emotet | 2a9577b9e974148ad1257b46354ae2fed7e42061286aa15f4dff91fe0a8feee3

Analysis

max time kernel
129s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 14:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe
Size

112KB
MD5

20c91b6035298f2add0c2b0a5151cf42
SHA1

502329709ea04e86a536235b128538f11bbc07ee
SHA256

2a9577b9e974148ad1257b46354ae2fed7e42061286aa15f4dff91fe0a8feee3
SHA512

d2a254d3ffd502aeac18386c94f8fa587f3abf7a43bdf7c5328bba1f8fc18a642d0fdfa071c5958de39905b16a09f68ca48f3aaf4606f981090de048c0438c32
SSDEEP

1536:mRNW04otWYPMRoUtTGCQxvEBN7KyXA3Ygi/xzmNubly7L3RhCs:17oE/RoUtyCQxvEiISi5JIL3RhD

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

190.192.39.136:80

5.189.168.53:8080

162.241.41.111:7080

190.85.46.52:7080

190.190.15.20:80

181.95.133.104:80

41.212.89.128:80

115.176.16.221:80

143.95.101.72:8080

75.127.14.170:8080

116.202.10.123:8080

74.208.173.91:8080

103.93.220.182:80

50.116.78.109:8080

67.121.104.51:20

180.26.62.115:443

139.59.12.63:8080

76.18.16.210:80

113.161.148.81:80

5.79.70.250:8080

rsa_pubkey.plain

1
-----BEGIN PUBLIC KEY-----
2
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
3
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
4
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
5
-----END PUBLIC KEY-----

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral1/memory/2956-0-0x00000000001D0000-0x00000000001E2000-memory.dmp	emotet
behavioral1/memory/2956-7-0x00000000001C0000-0x00000000001CF000-memory.dmp	emotet
behavioral1/memory/2956-4-0x00000000001F0000-0x0000000000200000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2956	20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe
2956	20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe
2956	20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe
2956	20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

Network

No results found

190.192.39.136:80

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

152 B
3
190.192.39.136:80

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

152 B
3
5.189.168.53:8080

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

152 B
3
5.189.168.53:8080

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

152 B
3
162.241.41.111:7080

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

152 B
3
162.241.41.111:7080

20c91b6035298f2add0c2b0a5151cf42_JaffaCakes118.exe

152 B
3

No results found

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2956-0-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2956-7-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2956-4-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download