Resubmissions

13-09-2021 08:52

210913-ks55sagdgk 10

13-09-2021 06:23

210913-g5gq6sdad2 10

Analysis

  • max time kernel
    146s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    13-09-2021 06:23

General

  • Target

    6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe

  • Size

    648KB

  • MD5

    16bcd0a10f1a57d1194165dc42fab16f

  • SHA1

    71d05db8382ea1954bcebea4229b6bfddb78c5cb

  • SHA256

    6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c

  • SHA512

    9c85849680ab5ffd5acf21709f7723b4d13e35c3002a9952e16ab21458f32dd2bf3942d23d996c9020b574881d0a3eb6a4fb6ab4a9743b405433d31cbffa82c7

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
    "C:\Users\Admin\AppData\Local\Temp\6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1652

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1652-53-0x0000000075231000-0x0000000075233000-memory.dmp

    Filesize

    8KB

  • memory/1652-54-0x00000000003C0000-0x00000000003CE000-memory.dmp

    Filesize

    56KB

  • memory/1652-57-0x00000000003D0000-0x00000000003DC000-memory.dmp

    Filesize

    48KB

  • memory/1652-59-0x0000000000230000-0x000000000023B000-memory.dmp

    Filesize

    44KB