emotet | 20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5

General

Target

20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe
Size

275KB
MD5

06bcef81d5bed3494d2e11f755f3a147
SHA1

af3baf78e17e4604a62981351e637af7fc7ccaff
SHA256

20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5
SHA512

9263df768cb7c8044331294d83b26cdc5cfabec94fe3c4c511aa1695667189ef9296df82aff88f72a0f26e58c05e13dbe3c7ce0eddfe35541ebcaac5dc7d9aaf
SSDEEP

3072:Mlse+h1pgO08zUngVMUhUk8huW9gCC97TlC16pxIsd/6ClKDtdV7fr2yITqfPeAJ:MlseSg5g3atAlDeCx4RdV7yTqfP1B3fH

Score

10^/10

emotet epoch3 banker discovery trojan upx

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

190.117.206.153:443

203.99.187.137:443

200.55.168.82:20

70.32.94.58:8080

213.138.100.98:8080

144.76.62.10:8080

203.99.188.203:990

201.196.15.79:990

203.99.182.135:443

176.58.93.123:80

192.241.220.183:8080

94.177.253.126:80

181.47.235.26:993

216.75.37.196:8080

95.216.207.86:7080

78.109.34.178:443

113.52.135.33:7080

216.70.88.55:8080

138.197.140.163:8080

181.113.229.139:990

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	fwdrshlp.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/3012-8-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2768-10-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2768-25-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2772-26-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/3012-24-0x0000000001F30000-0x0000000001FC4000-memory.dmp	upx
behavioral1/memory/2748-22-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2772-32-0x0000000000400000-0x0000000000494000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwdrshlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwdrshlp.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fwdrshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fwdrshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecisionReason = "1"	fwdrshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecisionTime = 00ae249eb551db01	fwdrshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecision = "0"	fwdrshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecisionReason = "1"	fwdrshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	fwdrshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}	fwdrshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadNetworkName = "Network 3"	fwdrshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecisionTime = 00ae249eb551db01	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	fwdrshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fwdrshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\6e-ce-24-8a-49-7e	fwdrshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	fwdrshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fwdrshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecision = "0"	fwdrshlp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	fwdrshlp.exe
2772	fwdrshlp.exe
2772	fwdrshlp.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2768	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2768	3012	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe	30
PID 3012 wrote to memory of 2768	3012	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe	30
PID 3012 wrote to memory of 2768	3012	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe	30
PID 3012 wrote to memory of 2768	3012	20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe	30
PID 2748 wrote to memory of 2772	2748	fwdrshlp.exe	32
PID 2748 wrote to memory of 2772	2748	fwdrshlp.exe	32
PID 2748 wrote to memory of 2772	2748	fwdrshlp.exe	32
PID 2748 wrote to memory of 2772	2748	fwdrshlp.exe	32

C:\Users\Admin\AppData\Local\Temp\20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe
"C:\Users\Admin\AppData\Local\Temp\20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\20c4e87be2fe1ded162bbc84e5671758917ba08f5efe3f97a432259ecf8d7ec5.exe
  --4aabb8cb
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:2768

C:\Windows\SysWOW64\fwdrshlp.exe
"C:\Windows\SysWOW64\fwdrshlp.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\fwdrshlp.exe
  --ebd7a26a
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-22-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2768-25-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2768-11-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2768-10-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2772-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2772-27-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/2772-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3012-9-0x0000000001F30000-0x0000000001FC4000-memory.dmp

Filesize
592KB

Download
memory/3012-8-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3012-24-0x0000000001F30000-0x0000000001FC4000-memory.dmp

Filesize
592KB

Download
memory/3012-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3012-6-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/3012-1-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing