emotet | 2e92a8e508f0b6163e4bea06ef9b8e53f6598d731af8b5a8738578267814ff0b

Analysis

max time kernel
110s
max time network
143s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e92a8e508f0b6163e4bea06ef9b8e53f6598d731af8b5a8738578267814ff0b.dll
Size

252KB
MD5

cc9873dc0fdf66dc3782153e08c1e640
SHA1

a6ee004ea080a4dc6c56571a49acbcbfa04f06e0
SHA256

2e92a8e508f0b6163e4bea06ef9b8e53f6598d731af8b5a8738578267814ff0b
SHA512

0ee457a34b9132c2be01594d7d8ee3a376d9204ac873cfb06f03ef76c6ceba889ed74fbd1f7b4b8560ab2327c7ee860309827fb95936f657751cc267acb2f0c5

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

17 4056 rundll32.exe
24 4056 rundll32.exe
25 4056 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4056 rundll32.exe
4056 rundll32.exe

flow	pid	process
17	4056	rundll32.exe
24	4056	rundll32.exe
25	4056	rundll32.exe

pid	process
4056	rundll32.exe
4056	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3820 wrote to memory of 3788	3820	rundll32.exe	rundll32.exe
PID 3820 wrote to memory of 3788	3820	rundll32.exe	rundll32.exe
PID 3820 wrote to memory of 3788	3820	rundll32.exe	rundll32.exe
PID 3788 wrote to memory of 4056	3788	rundll32.exe	rundll32.exe
PID 3788 wrote to memory of 4056	3788	rundll32.exe	rundll32.exe
PID 3788 wrote to memory of 4056	3788	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e92a8e508f0b6163e4bea06ef9b8e53f6598d731af8b5a8738578267814ff0b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e92a8e508f0b6163e4bea06ef9b8e53f6598d731af8b5a8738578267814ff0b.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\2e92a8e508f0b6163e4bea06ef9b8e53f6598d731af8b5a8738578267814ff0b.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3788-118-0x0000000000000000-mapping.dmp

Download
memory/3788-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/4056-119-0x0000000000000000-mapping.dmp

Download