Soti11ocy.exe

max time kernel144s
max time network146s
platformwindows10_x64
resourcewin10v20201028
submitted29-03-2021 07:51

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Soti11ocy.exe

Filesize

400KB

Completed

29-03-2021 07:54

Score

10^/10

MD5

4e27ee113c23797b54f1b6c63b765d4a

SHA1

612af6784376e793e6e4b5020ff9564a4458e23f

SHA256

c1a2022a08cfa600b70e3db5a7a235826fa676c9d5c8919533a897e362a09ffa

Extracted

Family	emotet
Botnet	Epoch2
C2	102.182.145.130:80 173.173.254.105:80 64.207.182.168:8080 51.89.199.141:8080 167.114.153.111:8080 173.63.222.65:80 218.147.193.146:80 59.125.219.109:443 172.104.97.173:8080 190.162.215.233:80 68.115.186.26:80 78.188.106.53:443 190.240.194.77:443 24.133.106.23:80 80.227.52.78:80 79.137.83.50:443 120.150.218.241:443 62.171.142.179:8080 194.4.58.192:7080 62.30.7.67:443 134.209.144.106:443 24.230.141.169:80 194.190.67.75:80 172.91.208.86:80 201.241.127.190:80 185.94.252.104:443 104.131.11.150:443 71.15.245.148:8080 176.111.60.55:8080 172.86.188.251:8080 194.187.133.160:443 113.61.66.94:80 91.211.88.52:7080 202.134.4.216:8080 154.91.33.137:443 74.40.205.197:443 87.106.139.101:8080 66.76.12.94:8080 139.59.60.244:8080 112.185.64.233:80 85.105.111.166:80 74.208.45.104:8080 94.230.70.6:80 49.3.224.99:8080 119.59.116.21:8080 182.208.30.18:443 184.180.181.202:80 47.36.140.164:80 186.70.56.94:443 187.161.206.24:80 102.182.93.220:80 201.171.244.130:80 190.12.119.180:443 89.121.205.18:80 110.145.77.103:80 172.105.13.66:443 190.29.166.0:80 108.46.29.236:80 49.50.209.131:80 75.143.247.51:80 137.59.187.107:8080 188.219.31.12:80 61.33.119.226:443 209.141.54.221:7080 95.213.236.64:8080 120.150.60.189:80 190.164.104.62:80 186.74.215.34:80 139.99.158.11:443 76.27.179.47:80 142.112.10.95:20 61.19.246.238:443 121.7.31.214:80 88.153.35.32:80 5.39.91.110:7080 123.142.37.166:80 50.245.107.73:443 95.9.5.93:80 37.139.21.175:8080 157.245.99.39:8080 217.123.207.149:80 72.186.136.247:443 115.94.207.99:443 202.141.243.254:443 78.24.219.147:8080 97.82.79.83:80 217.20.166.178:7080 203.153.216.189:7080 220.245.198.194:80 168.235.67.138:7080 110.142.236.207:80 162.241.140.129:8080 76.175.162.101:80 27.114.9.93:80 24.178.90.49:80 202.134.4.211:8080 123.176.25.234:80 61.76.222.210:80 109.116.245.80:80 139.162.60.124:8080 190.108.228.27:443 94.23.237.171:443 2.58.16.89:8080 37.179.204.33:80 96.245.227.43:80 216.139.123.119:80 89.216.122.92:80 37.187.72.193:8080 74.214.230.200:80 93.147.212.206:80 103.86.49.11:8080 174.106.122.139:80 138.68.87.218:443 118.83.154.64:443 200.116.145.225:443 94.200.114.161:80 62.75.141.82:80 121.124.124.40:7080 176.113.52.6:443 24.137.76.62:80 41.185.28.84:8080 50.91.114.38:80 46.105.131.79:8080 109.74.5.95:8080 67.170.250.203:443 100.37.240.62:80 102.182.145.130:80 173.173.254.105:80 64.207.182.168:8080 51.89.199.141:8080 167.114.153.111:8080 173.63.222.65:80 218.147.193.146:80 59.125.219.109:443 172.104.97.173:8080 190.162.215.233:80 68.115.186.26:80 78.188.106.53:443 190.240.194.77:443 24.133.106.23:80 80.227.52.78:80 79.137.83.50:443 120.150.218.241:443 62.171.142.179:8080 194.4.58.192:7080 62.30.7.67:443 134.209.144.106:443 24.230.141.169:80 194.190.67.75:80 172.91.208.86:80 201.241.127.190:80 185.94.252.104:443 104.131.11.150:443 71.15.245.148:8080 176.111.60.55:8080 172.86.188.251:8080 194.187.133.160:443 113.61.66.94:80 91.211.88.52:7080 202.134.4.216:8080 154.91.33.137:443 74.40.205.197:443 87.106.139.101:8080 66.76.12.94:8080 139.59.60.244:8080 112.185.64.233:80 85.105.111.166:80 74.208.45.104:8080 94.230.70.6:80 49.3.224.99:8080 119.59.116.21:8080 182.208.30.18:443 184.180.181.202:80 47.36.140.164:80 186.70.56.94:443 187.161.206.24:80 102.182.93.220:80 201.171.244.130:80 190.12.119.180:443 89.121.205.18:80 110.145.77.103:80 172.105.13.66:443 190.29.166.0:80 108.46.29.236:80 49.50.209.131:80 75.143.247.51:80 137.59.187.107:8080 188.219.31.12:80 61.33.119.226:443 209.141.54.221:7080 95.213.236.64:8080 120.150.60.189:80 190.164.104.62:80 186.74.215.34:80 139.99.158.11:443 76.27.179.47:80 142.112.10.95:20 61.19.246.238:443 121.7.31.214:80 88.153.35.32:80 5.39.91.110:7080 123.142.37.166:80 50.245.107.73:443 95.9.5.93:80 37.139.21.175:8080 157.245.99.39:8080 217.123.207.149:80 72.186.136.247:443 115.94.207.99:443 202.141.243.254:443 78.24.219.147:8080 97.82.79.83:80 217.20.166.178:7080 203.153.216.189:7080 220.245.198.194:80 168.235.67.138:7080 110.142.236.207:80 162.241.140.129:8080 76.175.162.101:80 27.114.9.93:80 24.178.90.49:80 202.134.4.211:8080 123.176.25.234:80 61.76.222.210:80 109.116.245.80:80 139.162.60.124:8080 190.108.228.27:443 94.23.237.171:443 2.58.16.89:8080 37.179.204.33:80 96.245.227.43:80 216.139.123.119:80 89.216.122.92:80 37.187.72.193:8080 74.214.230.200:80 93.147.212.206:80 103.86.49.11:8080 174.106.122.139:80 138.68.87.218:443 118.83.154.64:443 200.116.145.225:443 94.200.114.161:80 62.75.141.82:80 121.124.124.40:7080 176.113.52.6:443 24.137.76.62:80 41.185.28.84:8080 50.91.114.38:80 46.105.131.79:8080 109.74.5.95:8080 67.170.250.203:443 100.37.240.62:80
rsa_pubkey.plain

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet
Emotet Payload

Description

Detects Emotet payload in memory.

Reported IOCs

resource yara_rule

behavioral2/memory/1052-5-0x0000000002270000-0x0000000002280000-memory.dmp emotet

resource	yara_rule
behavioral2/memory/1052-5-0x0000000002270000-0x0000000002280000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses

Soti11ocy.exe

Reported IOCs

pid	process
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe
1052	Soti11ocy.exe

Suspicious use of SetWindowsHookEx
Soti11ocy.exe

Reported IOCs

pid process

1052 Soti11ocy.exe
1052 Soti11ocy.exe

C:\Users\Admin\AppData\Local\Temp\Soti11ocy.exe

"C:\Users\Admin\AppData\Local\Temp\Soti11ocy.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:1052

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1052-5-0x0000000002270000-0x0000000002280000-memory.dmp

Download

Soti11ocy.exe

Extracted

Filter: none

Description

Tags

Description

Reported IOCs

Reported IOCs

Reported IOCs

Title