emotet | 1e8137f27a22cebdd73f4a56a958e8e707ae21e26827484b8a1e41bc95d5aaf9

Analysis

max time kernel
120s
max time network
201s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e8137f27a22cebdd73f4a56a958e8e707ae21e26827484b8a1e41bc95d5aaf9.dll
Size

252KB
MD5

7093d897f830180a06a8b56e9f05cb5b
SHA1

ea3c80ea96eb8408d5b21ca6b34522a6a6fda74f
SHA256

1e8137f27a22cebdd73f4a56a958e8e707ae21e26827484b8a1e41bc95d5aaf9
SHA512

841ed212d5ae464a3fcc9ea07922f30048604cb92aed1fe1617ecb442e2750bbfb8786b378073d0d0131b768226b25400d62b76de73c600dfed004cbcd07a1b3

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

10 872 rundll32.exe
19 872 rundll32.exe
20 872 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

872 rundll32.exe
872 rundll32.exe

flow	pid	process
10	872	rundll32.exe
19	872	rundll32.exe
20	872	rundll32.exe

pid	process
872	rundll32.exe
872	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3140 wrote to memory of 3112	3140	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 3112	3140	rundll32.exe	rundll32.exe
PID 3140 wrote to memory of 3112	3140	rundll32.exe	rundll32.exe
PID 3112 wrote to memory of 872	3112	rundll32.exe	rundll32.exe
PID 3112 wrote to memory of 872	3112	rundll32.exe	rundll32.exe
PID 3112 wrote to memory of 872	3112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e8137f27a22cebdd73f4a56a958e8e707ae21e26827484b8a1e41bc95d5aaf9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e8137f27a22cebdd73f4a56a958e8e707ae21e26827484b8a1e41bc95d5aaf9.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\1e8137f27a22cebdd73f4a56a958e8e707ae21e26827484b8a1e41bc95d5aaf9.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-116-0x0000000000000000-mapping.dmp

Download
memory/3112-115-0x0000000000000000-mapping.dmp

Download
memory/3112-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download