emotet | d6f01232a80a0be3d54f58cc856a5582378b2678066000172381602c174299ad

Analysis

max time kernel
19s
max time network
21s
platform
windows10_x64
resource
win10v20201028
submitted
20-01-2021 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6f01232a80a0be3d54f58cc856a5582378b2678066000172381602c174299ad.dll
Size

348KB
MD5

2a7b4fe52153defcfc316f3e903c4d24
SHA1

35917e76c8a56730c75a96a1b9b5a0c973abf45c
SHA256

d6f01232a80a0be3d54f58cc856a5582378b2678066000172381602c174299ad
SHA512

29c6d824faa32953bb23a85c47da54488711b306751e75fe63d529d52efabbe4a9e2b78a28fff46105f1464792f328ddd02efd66fbcead807b1ed19c4178548a

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

152.231.89.226:80

2.58.16.88:8080

206.189.232.2:8080

154.127.113.242:80

190.114.254.163:8080

190.210.246.253:80

138.197.99.250:8080

172.104.169.32:8080

85.214.26.7:8080

152.170.79.100:80

190.45.24.210:80

143.0.85.206:7080

46.43.2.95:8080

110.39.162.2:443

1.226.84.243:8080

87.106.46.107:8080

111.67.12.221:8080

137.74.106.111:7080

81.17.93.134:80

62.84.75.50:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	3632	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3632	rundll32.exe
3632	rundll32.exe
3632	rundll32.exe
3632	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3632	1204	rundll32.exe	72
PID 1204 wrote to memory of 3632	1204	rundll32.exe	72
PID 1204 wrote to memory of 3632	1204	rundll32.exe	72

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6f01232a80a0be3d54f58cc856a5582378b2678066000172381602c174299ad.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6f01232a80a0be3d54f58cc856a5582378b2678066000172381602c174299ad.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:3632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3632-3-0x0000000002940000-0x0000000002961000-memory.dmp

Filesize
132KB

Download
memory/3632-4-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download