emotet | dc48f86d492fe69ee6f33c39b01b9b91d05b69ae59d1eb8ff561c9fda4f37a45

Analysis

max time kernel
108s
max time network
148s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc48f86d492fe69ee6f33c39b01b9b91d05b69ae59d1eb8ff561c9fda4f37a45.dll
Size

252KB
MD5

86d53aa2c53372fd91929947c41aadf4
SHA1

e5c6401ef951382bd8837d57376b6b76776b0fe4
SHA256

dc48f86d492fe69ee6f33c39b01b9b91d05b69ae59d1eb8ff561c9fda4f37a45
SHA512

23e8dfabff049e693565c892ed0d6ad97a9f5b47b6ff6c47fe7e469b954e830824d78356f46540f21045845fba1ea83c9b4bb169e4551bc7e6f6f727431e9fd5

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

15 4088 rundll32.exe
20 4088 rundll32.exe
22 4088 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4088 rundll32.exe
4088 rundll32.exe

flow	pid	process
15	4088	rundll32.exe
20	4088	rundll32.exe
22	4088	rundll32.exe

pid	process
4088	rundll32.exe
4088	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2504 wrote to memory of 2644	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2644	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2644	2504	rundll32.exe	rundll32.exe
PID 2644 wrote to memory of 4088	2644	rundll32.exe	rundll32.exe
PID 2644 wrote to memory of 4088	2644	rundll32.exe	rundll32.exe
PID 2644 wrote to memory of 4088	2644	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc48f86d492fe69ee6f33c39b01b9b91d05b69ae59d1eb8ff561c9fda4f37a45.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc48f86d492fe69ee6f33c39b01b9b91d05b69ae59d1eb8ff561c9fda4f37a45.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\dc48f86d492fe69ee6f33c39b01b9b91d05b69ae59d1eb8ff561c9fda4f37a45.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-115-0x0000000000000000-mapping.dmp

Download
memory/2644-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/4088-116-0x0000000000000000-mapping.dmp

Download