emotet | 7a2a02bb9b3690ebe9f89d845c510075854f69cbc02608db416305e9e48b524f

Analysis

max time kernel
131s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

652d0ea3d43ee4c6fb7f65e1e757e2b5.exe
Size

339KB
MD5

652d0ea3d43ee4c6fb7f65e1e757e2b5
SHA1

55ea15cdcf721750582060155e613aeebf43f1eb
SHA256

25aba3ca6fa578be93b2c34a2b85457390bbddc901de49001aaf2fabd68fbfed
SHA512

12c39120f022204f060595c2498eed3e293b8c56b20decbbd7440d03ff4b86ad3e93e4bf9b96dbc4d2e4dd04b387db232551f6cced4f20cb5a9c88390a5b99b6
SSDEEP

6144:6nrRBHo9fqy39CN0tavtFvUh6zS/VvPDIWE3F3HY0:6wqy46aRzKV3DIB3F3HY

Score

10^/10

emotet epoch1 banker dave discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

190.96.15.50:80

192.175.111.214:8080

95.85.33.23:8080

192.232.229.54:7080

200.127.14.97:80

190.188.245.242:80

51.15.7.145:80

138.97.60.140:8080

98.13.75.196:80

213.52.74.198:80

74.58.215.226:80

192.81.38.31:80

191.182.6.118:80

212.71.237.140:8080

209.236.123.42:8080

60.93.23.51:80

178.211.45.66:8080

190.24.243.186:80

62.84.75.50:80

50.121.220.50:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral21/memory/1624-4-0x00000000003D0000-0x00000000003EF000-memory.dmp	emotet
behavioral21/memory/1624-0-0x00000000002B0000-0x00000000002D0000-memory.dmp	emotet
behavioral21/memory/1624-8-0x0000000000290000-0x00000000002AE000-memory.dmp	emotet
behavioral21/memory/2340-15-0x00000000003E0000-0x00000000003FF000-memory.dmp	emotet
behavioral21/memory/2340-11-0x00000000003C0000-0x00000000003E0000-memory.dmp	emotet

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral21/memory/1624-8-0x0000000000290000-0x00000000002AE000-memory.dmp	dave

Executes dropped EXE 1 IoCs

pid	Process
2340	jscript9.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated\jscript9.exe	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jscript9.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2340	jscript9.exe
2340	jscript9.exe
2340	jscript9.exe
2340	jscript9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe
2340	jscript9.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31
PID 1624 wrote to memory of 2340	1624	652d0ea3d43ee4c6fb7f65e1e757e2b5.exe	31

C:\Users\Admin\AppData\Local\Temp\652d0ea3d43ee4c6fb7f65e1e757e2b5.exe
"C:\Users\Admin\AppData\Local\Temp\652d0ea3d43ee4c6fb7f65e1e757e2b5.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\RunLegacyCPLElevated\jscript9.exe
  "C:\Windows\SysWOW64\RunLegacyCPLElevated\jscript9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RunLegacyCPLElevated\jscript9.exe

Filesize
339KB

MD5
652d0ea3d43ee4c6fb7f65e1e757e2b5

SHA1
55ea15cdcf721750582060155e613aeebf43f1eb

SHA256
25aba3ca6fa578be93b2c34a2b85457390bbddc901de49001aaf2fabd68fbfed

SHA512
12c39120f022204f060595c2498eed3e293b8c56b20decbbd7440d03ff4b86ad3e93e4bf9b96dbc4d2e4dd04b387db232551f6cced4f20cb5a9c88390a5b99b6

Download Submit
memory/1624-4-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/1624-0-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/1624-8-0x0000000000290000-0x00000000002AE000-memory.dmp

Filesize
120KB

Download
memory/1624-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2340-15-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2340-11-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download