emotet | 378deb0bdc91b8ccc212186bef8fa8006771b3cb736c514a967381e4b6abd877

Analysis

max time kernel
121s
max time network
141s
platform
windows10_x64
resource
win10-en-20211104
submitted
16-11-2021 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378deb0bdc91b8ccc212186bef8fa8006771b3cb736c514a967381e4b6abd877.dll
Size

252KB
MD5

8a1e5ce5fc88a803d66de33af63d49be
SHA1

c66a5d3908f87b7d98c8be529ca751f80df65eea
SHA256

378deb0bdc91b8ccc212186bef8fa8006771b3cb736c514a967381e4b6abd877
SHA512

802c54c9074e1f8fa7aa76d72ea4ec27090a73043147c9d0c5a37b9e07783c295792253c8be0965c96291eb3d9577cd5bc77493e6cbb3b2a7ff173808654c9bb

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

18 3692 rundll32.exe
25 3692 rundll32.exe
26 3692 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3692 rundll32.exe
3692 rundll32.exe

flow	pid	process
18	3692	rundll32.exe
25	3692	rundll32.exe
26	3692	rundll32.exe

pid	process
3692	rundll32.exe
3692	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3712 wrote to memory of 4068	3712	rundll32.exe	rundll32.exe
PID 3712 wrote to memory of 4068	3712	rundll32.exe	rundll32.exe
PID 3712 wrote to memory of 4068	3712	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 3692	4068	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 3692	4068	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 3692	4068	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\378deb0bdc91b8ccc212186bef8fa8006771b3cb736c514a967381e4b6abd877.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\378deb0bdc91b8ccc212186bef8fa8006771b3cb736c514a967381e4b6abd877.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\378deb0bdc91b8ccc212186bef8fa8006771b3cb736c514a967381e4b6abd877.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3692-119-0x0000000000000000-mapping.dmp

Download
memory/4068-118-0x0000000000000000-mapping.dmp

Download
memory/4068-120-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download