Fichier Kimligi
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| Fichier Adi | Emotet Payload: 32-bit DLL.dll |
| Taille | 193.536 byte |
| String Sayisi | 327 (cok agir paket) |
RC4 Sifrelenmis C2 Fragment
122C2J2p2 -- RC4/AES sifrelenmis C2 config fragmenti -- 327 string tipik Emotet yuksek entropi paketi
Emotet Hakkinda
Emotet (Heodo), 2014'ten beri aktif modular botnet altyapisidir. 2021 Europol operasyonuyla yikilmis, 2022'de yeniden dogurmustir. Polimorfik imza, RC4 sifrelenmis IP listesi, Cobalt Strike/ransomware yukleme.
IOC
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| C2 | RC4 sifrelenmis IP listesi |
Emotet — Profil du malware
Emotet (Heodo/Mealybug/TA542) 32-bit DLL payload. Process enumeration via CreateToolhelp32Snapshot+Process32First/Next. VirtualAlloc+VirtualProtect shellcode staging. ntdll.dll direct calls. Low entropy 3.92 (stage-1 loader/encoded payload). Suspicious imagebase and DOS stub.
Détails techniques
C dili, HTTP C2 (RSA+AES sifreleme), modular yapi (email stealer, spreader, Outlook harvester), process hollowing, living off the land (regsvr32, mshta, certutil), Epoch1/2/3/4/5 botnet
Attribution / Acteur de la menace
TA542 (MUMMY SPIDER) - Ukrayna kokenli oldugu dusunulen organizasyon. 2021'de Europol/FBI tarafindan coguyla tutuklandi; 2022'de geri dondu.
Capacités et comportement
Liste IOC (1 indicateurs)
# SHA256
e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965
| Type | Valeur | Note |
|---|---|---|
| sha256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
Serveurs C2 (7 serveurs enregistrés pour cette famille)
| Adresse | Type | Port | Protocole | Statut | Pays |
|---|---|---|---|---|---|
| 41.216.188.11 | ip | 8000 | HTTP | active | — |
| 103.143.173.206 | ip | 443 | HTTPS | inactive | ID |
| 144.91.65.153 | ip | 7080 | HTTP | inactive | DE |
| 195.88.54.144 | ip | 8080 | HTTP | sinkholed | — |
| 103.43.46.149 | ip | 443 | HTTPS | sinkholed | — |
| 185.220.101.32 | ip | 80 | HTTP | sinkholed | DE |
| 5.135.183.154 | ip | 8080 | HTTP | sinkholed | FR |
Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.