emotet | 6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c

General

Target

6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
Size

648KB
MD5

16bcd0a10f1a57d1194165dc42fab16f
SHA1

71d05db8382ea1954bcebea4229b6bfddb78c5cb
SHA256

6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c
SHA512

9c85849680ab5ffd5acf21709f7723b4d13e35c3002a9952e16ab21458f32dd2bf3942d23d996c9020b574881d0a3eb6a4fb6ab4a9743b405433d31cbffa82c7

Score

10^/10

emotet epoch2 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

162.154.38.103:80

95.216.118.202:8080

60.250.78.22:443

120.151.135.224:80

101.187.97.173:80

185.94.252.104:443

168.235.67.138:7080

103.86.49.11:8080

92.222.216.44:8080

190.160.53.126:80

31.31.77.83:443

195.244.215.206:80

5.196.74.210:8080

79.45.112.220:80

41.60.200.34:80

95.213.236.64:8080

5.39.91.110:7080

58.171.38.26:80

209.151.248.242:8080

178.20.74.212:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M8
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M8
suricata

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe

pid	process
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
4000	6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe

pid process

4000 6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe

C:\Users\Admin\AppData\Local\Temp\6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe
"C:\Users\Admin\AppData\Local\Temp\6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4000-115-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/4000-118-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/4000-120-0x00000000005C0000-0x00000000005CB000-memory.dmp

Filesize
44KB

Download

Resubmissions

Analysis

Sharing