emotet | b4c37dde6546566bb11ff568d9a930b4fee72556d8e6221ccf97a41c0be654e1

Analysis

max time kernel
122s
max time network
137s
platform
windows7_x64
resource
win7-en-20211104
submitted
18/11/2021, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

696e5bfe78999005ae36b9e2d2b426bf.dll
Size

259KB
MD5

696e5bfe78999005ae36b9e2d2b426bf
SHA1

be9525dd3c11e033562fa339a111fbde20790cd3
SHA256

b4c37dde6546566bb11ff568d9a930b4fee72556d8e6221ccf97a41c0be654e1
SHA512

a6e8fdfd35a2dd25178a5885d44302a90dc9cc76786093e681ae24cf208eb8dd84058ad22be77a7201e2bb888bd7f95db1f16383f65b486e22396be2d2d24576

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1644	rundll32.exe
6	1644	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1644	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1452 wrote to memory of 1700	1452	rundll32.exe	27
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29
PID 1700 wrote to memory of 1644	1700	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\696e5bfe78999005ae36b9e2d2b426bf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\696e5bfe78999005ae36b9e2d2b426bf.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\696e5bfe78999005ae36b9e2d2b426bf.dll",Control_RunDLL
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-56-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1700-59-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download