emotet | 5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924

Analysis

max time kernel
176s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
Size

728KB
MD5

06c974f4e64fea6332a5ace68ffcc7d7
SHA1

d5c53c686d7fd4d86ed150fb74ec59a47099b075
SHA256

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924
SHA512

98d009db32e02bb1ea18a0cafcb8269375fe0576747b793a70fd8fe2aed196e3cdfa9ac85734568fc1de1de50d828084ebbcfa9771f5b22a8b2091d8f076314b
SSDEEP

12288:D+LMN1XrQ+LeMnUMOwOozWCf8qXC+EATlTe5L:HN1XPVU7wGD7iTe

Score

10^/10

emotet epoch3 banker dave trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

125.200.20.233:80

93.186.197.189:7080

188.166.220.180:7080

192.175.111.217:7080

118.243.83.70:80

103.80.51.61:8080

185.80.172.199:80

172.96.190.154:8080

116.202.10.123:8080

46.105.131.68:8080

223.17.215.76:80

192.210.217.94:8080

190.194.12.132:80

115.79.59.157:80

190.191.171.72:80

24.231.51.190:80

203.153.216.178:7080

175.103.38.146:80

36.91.44.183:80

213.165.178.214:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/1856-132-0x0000000002270000-0x000000000228F000-memory.dmp	emotet
behavioral2/memory/1856-136-0x0000000002290000-0x00000000022AD000-memory.dmp	emotet
behavioral2/memory/1856-140-0x0000000002250000-0x000000000226C000-memory.dmp	emotet

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/1856-140-0x0000000002250000-0x000000000226C000-memory.dmp	dave

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

pid	process
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
1856	5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

pid process

1856 5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe

C:\Users\Admin\AppData\Local\Temp\5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe
"C:\Users\Admin\AppData\Local\Temp\5779db9d50105073aded54df045c927d9c331853b161a171f68cd7bd0f29c924.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-132-0x0000000002270000-0x000000000228F000-memory.dmp

Filesize
124KB

Download
memory/1856-136-0x0000000002290000-0x00000000022AD000-memory.dmp

Filesize
116KB

Download
memory/1856-140-0x0000000002250000-0x000000000226C000-memory.dmp

Filesize
112KB

Download