emotet | bda2e4103023333799ded1b5d00c7a2f0bb81c7f1aa5b5afbfa9a7944269f9d3

Analysis

max time kernel
119s
max time network
137s
platform
windows7_x64
resource
win7-en-20211014
submitted
16-11-2021 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dfaf39642098ae3f698be2cead39866.dll
Size

252KB
MD5

1dfaf39642098ae3f698be2cead39866
SHA1

6cdbce2a942ab56630eef948b46b4414fa9355df
SHA256

bda2e4103023333799ded1b5d00c7a2f0bb81c7f1aa5b5afbfa9a7944269f9d3
SHA512

9ca60b62ee25c129dd1ebf3ddd616d995abc1e581361526c7e025bd8e8ca85f8d72e2bf57d309094a61406fd3fd05132e1cd6e0be4e8f8e2a752afd3dc080a9d

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

4 1180 rundll32.exe
5 1180 rundll32.exe
6 1180 rundll32.exe
7 1180 rundll32.exe
9 1180 rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1180 rundll32.exe

flow	pid	process
4	1180	rundll32.exe
5	1180	rundll32.exe
6	1180	rundll32.exe
7	1180	rundll32.exe
9	1180	rundll32.exe

pid	process
1180	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 676	524	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1180	676	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfaf39642098ae3f698be2cead39866.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfaf39642098ae3f698be2cead39866.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\1dfaf39642098ae3f698be2cead39866.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-55-0x0000000000000000-mapping.dmp

Download
memory/676-56-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/676-59-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/1180-57-0x0000000000000000-mapping.dmp

Download