emotet | 5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510

Analysis

max time kernel
132s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
Size

696KB
MD5

ea3a4afd0e26b39045f1c1983e077aeb
SHA1

86aad6e514bf442aafa59babd39315aa63b2a96d
SHA256

5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510
SHA512

14bd55f0782bbac13cc19cfccc2993b21d1c518e865fec2940810835995b1c182e07eea880d1f9a4e538c6f93793f6c6d7fb916659522a9055b19416b023f454
SSDEEP

12288:1IPPTFEzVCoWbjXLZAboDBrXkQB12ewU4XL3xdj7rv:1ITFiVCXjubyBjf19A

Score

10^/10

emotet epoch2 banker dave trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

47.36.140.164:80

169.50.76.149:8080

162.241.140.129:8080

104.131.123.136:443

95.213.236.64:8080

130.0.132.242:80

123.176.25.234:80

46.105.131.79:8080

157.245.99.39:8080

79.98.24.39:8080

49.50.209.131:80

72.143.73.234:443

50.91.114.38:80

89.216.122.92:80

5.39.91.110:7080

121.124.124.40:7080

71.72.196.159:80

5.196.74.210:8080

139.162.108.71:8080

61.19.246.238:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/2024-55-0x00000000004C0000-0x00000000004DF000-memory.dmp	emotet
behavioral1/memory/2024-59-0x0000000001CA0000-0x0000000001CBE000-memory.dmp	emotet
behavioral1/memory/2024-63-0x00000000003E0000-0x00000000003FD000-memory.dmp	emotet

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/2024-63-0x00000000003E0000-0x00000000003FD000-memory.dmp	dave

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe

pid	process
2024	5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
2024	5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
2024	5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
2024	5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
2024	5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
2024	5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe

pid process

2024 5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe

C:\Users\Admin\AppData\Local\Temp\5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe
"C:\Users\Admin\AppData\Local\Temp\5fe3b9a03bb8e5a039d498da5fb984d6ebdcdfc4d58835a9b498e0d291b68510.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x00000000004C0000-0x00000000004DF000-memory.dmp

Filesize
124KB

Download
memory/2024-59-0x0000000001CA0000-0x0000000001CBE000-memory.dmp

Filesize
120KB

Download
memory/2024-63-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download