emotet | 5c6b3fa21edceeb05e50540d3a637934876eed80b90a9515e18de2860451322f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-07-2022 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
Size

400KB
MD5

6630cddbe93c8c6b7cf2457cf09ed587
SHA1

1911f736d8970cc9fd5c6ad9b37ef2d259b01b54
SHA256

5c6b3fa21edceeb05e50540d3a637934876eed80b90a9515e18de2860451322f
SHA512

0c8295c2087f5dfab53a8c397c363c60c568cf7d4264eb2c480bed2356d65cb01cc4b2283c134069af9b8ab17c20bf620ca004ee1af918d2e9726a99ff2bd8c4

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

190.202.229.74:80

118.69.11.81:7080

70.39.251.94:8080

87.230.25.43:8080

94.23.62.116:8080

37.187.161.206:8080

45.46.37.97:80

138.97.60.141:7080

177.144.130.105:8080

169.1.39.242:80

209.236.123.42:8080

202.134.4.210:7080

193.251.77.110:80

2.45.176.233:80

217.13.106.14:8080

189.223.16.99:80

190.101.156.139:80

77.238.212.227:80

181.58.181.9:80

37.183.81.217:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 1 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/4996-133-0x00000000022A0000-0x00000000022B0000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe

pid	process
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996	1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe

pid process

4996 1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
4996 1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe

C:\Users\Admin\AppData\Local\Temp\1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe
"C:\Users\Admin\AppData\Local\Temp\1911f736d8970cc9fd5c6ad9b37ef2d259b01b54.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4996-133-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download