3c429a72_zXsYESTega

General
Target

3c429a72_zXsYESTega.exe

Filesize

427KB

Completed

05-09-2021 05:12

Score
10/10
MD5

3c429a72611aa11d54a78008d531e232

SHA1

66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256

ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

Malware Config

Extracted

Family emotet
Botnet Epoch2
C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

187.161.206.24:80

172.91.208.86:80

124.41.215.226:80

107.5.122.110:80

200.123.150.89:443

95.179.229.244:8080

83.169.36.251:8080

1.221.254.82:80

95.213.236.64:8080

181.169.34.190:80

47.144.21.12:443

203.153.216.189:7080

89.216.122.92:80

84.39.182.7:80

94.200.114.161:80

104.236.246.93:8080

139.99.158.11:443

176.111.60.55:8080

78.24.219.147:8080

220.245.198.194:80

62.30.7.67:443

139.162.108.71:8080

104.32.141.43:80

153.232.188.106:80

93.147.212.206:80

79.137.83.50:443

96.249.236.156:443

24.43.99.75:80

75.80.124.4:80

42.200.107.142:80
rsa_pubkey.plain
Signatures 3

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Emotet Payload

    Description

    Detects Emotet payload in memory.

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1932-60-0x0000000000300000-0x0000000000312000-memory.dmpemotet
    behavioral1/memory/1932-63-0x0000000000230000-0x0000000000240000-memory.dmpemotet
    behavioral1/memory/1932-65-0x00000000002F0000-0x00000000002FF000-memory.dmpemotet
  • Suspicious behavior: EnumeratesProcesses
    3c429a72_zXsYESTega.exe

    Reported IOCs

    pidprocess
    19323c429a72_zXsYESTega.exe
    19323c429a72_zXsYESTega.exe
    19323c429a72_zXsYESTega.exe
    19323c429a72_zXsYESTega.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\3c429a72_zXsYESTega.exe
    "C:\Users\Admin\AppData\Local\Temp\3c429a72_zXsYESTega.exe"
    Suspicious behavior: EnumeratesProcesses
    PID:1932
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/1932-60-0x0000000000300000-0x0000000000312000-memory.dmp

                            Download

                          • memory/1932-63-0x0000000000230000-0x0000000000240000-memory.dmp

                            Download

                          • memory/1932-65-0x00000000002F0000-0x00000000002FF000-memory.dmp

                            Download

                          • memory/1932-66-0x0000000075D51000-0x0000000075D53000-memory.dmp

                            Download