emotet | 011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df7483be5406be695b50b1f15d83bbb8.exe
Size

671KB
MD5

df7483be5406be695b50b1f15d83bbb8
SHA1

69de8d0c0cead028805e8ac93ac6aa1bc95850aa
SHA256

011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a
SHA512

7b73ee755af1365a32ac70b4b8658283089e35b3c967b2328b6ab2a9e36881083a87c03d072acfd47eb9fb7d010ae48c8c55a2ebf00bf30b748f4473aff0eb02
SSDEEP

12288:BhGEsm5TpQrNAosJcRl7Bflkby3SJTGfRCK8lizPpZlySdpvIWjuZ:f5v0rNAMXBflkG3BCKiizxhjuZ

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

152.170.196.157:443

103.31.232.93:443

200.123.183.137:443

201.213.100.141:8080

70.32.115.157:8080

164.77.130.222:80

203.25.159.3:8080

184.57.130.8:80

190.147.137.153:443

91.83.93.124:7080

217.199.160.224:8080

190.57.130.142:443

185.94.252.12:80

77.55.211.77:8080

111.67.12.221:8080

5.45.108.146:8080

73.155.126.84:80

212.71.237.140:8080

5.196.35.138:7080

188.129.197.149:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

relog.exe

pid process

1776 relog.exe
1776 relog.exe
1776 relog.exe
1776 relog.exe
1776 relog.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

df7483be5406be695b50b1f15d83bbb8.exe

pid process

2976 df7483be5406be695b50b1f15d83bbb8.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

df7483be5406be695b50b1f15d83bbb8.exerelog.exe

pid process

2976 df7483be5406be695b50b1f15d83bbb8.exe
2976 df7483be5406be695b50b1f15d83bbb8.exe
1776 relog.exe
1776 relog.exe

pid	process
1776	relog.exe
1776	relog.exe
1776	relog.exe
1776	relog.exe
1776	relog.exe

pid	process
2976	df7483be5406be695b50b1f15d83bbb8.exe

pid	process
2976	df7483be5406be695b50b1f15d83bbb8.exe
2976	df7483be5406be695b50b1f15d83bbb8.exe
1776	relog.exe
1776	relog.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

df7483be5406be695b50b1f15d83bbb8.exe

description	pid	process	target process
PID 2976 wrote to memory of 1776	2976	df7483be5406be695b50b1f15d83bbb8.exe	relog.exe
PID 2976 wrote to memory of 1776	2976	df7483be5406be695b50b1f15d83bbb8.exe	relog.exe
PID 2976 wrote to memory of 1776	2976	df7483be5406be695b50b1f15d83bbb8.exe	relog.exe
PID 2976 wrote to memory of 1776	2976	df7483be5406be695b50b1f15d83bbb8.exe	relog.exe

C:\Users\Admin\AppData\Local\Temp\df7483be5406be695b50b1f15d83bbb8.exe
"C:\Users\Admin\AppData\Local\Temp\df7483be5406be695b50b1f15d83bbb8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\relog\relog.exe
"C:\Windows\SysWOW64\relog\relog.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c
Filesize
1KB

MD5
1d793222a442bbb9bda26e899810b868

SHA1
4177c37130f2295407898c0198f4d4dda3802749

SHA256
c41053595b27c8ac5388b3003bda5abc653f9ca271b424b43b13baecb6af427e

SHA512
0c8dbd5bf7dbd95db6c6a99d3cbde2065f0a8f8240badd52a04a710da5c1e44db547efdfb5cd3c60f1236f1eacb634910f54cbf7b88d3fe24f82d104570f7794

Download Submit
memory/1776-13-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2976-7-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2976-4-0x0000000001C20000-0x0000000001C2C000-memory.dmp

Filesize
48KB

Download
memory/2976-0-0x0000000001BD0000-0x0000000001BD2000-memory.dmp

Filesize
8KB

Download
memory/2976-8-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download