emotet | ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

Resubmissions

13-09-2021 08:57

210913-kwvs8agdgq 10

05-09-2021 05:09

210905-fs5f2aega2 10

Analysis

max time kernel
144s
max time network
183s
platform
windows7_x64
resource
win7v20210408
submitted
05-09-2021 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c429a72_zXsYESTega.exe
Size

427KB
MD5

3c429a72611aa11d54a78008d531e232
SHA1

66979ad58f8447912d1c6b1195e22fd5e5aa7dd5
SHA256

ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf
SHA512

9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 3 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1932-60-0x0000000000300000-0x0000000000312000-memory.dmp	emotet
behavioral1/memory/1932-63-0x0000000000230000-0x0000000000240000-memory.dmp	emotet
behavioral1/memory/1932-65-0x00000000002F0000-0x00000000002FF000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3c429a72_zXsYESTega.exe

pid process

1932 3c429a72_zXsYESTega.exe
1932 3c429a72_zXsYESTega.exe
1932 3c429a72_zXsYESTega.exe
1932 3c429a72_zXsYESTega.exe

pid	process
1932	3c429a72_zXsYESTega.exe
1932	3c429a72_zXsYESTega.exe
1932	3c429a72_zXsYESTega.exe
1932	3c429a72_zXsYESTega.exe

C:\Users\Admin\AppData\Local\Temp\3c429a72_zXsYESTega.exe
"C:\Users\Admin\AppData\Local\Temp\3c429a72_zXsYESTega.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-60-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1932-63-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1932-65-0x00000000002F0000-0x00000000002FF000-memory.dmp

Filesize
60KB

Download
memory/1932-66-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download