emotet | 604fe2531212c6d8271b1d9cc90ac5fbc152db73bcf8b17a3c3db9aec040da7c

Analysis

max time kernel
122s
max time network
138s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604fe2531212c6d8271b1d9cc90ac5fbc152db73bcf8b17a3c3db9aec040da7c.dll
Size

252KB
MD5

47007ff9a8679eb46000f78d9b609633
SHA1

1b8dbd0172c0174d41c0d70ec8f1e224996125f0
SHA256

604fe2531212c6d8271b1d9cc90ac5fbc152db73bcf8b17a3c3db9aec040da7c
SHA512

b6409d4a755f7a1d47e2392afd08bbe2e79eac6e0dccca49556b1f3437b7714553924e85d073b29dba1c0081fa7cf118bf56d0f671294683fae001c5ccece567

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

22 3644 rundll32.exe
28 3644 rundll32.exe
29 3644 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3644 rundll32.exe
3644 rundll32.exe

flow	pid	process
22	3644	rundll32.exe
28	3644	rundll32.exe
29	3644	rundll32.exe

pid	process
3644	rundll32.exe
3644	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3844 wrote to memory of 3716	3844	rundll32.exe	rundll32.exe
PID 3844 wrote to memory of 3716	3844	rundll32.exe	rundll32.exe
PID 3844 wrote to memory of 3716	3844	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 3644	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 3644	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 3644	3716	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\604fe2531212c6d8271b1d9cc90ac5fbc152db73bcf8b17a3c3db9aec040da7c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\604fe2531212c6d8271b1d9cc90ac5fbc152db73bcf8b17a3c3db9aec040da7c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\604fe2531212c6d8271b1d9cc90ac5fbc152db73bcf8b17a3c3db9aec040da7c.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3644-119-0x0000000000000000-mapping.dmp

Download
memory/3716-118-0x0000000000000000-mapping.dmp

Download
memory/3716-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download