emotet | bf21a50e28b3948fbc1fa7730f62828bcf229943eaf1616bc78e6b14db01c482

Analysis

max time kernel
78s
max time network
141s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf21a50e28b3948fbc1fa7730f62828bcf229943eaf1616bc78e6b14db01c482.dll
Size

252KB
MD5

2e295554cdb79cc04271aaef33f34f33
SHA1

e44c5bc1f61e4617c1d25e45d7ac13106f5c8815
SHA256

bf21a50e28b3948fbc1fa7730f62828bcf229943eaf1616bc78e6b14db01c482
SHA512

69126bd7d79ce14479a7d165436caa0f1b3cef0b12c8b6e66ff7d80cf29ffe0833c8e6cc39e89cf9190caa81ed1c94e7ee2159123018e2f6af0d05b21887bb3d

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

20 2860 rundll32.exe
25 2860 rundll32.exe
27 2860 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2860 rundll32.exe
2860 rundll32.exe

flow	pid	process
20	2860	rundll32.exe
25	2860	rundll32.exe
27	2860	rundll32.exe

pid	process
2860	rundll32.exe
2860	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3688 wrote to memory of 1864	3688	rundll32.exe	rundll32.exe
PID 3688 wrote to memory of 1864	3688	rundll32.exe	rundll32.exe
PID 3688 wrote to memory of 1864	3688	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 2860	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 2860	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 2860	1864	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf21a50e28b3948fbc1fa7730f62828bcf229943eaf1616bc78e6b14db01c482.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf21a50e28b3948fbc1fa7730f62828bcf229943eaf1616bc78e6b14db01c482.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\bf21a50e28b3948fbc1fa7730f62828bcf229943eaf1616bc78e6b14db01c482.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-118-0x0000000000000000-mapping.dmp

Download
memory/1864-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2860-119-0x0000000000000000-mapping.dmp

Download