emotet | 41773363c126fcef3ff2b60ea328de912421e03b3071ddabaf08be94d3c4e5b1

Analysis

max time kernel
122s
max time network
173s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41773363c126fcef3ff2b60ea328de912421e03b3071ddabaf08be94d3c4e5b1.dll
Size

252KB
MD5

b04911ac1d7a3c1daa6f9b7ac2fa7a68
SHA1

5a3fe7cf41eee849be92b6f71af7d5783bec2d75
SHA256

41773363c126fcef3ff2b60ea328de912421e03b3071ddabaf08be94d3c4e5b1
SHA512

867af14d834ca3295dc86923dacc50dc433e244d40bfa2b269478ff92ec97912b878183892d4e205d4965a68a7447933410abbd54c811484c88bde8304635b20

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

7 4084 rundll32.exe
20 4084 rundll32.exe
22 4084 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4084 rundll32.exe
4084 rundll32.exe

flow	pid	process
7	4084	rundll32.exe
20	4084	rundll32.exe
22	4084	rundll32.exe

pid	process
4084	rundll32.exe
4084	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2452 wrote to memory of 2620	2452	rundll32.exe	rundll32.exe
PID 2452 wrote to memory of 2620	2452	rundll32.exe	rundll32.exe
PID 2452 wrote to memory of 2620	2452	rundll32.exe	rundll32.exe
PID 2620 wrote to memory of 4084	2620	rundll32.exe	rundll32.exe
PID 2620 wrote to memory of 4084	2620	rundll32.exe	rundll32.exe
PID 2620 wrote to memory of 4084	2620	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41773363c126fcef3ff2b60ea328de912421e03b3071ddabaf08be94d3c4e5b1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41773363c126fcef3ff2b60ea328de912421e03b3071ddabaf08be94d3c4e5b1.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\41773363c126fcef3ff2b60ea328de912421e03b3071ddabaf08be94d3c4e5b1.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2620-115-0x0000000000000000-mapping.dmp

Download
memory/2620-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/4084-116-0x0000000000000000-mapping.dmp

Download