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dispiddeploy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dispiddeploy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dispiddeploy.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

family.exedispiddeploy.exe

pid process

1840 family.exe
2836 dispiddeploy.exe

pid	process
1840	family.exe
2836	dispiddeploy.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

dispiddeploy.exe

pid	process
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe
2836	dispiddeploy.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

family.exe

pid process

1840 family.exe

pid	process
1840	family.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

family.exedispiddeploy.exe

description	pid	process	target process
PID 984 wrote to memory of 1840	984	family.exe	family.exe
PID 984 wrote to memory of 1840	984	family.exe	family.exe
PID 984 wrote to memory of 1840	984	family.exe	family.exe
PID 196 wrote to memory of 2836	196	dispiddeploy.exe	dispiddeploy.exe
PID 196 wrote to memory of 2836	196	dispiddeploy.exe	dispiddeploy.exe
PID 196 wrote to memory of 2836	196	dispiddeploy.exe	dispiddeploy.exe

C:\Users\Admin\AppData\Local\Temp\family.exe
"C:\Users\Admin\AppData\Local\Temp\family.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\family.exe
--5ed55408
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
PID:1840

C:\Windows\SysWOW64\dispiddeploy.exe
"C:\Windows\SysWOW64\dispiddeploy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\dispiddeploy.exe
--3fdc62d6
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
MD5
d854e5bf32f6eff669679c3a9acd847a

SHA1
0d43be3bd4161a1cbb329c910fdf62346fa45b20

SHA256
5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660

SHA512
2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259

Download Submit
memory/196-4-0x0000000000D10000-0x0000000000D24000-memory.dmp

Filesize
80KB

Download
memory/984-0-0x00000000021A0000-0x00000000021B4000-memory.dmp

Filesize
80KB

Download
memory/1840-1-0x0000000000000000-mapping.dmp

Download
memory/1840-2-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/1840-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2836-5-0x0000000000000000-mapping.dmp

Download
memory/2836-7-0x00000000006A0000-0x00000000006B4000-memory.dmp

Filesize
80KB

Download
memory/2836-8-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads