emotet | b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91

General

Target

b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
Size

700KB
MD5

843504ebb017aa60b9bfc8a38b9b08a1
SHA1

09f4e3bf45e0f76906a00e5fac06a7c98c88c430
SHA256

b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91
SHA512

6e0afabfbc96a594cd877d7953135356f54912f5c58db446f78e5566606f9d390e45db297d90376da05ec551981beface661ca585b355c8fc4efda8e961efcf4
SSDEEP

12288:BBVbS8WpG2pxlqnBc2dtqvgqDtpGCoLpwT62qX+cs4c0:bJSjtpxlmNdtjqRpJV6/X+6p

Score

10^/10

emotet epoch3 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pdftexas.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pdftexas.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pdftexas.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pdftexas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdftexas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdftexas.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pdftexas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pdftexas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pdftexas.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4420	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4944	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
4944	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
4420	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
4420	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
336	pdftexas.exe
336	pdftexas.exe
3032	pdftexas.exe
3032	pdftexas.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4420	4944	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	83
PID 4944 wrote to memory of 4420	4944	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	83
PID 4944 wrote to memory of 4420	4944	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	83
PID 336 wrote to memory of 3032	336	pdftexas.exe	95
PID 336 wrote to memory of 3032	336	pdftexas.exe	95
PID 336 wrote to memory of 3032	336	pdftexas.exe	95

C:\Users\Admin\AppData\Local\Temp\b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
"C:\Users\Admin\AppData\Local\Temp\b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
  --c16e2b9c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:4420

C:\Windows\SysWOW64\pdftexas.exe
"C:\Windows\SysWOW64\pdftexas.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\pdftexas.exe
  --2a093cb9
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\da549a9f1af10173cb41d98b13dd6c1e_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
50B

MD5
4356a877ee36bc8bd1a2d6f5727a52ac

SHA1
fa373f353496879e3e7d51cf2c2a963aa2681b4d

SHA256
e43deeec46a3039e8f06daeeb0f9ffd3dcc4bebd614093dbcdf44b6b6ad200c7

SHA512
eeb834061dfefd56b70c959750c12f34f6eea3da59b90c62c34a6e70999a1fd631c4b67505bf405e3139db6c2c1cd3402eab87ca3577658e308f61bee442dffb

Download Submit
memory/336-13-0x00000000005C0000-0x00000000005D7000-memory.dmp

Filesize
92KB

Download
memory/3032-20-0x0000000000780000-0x0000000000797000-memory.dmp

Filesize
92KB

Download
memory/4420-7-0x00000000021D0000-0x00000000021E7000-memory.dmp

Filesize
92KB

Download
memory/4420-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4944-0-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4944-1-0x0000000002550000-0x0000000002567000-memory.dmp

Filesize
92KB

Download
memory/4944-6-0x00000000024F0000-0x0000000002501000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing