emotet | 8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897

General

Target

8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
Size

352KB
MD5

6cb0a519e981f65f5fa3eb7894a9d975
SHA1

564285b2d70cc9c592c84ae0774f25825cff7cc4
SHA256

8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897
SHA512

e66cc0f6e3d6ed2fd6ee9692d6c78a4e32a94322aee775cfd8c0ef8a22f25eec5f0c8625a2c45da50a631535e5f460e88b5749b4cb81840359cbd68b247a3085

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 3 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/2752-115-0x00000000027A0000-0x00000000027DD000-memory.dmp	emotet
behavioral2/memory/2752-118-0x00000000027E1000-0x00000000027EC000-memory.dmp	emotet
behavioral2/memory/2752-121-0x0000000002760000-0x000000000279A000-memory.dmp	emotet

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe

pid	process
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2752	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe

C:\Users\Admin\AppData\Local\Temp\8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
"C:\Users\Admin\AppData\Local\Temp\8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:3936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:1460

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2752-115-0x00000000027A0000-0x00000000027DD000-memory.dmp

Filesize
244KB

Download
memory/2752-118-0x00000000027E1000-0x00000000027EC000-memory.dmp

Filesize
44KB

Download
memory/2752-119-0x00000000027EC000-0x00000000027ED000-memory.dmp

Filesize
4KB

Download
memory/2752-120-0x00000000027F0000-0x000000000281C000-memory.dmp

Filesize
176KB

Download
memory/2752-121-0x0000000002760000-0x000000000279A000-memory.dmp

Filesize
232KB

Download

Resubmissions

Analysis

Sharing