emotet | ffbcf5e11564aa99ec6b8b6686fd02f9ef65ba1a5929e180d46b9bc3da3aa5dc

Sharing

Copy URL

Twitter E-mail

General

Target

ffbcf5e11564aa99ec6b8b6686fd02f9ef65ba1a5929e180d46b9bc3da3aa5dc
Size

81KB
MD5

71c50c8e9b397f5c411eef6a4bcfd95e
SHA1

d673dba48390fa8d87cb5cb0318aed397a0382d4
SHA256

ffbcf5e11564aa99ec6b8b6686fd02f9ef65ba1a5929e180d46b9bc3da3aa5dc
SHA512

7c265b82dbec012de0aa8aad45d2f6d09e51fd0f7614bb0cec6bf046ac3b84306acdab4c2257772629bd333781e94dc0663a5daff1377db5b5b91af7b8044623
SSDEEP

1536:RQ14LR8spFrd2kxP9GkYsPHmmXZxhDVSQo/l7xmGzFBnOQi8sVJTcWYWLWY:2+8sLd2kJ9GSZjhSz/l7cGhEQiJ3wWL

Score

10^/10

epoch2 emotet

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

149.167.86.174:990

181.164.8.25:80

181.143.194.138:443

192.241.250.202:8080

63.142.253.122:8080

178.254.6.27:7080

92.222.125.16:7080

142.44.162.209:8080

86.98.25.30:53

31.172.240.91:8080

149.202.153.252:8080

201.250.11.236:50000

189.129.231.76:20

182.76.6.2:8080

189.209.217.49:80

87.106.136.232:8080

91.205.215.66:8080

212.71.234.16:8080

178.79.161.166:443

162.243.125.212:8080

rsa_pubkey.plain

Signatures

Emotet family
emotet

Files

ffbcf5e11564aa99ec6b8b6686fd02f9ef65ba1a5929e180d46b9bc3da3aa5dc
.exe windows x86

76e325c37944c099823b0759fa87484e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

IsProcessorFeaturePresent
CreateMutexW
lstrcpynW
WaitForSingleObject
CreateProcessW
CreateEventW
ResetEvent
GetCurrentProcessId
CopyFileW
GetTempPathW
Wow64DisableWow64FsRedirection
GetTempFileNameW
VirtualAlloc
SetFilePointer
CreateFileW
SetLastError
lstrcmpiW
Process32NextW
GetVolumeInformationW
lstrcpyW
UnlockFileEx
VirtualFree
SetFileAttributesW
VirtualQueryEx
Wow64RevertWow64FsRedirection
GetNativeSystemInfo
LoadLibraryA
TerminateProcess
WriteFile
LoadLibraryW
ReleaseMutex
lstrlen
CreateDirectoryW
GetFileAttributesW
GetThreadContext
HeapAlloc
lstrlenW
SignalObjectAndWait
GetCurrentProcess
Sleep
CreateThread
GetComputerNameW
ExitProcess
FreeLibrary
SetThreadContext
WideCharToMultiByte
VirtualAllocEx
VirtualProtectEx
WTSGetActiveConsoleSessionId
MultiByteToWideChar
CloseHandle
GetTickCount
GetProcessHeap
ResumeThread
GetModuleFileNameW
lstrcatW
UnmapViewOfFile
SetEvent
GetLastError
GetWindowsDirectoryW
GetFileSize
CreateFileMappingW
ProcessIdToSessionId
WriteProcessMemory
LockFileEx
DeleteFileW
MapViewOfFile
GetProcAddress
GetCommandLineW
CreateToolhelp32Snapshot
SetErrorMode
IsWow64Process
HeapFree
FlushFileBuffers
MoveFileExW
GetCurrentThreadId
LocalFree
Process32FirstW
GetLocalTime
HeapReAlloc
GetModuleHandleW

advapi32

AdjustTokenPrivileges
RegisterServiceCtrlHandlerExW
CryptImportKey
CryptReleaseContext
CreateProcessAsUserW
OpenSCManagerW
CryptVerifySignatureW
EnumServicesStatusExW
LookupPrivilegeValueW
CryptExportKey
DuplicateTokenEx
RegCreateKeyExW
CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptEncrypt
StartServiceW
SetServiceStatus
OpenProcessToken
StartServiceCtrlDispatcherW
ImpersonateLoggedOnUser
GetServiceDisplayNameW
CryptGenKey
CryptDestroyKey
CryptDuplicateHash
GetTokenInformation
DuplicateToken
RevertToSelf
RegQueryValueExW
CreateServiceW
ChangeServiceConfig2W
CryptGetHashParam
RegSetValueExW
RegCloseKey
OpenServiceW
CloseServiceHandle
QueryServiceConfig2W
DeleteService
CryptDestroyHash
GetLengthSid

crypt32

CryptDecodeObjectEx

ntdll

RtlGetVersion
_snwprintf
RtlComputeCrc32
_vsnprintf
memset
_vsnwprintf
_snprintf
NtUnmapViewOfSection
memcpy

shell32

SHGetFolderPathW
SHFileOperationW

urlmon

ObtainUserAgentString

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

wininet

HttpSendRequestW
InternetReadFile
InternetCloseHandle
HttpQueryInfoW
InternetConnectW
InternetReadFileExA
HttpOpenRequestW
InternetSetOptionW
HttpSendRequestExA
InternetCrackUrlW
InternetReadFileExW
HttpEndRequestW
InternetQueryOptionW
InternetSetStatusCallbackW
InternetOpenW

wtsapi32

QueryUserToken
WTSEnumerateSessionsW
WTSFreeMemory

Sections

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

76e325c37944c099823b0759fa87484e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

crypt32

ntdll

shell32

urlmon

userenv

wininet

wtsapi32

Sections

.text Size: 60KB - Virtual size: 60KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 4KB - Virtual size: 19KB

.CRT Size: 512B - Virtual size: 4B

.reloc Size: 12KB - Virtual size: 12KB

.text
Size: 60KB - Virtual size: 60KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 19KB

.CRT
Size: 512B - Virtual size: 4B

.reloc
Size: 12KB - Virtual size: 12KB