emotet | b2dbd1c8908ec68298ff2f5a01a604583ef3cb315f1f4b7470a795ce3c1b2ea6

Analysis

max time kernel
156s
max time network
284s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2dbd1c8908ec68298ff2f5a01a604583ef3cb315f1f4b7470a795ce3c1b2ea6.dll
Size

252KB
MD5

a31265b6b1ff3fa3729087c4f56642db
SHA1

ac5c7cba7d52bb9e3a6a7ebe0839645b16c0a0cc
SHA256

b2dbd1c8908ec68298ff2f5a01a604583ef3cb315f1f4b7470a795ce3c1b2ea6
SHA512

4642caf74a4169ce9d710bc3126ad37093000bfd9abe780999d936bf460f3b1d7bee4e578122b51b49c1abcd0f5e0086c18bc680f2a1ac888cbf8de2100628de

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

8 3500 rundll32.exe
15 3500 rundll32.exe
16 3500 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3500 rundll32.exe
3500 rundll32.exe

flow	pid	process
8	3500	rundll32.exe
15	3500	rundll32.exe
16	3500	rundll32.exe

pid	process
3500	rundll32.exe
3500	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3760 wrote to memory of 2220	3760	rundll32.exe	rundll32.exe
PID 3760 wrote to memory of 2220	3760	rundll32.exe	rundll32.exe
PID 3760 wrote to memory of 2220	3760	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 3500	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 3500	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 3500	2220	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2dbd1c8908ec68298ff2f5a01a604583ef3cb315f1f4b7470a795ce3c1b2ea6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2dbd1c8908ec68298ff2f5a01a604583ef3cb315f1f4b7470a795ce3c1b2ea6.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b2dbd1c8908ec68298ff2f5a01a604583ef3cb315f1f4b7470a795ce3c1b2ea6.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-115-0x0000000000000000-mapping.dmp

Download
memory/2220-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/3500-116-0x0000000000000000-mapping.dmp

Download