emotet | 59e05e4558ac3f55b43539e32d12f0ed3e75987b5a0dfddf766ecc0360181812

Analysis

max time kernel
132s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll
Size

197KB
MD5

19b0124f2e4f223113bb11a84765a6c3
SHA1

d27bfe2481c74fe0c213456ad3906e96097ab4c6
SHA256

bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59
SHA512

c9bd86474c8500d948d7c1af660f60af00cffee8f6525785ad916a669c87386ad23c5955dc8e2dbe666cbdc57b46c4d1e813ced09a61920aeb4f17bc520cd602
SSDEEP

3072:7zrlNwFBuQ+i2ro9Ux4huw/mY2EeTyDcqsAX8QaCQ5IS39mLSnwKl:7zPkBvoroGIRe+7sAXMCQL3ImwK

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

125.0.215.60:80

163.53.204.180:443

89.163.210.141:8080

203.157.152.9:7080

157.245.145.87:443

82.78.179.117:443

85.247.144.202:80

37.46.129.215:8080

110.37.224.243:80

192.210.217.94:8080

2.82.75.215:80

69.159.11.38:443

188.166.220.180:7080

103.93.220.182:80

198.20.228.9:8080

91.75.75.46:80

88.247.30.64:80

189.211.214.19:443

203.160.167.243:80

178.33.167.120:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

3 3040 rundll32.exe
7 3040 rundll32.exe
8 3040 rundll32.exe
11 3040 rundll32.exe
12 3040 rundll32.exe
15 3040 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Owsfsdl\fgfvbb.xwe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3040 rundll32.exe
3040 rundll32.exe
3040 rundll32.exe
3040 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2652 rundll32.exe

flow	pid	process
3	3040	rundll32.exe
7	3040	rundll32.exe
8	3040	rundll32.exe
11	3040	rundll32.exe
12	3040	rundll32.exe
15	3040	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Owsfsdl\fgfvbb.xwe	rundll32.exe

pid	process
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe

pid	process
2652	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 2652	1220	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 3040	2652	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Owsfsdl\fgfvbb.xwe",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2652-0-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/3040-3-0x00000000001F0000-0x0000000000212000-memory.dmp

Filesize
136KB

Download