emotet | 2a3b897cf137c82297222d708ca1aa02f9254253122a8caf3a2f64259dedb643

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fba4aaba360e8c54be620c4e7418e0N.exe
Size

668KB
MD5

f9fba4aaba360e8c54be620c4e7418e0
SHA1

e55caf6504792e0442b405fcec6699b1cc5e64ad
SHA256

2a3b897cf137c82297222d708ca1aa02f9254253122a8caf3a2f64259dedb643
SHA512

86d3618988898d2bf2d30a571fdb678a7a939e7cabce38e7d0ccc5e1846e00f9edd2f4fc5eda875aefdf4a08b853fff106d91ca89969d80d007c285e6aa441d7
SSDEEP

6144:gdiE4zqXVY7PfBHnzA0F3JhJx4eS58NMTy5fkLaMiLgLWL7SqaaYo5wzPLNQOIeG:gdw7hHnzAe3oe68Z6zEPaexL62

Score

10^/10

emotet epoch1 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

202.22.141.45:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

82.76.111.249:443

216.47.196.104:80

192.241.143.52:8080

192.81.38.31:80

87.106.253.248:8080

64.201.88.132:80

192.241.146.84:8080

12.162.84.2:8080

1.226.84.243:8080

177.129.17.170:443

202.134.4.210:7080

70.169.17.134:80

152.169.22.67:80

5.196.35.138:7080

138.97.60.141:7080

203.205.28.68:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral1/memory/268-4-0x00000000002B0000-0x00000000002C0000-memory.dmp	emotet
behavioral1/memory/268-0-0x0000000000290000-0x00000000002A2000-memory.dmp	emotet
behavioral1/memory/268-7-0x0000000000250000-0x000000000025F000-memory.dmp	emotet
behavioral1/memory/2488-10-0x00000000002F0000-0x0000000000302000-memory.dmp	emotet
behavioral1/memory/2488-14-0x0000000000320000-0x0000000000330000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

pid	Process
2488	KBDKAZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TsWpfWrp\KBDKAZ.exe	f9fba4aaba360e8c54be620c4e7418e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9fba4aaba360e8c54be620c4e7418e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KBDKAZ.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2488	KBDKAZ.exe
2488	KBDKAZ.exe
2488	KBDKAZ.exe
2488	KBDKAZ.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
268	f9fba4aaba360e8c54be620c4e7418e0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
268	f9fba4aaba360e8c54be620c4e7418e0N.exe
2488	KBDKAZ.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2488	268	f9fba4aaba360e8c54be620c4e7418e0N.exe	31
PID 268 wrote to memory of 2488	268	f9fba4aaba360e8c54be620c4e7418e0N.exe	31
PID 268 wrote to memory of 2488	268	f9fba4aaba360e8c54be620c4e7418e0N.exe	31
PID 268 wrote to memory of 2488	268	f9fba4aaba360e8c54be620c4e7418e0N.exe	31

C:\Users\Admin\AppData\Local\Temp\f9fba4aaba360e8c54be620c4e7418e0N.exe
"C:\Users\Admin\AppData\Local\Temp\f9fba4aaba360e8c54be620c4e7418e0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\SysWOW64\TsWpfWrp\KBDKAZ.exe
  "C:\Windows\SysWOW64\TsWpfWrp\KBDKAZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TsWpfWrp\KBDKAZ.exe

Filesize
668KB

MD5
f9fba4aaba360e8c54be620c4e7418e0

SHA1
e55caf6504792e0442b405fcec6699b1cc5e64ad

SHA256
2a3b897cf137c82297222d708ca1aa02f9254253122a8caf3a2f64259dedb643

SHA512
86d3618988898d2bf2d30a571fdb678a7a939e7cabce38e7d0ccc5e1846e00f9edd2f4fc5eda875aefdf4a08b853fff106d91ca89969d80d007c285e6aa441d7

Download Submit
memory/268-4-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/268-0-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/268-7-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/268-9-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2488-10-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/2488-14-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download