emotet | 553c805bb18b6f3cfff5896a5a19e737fe67da687ba7ae08b0ea924ea6ce0126

Analysis

max time kernel
165s
max time network
298s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

553c805bb18b6f3cfff5896a5a19e737fe67da687ba7ae08b0ea924ea6ce0126.dll
Size

252KB
MD5

9cd9b4a5a6afc6cda98127e2e48614c2
SHA1

00545df977071cd27582dc6f0fa2a5a07f9e4a4b
SHA256

553c805bb18b6f3cfff5896a5a19e737fe67da687ba7ae08b0ea924ea6ce0126
SHA512

8e6c55d1d3519953f900bff6b4c3371a0c53cb77a469c64e4b1e95cca3d943091bd0b7a855b7e17e73fc0007af01678997a1fc71dd9710dcf8971fa6ef225dde

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

10 3848 rundll32.exe
19 3848 rundll32.exe
20 3848 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3848 rundll32.exe
3848 rundll32.exe

flow	pid	process
10	3848	rundll32.exe
19	3848	rundll32.exe
20	3848	rundll32.exe

pid	process
3848	rundll32.exe
3848	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4340 wrote to memory of 4344	4340	rundll32.exe	rundll32.exe
PID 4340 wrote to memory of 4344	4340	rundll32.exe	rundll32.exe
PID 4340 wrote to memory of 4344	4340	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 3848	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 3848	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 3848	4344	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\553c805bb18b6f3cfff5896a5a19e737fe67da687ba7ae08b0ea924ea6ce0126.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\553c805bb18b6f3cfff5896a5a19e737fe67da687ba7ae08b0ea924ea6ce0126.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\553c805bb18b6f3cfff5896a5a19e737fe67da687ba7ae08b0ea924ea6ce0126.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3848-116-0x0000000000000000-mapping.dmp

Download
memory/4344-115-0x0000000000000000-mapping.dmp

Download
memory/4344-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download