emotet | fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f

Analysis

max time kernel
591s
max time network
609s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-10-2022 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe
Size

432KB
MD5

500221e174762c63829c2ea9718ca44f
SHA1

25b3a1a2f9a5756a684c8b77f630527321ad1fb0
SHA256

fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f
SHA512

1b406fff66f3bf9bdf60c24b17d32bc430fecf73b91c2554bd8ad7785d7a98a3504c5e09a90d1dbc07ca269d8d835d77980466beb298d933f57d4820a0433419
SSDEEP

6144:Xil8BxssHF5REV9v+RsZ0qLpYCyMsaji++6gK5cGT:Xil8BjHFfEn3CUpYyG76gfA

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

173.73.87.96:80

71.222.233.135:443

60.250.78.22:443

80.86.91.91:8080

104.236.28.47:8080

162.241.92.219:8080

74.208.45.104:8080

178.20.74.212:80

85.105.205.77:8080

190.220.19.82:443

78.24.219.147:8080

47.26.155.17:80

110.44.113.2:80

113.52.123.226:7080

120.151.135.224:80

108.191.2.72:80

70.127.155.33:80

98.156.206.153:80

47.6.15.79:443

104.131.44.150:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

rasdial.exe

pid	process
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe
1756	rasdial.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe

pid process

1996 fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe

pid	process
1996	fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe

description	pid	process	target process
PID 1996 wrote to memory of 1756	1996	fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe	rasdial.exe
PID 1996 wrote to memory of 1756	1996	fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe	rasdial.exe
PID 1996 wrote to memory of 1756	1996	fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe	rasdial.exe
PID 1996 wrote to memory of 1756	1996	fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe	rasdial.exe

C:\Users\Admin\AppData\Local\Temp\fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe
"C:\Users\Admin\AppData\Local\Temp\fc11f30fb0debf8b8f42a7e9c0678df69c8b171c0038ea7aca7217b43b3c220f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\rasdial\rasdial.exe
"C:\Windows\SysWOW64\rasdial\rasdial.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-59-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1996-54-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1996-57-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1996-58-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download