emotet | a4bd9036900b93b7760b04c885cae7b24e43c64139b2d47817aa3ceb3161b9de

Analysis

max time kernel
122s
max time network
145s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4bd9036900b93b7760b04c885cae7b24e43c64139b2d47817aa3ceb3161b9de.dll
Size

252KB
MD5

62801c951585008be080795105ff123d
SHA1

64b8acbe06da6aa06f634fe07f6baaaa73133285
SHA256

a4bd9036900b93b7760b04c885cae7b24e43c64139b2d47817aa3ceb3161b9de
SHA512

2ae543f2c1f11902ddf0957789be75757e45263061e17577b8a5720df74accd1581f7ded48b2a0a42d9b0296e71a9b1da8e8f4d8d5407dd7f0d0dffa7a1fdec4

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

20 2752 rundll32.exe
25 2752 rundll32.exe
27 2752 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2752 rundll32.exe
2752 rundll32.exe

flow	pid	process
20	2752	rundll32.exe
25	2752	rundll32.exe
27	2752	rundll32.exe

pid	process
2752	rundll32.exe
2752	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4276 wrote to memory of 4284	4276	rundll32.exe	rundll32.exe
PID 4276 wrote to memory of 4284	4276	rundll32.exe	rundll32.exe
PID 4276 wrote to memory of 4284	4276	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 2752	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 2752	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 2752	4284	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4bd9036900b93b7760b04c885cae7b24e43c64139b2d47817aa3ceb3161b9de.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4bd9036900b93b7760b04c885cae7b24e43c64139b2d47817aa3ceb3161b9de.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\a4bd9036900b93b7760b04c885cae7b24e43c64139b2d47817aa3ceb3161b9de.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2752-119-0x0000000000000000-mapping.dmp

Download
memory/4284-118-0x0000000000000000-mapping.dmp

Download
memory/4284-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download