emotet | 21e72a1e20f68bdb5baf534962705486f02db066de104de41592a3def2798ef2

General

Target

21e72a1e20f68bdb5baf534962705486f02db066de104de41592a3def2798ef2.dll
Size

252KB
MD5

7a04e1422fbfcc3ddf5c42709464439c
SHA1

c52582f57060289e9106cc4bcbeb9f11ee6f7ceb
SHA256

21e72a1e20f68bdb5baf534962705486f02db066de104de41592a3def2798ef2
SHA512

d14742756c4ab2d68a7e7cc6958bd63f54aa33fad8a562e19f0ce3f9736cbfca3b4d8b9d1eff6af4db4279b68fc5a8e5ab288fdb28070a39c80e2d710bd35f06

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

18 500 rundll32.exe
23 500 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Lzwoeczlismkfvbv\vyftegxi.lvb rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

500 rundll32.exe
500 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

3320 rundll32.exe

flow	pid	process
18	500	rundll32.exe
23	500	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Lzwoeczlismkfvbv\vyftegxi.lvb	rundll32.exe

pid	process
500	rundll32.exe
500	rundll32.exe

pid	process
3320	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2716 wrote to memory of 2764	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2764	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2764	2716	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 3320	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 3320	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 3320	2764	rundll32.exe	rundll32.exe
PID 3320 wrote to memory of 3696	3320	rundll32.exe	rundll32.exe
PID 3320 wrote to memory of 3696	3320	rundll32.exe	rundll32.exe
PID 3320 wrote to memory of 3696	3320	rundll32.exe	rundll32.exe
PID 3696 wrote to memory of 500	3696	rundll32.exe	rundll32.exe
PID 3696 wrote to memory of 500	3696	rundll32.exe	rundll32.exe
PID 3696 wrote to memory of 500	3696	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e72a1e20f68bdb5baf534962705486f02db066de104de41592a3def2798ef2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e72a1e20f68bdb5baf534962705486f02db066de104de41592a3def2798ef2.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\21e72a1e20f68bdb5baf534962705486f02db066de104de41592a3def2798ef2.dll",Control_RunDLL
3⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lzwoeczlismkfvbv\vyftegxi.lvb",hgvQBva
4⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lzwoeczlismkfvbv\vyftegxi.lvb",Control_RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-119-0x0000000000000000-mapping.dmp

Download
memory/2764-115-0x0000000000000000-mapping.dmp

Download
memory/2764-116-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/3320-117-0x0000000000000000-mapping.dmp

Download
memory/3696-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing