emotet | f4fa8f87f2d0a991f410a0e592ec5858b8def1a5e85641ee94e90bfc73e05cae

Analysis

max time kernel
266s
max time network
265s
platform
windows10_x64
resource
win10v20201028
submitted
23-01-2021 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4fa8f87f2d0a991f410a0e592ec5858b8def1a5e85641ee94e90bfc73e05cae.dll
Size

346KB
MD5

f6ff77940493fc76f4c93d1f56043264
SHA1

6eac421a04fecfe28d0b5a19f5ee9dbc707ba732
SHA256

f4fa8f87f2d0a991f410a0e592ec5858b8def1a5e85641ee94e90bfc73e05cae
SHA512

996d5d0db27901dfcee46f0186ad17ec2447add5dc2fbd955e7b5ddfdbd97d3ff687ddf8e8069a9d4fd22e10b5ce31271c28b1f20e7170c8036bef0336584f8c

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

84.232.229.24:80

51.255.203.164:8080

217.160.169.110:8080

51.15.7.145:80

177.85.167.10:80

186.177.174.163:80

190.114.254.163:8080

185.183.16.47:80

149.202.72.142:7080

181.30.61.163:443

31.27.59.105:80

50.28.51.143:8080

68.183.190.199:8080

85.214.26.7:8080

137.74.106.111:7080

200.75.39.254:80

85.105.239.184:443

190.45.24.210:80

170.81.48.2:80

109.101.137.162:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

20 3704 rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3704 rundll32.exe
3704 rundll32.exe
3704 rundll32.exe
3704 rundll32.exe

flow	pid	process
20	3704	rundll32.exe

pid	process
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3884 wrote to memory of 3704	3884	rundll32.exe	rundll32.exe
PID 3884 wrote to memory of 3704	3884	rundll32.exe	rundll32.exe
PID 3884 wrote to memory of 3704	3884	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4fa8f87f2d0a991f410a0e592ec5858b8def1a5e85641ee94e90bfc73e05cae.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4fa8f87f2d0a991f410a0e592ec5858b8def1a5e85641ee94e90bfc73e05cae.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3704-2-0x0000000000000000-mapping.dmp

Download
memory/3704-4-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3704-3-0x00000000005E0000-0x0000000000601000-memory.dmp

Filesize
132KB

Download