Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 16:13

General

  • Target

    eba98abe00f0a411e6736cf916d05c70.exe

  • Size

    572KB

  • MD5

    eba98abe00f0a411e6736cf916d05c70

  • SHA1

    fba38ef52ce7f582ffa8582dafc7517b310c396b

  • SHA256

    7c017123bdcb32ece3624c846e7262f9b9cd04ce4e8608e5f3d02448ea9c1bbc

  • SHA512

    1df1c131751fb709778c61e3de005ea295661fbf9556ff0c90659fdba62b129c7b758bc7fea14e3705c178fbe9641f8ac5ce7fb56eae43533dde11d2e5db4cc7

  • SSDEEP

    6144:hLOYXpa/ummNl/C5lXS/U6zJjSOd77yPZ5qxSorTCQ2z07517k0bbS9ZuXCBnS91:h6ummjiX6B+PZC+OByZJS9rVFN

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eba98abe00f0a411e6736cf916d05c70.exe
    "C:\Users\Admin\AppData\Local\Temp\eba98abe00f0a411e6736cf916d05c70.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\eba98abe00f0a411e6736cf916d05c70.exe
      --9927d7e7
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:2296
  • C:\Windows\SysWOW64\scanmalert.exe
    "C:\Windows\SysWOW64\scanmalert.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\scanmalert.exe
      --c910d2be
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • memory/2296-6-0x0000000000380000-0x0000000000397000-memory.dmp
    Filesize

    92KB

  • memory/2724-11-0x0000000000610000-0x0000000000627000-memory.dmp
    Filesize

    92KB

  • memory/2756-0-0x0000000000390000-0x00000000003A7000-memory.dmp
    Filesize

    92KB

  • memory/2756-4-0x00000000002E0000-0x00000000002F1000-memory.dmp
    Filesize

    68KB

  • memory/2860-16-0x0000000000630000-0x0000000000647000-memory.dmp
    Filesize

    92KB