emotet | f8e1c62b7f0651b9979188d13e02ce6974d86e27412ae573acfcfb33a7489584

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2df8bf652644336ec3d59a24cfee5beb_JaffaCakes118.dll
Size

340KB
MD5

2df8bf652644336ec3d59a24cfee5beb
SHA1

c0dcec57afc03b2610324f50dbe5a339063a3716
SHA256

f8e1c62b7f0651b9979188d13e02ce6974d86e27412ae573acfcfb33a7489584
SHA512

c0207eac96a4ef683ec61d3e787be01da145b25001534442e1d3455583e6842c3654a5d9a06cc24367d045d78153145342bd5332536c9496a3b197d8168e2382
SSDEEP

3072:svA1p08RqEQAIVEd2gG/vNlo0JFx/pANyCm0PQEKR/JnXHWP:s206xWgGxLxWN40PDKR/JnX2P

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Loads dropped DLL 1 IoCs

pid	Process
752	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Rteaekuzepciefiq\qemljtjexjawjat.zlc	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1396	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1396	1128	rundll32.exe	82
PID 1128 wrote to memory of 1396	1128	rundll32.exe	82
PID 1128 wrote to memory of 1396	1128	rundll32.exe	82
PID 1396 wrote to memory of 752	1396	rundll32.exe	89
PID 1396 wrote to memory of 752	1396	rundll32.exe	89
PID 1396 wrote to memory of 752	1396	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2df8bf652644336ec3d59a24cfee5beb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2df8bf652644336ec3d59a24cfee5beb_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rteaekuzepciefiq\qemljtjexjawjat.zlc",SLetgUFfL
    3⤵
    - Loads dropped DLL
    PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Rteaekuzepciefiq\qemljtjexjawjat.zlc

Filesize
340KB

MD5
2df8bf652644336ec3d59a24cfee5beb

SHA1
c0dcec57afc03b2610324f50dbe5a339063a3716

SHA256
f8e1c62b7f0651b9979188d13e02ce6974d86e27412ae573acfcfb33a7489584

SHA512
c0207eac96a4ef683ec61d3e787be01da145b25001534442e1d3455583e6842c3654a5d9a06cc24367d045d78153145342bd5332536c9496a3b197d8168e2382

Download Submit
memory/1396-0-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/1396-1-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1396-3-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download