emotet | 98a24889c609f2323a2fca774bc97cdd1ed64929607a6e5bf4c3d5433cda0728

Analysis

max time kernel
121s
max time network
144s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98a24889c609f2323a2fca774bc97cdd1ed64929607a6e5bf4c3d5433cda0728.dll
Size

252KB
MD5

54a25ea3ce8ce106b28b96632533a27d
SHA1

50fc937cb74a6162c4d8a30ffe04d9d93faac581
SHA256

98a24889c609f2323a2fca774bc97cdd1ed64929607a6e5bf4c3d5433cda0728
SHA512

eb6732b59e4bc561f396b58dde4a3217cb90a6e8777304f6a834b7846c41839d342b1c291fb32a845e31490f7a45880318ae6901c1199155793505d4935217a6

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

8 3984 rundll32.exe
17 3984 rundll32.exe
21 3984 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3984 rundll32.exe
3984 rundll32.exe

flow	pid	process
8	3984	rundll32.exe
17	3984	rundll32.exe
21	3984	rundll32.exe

pid	process
3984	rundll32.exe
3984	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2680 wrote to memory of 2700	2680	rundll32.exe	rundll32.exe
PID 2680 wrote to memory of 2700	2680	rundll32.exe	rundll32.exe
PID 2680 wrote to memory of 2700	2680	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 3984	2700	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 3984	2700	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 3984	2700	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98a24889c609f2323a2fca774bc97cdd1ed64929607a6e5bf4c3d5433cda0728.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98a24889c609f2323a2fca774bc97cdd1ed64929607a6e5bf4c3d5433cda0728.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\98a24889c609f2323a2fca774bc97cdd1ed64929607a6e5bf4c3d5433cda0728.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-115-0x0000000000000000-mapping.dmp

Download
memory/2700-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/3984-116-0x0000000000000000-mapping.dmp

Download