emotet | 6c9a6e7ab47bbcf8ef67e6a03dd057c28443f5d91e346c56930cf5a96466b202

Analysis

max time kernel
110s
max time network
185s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c9a6e7ab47bbcf8ef67e6a03dd057c28443f5d91e346c56930cf5a96466b202.dll
Size

252KB
MD5

94623da2f055d1ccae02c39d849bedde
SHA1

6d8e2187c8b2924e5244421ee315eb9cd619dbec
SHA256

6c9a6e7ab47bbcf8ef67e6a03dd057c28443f5d91e346c56930cf5a96466b202
SHA512

208de1f512ccfcbbc6e91b282349cf2410db67b97fa43eb1f5d5b763f3cc40c6211ddfa9d1f542506d8b6d5ccd817c11516b3c720a049f0dc958bfe9b61b3a5e

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

12 3740 rundll32.exe
19 3740 rundll32.exe
20 3740 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3740 rundll32.exe
3740 rundll32.exe

flow	pid	process
12	3740	rundll32.exe
19	3740	rundll32.exe
20	3740	rundll32.exe

pid	process
3740	rundll32.exe
3740	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2756 wrote to memory of 2800	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 2800	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 2800	2756	rundll32.exe	rundll32.exe
PID 2800 wrote to memory of 3740	2800	rundll32.exe	rundll32.exe
PID 2800 wrote to memory of 3740	2800	rundll32.exe	rundll32.exe
PID 2800 wrote to memory of 3740	2800	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c9a6e7ab47bbcf8ef67e6a03dd057c28443f5d91e346c56930cf5a96466b202.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c9a6e7ab47bbcf8ef67e6a03dd057c28443f5d91e346c56930cf5a96466b202.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\6c9a6e7ab47bbcf8ef67e6a03dd057c28443f5d91e346c56930cf5a96466b202.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2800-115-0x0000000000000000-mapping.dmp

Download
memory/2800-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/3740-116-0x0000000000000000-mapping.dmp

Download