emotet | 2c32227fabdf7aa09fa55509305e6d23d45fce2d45d5fd395dff2fbf2fff7545 | Triage

Sharing

General

Target

2c32227fabdf7aa09fa55509305e6d23d45fce2d45d5fd395dff2fbf2fff7545
Size

196KB
MD5

49d5526f03c506efc5ce7cbb0d50e0d3
SHA1

21bee7969fcafb54818c5e6b5c2da140eaac4f20
SHA256

2c32227fabdf7aa09fa55509305e6d23d45fce2d45d5fd395dff2fbf2fff7545
SHA512

4cbdf8989b283d2eb1ab89690fd571447f86aa58bcb6623e70b177d1858c6bf2ba5e80e8b38199a6e8d4b73a038fbc69bc321ebeeff0105f7f5c627cca8f3e20
SSDEEP

3072:8DpJoj/4bRze+hVJ96hVYja5OpA98EEXfc5ikSxAx8/LN4ucvWlsZQSGv+:cp674Ze+/LyK7AF0fY7S2KWC

Score

10^/10

trojan banker emotet

Malware Config

Signatures

Emotet family
emotet
Emotet payload 1 IoCs
Detects Emotet payload in memory.
trojan banker

Processes:

resource yara_rule

sample emotet

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
2c32227fabdf7aa09fa55509305e6d23d45fce2d45d5fd395dff2fbf2fff7545

Files

2c32227fabdf7aa09fa55509305e6d23d45fce2d45d5fd395dff2fbf2fff7545
.dll windows:6 windows x86 arch:x86

8f9a124a88878ac62589c50d13924ff4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

qsort
bsearch
wcslen

kernel32

VirtualFree
Process32Next
Process32First
CreateToolhelp32Snapshot
CloseHandle
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
ExitProcess
VirtualAlloc
VirtualProtect
VirtualQuery
FreeLibrary
GetProcAddress
LoadLibraryA
LoadLibraryW
IsBadReadPtr

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 187KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ