emotet | 299c27cec1387cbec191fbc8d7764bc9cde20d3598c4a8079a09b594f15d5205

Analysis

max time kernel
62s
max time network
165s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299c27cec1387cbec191fbc8d7764bc9cde20d3598c4a8079a09b594f15d5205.dll
Size

252KB
MD5

bb47fc054d45d731d680d7f8f0a89aec
SHA1

95c869c057e188859de0a67ffe76b2b82c4d2fe2
SHA256

299c27cec1387cbec191fbc8d7764bc9cde20d3598c4a8079a09b594f15d5205
SHA512

0fe76fd51a3d61893b53614cf8fd90748a0b0f0898a786d95376c705c4d33c6a19cedc518b6a48bc572f09e14aed8cf5ebb979bc35ec0986676f64eb4501444c

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

8 3036 rundll32.exe
19 3036 rundll32.exe
21 3036 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3036 rundll32.exe
3036 rundll32.exe

flow	pid	process
8	3036	rundll32.exe
19	3036	rundll32.exe
21	3036	rundll32.exe

pid	process
3036	rundll32.exe
3036	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3388 wrote to memory of 3916	3388	rundll32.exe	rundll32.exe
PID 3388 wrote to memory of 3916	3388	rundll32.exe	rundll32.exe
PID 3388 wrote to memory of 3916	3388	rundll32.exe	rundll32.exe
PID 3916 wrote to memory of 3036	3916	rundll32.exe	rundll32.exe
PID 3916 wrote to memory of 3036	3916	rundll32.exe	rundll32.exe
PID 3916 wrote to memory of 3036	3916	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\299c27cec1387cbec191fbc8d7764bc9cde20d3598c4a8079a09b594f15d5205.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\299c27cec1387cbec191fbc8d7764bc9cde20d3598c4a8079a09b594f15d5205.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\299c27cec1387cbec191fbc8d7764bc9cde20d3598c4a8079a09b594f15d5205.dll",Control_RunDLL
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-117-0x0000000000000000-mapping.dmp

Download
memory/3916-115-0x0000000000000000-mapping.dmp

Download
memory/3916-116-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download