Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.
MALICIOUS | SUSPICIOUS | INFO |
---|---|---|
EMOTET was detected | Application launched itself | Dropped object may contain Bitcoin addresses |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000654B | 0x00006600 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 1.95226 |
.rdata | 0x00008000 | 0x0000CF94 | 0x0000D000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 1.96213 |
.data | 0x00015000 | 0x00023454 | 0x00023400 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.84829 |
.rsrc | 0x00039000 | 0x00023C58 | 0x00023E00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 6.67529 |
No exports.
Image |
---|
c:\users\admin\desktop\50671025a0f5b546ea7f3ee6e0e7545d.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\apphelp.dll |
Image |
---|
c:\users\admin\desktop\50671025a0f5b546ea7f3ee6e0e7545d.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\propsys.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\apphelp.dll |
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exed.exe |
c:\windows\system32\rsaenh.dll |
Image |
---|
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\apphelp.dll |
Image |
---|
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\iertutil.dll |
c:\windows\system32\userenv.dll |
c:\windows\system32\profapi.dll |
c:\windows\system32\wtsapi32.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\sspicli.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\dnsapi.dll |
c:\windows\system32\iphlpapi.dll |
c:\windows\system32\winnsi.dll |
c:\windows\system32\normaliz.dll |
c:\windows\system32\rasapi32.dll |
c:\windows\system32\rasman.dll |
c:\windows\system32\rtutils.dll |
c:\windows\system32\sensapi.dll |
c:\windows\system32\nlaapi.dll |
c:\windows\system32\rasadhlp.dll |
c:\windows\system32\mswsock.dll |
c:\windows\system32\wshqos.dll |
c:\windows\system32\wshtcpip.dll |
c:\windows\system32\wship6.dll |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | wabmetagen.exe | POST | –– | 105.185.141.205:80 | http://105.185.141.205/raster/ | ZA | binary (––) | –– | malicious |
2804 | wabmetagen.exe | POST | –– | 207.255.210.196:80 | http://207.255.210.196/xian/ | US | binary (––) | –– | malicious |
2804 | wabmetagen.exe | POST | –– | 190.211.207.11:443 | http://190.211.207.11:443/entries/enable/ringin/merge/ | AR | binary (––) | –– | malicious |
2804 | wabmetagen.exe | POST | –– | 187.233.152.78:443 | http://187.233.152.78:443/odbc/ | MX | binary (––) | –– | malicious |
PID | Process | IP | ASN | CN | Reputation |
---|---|---|---|---|---|
2804 | wabmetagen.exe | 212.122.71.196:995 | Penkiu kontinentu komunikaciju centras, Ltd. | LT | malicious |
2804 | wabmetagen.exe | 58.9.168.7:990 | True Internet Co.,Ltd. | TH | malicious |
2804 | wabmetagen.exe | 73.183.131.231:990 | Comcast Cable Communications, LLC | US | malicious |
2804 | wabmetagen.exe | 173.3.29.123:7080 | Cablevision Systems Corp. | US | unknown |
2804 | wabmetagen.exe | 105.185.141.205:80 | Telkom-Internet | ZA | malicious |
2804 | wabmetagen.exe | 207.255.210.196:80 | Atlantic Broadband Finance, LLC | US | malicious |
2804 | wabmetagen.exe | 190.211.207.11:443 | BVNET S.A. | AR | malicious |
2804 | wabmetagen.exe | 85.104.59.244:20 | Turk Telekom | TR | malicious |
2804 | wabmetagen.exe | 67.209.208.130:8443 | Plateau Telecommunications Incorporated | US | malicious |
2804 | wabmetagen.exe | 187.233.152.78:443 | Uninet S.A. de C.V. | MX | malicious |
PID | Process | Class | Message |
---|---|---|---|
2804 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] EMOTET/Feodo |
2804 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] EMOTET/Feodo |
2804 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] EMOTET/Feodo |
2804 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2804 | wabmetagen.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 21 |
No debug info.