43E6.tmp

General
Target

43E6.tmp.exe

Filesize

372KB

Completed

18-02-2021 16:21

Score
10/10
MD5

0573884ab205d9b7bf0d51ee8a3b93af

SHA1

39df9c19bd28b3228f31219805fe44e8adb7ec87

SHA256

b264bcc61b75044b36066cadc82baf5642955b71913d284d7d7a2c7a3a7de203

Malware Config

Extracted

Family emotet
Botnet Epoch2
C2

174.102.48.180:80

88.217.172.164:443

51.75.33.120:8080

62.138.26.28:8080

169.239.182.217:8080

114.146.222.200:80

116.203.32.252:8080

103.86.49.11:8080

74.120.55.163:80

41.60.200.34:80

209.182.216.177:443

157.245.99.39:8080

87.106.139.101:8080

152.168.248.128:443

104.236.246.93:8080

47.144.21.12:443

139.130.242.43:80

181.230.116.163:80

72.12.127.184:443

61.19.246.238:443

222.214.218.37:4143

119.198.40.179:80

47.153.182.47:80

95.179.229.244:8080

5.39.91.110:7080

181.211.11.242:80

76.27.179.47:80

167.86.90.214:8080

70.167.215.250:8080

95.213.236.64:8080

203.153.216.189:7080

81.2.235.111:8080

165.165.171.160:8080

176.111.60.55:8080

142.105.151.124:443

110.145.77.103:80

200.55.243.138:8080

183.101.175.193:80

190.160.53.126:80

104.131.44.150:8080

37.187.72.193:8080

47.146.117.214:80

2.58.16.85:7080

209.143.35.232:80

24.137.76.62:80

153.126.210.205:7080

78.24.219.147:8080

96.8.113.4:8080

91.211.88.52:7080

104.131.11.150:443

rsa_pubkey.plain
Signatures 4

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet Payload

    Description

    Detects Emotet payload in memory.

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1044-3-0x0000000000280000-0x000000000028C000-memory.dmpemotet
    behavioral1/memory/1044-4-0x0000000000270000-0x0000000000279000-memory.dmpemotet
  • Suspicious behavior: EnumeratesProcesses
    43E6.tmp.exe

    Reported IOCs

    pidprocess
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
    104443E6.tmp.exe
  • Suspicious use of SetWindowsHookEx
    43E6.tmp.exe

    Reported IOCs

    pidprocess
    104443E6.tmp.exe
    104443E6.tmp.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\43E6.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\43E6.tmp.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of SetWindowsHookEx
    PID:1044
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • memory/1044-2-0x00000000760A1000-0x00000000760A3000-memory.dmp

                          • memory/1044-3-0x0000000000280000-0x000000000028C000-memory.dmp

                          • memory/1044-4-0x0000000000270000-0x0000000000279000-memory.dmp

                          • memory/1220-5-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp