emotet | e59e7db0c75cef4bb6e057d725bae7ed5e13fd011b54fe39c3fe7cdb123b684f

Analysis

max time kernel
288s
max time network
305s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
Size

244KB
MD5

ec6363acaf183e7c3bcdc5b009ac277c
SHA1

94bf19b87591a990a40ea61e3235314a02f105e2
SHA256

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47
SHA512

be05c7ef26a3216cd01cbadb1086962caae4075a0ce322c248c56ad3d97c9cb85d19173e52db754152eac8678317ea637fe18d10cc89133f7eadc885fb92d402

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

174.118.202.24:443

161.0.153.60:80

64.207.182.168:8080

51.89.36.180:443

51.89.199.141:8080

109.116.245.80:80

50.91.114.38:80

188.219.31.12:80

109.74.5.95:8080

201.171.244.130:80

190.162.215.233:80

74.40.205.197:443

118.83.154.64:443

134.209.144.106:443

104.131.11.150:443

200.116.145.225:443

96.245.227.43:80

24.137.76.62:80

172.86.188.251:8080

139.59.60.244:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral21/memory/1928-54-0x0000000000240000-0x0000000000252000-memory.dmp	emotet
behavioral21/memory/1928-58-0x00000000002E0000-0x00000000002F0000-memory.dmp	emotet
behavioral21/memory/1928-62-0x0000000000230000-0x000000000023F000-memory.dmp	emotet
behavioral21/memory/1508-65-0x00000000002D0000-0x00000000002E2000-memory.dmp	emotet
behavioral21/memory/1508-69-0x00000000002F0000-0x0000000000300000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

rdrleakdiag.exe

pid process

1508 rdrleakdiag.exe

Drops file in System32 directory 1 IoCs

Processes:

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\KBDINPUN\rdrleakdiag.exe	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe

Drops file in Windows directory 2 IoCs

Processes:

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exerdrleakdiag.exe

description	ioc	process
File opened for modification	C:\Windows\notepad.exe	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
File opened for modification	C:\Windows\notepad.exe	rdrleakdiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rdrleakdiag.exe

pid	process
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe
1508	rdrleakdiag.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe

pid process

1928 6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exerdrleakdiag.exe

pid process

1928 6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
1508 rdrleakdiag.exe

pid	process
1928	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe

pid	process
1928	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
1508	rdrleakdiag.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe

description	pid	process	target process
PID 1928 wrote to memory of 1508	1928	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe	rdrleakdiag.exe
PID 1928 wrote to memory of 1508	1928	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe	rdrleakdiag.exe
PID 1928 wrote to memory of 1508	1928	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe	rdrleakdiag.exe
PID 1928 wrote to memory of 1508	1928	6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe	rdrleakdiag.exe

C:\Users\Admin\AppData\Local\Temp\6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
"C:\Users\Admin\AppData\Local\Temp\6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\KBDINPUN\rdrleakdiag.exe
"C:\Windows\SysWOW64\KBDINPUN\rdrleakdiag.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KBDINPUN\rdrleakdiag.exe

Filesize
244KB

MD5
ec6363acaf183e7c3bcdc5b009ac277c

SHA1
94bf19b87591a990a40ea61e3235314a02f105e2

SHA256
6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47

SHA512
be05c7ef26a3216cd01cbadb1086962caae4075a0ce322c248c56ad3d97c9cb85d19173e52db754152eac8678317ea637fe18d10cc89133f7eadc885fb92d402

Download Submit
memory/1508-63-0x0000000000000000-mapping.dmp

Download
memory/1508-65-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1508-69-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1928-54-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1928-58-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1928-61-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1928-62-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download