emotet | 967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638

General

Target

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
Size

584KB
MD5

430b59363f1aaebb0682c525d60e7bf6
SHA1

75afa9329b922fc49430c34ef37514f2f9e5802b
SHA256

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638
SHA512

20587cfa212f8d9554fc97ba336c27438e75d0525baa1ffacfc594bbfa570fe02077d4ab8097496933cc93ca2653404301220ec642d0505360ff8f8ec32ec1ac

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

94.49.254.194:80

212.51.142.238:8080

91.231.166.124:8080

162.241.92.219:8080

79.98.24.39:8080

109.117.53.230:443

78.189.165.52:8080

113.160.130.116:8443

121.124.124.40:7080

101.187.97.173:80

168.235.67.138:7080

104.131.44.150:8080

5.39.91.110:7080

139.59.60.244:8080

81.2.235.111:8080

116.203.32.252:8080

61.19.246.238:443

176.111.60.55:8080

190.55.181.54:443

108.48.41.69:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 3 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/3488-115-0x0000000002210000-0x000000000221C000-memory.dmp	emotet
behavioral2/memory/3488-118-0x0000000002200000-0x0000000002209000-memory.dmp	emotet
behavioral2/memory/1580-121-0x0000000002050000-0x000000000205C000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

security.exe

pid process

1580 security.exe

Drops file in System32 directory 1 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\qwave\security.exe	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

security.exe

pid	process
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe
1580	security.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

pid process

3488 967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exesecurity.exe

pid	process
3488	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
3488	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
1580	security.exe
1580	security.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

description	pid	process	target process
PID 3488 wrote to memory of 1580	3488	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	security.exe
PID 3488 wrote to memory of 1580	3488	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	security.exe
PID 3488 wrote to memory of 1580	3488	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	security.exe

C:\Users\Admin\AppData\Local\Temp\967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
"C:\Users\Admin\AppData\Local\Temp\967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\qwave\security.exe
"C:\Windows\SysWOW64\qwave\security.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qwave\security.exe

MD5
430b59363f1aaebb0682c525d60e7bf6

SHA1
75afa9329b922fc49430c34ef37514f2f9e5802b

SHA256
967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638

SHA512
20587cfa212f8d9554fc97ba336c27438e75d0525baa1ffacfc594bbfa570fe02077d4ab8097496933cc93ca2653404301220ec642d0505360ff8f8ec32ec1ac

Download Submit
memory/1580-119-0x0000000000000000-mapping.dmp

Download
memory/1580-121-0x0000000002050000-0x000000000205C000-memory.dmp

Filesize
48KB

Download
memory/3488-115-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/3488-118-0x0000000002200000-0x0000000002209000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads