emotet | 011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
Size

671KB
MD5

df7483be5406be695b50b1f15d83bbb8
SHA1

69de8d0c0cead028805e8ac93ac6aa1bc95850aa
SHA256

011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a
SHA512

7b73ee755af1365a32ac70b4b8658283089e35b3c967b2328b6ab2a9e36881083a87c03d072acfd47eb9fb7d010ae48c8c55a2ebf00bf30b748f4473aff0eb02
SSDEEP

12288:BhGEsm5TpQrNAosJcRl7Bflkby3SJTGfRCK8lizPpZlySdpvIWjuZ:f5v0rNAMXBflkG3BCKiizxhjuZ

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

152.170.196.157:443

103.31.232.93:443

200.123.183.137:443

201.213.100.141:8080

70.32.115.157:8080

164.77.130.222:80

203.25.159.3:8080

184.57.130.8:80

190.147.137.153:443

91.83.93.124:7080

217.199.160.224:8080

190.57.130.142:443

185.94.252.12:80

77.55.211.77:8080

111.67.12.221:8080

5.45.108.146:8080

73.155.126.84:80

212.71.237.140:8080

5.196.35.138:7080

188.129.197.149:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

CoreShellAPI.exe

pid	process
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe

pid process

3312 2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exeCoreShellAPI.exe

pid process

3312 2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
3312 2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
1040 CoreShellAPI.exe
1040 CoreShellAPI.exe

pid	process
3312	2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe

pid	process
3312	2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
3312	2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
1040	CoreShellAPI.exe
1040	CoreShellAPI.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe

description	pid	process	target process
PID 3312 wrote to memory of 1040	3312	2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe	CoreShellAPI.exe
PID 3312 wrote to memory of 1040	3312	2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe	CoreShellAPI.exe
PID 3312 wrote to memory of 1040	3312	2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe	CoreShellAPI.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\CoreShellAPI\CoreShellAPI.exe
"C:\Windows\SysWOW64\CoreShellAPI\CoreShellAPI.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1181767204-2009306918-3718769404-1000\0f5007522459c86e95ffcc62f32308f1_d2547453-e731-4fdf-8f92-95f955a44aca
Filesize
1KB

MD5
dc5dcdb642ccc94f7e8bf2b17fd26c0a

SHA1
1f4b685b075b93efe04cdb2851c2bd0c5705691f

SHA256
f421b79d70194b73fb10d82a5c596fffa838b9bec226689ec972b69a13de0acb

SHA512
67b2e07a90f73262371c8ac530b636d050d108c503e383c66b8b52847cea26ada213d8dc62cd572a402b5e819683c29918d2a5945f344571ae67a2ffa7fade67

Download Submit
memory/1040-13-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/3312-0-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/3312-4-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/3312-7-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/3312-8-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download