emotet | 998feda73b3991eb7520c035ac43c4e7 | Triage

Sharing

General

Target

998feda73b3991eb7520c035ac43c4e7
Size

57KB
MD5

998feda73b3991eb7520c035ac43c4e7
SHA1

499b9cba8094fe737dc7c62e4cc5526972c9a2c2
SHA256

f4db1859a3d9edccc34205e56082762bcc18f6eada78b93a644a89df7fc02b75
SHA512

a1c13f49040c731b45b3cdd2299e34fb1b1dd1eca6985a00584ed58345c2b8a54b01b3df31732a2a6e06c54456b1a5351caca88115678faeac87eb8e2258c3be
SSDEEP

768:bLo2dWDsCwSWJf70j1GEANY56B8Bcw5Mm9VbKIxYhuSgbJeItssFznhtaqNMIfW0:XnW7GerYh6NDjmulgmeQGN3fzRZ+Avl

Score

10^/10

trojan banker emotet

Malware Config

Signatures

Emotet family
emotet

Emotet payload 1 IoCs

Detects Emotet payload in memory.

resource	yara_rule
sample	emotet

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
998feda73b3991eb7520c035ac43c4e7

Files

998feda73b3991eb7520c035ac43c4e7
.dll windows:6 windows x86 arch:x86

8f9a124a88878ac62589c50d13924ff4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

qsort
bsearch
wcslen

kernel32

VirtualFree
Process32Next
Process32First
CreateToolhelp32Snapshot
CloseHandle
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
ExitProcess
VirtualAlloc
VirtualProtect
VirtualQuery
FreeLibrary
GetProcAddress
LoadLibraryA
LoadLibraryW
IsBadReadPtr

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ