emotet | 534a598ae3170e8f39e8cc1fb1976a8bbeb418128fb23fde6420fe624eee2ec6

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ptrjctad.rmz.dll
Size

342KB
MD5

ea8d08d8faecc54887e4dc2be3b3b341
SHA1

2811f4b31e912a40b871b96f3f7c15d3d4c0ffb9
SHA256

534a598ae3170e8f39e8cc1fb1976a8bbeb418128fb23fde6420fe624eee2ec6
SHA512

089dfcc735aecdbf57251eb24dce7c7df8fa23f5c2bdd15da3b61d7f77bf4626ef93c5d24873b19b939278dac1b8e4f700d80e4876e3e0164b361fcd773bab5e

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

12.175.220.98:80

162.241.204.233:8080

50.116.111.59:8080

172.86.188.251:8080

139.99.158.11:443

66.57.108.14:443

75.177.207.146:80

194.190.67.75:80

50.245.107.73:443

173.70.61.180:80

85.105.205.77:8080

104.131.11.150:443

62.75.141.82:80

70.92.118.112:80

194.4.58.192:7080

120.150.60.189:80

24.231.88.85:80

78.24.219.147:8080

110.142.236.207:80

119.59.116.21:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

6 1912 rundll32.exe
9 1912 rundll32.exe
10 1912 rundll32.exe
13 1912 rundll32.exe
14 1912 rundll32.exe
17 1912 rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1912 rundll32.exe
1912 rundll32.exe
1912 rundll32.exe
1912 rundll32.exe

flow	pid	process
6	1912	rundll32.exe
9	1912	rundll32.exe
10	1912	rundll32.exe
13	1912	rundll32.exe
14	1912	rundll32.exe
17	1912	rundll32.exe

pid	process
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1912	380	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptrjctad.rmz.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptrjctad.rmz.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-6-0x000007FEF7D40000-0x000007FEF7FBA000-memory.dmp

Filesize
2.5MB

Download
memory/1912-2-0x0000000000000000-mapping.dmp

Download
memory/1912-3-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1912-4-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1912-5-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download