emotet | 5e39ca2a30ab5c9ad281c98e3958169f7bc63e42d8862b8a88782a99b5b9cdf1

Analysis

max time kernel
122s
max time network
215s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e39ca2a30ab5c9ad281c98e3958169f7bc63e42d8862b8a88782a99b5b9cdf1.dll
Size

252KB
MD5

7c01f9b386fcc7d06bd39821c34943fc
SHA1

79b0ff1cb80087a719f8a701d872388e0d1949f6
SHA256

5e39ca2a30ab5c9ad281c98e3958169f7bc63e42d8862b8a88782a99b5b9cdf1
SHA512

8da16166a75bc65bd48ed3cfa57891bd31bbedd61db410c4d194e88d521d8d965942897dcde1291acfb4e94ebd316c56eb1ee883ff7c6d1a2ae021e4e4b87ced

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

7 4148 rundll32.exe
17 4148 rundll32.exe
19 4148 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4148 rundll32.exe
4148 rundll32.exe

flow	pid	process
7	4148	rundll32.exe
17	4148	rundll32.exe
19	4148	rundll32.exe

pid	process
4148	rundll32.exe
4148	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4164 wrote to memory of 4180	4164	rundll32.exe	rundll32.exe
PID 4164 wrote to memory of 4180	4164	rundll32.exe	rundll32.exe
PID 4164 wrote to memory of 4180	4164	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4148	4180	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4148	4180	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4148	4180	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e39ca2a30ab5c9ad281c98e3958169f7bc63e42d8862b8a88782a99b5b9cdf1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e39ca2a30ab5c9ad281c98e3958169f7bc63e42d8862b8a88782a99b5b9cdf1.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\5e39ca2a30ab5c9ad281c98e3958169f7bc63e42d8862b8a88782a99b5b9cdf1.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4148-116-0x0000000000000000-mapping.dmp

Download
memory/4180-115-0x0000000000000000-mapping.dmp

Download
memory/4180-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download