Analysis
max time kernel: 128s
max time network: 136s
platform: windows10_x64
resource: win10v20210410
submitted: 07-05-2021 11:00
Static task: static1
Behavioral task: behavioral1
Sample: KmhH.exe
Resource: win7v20210408
General
Target: KmhH.exe
Size: 424KB
MD5: 555e45ba89efae4a83028a4f93bc4723
SHA1: 097319fb3efef3d141d900a187f5def90ea29b16
SHA256: cb79b3769e2186d1dbc29905cad5b083650a1a1b192e6172543f78a5295549d4
SHA512: 9ae027d2aa71150bb5763a72a48a9416bb778dfdfc0f1f24808b3c889f7def25e23cc44e39acb4dfb5a27064e22d0297d7e3110f30720cb866ae1519d3e40b04
Malware Config
Extracted
Family: emotet
Botnet: Epoch3
C2 (ip:port):
49.243.9.118:80
162.241.41.111:7080
190.85.46.52:7080
162.144.42.60:8080
157.245.138.101:7080
103.133.66.57:443
167.71.227.113:8080
80.200.62.81:20
78.186.65.230:80
185.142.236.163:443
78.114.175.216:80
202.166.170.43:80
37.205.9.252:7080
118.243.83.70:80
116.202.10.123:8080
223.135.30.189:80
120.51.34.254:80
139.59.61.215:443
8.4.9.137:8080
202.153.220.157:80
179.5.118.12:80
75.127.14.170:8080
45.177.120.37:8080
41.185.29.128:8080
79.133.6.236:8080
192.241.220.183:8080
203.153.216.178:7080
115.176.16.221:80
113.161.148.81:80
178.33.167.120:8080
183.77.227.38:80
46.105.131.68:8080
181.95.133.104:80
93.20.157.143:80
172.105.78.244:8080
139.59.12.63:8080
190.192.39.136:80
41.212.89.128:80
27.73.70.219:8080
109.206.139.119:80
192.163.221.191:8080
113.160.248.110:80
182.227.240.189:443
185.208.226.142:8080
126.126.139.26:443
185.80.172.199:80
103.229.73.17:8080
5.79.70.250:8080
95.216.205.155:8080
190.194.12.132:80
37.46.129.215:8080
51.38.201.19:7080
195.201.56.70:8080
175.103.38.146:80
73.55.128.120:80
74.208.173.91:8080
189.150.209.206:80
91.83.93.103:443
86.57.216.23:80
36.91.44.183:80
181.80.129.181:80
50.116.78.109:8080
14.241.182.160:80
60.125.114.64:443
113.156.82.32:80
190.191.171.72:80
67.121.104.51:20
111.89.241.139:80
220.106.127.191:443
46.32.229.152:8080
115.79.59.157:80
58.27.215.3:8080
192.210.217.94:8080
118.33.121.37:80
169.1.211.133:80
54.38.143.245:8080
198.57.203.63:8080
138.201.45.2:8080
172.96.190.154:8080
143.95.101.72:8080
45.239.204.100:80
103.93.220.182:80
185.86.148.68:443
119.92.77.17:80
186.20.52.237:80
115.79.195.246:80
223.17.215.76:80
77.74.78.80:443
113.203.238.130:80
220.147.247.145:80
153.229.219.1:443
187.189.66.200:8080
103.80.51.61:8080
27.7.14.122:80
200.116.93.61:80
182.253.83.234:7080
91.75.75.46:80
128.106.187.110:80
113.193.239.51:443
180.148.4.130:8080
157.7.164.178:8081
88.247.58.26:80
37.187.100.220:7080
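The C2 list above is the part of this report a defender actually consumes, so here is an added example (not part of the sandbox report) that validates the extracted ip:port entries, scans outbound-connection logs for contact with them, and emits Suricata-style alert rules. Only a subset of the report's C2 entries is embedded to keep the block short; the full list can be pasted in unchanged. The firewall log lines and their key=value format are constructed for this example, and the rule wording (HOME_NET, sid range) is a deployment assumption.

```python
"""Turn the extracted Emotet Epoch3 C2 list into something a defender can run.

Added example, not part of the sandbox report. The C2 entries are a subset of
the ones the report lists; the firewall log lines are constructed for this
example and the key=value log format is an assumption.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Subset of the C2 endpoints from the report's extracted config (ip:port).
# Paste the full list from the report here unchanged to use all of it.
EMOTET_EPOCH3_C2 = [
    "49.243.9.118:80", "162.241.41.111:7080", "103.133.66.57:443",
    "80.200.62.81:20", "157.7.164.178:8081", "46.105.131.68:8080",
    "8.4.9.137:8080", "37.187.100.220:7080",
]

# Constructed firewall log lines (not from the report). Lines 1 and 4 hit an
# exact C2 ip:port, line 3 hits a C2 IP on a different port, line 2 is benign.
LOG_LINES = [
    "2021-05-07T11:02:13Z fw action=allow src=10.0.0.25 dst=162.241.41.111 dport=7080 proto=tcp",
    "2021-05-07T11:02:14Z fw action=allow src=10.0.0.25 dst=93.184.216.34 dport=443 proto=tcp",
    "2021-05-07T11:02:15Z fw action=allow src=10.0.0.31 dst=103.133.66.57 dport=80 proto=tcp",
    "2021-05-07T11:02:16Z fw action=deny src=10.0.0.25 dst=8.4.9.137 dport=8080 proto=tcp",
]

Endpoint = Tuple[str, int]


def parse_c2(entries: Iterable[str]) -> Set[Endpoint]:
    """Validate ip:port strings from an extracted config; fail loudly on garbage.

    A config extractor that mis-parses can emit junk, and a junk entry in a
    blocklist silently blocks nothing, so every entry is checked.
    """
    out: Set[Endpoint] = set()
    for raw in entries:
        host, sep, port = raw.strip().rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry {raw!r}")
        ip = ipaddress.ip_address(host)          # raises ValueError on bad IPs
        if ip.version != 4:
            raise ValueError(f"expected IPv4 C2, got {raw!r}")
        p = int(port)
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port in C2 entry {raw!r}")
        out.add((str(ip), p))
    return out


LOG_RE = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)\b")


def match_log(lines: Iterable[str], c2: Set[Endpoint]) -> List[Dict[str, object]]:
    """Scan outbound-connection log lines for C2 contact.

    Exact ip:port hits are high confidence. A C2 IP on another port is still
    reported, at lower confidence, since the extracted list already shows the
    same botnet using many different ports (20, 80, 443, 7080, 8080, 8081).
    """
    c2_ips = {ip for ip, _ in c2}
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            confidence = "exact"
        elif dst in c2_ips:
            confidence = "ip-only"
        else:
            continue
        hits.append({"line": lineno, "dst": dst, "dport": dport, "confidence": confidence})
    return hits


def suricata_rules(c2: Set[Endpoint], base_sid: int = 9000000) -> List[str]:
    """Emit one Suricata/Snort-style alert rule per C2 endpoint, sorted by IP.

    HOME_NET and the sid range are deployment assumptions.
    """
    ordered = sorted(c2, key=lambda e: (ipaddress.IPv4Address(e[0]), e[1]))
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet Epoch3 C2 {ip}:{port}"; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(ordered)
    ]


if __name__ == "__main__":
    endpoints = parse_c2(EMOTET_EPOCH3_C2)
    for hit in match_log(LOG_LINES, endpoints):
        print(hit)
    print("\n".join(suricata_rules(endpoints)))
```

Run as-is it reports lines 1 and 4 as exact C2 contact and line 3 as an IP-only hit, then prints one rule per endpoint. The ip-only tier is deliberate: blocking or alerting on the host alone catches a later config revision that moves the same server to a new port, at the cost of some extra triage.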
Signatures
Emotet Payload (3 IoCs)
Detects Emotet payload in memory.
Processes:
resource                                                                      yara_rule
behavioral2/memory/3856-114-0x0000000002210000-0x0000000002222000-memory.dmp  emotet
behavioral2/memory/3856-117-0x00000000001F0000-0x0000000000200000-memory.dmp  emotet
behavioral2/memory/3856-119-0x00000000001E0000-0x00000000001EF000-memory.dmp  emotet
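The three YARA hits above are identified only by dump file name, so here is an added example (not part of the sandbox report) that decodes those names into process, address range and size, and sanity-checks the set. The names are copied from the report; reading the fields as task/pid/dump-index/base/end is an assumption about the sandbox's naming convention, which the report does not spell out.

```python
"""Decode the memory-dump names behind the report's "Emotet Payload" YARA hits.

Added example, not part of the sandbox report. The names are copied from the
report; the reading of the fields as task/pid/index/base/end is an assumption
about the naming convention, which the report itself does not spell out.
"""
import re
from typing import Dict, Iterable, NamedTuple

# The three "resource" values from the report's Emotet Payload signature.
YARA_HITS = [
    "behavioral2/memory/3856-114-0x0000000002210000-0x0000000002222000-memory.dmp",
    "behavioral2/memory/3856-117-0x00000000001F0000-0x0000000000200000-memory.dmp",
    "behavioral2/memory/3856-119-0x00000000001E0000-0x00000000001EF000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<index>\d+)"
    r"-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE = 0x1000  # x64 Windows page size; regions returned by VirtualAlloc are page-aligned


class Region(NamedTuple):
    task: str
    pid: int
    index: int   # assumed: the sandbox's dump counter, not a meaningful value
    base: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_dump_name(name: str) -> Region:
    """Pull task, pid and address range out of one dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name {name!r}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    if end <= base:
        raise ValueError(f"empty or inverted range in {name!r}")
    return Region(m["task"], int(m["pid"]), int(m["index"]), base, end)


def summarize(names: Iterable[str]) -> Dict[str, object]:
    """Which pids fired, how much memory was flagged, and are the regions
    page-aligned and disjoint (a quick check that the dumps are separate
    allocations rather than one region dumped several times)."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    overlapping = any(a.end > b.base for a, b in zip(regions, regions[1:]))
    return {
        "pids": sorted({r.pid for r in regions}),
        "region_count": len(regions),
        "total_bytes": sum(r.size for r in regions),
        "page_aligned": all(r.base % PAGE == 0 and r.end % PAGE == 0 for r in regions),
        "overlapping": overlapping,
        "regions": [(hex(r.base), hex(r.end), r.size) for r in regions],
    }


if __name__ == "__main__":
    for key, value in summarize(YARA_HITS).items():
        print(f"{key}: {value}")
```

For this report the summary shows all three hits in pid 3856 (the sample's own process), in three disjoint, page-aligned regions of 0xF000, 0x10000 and 0x12000 bytes, about 196 KB in total. Small separate allocations like these are the regions to carve from the dump for further analysis, since the YARA rule fired on them rather than on the 424KB file on disk.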
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
pid   process
3856  KmhH.exe  (all 18 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid   process
3856  KmhH.exe