Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 22:48 UTC

General

  • Target

    899280445df00737c6c091ccbcc2ddb97e2d1214d4cb8b23e914a45bdcd84cf2.dll

  • Size

    190KB

  • MD5

    58e907ea467a45ebcc32b3f197d21da9

  • SHA1

    e4282a4b9478654f1882cbd9027a1086fb578fa1

  • SHA256

    899280445df00737c6c091ccbcc2ddb97e2d1214d4cb8b23e914a45bdcd84cf2

  • SHA512

    3d416f73f1cbbfeb498da2b1a58e0c98a50ccb904b6d1b06010b0c2c570a49d416a64436c58ac6e8c169d55859009326b52c56d9917c5aa6e970f91f37c0a3c8

  • SSDEEP

    3072:difRZP/MoiW9/e5eix8l2UmeYIQqpAFsndgdNiEhILSx3r:IfvMoF9FixiYbqpiYgNiEhI2r

Malware Config

Extracted

  • Family
    emotet
  • Botnet
    Epoch3
  • C2
    113.161.176.235:80
    88.247.30.64:80
    89.163.210.141:8080
    139.162.10.249:8080
    203.157.152.9:7080
    109.99.146.210:8080
    78.90.78.210:80
    172.193.14.201:80
    157.7.164.178:8081
    189.211.214.19:443
    157.245.145.87:443
    180.148.4.130:8080
    46.32.229.152:8080
    24.245.65.66:80
    82.78.179.117:443
    177.130.51.198:80
    121.117.147.153:443
    203.160.167.243:80
    172.104.46.84:8080
    202.29.237.113:8080
  • rsa_pubkey.plain

    -----BEGIN PUBLIC KEY-----
    MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
    cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
    l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
    -----END PUBLIC KEY-----
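To make the extracted configuration usable outside the sandbox, the following Python example (added here; it is not part of the report or of the sandbox's own tooling) parses the RSA public key above with a minimal DER reader, reports the modulus size and exponent, and matches the C2 list against connection log lines of the kind an EDR or proxy produces. The key and C2 list are copied from this report; the three log lines are constructed for illustration and do not come from the sandbox. The modulus turns out to be 768 bits, far below the 2048-bit floor accepted for RSA today (RSA-768 was publicly factored in 2009).

```python
import base64
import re

# RSA public key as extracted from the sample's configuration (copied from the report above).
EMOTET_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----"""

# C2 endpoints (host:port) as listed in the extracted config.
EMOTET_C2 = [
    "113.161.176.235:80", "88.247.30.64:80", "89.163.210.141:8080",
    "139.162.10.249:8080", "203.157.152.9:7080", "109.99.146.210:8080",
    "78.90.78.210:80", "172.193.14.201:80", "157.7.164.178:8081",
    "189.211.214.19:443", "157.245.145.87:443", "180.148.4.130:8080",
    "46.32.229.152:8080", "24.245.65.66:80", "82.78.179.117:443",
    "177.130.51.198:80", "121.117.147.153:443", "203.160.167.243:80",
    "172.104.46.84:8080", "202.29.237.113:8080",
]

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after the element).
    Handles short-form and long-form lengths, which is all a SubjectPublicKeyInfo needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem):
    """Parse a PEM SubjectPublicKeyInfo carrying an RSAPublicKey.
    Returns (modulus_bits, public_exponent). Raises ValueError on a non-RSA key."""
    b64 = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    _, alg, pos = _der_read(spki, 0)
    _, oid, _ = _der_read(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    # subjectPublicKey BIT STRING; first content byte is the unused-bits count
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa, _ = _der_read(bitstr[1:], 0)          # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _der_read(rsa, 0)
    _, e_bytes, _ = _der_read(rsa, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def key_is_weak(modulus_bits, minimum_bits=2048):
    """True when the modulus is below the size a practitioner would accept for RSA today."""
    return modulus_bits < minimum_bits


# Constructed connection-log lines for illustration (not from the sandbox capture).
SAMPLE_LOG = [
    "2024-11-20T22:49:01Z rundll32.exe pid=2504 connect 113.161.176.235:80",
    "2024-11-20T22:49:01Z rundll32.exe pid=2504 connect 89.163.210.141:8080",
    "2024-11-20T22:49:02Z chrome.exe pid=1200 connect 142.250.74.78:443",
]

_ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def find_c2_hits(lines, c2=EMOTET_C2):
    """Return (ip, port) pairs from the log lines that match a configured C2 endpoint.
    Matches on host:port, so the same IP on an unlisted port is not reported."""
    c2_set = set(c2)
    hits = []
    for line in lines:
        for ip, port in _ENDPOINT_RE.findall(line):
            if f"{ip}:{port}" in c2_set:
                hits.append((ip, int(port)))
    return hits


if __name__ == "__main__":
    bits, e = parse_rsa_public_key(EMOTET_PEM)
    print(f"RSA modulus: {bits} bits, e={e}, weak={key_is_weak(bits)}")
    for ip, port in find_c2_hits(SAMPLE_LOG):
        print(f"C2 contact: {ip}:{port}")
```

The key parser deliberately checks the algorithm OID and the outer tags rather than trusting offsets, so a config extractor that hands it an EC key or a corrupted blob fails loudly instead of reporting a meaningless bit length. Matching on host:port rather than IP alone keeps the hit list tied to the configured endpoints.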

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet family
  • Blocklisted process makes network request 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\899280445df00737c6c091ccbcc2ddb97e2d1214d4cb8b23e914a45bdcd84cf2.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\899280445df00737c6c091ccbcc2ddb97e2d1214d4cb8b23e914a45bdcd84cf2.dll,#1
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2504

    The 64-bit rundll32.exe in System32 re-launches the 32-bit rundll32.exe from SysWOW64 with the same command line, which is what Windows does when a 64-bit rundll32 is asked to load a 32-bit DLL (the resource tags list both arch:x86 and arch:x64). The DLL is invoked by ordinal (,#1) rather than by export name, and the C2 traffic and discovery behaviour are attributed to the child process (PID 2504), whose memory region is the one captured under Downloads.

Network

  • 113.161.176.235:80
    rundll32.exe, 152 B, 3
  • 113.161.176.235:80
    rundll32.exe, 152 B, 3
  • 88.247.30.64:80
    rundll32.exe, 152 B, 3
  • 88.247.30.64:80
    rundll32.exe, 152 B, 3
  • 89.163.210.141:8080
    rundll32.exe, 152 B, 3
  • 89.163.210.141:8080
    rundll32.exe, 152 B, 3

    Only the first three C2 endpoints from the extracted config were contacted within the 145 s network window, each twice, with 152 B per flow; the remaining network views recorded no results. A successful check-in is not shown, so the remaining 17 endpoints in the config should be treated as indicators on the strength of the extracted configuration rather than of observed traffic.

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2504-0-0x0000000000360000-0x0000000000382000-memory.dmp

    Filesize

    136KB
