emotet | 435362e33c25d8d49a1f0fe40f13cb85a614c5a1872898f0875e010b455d57db

Analysis

max time kernel
131s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4110790fd0ea52f6fa6ceb1335ef0831_JaffaCakes118.dll
Size

340KB
MD5

4110790fd0ea52f6fa6ceb1335ef0831
SHA1

0e6c725c754f99da03e32e91745efc75b30719ea
SHA256

435362e33c25d8d49a1f0fe40f13cb85a614c5a1872898f0875e010b455d57db
SHA512

c214fee4afb94db014ce81472b37fa60299157e722477185ddf11bf10762e3142212d11398c4fdea5842665641034b56f83dc216eec7cbcce16cf9902f812c97
SSDEEP

3072:tvA1p08RqEQAIVEd2gG/vNlo0JFx/pANyCm0PQEKR/J+XCtT:t206xWgGxLxWN40PDKR/J+XaT

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

108.53.88.101:443

195.159.28.230:8080

162.241.204.233:8080

74.40.205.197:443

93.146.48.84:80

78.189.148.42:80

139.99.158.11:443

61.19.246.238:443

37.139.21.175:8080

118.83.154.64:443

85.105.205.77:8080

176.111.60.55:8080

50.116.111.59:8080

75.109.111.18:80

181.165.68.127:80

78.182.254.231:80

110.145.101.66:443

24.179.13.119:80

121.124.124.40:7080

115.21.224.117:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Loads dropped DLL 1 IoCs

pid	Process
516	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hsknpziepekx\xstfzidnzlx.lud	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4376	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4376	4504	rundll32.exe	83
PID 4504 wrote to memory of 4376	4504	rundll32.exe	83
PID 4504 wrote to memory of 4376	4504	rundll32.exe	83
PID 4376 wrote to memory of 516	4376	rundll32.exe	90
PID 4376 wrote to memory of 516	4376	rundll32.exe	90
PID 4376 wrote to memory of 516	4376	rundll32.exe	90

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4110790fd0ea52f6fa6ceb1335ef0831_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4110790fd0ea52f6fa6ceb1335ef0831_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsknpziepekx\xstfzidnzlx.lud",kQiskKp
    3⤵
    - Loads dropped DLL
    PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hsknpziepekx\xstfzidnzlx.lud

Filesize
340KB

MD5
4110790fd0ea52f6fa6ceb1335ef0831

SHA1
0e6c725c754f99da03e32e91745efc75b30719ea

SHA256
435362e33c25d8d49a1f0fe40f13cb85a614c5a1872898f0875e010b455d57db

SHA512
c214fee4afb94db014ce81472b37fa60299157e722477185ddf11bf10762e3142212d11398c4fdea5842665641034b56f83dc216eec7cbcce16cf9902f812c97

Download Submit
memory/4376-1-0x0000000001480000-0x00000000014A0000-memory.dmp

Filesize
128KB

Download
memory/4376-2-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4376-4-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download