emotet | reswnop_dump_SCY[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

reswnop_dump_SCY.zip
Size

38KB
MD5

f954b6a72f44dc77fa6d62c71bded318
SHA1

dcad578fb9a8fc924e40ca784024cc5e4087490b
SHA256

182983b99f9a61312f313386c70c87aac4819aefa1370c1aee8d12fcbc4254e4
SHA512

6b0c4f1107e3a1ab95cd289c0f644327e1706f36a1f8d3ed2eaa4ea47d236c5193aa2bbdcf5681c719cb48b7452567a676a9b3ccdad1d304938fe4c8e6328531
SSDEEP

768:J2sA+4GtWHThzoz9Keid3xJmBK/xVx3x1w/6joBbuWb2dibQoIqY0kC:wwWHKKxm8/fJruBbd2dib5Bx

Score

10^/10

epoch2 emotet

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

201.184.105.242:443

24.45.195.162:7080

24.45.195.162:8443

94.192.225.46:80

80.11.163.139:443

133.167.80.63:7080

198.199.114.69:8080

80.79.23.144:443

192.254.173.31:8080

67.225.229.55:8080

190.108.228.48:990

62.75.187.192:8080

185.94.252.13:443

94.205.247.10:80

211.63.71.72:8080

59.103.164.174:80

192.81.213.192:8080

27.4.80.183:443

190.145.67.134:8090

115.78.95.230:443

rsa_pubkey.plain

Signatures

Emotet family
emotet

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/reswnop_dump_SCY.exe

Files

reswnop_dump_SCY.zip
.zip
reswnop_dump_SCY.exe
.exe windows:6 windows x86 arch:x86

ac4acd35e24c9e86db25e3a741fa5986

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

IsProcessorFeaturePresent
SetFilePointer
Wow64RevertWow64FsRedirection
VirtualFree
GetProcessHeap
CreateMutexW
SetFileAttributesW
Sleep
SignalObjectAndWait
ResumeThread
MapViewOfFile
GetCurrentProcess
CreateToolhelp32Snapshot
lstrlenW
SetErrorMode
VirtualAllocEx
VirtualProtectEx
GetCommandLineW
GetCurrentProcessId
HeapReAlloc
CloseHandle
LockFileEx
Wow64DisableWow64FsRedirection
ProcessIdToSessionId
GetLocalTime
GetFileSize
GetTempPathW
SetEvent
WaitForSingleObject
GetModuleHandleW
GetProcAddress
DeleteFileW
GetModuleFileNameW
ExitProcess
CreateFileMappingW
HeapAlloc
UnmapViewOfFile
CreateEventW
CreateFileW
WTSGetActiveConsoleSessionId
lstrcpynW
lstrcmpiW
FreeLibrary
GetCurrentThreadId
Process32NextW
LocalFree
CopyFileW
CreateProcessW
lstrcpyW
ReleaseMutex
WideCharToMultiByte
UnlockFileEx
GetWindowsDirectoryW
GetTickCount
GetComputerNameW
Process32FirstW
ResetEvent
LoadLibraryA
lstrcatW
WriteProcessMemory
VirtualQueryEx
GetFileAttributesW
GetNativeSystemInfo
MoveFileExW
FlushFileBuffers
GetLastError
lstrlenA
TerminateProcess
CreateThread
GetVolumeInformationW
MultiByteToWideChar
SetLastError
CreateDirectoryW
LoadLibraryW
WriteFile
HeapFree
GetThreadContext
GetTempFileNameW
SetThreadContext
VirtualAlloc
IsWow64Process

?

?
?
?
?
?
?
?
?
?
?
?
?
?
?

ntdll

_snprintf
_snwprintf
RtlGetVersion
_vsnwprintf
memcpy
RtlComputeCrc32
memset

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 8KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.SCY
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

ac4acd35e24c9e86db25e3a741fa5986

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

?

ntdll

Sections

.text Size: 48KB - Virtual size: 48KB

.rdata Size: 3KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 16KB

.CRT Size: 512B - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 4KB

.SCY Size: 4KB - Virtual size: 8KB

.text
Size: 48KB - Virtual size: 48KB

.rdata
Size: 3KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 16KB

.CRT
Size: 512B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 4KB

.SCY
Size: 4KB - Virtual size: 8KB