emotet | 85a94f69dd7c66f94070de801cc5571231084948ad691df09e20bd5ec62a7ea1

Analysis

max time kernel
124s
max time network
141s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a94f69dd7c66f94070de801cc5571231084948ad691df09e20bd5ec62a7ea1.dll
Size

252KB
MD5

a123d2853b5cc5a9a608e0de1cb7b5f2
SHA1

a2cbbea474cc52ce7d9074a03103b4e736f4d189
SHA256

85a94f69dd7c66f94070de801cc5571231084948ad691df09e20bd5ec62a7ea1
SHA512

768e40633872858bdee12fdd0aa5fc612ec3d7b29fb42bd1ef3390400549797d3724c746bc60add7982d25c54e209ec17392f8d9722c91d21fee290fdd543ac7

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

21 4048 rundll32.exe
26 4048 rundll32.exe
27 4048 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4048 rundll32.exe
4048 rundll32.exe

flow	pid	process
21	4048	rundll32.exe
26	4048	rundll32.exe
27	4048	rundll32.exe

pid	process
4048	rundll32.exe
4048	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3992 wrote to memory of 3952	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 3952	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 3952	3992	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 4048	3952	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 4048	3952	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 4048	3952	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\85a94f69dd7c66f94070de801cc5571231084948ad691df09e20bd5ec62a7ea1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\85a94f69dd7c66f94070de801cc5571231084948ad691df09e20bd5ec62a7ea1.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\85a94f69dd7c66f94070de801cc5571231084948ad691df09e20bd5ec62a7ea1.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3952-118-0x0000000000000000-mapping.dmp

Download
memory/3952-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/4048-119-0x0000000000000000-mapping.dmp

Download