emotet | a2e8e46ba6387fd9ed8bb48ca8af38613829d48d2597d18b0e8a9dc104cf29d0

General

Target

a2e8e46ba6387fd9ed8bb48ca8af38613829d48d2597d18b0e8a9dc104cf29d0.dll
Size

219KB
MD5

9b39659a40f2adc3a18d8ff3a617a2d6
SHA1

dbad43acf7a2e258278b65b18b792dfeeb353853
SHA256

a2e8e46ba6387fd9ed8bb48ca8af38613829d48d2597d18b0e8a9dc104cf29d0
SHA512

b567e6a6aa6d872c27f6fe4480cc8c3e6202b20473418ddc04877e762c32162ce1f81e9f9f85d6a216e9dcd22fa9365adeeb3a459b24bbd920d2ea5d0b1eb067

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

173.70.61.180:80

59.21.235.119:80

50.116.111.59:8080

173.249.20.233:443

188.165.214.98:8080

72.188.173.74:80

74.40.205.197:443

64.207.182.168:8080

97.120.3.198:80

190.29.166.0:80

123.176.25.234:80

155.186.9.160:80

138.68.87.218:443

139.99.158.11:443

78.24.219.147:8080

58.1.242.115:80

108.21.72.56:443

188.219.31.12:80

70.180.33.202:80

181.171.209.241:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet3 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4256-134-0x0000000002B10000-0x0000000002B2F000-memory.dmp	Emotet3
behavioral2/memory/1884-138-0x0000000000AA0000-0x0000000000ABF000-memory.dmp	Emotet3

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

22 1884 rundll32.exe
26 1884 rundll32.exe
30 1884 rundll32.exe
35 1884 rundll32.exe
36 1884 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1884 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Hbdr\yeo.mmv rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
22	1884	rundll32.exe
26	1884	rundll32.exe
30	1884	rundll32.exe
35	1884	rundll32.exe
36	1884	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Hbdr\yeo.mmv	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

4256 rundll32.exe

pid	process
4256	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1320 wrote to memory of 4256	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 4256	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 4256	1320	rundll32.exe	rundll32.exe
PID 4256 wrote to memory of 1884	4256	rundll32.exe	rundll32.exe
PID 4256 wrote to memory of 1884	4256	rundll32.exe	rundll32.exe
PID 4256 wrote to memory of 1884	4256	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2e8e46ba6387fd9ed8bb48ca8af38613829d48d2597d18b0e8a9dc104cf29d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2e8e46ba6387fd9ed8bb48ca8af38613829d48d2597d18b0e8a9dc104cf29d0.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hbdr\yeo.mmv",RunDLL
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbdr\yeo.mmv

MD5
9b39659a40f2adc3a18d8ff3a617a2d6

SHA1
dbad43acf7a2e258278b65b18b792dfeeb353853

SHA256
a2e8e46ba6387fd9ed8bb48ca8af38613829d48d2597d18b0e8a9dc104cf29d0

SHA512
b567e6a6aa6d872c27f6fe4480cc8c3e6202b20473418ddc04877e762c32162ce1f81e9f9f85d6a216e9dcd22fa9365adeeb3a459b24bbd920d2ea5d0b1eb067

Download Submit
memory/1884-138-0x0000000000AA0000-0x0000000000ABF000-memory.dmp

Filesize
124KB

Download
memory/4256-134-0x0000000002B10000-0x0000000002B2F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads