emotet | 7c5996dd7b34e23b86b013809fde1b8bb4d8f0f3961b5e817c1e58ce565d1b44

General

Target

7c5996dd7b34e23b86b013809fde1b8bb4d8f0f3961b5e817c1e58ce565d1b44.dll
Size

252KB
MD5

24b52b16465bbafc9188d77c8a6eb5a4
SHA1

1331ddf78267d54d86c6eafbb31b9a35d16e55ad
SHA256

7c5996dd7b34e23b86b013809fde1b8bb4d8f0f3961b5e817c1e58ce565d1b44
SHA512

9096755cc35b47580d35daa8e040a85951694e578c155ec0ee36a7b5a58856e3989b7b1a357ada81e1b2cb80efc50a885cacaccf403072fe04a679a86914a915

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

12 668 rundll32.exe
23 668 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Dstkbvhwm\imqacsinwtby.riq rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

668 rundll32.exe
668 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

936 rundll32.exe

flow	pid	process
12	668	rundll32.exe
23	668	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Dstkbvhwm\imqacsinwtby.riq	rundll32.exe

pid	process
668	rundll32.exe
668	rundll32.exe

pid	process
936	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 412 wrote to memory of 3380	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 3380	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 3380	412	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 936	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 936	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 936	3380	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 1360	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 1360	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 1360	936	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 668	1360	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 668	1360	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 668	1360	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5996dd7b34e23b86b013809fde1b8bb4d8f0f3961b5e817c1e58ce565d1b44.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5996dd7b34e23b86b013809fde1b8bb4d8f0f3961b5e817c1e58ce565d1b44.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\7c5996dd7b34e23b86b013809fde1b8bb4d8f0f3961b5e817c1e58ce565d1b44.dll",Control_RunDLL
3⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dstkbvhwm\imqacsinwtby.riq",qkjFbkTzlV
4⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dstkbvhwm\imqacsinwtby.riq",Control_RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-119-0x0000000000000000-mapping.dmp

Download
memory/936-116-0x0000000000000000-mapping.dmp

Download
memory/1360-118-0x0000000000000000-mapping.dmp

Download
memory/3380-115-0x0000000000000000-mapping.dmp

Download
memory/3380-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing