spamreports

emotet au02458.exe

Dec 20th, 2019
emotet banker found on URL AS16276 [51.91.236.193] 🇫🇷
⚠️ https://www‧air-pegasus‧com/sips/ADcnKLXD/

au02458.exe
  windows7_x64   au02458.exe   10
  windows10_x64  au02458.exe   10

TTP categories: 0
Signatures: 7
Processes: 4

BACKEND: horse2
MAX TIME KERNEL: 144s
REPORTED: 2019-12-20T07:22:45Z
RESOURCE: win7v191014
SCORE: 10
SUBMITTED: 2019-12-20T07:20:09Z
TAGS: trojan,banker,family:emotet
TTP:

Target: au02458.exe
Filesize: 717.1kB
Completed: 2019-12-20 09:22
Score: 10/10
MD5: 8a40fd86bf18e3cacf8e71891170325a
SHA1: 0d1072ec41fbb77ca53ba36624cae6a764808a41
SHA256: 1fe9255bab8b718dcbf832be93cc321b8fd0cc432209a233b9cec6134a3869a8

emotet trojan banker

MALWARE CONFIG (extracted)
Family: emotet
rsa_pubkey.plain:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
-----END PUBLIC KEY-----
C2:
98.178.241.106:80
190.171.153.139:80
179.5.118.12:8080
45.79.75.232:8080
124.150.175.133:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
67.254.196.78:443
95.216.207.86:7080
181.46.176.38:80
98.15.140.226:80
217.12.70.226:80
115.179.91.58:80
41.190.148.90:80
162.144.46.90:8080
211.218.105.101:80
212.129.14.27:8080
120.51.83.89:443
200.41.121.69:443
81.82.247.216:80
138.197.140.163:8080
190.5.162.204:80
85.109.190.235:443
216.75.37.196:8080
41.77.74.214:443
86.6.123.109:80
203.160.173.202:80
211.48.165.9:443
158.69.167.246:8080
46.17.6.116:8080
24.27.122.202:80
177.103.240.93:80
110.142.161.90:80
108.184.9.44:80
46.105.131.68:8080
211.42.204.154:80
37.59.24.25:8080
89.215.225.15:80
23.253.207.142:8080
190.38.252.45:443
50.116.78.109:8080
94.203.236.122:80
86.70.224.211:80
174.57.150.13:8080
37.70.131.107:80
156.155.163.232:80
212.112.113.235:80
85.235.219.74:80
51.77.113.97:8080
78.46.87.133:8080
200.71.112.158:53
201.196.15.79:990
190.161.67.63:80
112.186.195.176:80
82.146.55.23:7080
78.187.204.70:80
188.230.134.205:80
189.61.200.9:443
195.250.143.182:80
37.46.129.215:8080
185.244.167.25:443
58.93.151.148:80
66.229.161.86:443
100.38.11.243:80
92.16.222.156:80
175.127.140.68:80
201.183.251.100:80
59.158.164.66:443
175.103.239.50:80
203.153.216.178:7080
154.120.227.190:443
124.150.175.129:8080
51.38.134.203:8080
72.27.212.209:8080
210.224.65.117:80
128.92.54.20:80
91.117.31.181:80
69.30.205.162:7080
142.93.87.198:8080
78.186.102.195:80
210.171.146.118:80
177.144.130.105:443
178.134.1.238:80
189.225.211.171:443
190.93.210.113:80
220.78.29.88:80
165.100.148.200:8080
72.51.153.27:80
95.216.212.157:8080
191.100.24.201:50000
187.250.92.82:80
58.185.224.18:80
217.181.139.237:443
83.156.88.159:80
221.154.59.110:80
82.79.244.92:80
197.94.32.129:8080
181.167.35.84:80
42.51.192.231:8080
113.52.135.33:7080
190.17.94.108:443
192.210.217.94:8080
190.47.236.83:80
176.58.93.123:80
95.9.217.200:8080
139.59.12.63:8080
96.234.38.186:8080
82.165.15.188:8080
193.33.38.208:443
88.247.26.78:80
87.9.181.247:80
86.98.157.3:80
192.161.190.171:8080
110.2.118.164:80
95.255.140.89:443
41.111.190.94:80
163.172.97.112:8080
186.84.173.136:8080
210.111.160.220:80
182.176.116.139:995
172.104.70.207:8080
24.28.178.71:80
190.101.87.170:80
192.241.220.183:8080
91.117.131.122:80
69.14.208.221:80

SIGNATURES

Emotet

Drops file in System32 directory
  au02458.exe
  texascors.exe
  Reported IOC (au02458.exe): C:\Users\Admin\AppData\Local\Temp\au02458.exe => C:\Windows\SysWOW64\texascors.exe  File renamed
  Reported IOC (texascors.exe): C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  File opened for modification

Suspicious use of SetWindowsHookEx
  au02458.exe
  au02458.exe
  texascors.exe
  texascors.exe

Suspicious use of WriteProcessMemory
  au02458.exe
  texascors.exe
  Reported IOC (au02458.exe): PID 1424 wrote to memory of 1112
  Reported IOC (texascors.exe): PID 1992 wrote to memory of 2016

Suspicious behavior: EmotetMutantsSpam
  au02458.exe
  texascors.exe

Suspicious behavior: RenamesItself
  au02458.exe

Suspicious behavior: EnumeratesProcesses
  texascors.exe

PROCESSES

C:\Users\Admin\AppData\Local\Temp\au02458.exe
  "C:\Users\Admin\AppData\Local\Temp\au02458.exe"
  Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 1424

C:\Users\Admin\AppData\Local\Temp\au02458.exe
  --10321ba5
  Suspicious use of SetWindowsHookEx; Suspicious behavior: EmotetMutantsSpam; Suspicious behavior: RenamesItself
  PID: 1112

C:\Windows\SysWOW64\texascors.exe
  "C:\Windows\SysWOW64\texascors.exe"
  Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 1992

C:\Windows\SysWOW64\texascors.exe
  --f3211a9c
  Suspicious use of SetWindowsHookEx; Suspicious behavior: EmotetMutantsSpam; Suspicious behavior: EnumeratesProcesses
  PID: 2016

NETWORK (TCP)
  98.178.241.106:80    texascors.exe
  98.178.241.106:80    texascors.exe
  190.171.153.139:80   texascors.exe
  190.171.153.139:80   texascors.exe
  179.5.118.12:8080    texascors.exe
  179.5.118.12:8080    texascors.exe