emotet | 0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8

General

Target

0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
Size

176KB
MD5

53e9f2b5a7b01961f9f346581a5d7522
SHA1

300a775e5c1df294428511a87115ae07c97b94d6
SHA256

0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8
SHA512

2657dd26469ea44e5ed8a43760811ae67e1e58221cec720b7db0315fb6b60414181ee756c6a1418aad0326cacd9337cd49ac34c360e57c5bb6443886b7953072

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3604	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
3604	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
2360	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
2360	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
1356	bearscookies.exe
1356	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe
4976	bearscookies.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2360	3604	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe	81
PID 3604 wrote to memory of 2360	3604	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe	81
PID 3604 wrote to memory of 2360	3604	0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe	81
PID 1356 wrote to memory of 4976	1356	bearscookies.exe	85
PID 1356 wrote to memory of 4976	1356	bearscookies.exe	85
PID 1356 wrote to memory of 4976	1356	bearscookies.exe	85

C:\Users\Admin\AppData\Local\Temp\0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
"C:\Users\Admin\AppData\Local\Temp\0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe
  "C:\Users\Admin\AppData\Local\Temp\0b11f581e4d4a3fa3cc31b94839c221ea8b386a341c880e0d49f739dc12182b8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2360

C:\Windows\SysWOW64\bearscookies.exe
"C:\Windows\SysWOW64\bearscookies.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\bearscookies.exe
  "C:\Windows\SysWOW64\bearscookies.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-155-0x0000000000E10000-0x0000000000E30000-memory.dmp

Filesize
128KB

Download
memory/1356-146-0x0000000000DF0000-0x0000000000E07000-memory.dmp

Filesize
92KB

Download
memory/1356-150-0x0000000000DF0000-0x0000000000E07000-memory.dmp

Filesize
92KB

Download
memory/1356-153-0x00000000008A0000-0x0000000000B21000-memory.dmp

Filesize
2.5MB

Download
memory/2360-140-0x0000000002140000-0x0000000002157000-memory.dmp

Filesize
92KB

Download
memory/2360-159-0x00000000008A0000-0x00000000008B7000-memory.dmp

Filesize
92KB

Download
memory/2360-136-0x0000000002140000-0x0000000002157000-memory.dmp

Filesize
92KB

Download
memory/2360-143-0x00000000008A0000-0x00000000008B7000-memory.dmp

Filesize
92KB

Download
memory/2360-144-0x0000000002160000-0x0000000002180000-memory.dmp

Filesize
128KB

Download
memory/2360-145-0x00000000008A0000-0x00000000008B7000-memory.dmp

Filesize
92KB

Download
memory/3604-142-0x0000000000650000-0x0000000000670000-memory.dmp

Filesize
128KB

Download
memory/3604-134-0x0000000000630000-0x0000000000647000-memory.dmp

Filesize
92KB

Download
memory/3604-141-0x0000000000610000-0x0000000000627000-memory.dmp

Filesize
92KB

Download
memory/3604-130-0x0000000000630000-0x0000000000647000-memory.dmp

Filesize
92KB

Download
memory/4976-152-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/4976-158-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/4976-160-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/4976-161-0x0000000000B30000-0x0000000000B50000-memory.dmp

Filesize
128KB

Download
memory/4976-162-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing