emotet | 4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe

General

Target

4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
Size

120KB
MD5

7cd51ed7687a080cbf8cb1ce8c809822
SHA1

f5287b9f5ebfc74b63d9d059be5684c8bf05e583
SHA256

4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe
SHA512

131ec0c2c25f0a946d16553115fdd6a347b87d73b73b9ee514bfc4148e09249186cc1a64e9931ea0a3b42516fc60f62b7072e1cd5784d78e834b53fd3a73a255

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exeboostdroid.exeboostdroid.exe

pid	process
4128	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
4128	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
4704	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
4704	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
2628	boostdroid.exe
2628	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe
2292	boostdroid.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe

pid process

4704 4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe

pid	process
4704	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exeboostdroid.exe

description	pid	process	target process
PID 4128 wrote to memory of 4704	4128	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
PID 4128 wrote to memory of 4704	4128	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
PID 4128 wrote to memory of 4704	4128	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe	4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
PID 2628 wrote to memory of 2292	2628	boostdroid.exe	boostdroid.exe
PID 2628 wrote to memory of 2292	2628	boostdroid.exe	boostdroid.exe
PID 2628 wrote to memory of 2292	2628	boostdroid.exe	boostdroid.exe

C:\Users\Admin\AppData\Local\Temp\4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
"C:\Users\Admin\AppData\Local\Temp\4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe
"C:\Users\Admin\AppData\Local\Temp\4e473457ea8eea869cc68754ddc1aca54d0343e912d16276a7ec7da023a16ffe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4704

C:\Windows\SysWOW64\boostdroid.exe
"C:\Windows\SysWOW64\boostdroid.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\boostdroid.exe
"C:\Windows\SysWOW64\boostdroid.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-153-0x0000000000000000-mapping.dmp

Download
memory/2292-166-0x0000000001760000-0x0000000001776000-memory.dmp

Filesize
88KB

Download
memory/2292-163-0x0000000000740000-0x0000000000763000-memory.dmp

Filesize
140KB

Download
memory/2292-164-0x0000000001760000-0x0000000001776000-memory.dmp

Filesize
88KB

Download
memory/2292-165-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/2292-154-0x0000000001780000-0x0000000001796000-memory.dmp

Filesize
88KB

Download
memory/2292-158-0x0000000001780000-0x0000000001796000-memory.dmp

Filesize
88KB

Download
memory/2628-161-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2628-152-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2628-159-0x0000000000740000-0x0000000000763000-memory.dmp

Filesize
140KB

Download
memory/2628-160-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/2628-148-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/4128-144-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/4128-142-0x0000000000740000-0x0000000000763000-memory.dmp

Filesize
140KB

Download
memory/4128-143-0x0000000000E60000-0x0000000000E76000-memory.dmp

Filesize
88KB

Download
memory/4128-130-0x0000000000740000-0x0000000000763000-memory.dmp

Filesize
140KB

Download
memory/4128-135-0x0000000000E80000-0x0000000000E96000-memory.dmp

Filesize
88KB

Download
memory/4128-131-0x0000000000E80000-0x0000000000E96000-memory.dmp

Filesize
88KB

Download
memory/4704-145-0x0000000000740000-0x0000000000763000-memory.dmp

Filesize
140KB

Download
memory/4704-141-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download
memory/4704-162-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/4704-146-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/4704-147-0x0000000000B20000-0x0000000000DA1000-memory.dmp

Filesize
2.5MB

Download
memory/4704-137-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download
memory/4704-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing