emotet | e1a43b3b1f53d31d9269e7278b0cc338614ee06fc3f0599904aa21a38e0f0e05

Analysis

max time kernel
120s
max time network
220s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a43b3b1f53d31d9269e7278b0cc338614ee06fc3f0599904aa21a38e0f0e05.dll
Size

252KB
MD5

307b2b52d71cb3983d7d7c09a6abf8bf
SHA1

a328d0669139bfda1bba344dce0ca5832c18be71
SHA256

e1a43b3b1f53d31d9269e7278b0cc338614ee06fc3f0599904aa21a38e0f0e05
SHA512

046301e6066141ae8a037d8e6aec77ab997a71e5cb5fb35b8ad7f8d48e9b54f9a8869eb2e979a16a8866c86d1505735118974b9eb4006717336592f593b0875d

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

8 1804 rundll32.exe
11 1804 rundll32.exe
12 1804 rundll32.exe
20 1804 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1804 rundll32.exe
1804 rundll32.exe

flow	pid	process
8	1804	rundll32.exe
11	1804	rundll32.exe
12	1804	rundll32.exe
20	1804	rundll32.exe

pid	process
1804	rundll32.exe
1804	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2976 wrote to memory of 2176	2976	rundll32.exe	rundll32.exe
PID 2976 wrote to memory of 2176	2976	rundll32.exe	rundll32.exe
PID 2976 wrote to memory of 2176	2976	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 1804	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 1804	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 1804	2176	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a43b3b1f53d31d9269e7278b0cc338614ee06fc3f0599904aa21a38e0f0e05.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a43b3b1f53d31d9269e7278b0cc338614ee06fc3f0599904aa21a38e0f0e05.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\e1a43b3b1f53d31d9269e7278b0cc338614ee06fc3f0599904aa21a38e0f0e05.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1804-116-0x0000000000000000-mapping.dmp

Download
memory/2176-115-0x0000000000000000-mapping.dmp

Download
memory/2176-117-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download