emotet | 730b629f404173e76d98dc6c80ab031472ffb35be5c96fa57c2f714e18996388

Analysis

max time kernel
122s
max time network
139s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

730b629f404173e76d98dc6c80ab031472ffb35be5c96fa57c2f714e18996388.dll
Size

252KB
MD5

382d2d863bf2002763bfecab3f96a069
SHA1

d93170da7dd076d183c31240a318179235de0b30
SHA256

730b629f404173e76d98dc6c80ab031472ffb35be5c96fa57c2f714e18996388
SHA512

05d2075f9c75aaed24beb74d5c2291680564e31547734bda714c3724525a3f39a823599e28571614ef44dbcd6a84f0248293e5348df33760c3b97b46490a4386

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

15 4188 rundll32.exe
21 4188 rundll32.exe
22 4188 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4188 rundll32.exe
4188 rundll32.exe

flow	pid	process
15	4188	rundll32.exe
21	4188	rundll32.exe
22	4188	rundll32.exe

pid	process
4188	rundll32.exe
4188	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1980 wrote to memory of 4136	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 4136	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 4136	1980	rundll32.exe	rundll32.exe
PID 4136 wrote to memory of 4188	4136	rundll32.exe	rundll32.exe
PID 4136 wrote to memory of 4188	4136	rundll32.exe	rundll32.exe
PID 4136 wrote to memory of 4188	4136	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\730b629f404173e76d98dc6c80ab031472ffb35be5c96fa57c2f714e18996388.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\730b629f404173e76d98dc6c80ab031472ffb35be5c96fa57c2f714e18996388.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\730b629f404173e76d98dc6c80ab031472ffb35be5c96fa57c2f714e18996388.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4136-115-0x0000000000000000-mapping.dmp

Download
memory/4136-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/4188-116-0x0000000000000000-mapping.dmp

Download