emotet | 5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924

Analysis

max time kernel
153s
max time network
187s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
Size

728KB
MD5

06c974f4e64fea6332a5ace68ffcc7d7
SHA1

d5c53c686d7fd4d86ed150fb74ec59a47099b075
SHA256

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924
SHA512

98d009db32e02bb1ea18a0cafcb8269375fe0576747b793a70fd8fe2aed196e3cdfa9ac85734568fc1de1de50d828084ebbcfa9771f5b22a8b2091d8f076314b
SSDEEP

12288:D+LMN1XrQ+LeMnUMOwOozWCf8qXC+EATlTe5L:HN1XPVU7wGD7iTe

Score

10^/10

emotet epoch3 banker dave trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

125.200.20.233:80

93.186.197.189:7080

188.166.220.180:7080

192.175.111.217:7080

118.243.83.70:80

103.80.51.61:8080

185.80.172.199:80

172.96.190.154:8080

116.202.10.123:8080

46.105.131.68:8080

223.17.215.76:80

192.210.217.94:8080

190.194.12.132:80

115.79.59.157:80

190.191.171.72:80

24.231.51.190:80

203.153.216.178:7080

175.103.38.146:80

36.91.44.183:80

213.165.178.214:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/1772-55-0x0000000000370000-0x000000000038F000-memory.dmp	emotet
behavioral1/memory/1772-61-0x0000000000350000-0x000000000036C000-memory.dmp	emotet
behavioral1/memory/1772-59-0x0000000000390000-0x00000000003AD000-memory.dmp	emotet

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1772-61-0x0000000000350000-0x000000000036C000-memory.dmp	dave

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

pid	process
1772	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1772	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1772	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

pid process

1772 5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

C:\Users\Admin\AppData\Local\Temp\5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
"C:\Users\Admin\AppData\Local\Temp\5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1772-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1772-55-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/1772-61-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1772-59-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download