emotet | 6b14a533653d8535dc86e29deca21ba3266ab9088b2d7cf08cb96993136356cc

Analysis

max time kernel
4294181s
max time network
140s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b14a533653d8535dc86e29deca21ba3266ab9088b2d7cf08cb96993136356cc.dll
Size

58KB
MD5

2969958cda104c3c7b8fa66e1dd94b75
SHA1

875ed549c0d9e6e1ae8bc3b49c7b04b01dd5fe35
SHA256

6b14a533653d8535dc86e29deca21ba3266ab9088b2d7cf08cb96993136356cc
SHA512

0484fff46ccbf55a69bc8bfc3bc1b1582992c15f7f288343128997b3dfbda18db1d0fe9648922537c1799990d74a52794a6411eb088334f388c909b237f768f7

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

49.205.182.134:80

72.229.97.235:80

188.165.214.98:8080

185.201.9.197:8080

64.207.182.168:8080

5.39.91.110:7080

155.186.9.160:80

24.178.90.49:80

157.245.99.39:8080

174.118.202.24:443

50.246.154.69:80

79.137.83.50:443

110.145.11.73:80

190.29.166.0:80

176.111.60.55:8080

24.69.65.8:8080

46.105.131.79:8080

62.30.7.67:443

172.125.40.123:80

209.141.54.221:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 1 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/2016-55-0x00000000001A0000-0x00000000001B0000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2016 rundll32.exe
2016 rundll32.exe

pid	process
2016	rundll32.exe
2016	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2016	1152	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b14a533653d8535dc86e29deca21ba3266ab9088b2d7cf08cb96993136356cc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b14a533653d8535dc86e29deca21ba3266ab9088b2d7cf08cb96993136356cc.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download