emotet | 4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43

Analysis

max time kernel
110s
max time network
167s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll
Size

252KB
MD5

d8508848ae1b76693a0e74944c6b0104
SHA1

37be1eac49e9fd747bb0405d2d1b1f8481923b80
SHA256

4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43
SHA512

8b75be9397ceb212abb027c80773e511a2c8955b7fbbe73c5b7df2468162247ae92fc52dffc8eeaf20910660bc88657b3b1351cb7dd62c478cb17b80a60ca880

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

17 1320 rundll32.exe
21 1320 rundll32.exe
28 1320 rundll32.exe
29 1320 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1320 rundll32.exe
1320 rundll32.exe

flow	pid	process
17	1320	rundll32.exe
21	1320	rundll32.exe
28	1320	rundll32.exe
29	1320	rundll32.exe

pid	process
1320	rundll32.exe
1320	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 656 wrote to memory of 2300	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 2300	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 2300	656	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 1320	2300	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 1320	2300	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 1320	2300	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-117-0x0000000000000000-mapping.dmp

Download
memory/2300-115-0x0000000000000000-mapping.dmp

Download
memory/2300-116-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download