emotet | b6ab713b17c6de4a9ce4f31b245ba3c231dff01589b32f411e8f1b45d6cf4217

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ab713b17c6de4a9ce4f31b245ba3c231dff01589b32f411e8f1b45d6cf4217.dll
Size

696KB
MD5

ac8ad2b50e78b0629a5043a0bce9297d
SHA1

02f16a6267a0ccf8771f0aa262392b99cfe6d708
SHA256

b6ab713b17c6de4a9ce4f31b245ba3c231dff01589b32f411e8f1b45d6cf4217
SHA512

d3a81ed412102262fe405a1e9e1004edb1ddb57029989c5b8b853963f5079118a0e2203353e7ec3f7cdfc6094f862a961d5562f50ad3215280681b87ca4e1ee2
SSDEEP

12288:FqQlvIOH0GCTBHmPt4eBQhXico09cDlB4Vx/ID:0uH0GCNeQ5i7H0

Score

10^/10

emotet epoch4 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

91.200.186.228:443

41.76.108.46:8080

188.165.214.166:7080

191.252.196.221:8080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080

212.237.56.116:7080

216.158.226.206:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Blocklisted process makes network request 11 IoCs

Processes:

rundll32.exe

flow	pid	Process
14	2392	rundll32.exe
20	2392	rundll32.exe
33	2392	rundll32.exe
34	2392	rundll32.exe
35	2392	rundll32.exe
36	2392	rundll32.exe
40	2392	rundll32.exe
41	2392	rundll32.exe
48	2392	rundll32.exe
49	2392	rundll32.exe
50	2392	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exerundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
2392	rundll32.exe
2392	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 2932 wrote to memory of 4184	2932	rundll32.exe	83
PID 2932 wrote to memory of 4184	2932	rundll32.exe	83
PID 2932 wrote to memory of 4184	2932	rundll32.exe	83
PID 4184 wrote to memory of 2392	4184	rundll32.exe	84
PID 4184 wrote to memory of 2392	4184	rundll32.exe	84
PID 4184 wrote to memory of 2392	4184	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6ab713b17c6de4a9ce4f31b245ba3c231dff01589b32f411e8f1b45d6cf4217.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6ab713b17c6de4a9ce4f31b245ba3c231dff01589b32f411e8f1b45d6cf4217.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b6ab713b17c6de4a9ce4f31b245ba3c231dff01589b32f411e8f1b45d6cf4217.dll",Control_RunDLL
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2392-18-0x0000000002FF0000-0x0000000003018000-memory.dmp

Filesize
160KB

Download
memory/2392-26-0x00000000031E0000-0x0000000003208000-memory.dmp

Filesize
160KB

Download
memory/2392-5-0x0000000001120000-0x0000000001148000-memory.dmp

Filesize
160KB

Download
memory/2392-9-0x0000000001120000-0x0000000001148000-memory.dmp

Filesize
160KB

Download
memory/2392-10-0x00000000028B0000-0x00000000028D8000-memory.dmp

Filesize
160KB

Download
memory/2392-14-0x0000000002F90000-0x0000000002FB8000-memory.dmp

Filesize
160KB

Download
memory/2392-46-0x00000000027D0000-0x00000000027F8000-memory.dmp

Filesize
160KB

Download
memory/2392-42-0x0000000000C30000-0x0000000000C58000-memory.dmp

Filesize
160KB

Download
memory/2392-34-0x00000000033E0000-0x0000000003408000-memory.dmp

Filesize
160KB

Download
memory/2392-30-0x00000000032F0000-0x0000000003318000-memory.dmp

Filesize
160KB

Download
memory/2392-22-0x00000000030D0000-0x00000000030F8000-memory.dmp

Filesize
160KB

Download
memory/2392-38-0x0000000000980000-0x00000000009A8000-memory.dmp

Filesize
160KB

Download
memory/4184-0-0x00000000021A0000-0x00000000021C8000-memory.dmp

Filesize
160KB

Download
memory/4184-4-0x0000000000A40000-0x0000000000A51000-memory.dmp

Filesize
68KB

Download