emotet | cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde

Resubmissions

31-10-2024 15:15

241031-sncxfayngt 10

08-08-2020 03:17

200808-vd2qdjjmra 10

Analysis

max time kernel
141s
max time network
159s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-10-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe
Size

852KB
MD5

88e89512a55889d7431c1f53f53bed98
SHA1

5b8058e9f9b630ba53ad6b0f428e67f03080e7fe
SHA256

cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde
SHA512

b37358eb33998ba2a739e1f67f518d40ea64de8427af285139e59d071b5799465dfadecbd6df714468a93d23620fb1ee71ab28fc8fa61546f3f35d63ac78d57f
SSDEEP

12288:Sp63KfH3sS7wyEkf2vy/x2IuOR/qBdDDzs8cmS:Sl3sswyEklp2yRyBd9

Score

10^/10

emotet epoch2 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

47.146.32.175:80

212.51.142.238:8080

200.55.243.138:8080

114.146.222.200:80

153.126.210.205:7080

121.124.124.40:7080

222.214.218.37:4143

67.241.24.163:8080

180.92.239.110:8080

203.153.216.189:7080

119.198.40.179:80

70.167.215.250:8080

168.235.67.138:7080

190.55.181.54:443

139.59.60.244:8080

189.212.199.126:443

78.24.219.147:8080

61.19.246.238:443

137.59.187.107:8080

87.106.139.101:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral3/memory/3760-1-0x0000000002220000-0x000000000222C000-memory.dmp	emotet
behavioral3/memory/4688-9-0x0000000000640000-0x000000000064C000-memory.dmp	emotet
behavioral3/memory/4688-13-0x0000000000760000-0x0000000000860000-memory.dmp	emotet
behavioral3/memory/4688-14-0x0000000000640000-0x000000000064C000-memory.dmp	emotet
behavioral3/memory/4688-15-0x0000000000760000-0x0000000000860000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

pid	Process
4688	weretw.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KBDA2\weretw.exe	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weretw.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe
4688	weretw.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3760	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3760	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe
4688	weretw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 4688	3760	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe	81
PID 3760 wrote to memory of 4688	3760	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe	81
PID 3760 wrote to memory of 4688	3760	cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe	81

C:\Users\Admin\AppData\Local\Temp\cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe
"C:\Users\Admin\AppData\Local\Temp\cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\KBDA2\weretw.exe
  "C:\Windows\SysWOW64\KBDA2\weretw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KBDA2\weretw.exe

Filesize
852KB

MD5
88e89512a55889d7431c1f53f53bed98

SHA1
5b8058e9f9b630ba53ad6b0f428e67f03080e7fe

SHA256
cf253cb0546beb4fb9e65af62c7126ef15c4ec1a40f358d1962276bbb8e90bde

SHA512
b37358eb33998ba2a739e1f67f518d40ea64de8427af285139e59d071b5799465dfadecbd6df714468a93d23620fb1ee71ab28fc8fa61546f3f35d63ac78d57f

Download Submit
memory/3760-1-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/3760-5-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3760-7-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4688-9-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/4688-13-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/4688-14-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/4688-15-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download