emotet | 335d5d8ec7dc191d2ac973e34c65d33381ff3a11da2bd99e7ae8f7f3636ada46

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b0a4b66456ab0811ca41dfd1a58484f.dll
Size

275KB
MD5

9b0a4b66456ab0811ca41dfd1a58484f
SHA1

08a1a07dd30c5d6954dfa4e75ef133449f855cd0
SHA256

335d5d8ec7dc191d2ac973e34c65d33381ff3a11da2bd99e7ae8f7f3636ada46
SHA512

b9aae92d4338029d0586af0bfe09170779a5168549f6ce66e367423a08ca790641af904be426a2b4a77098a4e31c509fdd29cf25a2d4d15e917afe3f7a7fcd68
SSDEEP

6144:NyPfYWVk+AQOwHUjj7bzrQ8Xu4MSLH3xvH/oC:NyPF+sOwaHbzrQmRLH3ZHg

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

200.75.39.254:80

201.185.69.28:443

206.189.232.2:8080

138.197.99.250:8080

167.71.148.58:443

190.45.24.210:80

110.39.162.2:443

201.75.62.86:80

46.105.114.137:8080

190.247.139.101:80

59.148.253.194:8080

137.74.106.111:7080

202.79.24.136:443

177.85.167.10:80

80.15.100.37:80

45.16.226.117:443

190.24.243.186:80

138.97.60.141:7080

2.80.112.146:80

81.214.253.80:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

19 1012 rundll32.exe
40 1012 rundll32.exe
43 1012 rundll32.exe
49 1012 rundll32.exe
50 1012 rundll32.exe

flow	pid	process
19	1012	rundll32.exe
40	1012	rundll32.exe
43	1012	rundll32.exe
49	1012	rundll32.exe
50	1012	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4996 wrote to memory of 1012	4996	rundll32.exe	rundll32.exe
PID 4996 wrote to memory of 1012	4996	rundll32.exe	rundll32.exe
PID 4996 wrote to memory of 1012	4996	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b0a4b66456ab0811ca41dfd1a58484f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b0a4b66456ab0811ca41dfd1a58484f.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1012-0-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/1012-1-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1012-2-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1012-3-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1012-5-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download