emotet | 16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757

Analysis

max time kernel
131s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe
Size

418KB
MD5

0937e5822094bc35518ab403909ed12d
SHA1

7e7640aae90766144f095d1ebfc85bbaf67d684a
SHA256

16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757
SHA512

f86737f723b4448c0ca959299f415f3765b64a9ba39edd3d567cef2fde404f86ab7d26f073a9e2e720bbfd22123a1f40eb9f301db914ba56a3203f5aaa222574
SSDEEP

12288:zXsObAC+H3bd40FM1OpzFt4t/tltJt004m6E0p:zzMC+HTFM1OpzhnF

Score

10^/10

emotet epoch1 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

78.206.229.130:80

104.131.92.244:8080

70.39.251.94:8080

87.230.25.43:8080

79.118.74.90:80

82.76.111.249:443

82.76.52.155:80

212.71.237.140:8080

188.251.213.180:80

103.236.179.162:80

1.226.84.243:8080

70.32.84.74:8080

2.84.12.98:80

201.213.177.139:80

177.73.0.98:443

170.81.48.2:80

129.232.220.11:8080

177.144.130.105:8080

213.52.74.198:80

120.72.18.91:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/1172-1-0x00000000003E0000-0x00000000003F0000-memory.dmp	emotet
behavioral1/memory/1172-2-0x0000000000590000-0x00000000005A2000-memory.dmp	emotet
behavioral1/memory/1172-6-0x00000000003F0000-0x0000000000400000-memory.dmp	emotet

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe

pid	Process
1172	16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe
1172	16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe
1172	16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe
1172	16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe

pid	Process
1172	16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe

C:\Users\Admin\AppData\Local\Temp\16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe
"C:\Users\Admin\AppData\Local\Temp\16e391d37f130c67d8f6dec477dc89828f42548a2a185a12898d469f7e6bf757.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-1-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1172-2-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1172-6-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download