emotet | 3897dbbf619853c8f37abb9e653487ea12a38b1f1e2d02d5bbd3ccf8e4e4a8a5

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-06-2023 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08995099.dll
Size

252KB
MD5

30891d20c065fe6378c9b2568c73a7f0
SHA1

76fffb0ef26bacf0925de63886cf12e911e8793a
SHA256

3897dbbf619853c8f37abb9e653487ea12a38b1f1e2d02d5bbd3ccf8e4e4a8a5
SHA512

06e7fb5bdaed8fcb65232112502724d5e9aba4b12da5a7553f217ecda7919d9df6d4d47e5173e41352e9fa984cd0c3cbfa8dd0d4be00127feb13b72a560dc9e0
SSDEEP

3072:PtgItJoMl9eJ02kGuBDhk3VsbwVBQdP6ZkiaoZa74jZUUzdDIm6O80MTcdfokHJm:OHK9eSBFA+bwVB35tMTc5ocEFWTBiz

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1860	rundll32.exe
5	1860	rundll32.exe
6	1860	rundll32.exe
7	1860	rundll32.exe
8	1860	rundll32.exe
9	1860	rundll32.exe
11	1860	rundll32.exe
12	1860	rundll32.exe
13	1860	rundll32.exe
16	1860	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1860 rundll32.exe

pid	process
1860	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 832	1388	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1860	832	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08995099.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08995099.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\08995099.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-54-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/1860-55-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download
memory/1860-56-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download
memory/1860-57-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download