emotet | 77e62951ac45a31868dc82c2beb99ee4ebca2a47bd78d5d52525779ad9f6b6c5

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4953a33b76dc46769246579f6d165426_JaffaCakes118.dll
Size

340KB
MD5

4953a33b76dc46769246579f6d165426
SHA1

0bb599a9059da27fa58dd9053bbcdf2bb782bd65
SHA256

77e62951ac45a31868dc82c2beb99ee4ebca2a47bd78d5d52525779ad9f6b6c5
SHA512

16b05813538c878d372cada42b30eb77ae661c6ecfeeec71e309d7767b71747516349eb811f46246a54d8f17f50898c470908d111077ca1d476e57cc514f037a
SSDEEP

3072:7vA1p08RqEQAIVEd2gG/vNlo0JFx/pANyCm0PQEKR/JnXHWP:7206xWgGxLxWN40PDKR/JnX2P

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Loads dropped DLL 1 IoCs

pid	Process
2616	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bdebaynozwqlxmp\tltrlmvgadelvg.lti	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
816	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 816	1252	rundll32.exe	83
PID 1252 wrote to memory of 816	1252	rundll32.exe	83
PID 1252 wrote to memory of 816	1252	rundll32.exe	83
PID 816 wrote to memory of 2616	816	rundll32.exe	90
PID 816 wrote to memory of 2616	816	rundll32.exe	90
PID 816 wrote to memory of 2616	816	rundll32.exe	90

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4953a33b76dc46769246579f6d165426_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4953a33b76dc46769246579f6d165426_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bdebaynozwqlxmp\tltrlmvgadelvg.lti",UvjEl
    3⤵
    - Loads dropped DLL
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdebaynozwqlxmp\tltrlmvgadelvg.lti

Filesize
340KB

MD5
4953a33b76dc46769246579f6d165426

SHA1
0bb599a9059da27fa58dd9053bbcdf2bb782bd65

SHA256
77e62951ac45a31868dc82c2beb99ee4ebca2a47bd78d5d52525779ad9f6b6c5

SHA512
16b05813538c878d372cada42b30eb77ae661c6ecfeeec71e309d7767b71747516349eb811f46246a54d8f17f50898c470908d111077ca1d476e57cc514f037a

Download Submit
memory/816-1-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/816-0-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download
memory/816-3-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download