Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-01-2025 10:24

General

  • Target

    2025-01-11_01a257d782eaf3c8ed377a4348b18b30_icedid.exe

  • Size

    448KB

  • MD5

    01a257d782eaf3c8ed377a4348b18b30

  • SHA1

    511d53d5481c25a12c197ed86fbf2a4356fcba2d

  • SHA256

    161a956d046adcdd6a33019403d529367a4f6c782b284bd4fb564661fc9e63c3

  • SHA512

    0e868d7aca2658054394ef4a3e6bd7eb73a78920d6c15edc86351e76f7159cc9b67befd8465d461447826debc8b2fc91cffd273ed942037ab49a223a5de9874a

  • SSDEEP

    6144:1oRPSh8ci4yzgAnoEt7kJTrxkQ2qKib+PiDnVEPAlvsASuwbiyc4sSE5Zi:EPSCciiAnoEt7Cr9rbBhEPAyD5BH

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

126.126.139.26:443

192.175.111.217:7080

195.181.215.65:4143

75.127.14.170:8080

37.205.9.252:7080

41.185.29.128:8080

190.194.12.132:80

192.210.217.94:8080

79.133.6.236:8080

24.231.51.190:80

203.153.216.178:7080

128.106.187.110:80

172.96.190.154:8080

113.161.148.81:80

139.59.12.63:8080

116.91.240.96:80

73.55.128.120:80

37.46.129.215:8080

109.13.179.195:80

118.243.83.70:80

rsa_pubkey.plain
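
The C2 list above is the actionable part of this report (note that the submitted filename is tagged _icedid while the extracted config is Emotet, botnet Epoch3; the extracted config, not the filename, is what to act on). The following is an added example, not part of the sandbox output: it takes the extracted ip:port entries verbatim, matches them against a few constructed flow records in an assumed "timestamp src -> dst:port bytes" format, and emits one Suricata rule per endpoint. The log lines, the record format and the sid range are illustrative assumptions.

```python
"""Match network telemetry against the Emotet Epoch3 C2 list extracted above.

Added example, not part of the sandbox report. EMOTET_EPOCH3_C2 is copied
verbatim from the report's extracted config; SAMPLE_FLOWS are constructed
lines in an assumed "ts src -> dst:port bytes" shape, not real telemetry.
"""
import ipaddress
import re
from collections import Counter

# C2 endpoints exactly as listed in the extracted config (ip:port per entry).
EMOTET_EPOCH3_C2 = """
126.126.139.26:443   192.175.111.217:7080  195.181.215.65:4143   75.127.14.170:8080
37.205.9.252:7080    41.185.29.128:8080    190.194.12.132:80     192.210.217.94:8080
79.133.6.236:8080    24.231.51.190:80      203.153.216.178:7080  128.106.187.110:80
172.96.190.154:8080  113.161.148.81:80     139.59.12.63:8080     116.91.240.96:80
73.55.128.120:80     37.46.129.215:8080    109.13.179.195:80     118.243.83.70:80
""".split()


def parse_c2(entries):
    """Return {IPv4Address: {ports}}. A malformed entry raises ValueError
    instead of silently becoming an indicator that can never match."""
    c2 = {}
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad C2 entry: {entry!r}")
        c2.setdefault(ipaddress.ip_address(host), set()).add(int(port))
    return c2


# Constructed sample flows (assumed format: "<ts> <src> -> <dst>:<port> <bytes>").
SAMPLE_FLOWS = [
    "2025-01-11T10:25:01Z 10.0.0.15 -> 126.126.139.26:443 5120",  # C2, configured port
    "2025-01-11T10:25:03Z 10.0.0.15 -> 8.8.8.8:53 120",           # benign
    "2025-01-11T10:25:09Z 10.0.0.22 -> 195.181.215.65:80 2048",   # C2 IP, other port
    "2025-01-11T10:25:12Z 10.0.0.15 -> 41.185.29.128:8080 8192",  # C2, configured port
    "not a flow record",                                           # skipped by parser
    "2025-01-11T10:26:00Z 10.0.0.30 -> 192.210.217.9:8080 300",   # prefix of a C2 IP only
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def find_c2_hits(lines, c2):
    """Exact-address match of each flow's destination against the C2 set.
    Matching on parsed addresses (not substrings) keeps 192.210.217.9 from
    matching 192.210.217.94. A C2 IP seen on a port the config does not list
    is still reported with port_match=False: C2 lists change between config
    updates, so the address is the stronger indicator."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in c2:
            port = int(m["port"])
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                         "port": port, "port_match": port in c2[dst]})
    return hits


def infected_hosts(hits):
    """Count C2 contacts per internal source, for triage ordering."""
    return Counter(h["src"] for h in hits)


def suricata_rules(c2, sid_base=9000001):
    """One alert rule per ip:port pair; sids allocated sequentially from sid_base
    (an assumed local sid range)."""
    rules = []
    for ip, ports in sorted(c2.items()):
        for port in sorted(ports):
            sid = sid_base + len(rules)
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"Emotet Epoch3 C2 {ip}:{port}"; sid:{sid}; rev:1;)'
            )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(EMOTET_EPOCH3_C2)
    hits = find_c2_hits(SAMPLE_FLOWS, c2)
    for hit in hits:
        print(hit)
    print(infected_hosts(hits))
    print("\n".join(suricata_rules(c2)))
```

Feed real flow or proxy records by replacing SAMPLE_FLOWS and adjusting FLOW_RE to the export format in use; the C2 set itself should be treated as valid only for the config extracted from this sample, since Emotet operators replace the list between builds.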

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet family
  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-11_01a257d782eaf3c8ed377a4348b18b30_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-11_01a257d782eaf3c8ed377a4348b18b30_icedid.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2936

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2936-0-0x0000000000610000-0x000000000063A000-memory.dmp

    Filesize

    168KB

  • memory/2936-5-0x0000000000640000-0x0000000000669000-memory.dmp

    Filesize

    164KB

  • memory/2936-2-0x00000000003D0000-0x00000000003F8000-memory.dmp

    Filesize

    160KB