emotet | 1fac819d27c8122dac5d2993604437cb773af37ec22aa54d39ed02aab29716ca

Analysis

max time kernel
121s
max time network
220s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fac819d27c8122dac5d2993604437cb773af37ec22aa54d39ed02aab29716ca.dll
Size

252KB
MD5

810e5a906831908c8ea3bdcef5ff81a5
SHA1

22c706a2cb57ddb8e14812248a299bf82e4f9b49
SHA256

1fac819d27c8122dac5d2993604437cb773af37ec22aa54d39ed02aab29716ca
SHA512

6801c7ade35bcbceaceb43288f16edfdcada46453c63e7287aa66fdf37687d1c5ae3214c7034b5ec66c7774e5f350728610fefc286c64e99ed38e339ca1be4d3

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

16 3012 rundll32.exe
23 3012 rundll32.exe
24 3012 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3012 rundll32.exe
3012 rundll32.exe

flow	pid	process
16	3012	rundll32.exe
23	3012	rundll32.exe
24	3012	rundll32.exe

pid	process
3012	rundll32.exe
3012	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3524 wrote to memory of 2236	3524	rundll32.exe	rundll32.exe
PID 3524 wrote to memory of 2236	3524	rundll32.exe	rundll32.exe
PID 3524 wrote to memory of 2236	3524	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 3012	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 3012	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 3012	2236	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fac819d27c8122dac5d2993604437cb773af37ec22aa54d39ed02aab29716ca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fac819d27c8122dac5d2993604437cb773af37ec22aa54d39ed02aab29716ca.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\1fac819d27c8122dac5d2993604437cb773af37ec22aa54d39ed02aab29716ca.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-118-0x0000000000000000-mapping.dmp

Download
memory/2236-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/3012-119-0x0000000000000000-mapping.dmp

Download