emotet | 7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952

General

Target

7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe
Size

368KB
MD5

5d5aabcfacffe957d4a27c89f5d9263b
SHA1

a5656b7815bd3e5bbecc2cb0e1f1a5eec34bca32
SHA256

7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952
SHA512

8d1d8a8b83ce5b3526aaf9bd457fd2fcbe0d9372c780b1c715fe5d8bf1db845eec770ad597b60bec42cd0363483e4589b21ea8c7c35024b619f909bfd0b13e8c

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

118.167.155.233:80

110.37.226.196:443

178.33.167.120:8080

124.150.175.133:443

87.252.100.28:80

75.127.14.170:8080

190.247.9.40:443

181.225.24.251:80

45.55.179.121:8080

154.120.227.190:443

91.83.93.103:443

188.251.213.180:443

211.20.154.102:443

186.80.169.128:80

192.210.217.94:8080

58.93.151.148:80

178.62.75.204:8080

70.45.30.28:80

14.161.30.33:443

45.118.136.92:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ipsmsnap.exe

pid process

1588 ipsmsnap.exe
1588 ipsmsnap.exe
1588 ipsmsnap.exe
1588 ipsmsnap.exe
1588 ipsmsnap.exe
1588 ipsmsnap.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe

pid process

1100 7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe

pid	process
1588	ipsmsnap.exe
1588	ipsmsnap.exe
1588	ipsmsnap.exe
1588	ipsmsnap.exe
1588	ipsmsnap.exe
1588	ipsmsnap.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exeipsmsnap.exe

pid	process
1100	7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe
1100	7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe
1588	ipsmsnap.exe
1588	ipsmsnap.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe

description	pid	process	target process
PID 1100 wrote to memory of 1588	1100	7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe	ipsmsnap.exe
PID 1100 wrote to memory of 1588	1100	7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe	ipsmsnap.exe
PID 1100 wrote to memory of 1588	1100	7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe	ipsmsnap.exe
PID 1100 wrote to memory of 1588	1100	7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe	ipsmsnap.exe

C:\Users\Admin\AppData\Local\Temp\7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe
"C:\Users\Admin\AppData\Local\Temp\7cbc4b2ce565cdc79e1affd8bb914d7d0446e7de6d5577efbc240c9b54708952.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\ipsmsnap\ipsmsnap.exe
"C:\Windows\SysWOW64\ipsmsnap\ipsmsnap.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-59-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1100-60-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1100-62-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1588-63-0x0000000000000000-mapping.dmp

Download
memory/1588-65-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing