ptrjctad.rmz

General

Target: ptrjctad.rmz.dll
Filesize: 342KB
Completed: 04-02-2021 15:06
Score: 10/10
MD5: ea8d08d8faecc54887e4dc2be3b3b341
SHA1: 2811f4b31e912a40b871b96f3f7c15d3d4c0ffb9
SHA256: 534a598ae3170e8f39e8cc1fb1976a8bbeb418128fb23fde6420fe624eee2ec6

Malware Config

Extracted

Family: emotet
Botnet: Epoch2
C2:
12.175.220.98:80
162.241.204.233:8080
50.116.111.59:8080
172.86.188.251:8080
139.99.158.11:443
66.57.108.14:443
75.177.207.146:80
194.190.67.75:80
50.245.107.73:443
173.70.61.180:80
85.105.205.77:8080
104.131.11.150:443
62.75.141.82:80
70.92.118.112:80
194.4.58.192:7080
120.150.60.189:80
24.231.88.85:80
78.24.219.147:8080
110.142.236.207:80
119.59.116.21:8080
144.217.7.207:7080
95.213.236.64:8080
46.105.131.79:8080
176.111.60.55:8080
174.118.202.24:443
94.23.237.171:443
138.68.87.218:443
110.145.101.66:443
134.209.144.106:443
74.208.45.104:8080
24.178.90.49:80
172.125.40.123:80
157.245.99.39:8080
118.83.154.64:443
202.134.4.211:8080
121.124.124.40:7080
172.104.97.173:8080
110.145.11.73:80
172.105.13.66:443
168.235.67.138:7080
78.188.225.105:80
59.21.235.119:80
185.94.252.104:443
24.179.13.119:80
49.205.182.134:80
51.89.36.180:443
115.21.224.117:80
202.134.4.216:8080
190.251.200.206:80
78.189.148.42:80
rsa_pubkey.plain
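The ip:port pairs above are the sample's embedded Epoch2 C2 list, which is the most directly actionable part of the report. The script below is an added example, not part of the sandbox report: it parses a subset of those entries into an IOC set, runs them over constructed firewall log lines, and emits one Suricata rule per pair. The log lines, the $HOME_NET variable and the sid range are assumptions made for illustration; a destination that matches on IP but not on the configured port is reported at lower confidence, since the same address can carry unrelated traffic.

```python
r"""Added example (not part of the sandbox report): turn the extracted Emotet
Epoch2 C2 list into an IOC set, match it against firewall log lines, and emit
Suricata rules. The log lines, the $HOME_NET convention and the sid range are
assumptions made for illustration."""
from __future__ import annotations

import ipaddress
import re

# Subset of the ip:port pairs listed under "Malware Config" in the report above.
C2_CONFIG = """
12.175.220.98:80
162.241.204.233:8080
50.116.111.59:8080
139.99.158.11:443
194.4.58.192:7080
"""

# Constructed firewall log lines (not from the report). Line 3 reuses a C2
# address on a port the config does not list; line 4 was blocked but still
# shows an internal host trying to reach a C2.
SAMPLE_LOG = """\
2021-02-04T15:06:12Z src=10.0.0.5 dst=162.241.204.233 dport=8080 proto=tcp action=allow
2021-02-04T15:06:13Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp action=allow
2021-02-04T15:06:15Z src=10.0.0.7 dst=139.99.158.11 dport=80 proto=tcp action=allow
2021-02-04T15:06:16Z src=10.0.0.5 dst=12.175.220.98 dport=80 proto=tcp action=deny
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_c2(block: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) tuples, rejecting malformed entries."""
    c2 = set()
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {line!r}")
        ip = ipaddress.ip_address(host)      # raises ValueError on a bad address
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"bad port in {line!r}")
        c2.add((str(ip), port_num))
    return c2


def match_log(log: str, c2: set[tuple[str, int]]) -> list[dict]:
    """Return one hit per log line whose destination is a known C2.

    ip+port is the high-confidence match; a destination IP that appears in the
    config on a different port is reported as ip-only, since the same address
    may carry unrelated traffic."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if (dst, dport) in c2:
            confidence = "ip+port"
        elif dst in c2_ips:
            confidence = "ip-only"
        else:
            continue
        hits.append({"line": lineno, "src": m.group("src"), "dst": dst,
                     "dport": dport, "confidence": confidence})
    return hits


def suricata_rules(c2: set[tuple[str, int]], sid_base: int = 9000000) -> list[str]:
    """One alert rule per (ip, port); sids are assigned from sid_base upward."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet Epoch2 C2 {ip}:{port}"; flow:to_server,established; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_CONFIG)
    for hit in match_log(SAMPLE_LOG, c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

Paste the full 50-entry list from the report into C2_CONFIG to cover the whole config; parse_c2 raises on anything that is not a valid address and port, so a copy-paste error surfaces before any rule is loaded. A config list like this is a point-in-time snapshot of the sample, so the resulting rules need a review date and should be retired as the infrastructure ages out.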
Signatures 4

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow  pid   process
    6     1912  rundll32.exe
    9     1912  rundll32.exe
    10    1912  rundll32.exe
    13    1912  rundll32.exe
    14    1912  rundll32.exe
    17    1912  rundll32.exe

  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid   process
    1912  rundll32.exe
    1912  rundll32.exe
    1912  rundll32.exe
    1912  rundll32.exe

  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description                      pid  process       target process
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
    PID 380 wrote to memory of 1912  380  rundll32.exe  rundll32.exe
Processes 2
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptrjctad.rmz.dll,#1
    Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptrjctad.rmz.dll,#1
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1912
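The process tree shows the pattern worth hunting for: 64-bit C:\Windows\system32\rundll32.exe (PID 380) is handed a DLL from the user's AppData\Local\Temp directory with an ordinal entry point (#1) and re-launches its SysWOW64 copy (PID 1912) with the same command line, and it is the child that makes the network requests. The relaunch by itself is normal rundll32 behaviour for any 32-bit DLL, so the script below, an added example that is not part of the sandbox report, scores each process-creation event on three independent reasons and only the combination points at this sample. The events are constructed in a Sysmon process-creation shape; the benign shell32 event and the parent pid 4000 are assumptions, the two rundll32 command lines are copied from the report.

```python
r"""Added example (not part of the sandbox report): flag the rundll32 chain in
the process tree above, where 64-bit C:\Windows\system32\rundll32.exe (PID 380)
launches C:\Windows\SysWOW64\rundll32.exe (PID 1912) to load a DLL from the
user's Temp directory by ordinal (#1). Events are constructed in a Sysmon
process-creation shape; the benign event and the parent pid 4000 are
assumptions."""
from __future__ import annotations

import re

# rundll32 command-line grammar: [path\]rundll32[.exe] <dll>,<entry> [args]
# where <entry> is an export name or an ordinal written as #N.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)(?:\s.*)?$',
    re.I,
)

EVENTS = [
    # The two processes from the report, with their exact command line.
    {"pid": 380, "ppid": 4000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptrjctad.rmz.dll,#1"},
    {"pid": 1912, "ppid": 380, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptrjctad.rmz.dll,#1"},
    # Constructed benign control: a system DLL invoked by export name.
    {"pid": 2200, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline: str) -> dict | None:
    """Split a rundll32 command line into the DLL path and entry point."""
    m = RUNDLL_RE.match(cmdline)
    return {"dll": m.group("dll"), "entry": m.group("entry")} if m else None


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def image_is_rundll32(image: str, subdir: str) -> bool:
    return norm(image).endswith(f"\\windows\\{subdir}\\rundll32.exe")


def relaunched_same_dll(child: dict, parent: dict | None) -> bool:
    """64-bit rundll32 handing a 32-bit DLL to its SysWOW64 copy.

    On its own this is normal rundll32 behaviour for any 32-bit DLL; it only
    matters together with the other reasons."""
    if parent is None:
        return False
    if not (image_is_rundll32(parent["image"], "system32")
            and image_is_rundll32(child["image"], "syswow64")):
        return False
    p, c = parse_rundll32(parent["cmdline"]), parse_rundll32(child["cmdline"])
    return bool(p and c and norm(p["dll"]) == norm(c["dll"]))


def evaluate(events: list[dict]) -> dict[int, list[str]]:
    """Return, per pid, the list of reasons the event looks like this sample."""
    by_pid = {e["pid"]: e for e in events}
    findings: dict[int, list[str]] = {}
    for ev in events:
        reasons: list[str] = []
        parsed = parse_rundll32(ev["cmdline"])
        if parsed:
            if "\\appdata\\local\\temp\\" in norm(parsed["dll"]):
                reasons.append("dll-in-user-temp")
            if parsed["entry"].startswith("#"):
                reasons.append("ordinal-export")
            if relaunched_same_dll(ev, by_pid.get(ev["ppid"])):
                reasons.append("wow64-relaunch-same-dll")
        findings[ev["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS).items():
        print(pid, reasons or "clean")
```

The DLL-in-Temp and ordinal-export reasons fire on both PIDs, which is what you want when only one side of the pair is logged; the relaunch reason needs the parent event and is what ties the two together. Alert on two or more reasons rather than any single one, otherwise every 32-bit DLL loaded through rundll32 on a 64-bit host will trip the relaunch check.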
Downloads

  • memory/1296-6-0x000007FEF7D40000-0x000007FEF7FBA000-memory.dmp
  • memory/1912-2-0x0000000000000000-mapping.dmp
  • memory/1912-3-0x0000000075D01000-0x0000000075D03000-memory.dmp
  • memory/1912-4-0x00000000001F0000-0x0000000000210000-memory.dmp
  • memory/1912-5-0x0000000010000000-0x0000000010023000-memory.dmp