emotet | 4e760d5dd0e4bea820703e9fed57e9f4dd5248959ce9c4bd91a5dd2d16170b82

General

Target

sucio_emotet.ps1
Size

2KB
MD5

d28c5040735a63198adc4b6e16ded5cd
SHA1

80eb0aaa6960b7e78df721b3b3329dbbaf60b6c8
SHA256

4e760d5dd0e4bea820703e9fed57e9f4dd5248959ce9c4bd91a5dd2d16170b82
SHA512

a3d62c329f4e7caca207b73ecf70c668bb54c8c2761d6bcde575bed7282dc5c3c15cb6c5742db2195d8216effddb705ef712488b43ef3689e731b172b05ac4aa

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

152.170.79.100:80

190.247.139.101:80

138.197.99.250:8080

167.71.148.58:443

211.215.18.93:8080

191.241.233.198:80

83.169.21.32:7080

113.163.216.135:80

70.32.84.74:8080

217.13.106.14:8080

177.23.7.151:80

172.104.169.32:8080

187.39.237.56:8080

80.15.100.37:80

177.144.130.105:443

168.121.4.238:80

1.234.65.61:80

191.182.6.118:80

170.81.48.2:80

45.184.103.73:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

8 3940 powershell.exe
17 1136 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3140 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Ahzlbqpsz\ltdgvvqv.cye rundll32.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exerundll32.exe

pid process

3940 powershell.exe
3940 powershell.exe
3940 powershell.exe
1136 rundll32.exe
1136 rundll32.exe
1136 rundll32.exe
1136 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3940 powershell.exe

flow	pid	process
8	3940	powershell.exe
17	1136	rundll32.exe

pid	process
3140	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ahzlbqpsz\ltdgvvqv.cye	rundll32.exe

pid	process
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3940	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3940 wrote to memory of 3380	3940	powershell.exe	rundll32.exe
PID 3940 wrote to memory of 3380	3940	powershell.exe	rundll32.exe
PID 3380 wrote to memory of 3140	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 3140	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 3140	3380	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 1136	3140	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 1136	3140	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 1136	3140	rundll32.exe	rundll32.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sucio_emotet.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll,Control_RunDLL
2⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll,Control_RunDLL
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ahzlbqpsz\ltdgvvqv.cye",Control_RunDLL
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll
MD5
01bf9ef0d2e74e0940683ba8e92d89f1

SHA1
227a9276875c1e744366511cd83e593b6b36d454

SHA256
57473964ae8ded06fcf30de51ac032091eb6a92ccfd6c6c2a495af557e6e4432

SHA512
44195ab49b340a5e0bb19f49112563b10718f6a1a03d67c8d80ea890ca7b04a8d2f34e158cacee2835cb937845c7573c59fd9f11364bc1190842b4600f1c4dda

Download Submit
\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll
MD5
01bf9ef0d2e74e0940683ba8e92d89f1

SHA1
227a9276875c1e744366511cd83e593b6b36d454

SHA256
57473964ae8ded06fcf30de51ac032091eb6a92ccfd6c6c2a495af557e6e4432

SHA512
44195ab49b340a5e0bb19f49112563b10718f6a1a03d67c8d80ea890ca7b04a8d2f34e158cacee2835cb937845c7573c59fd9f11364bc1190842b4600f1c4dda

Download Submit
memory/1136-10-0x0000000000000000-mapping.dmp

Download
memory/1136-11-0x0000000004D60000-0x0000000004D7F000-memory.dmp

Filesize
124KB

Download
memory/3140-7-0x0000000000000000-mapping.dmp

Download
memory/3140-9-0x0000000004A50000-0x0000000004A6F000-memory.dmp

Filesize
124KB

Download
memory/3380-5-0x0000000000000000-mapping.dmp

Download
memory/3940-2-0x00007FF8EA330000-0x00007FF8EAD1C000-memory.dmp

Filesize
9.9MB

Download
memory/3940-3-0x0000025DF6AF0000-0x0000025DF6AF1000-memory.dmp

Filesize
4KB

Download
memory/3940-4-0x0000025DF9040000-0x0000025DF9041000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing