Datei Kimligi
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| Datei Adi | Emotet Payload: 32-bit DLL.dll |
| Größe | 193.536 byte |
| String Sayisi | 327 (cok agir paket) |
RC4 Sifrelenmis C2 Fragment
122C2J2p2 -- RC4/AES sifrelenmis C2 config fragmenti -- 327 string tipik Emotet yuksek entropi paketi
Emotet Hakkinda
Emotet (Heodo), 2014'ten beri aktif modular botnet altyapisidir. 2021 Europol operasyonuyla yikilmis, 2022'de yeniden dogurmustir. Polimorfik imza, RC4 sifrelenmis IP listesi, Cobalt Strike/ransomware yukleme.
IOC
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| C2 | RC4 sifrelenmis IP listesi |
Emotet — Malware-Profil
Emotet (Heodo/Mealybug/TA542) 32-bit DLL payload. Process enumeration via CreateToolhelp32Snapshot+Process32First/Next. VirtualAlloc+VirtualProtect shellcode staging. ntdll.dll direct calls. Low entropy 3.92 (stage-1 loader/encoded payload). Suspicious imagebase and DOS stub.
Technische Details
C dili, HTTP C2 (RSA+AES sifreleme), modular yapi (email stealer, spreader, Outlook harvester), process hollowing, living off the land (regsvr32, mshta, certutil), Epoch1/2/3/4/5 botnet
Attribution / Bedrohungsakteur
TA542 (MUMMY SPIDER) - Ukrayna kokenli oldugu dusunulen organizasyon. 2021'de Europol/FBI tarafindan coguyla tutuklandi; 2022'de geri dondu.
Fähigkeiten & Verhalten
IOC-Liste (1 Indikatoren)
# SHA256
e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965
| Typ | Wert | Bemerkung |
|---|---|---|
| sha256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
C2-Server (7 erfasste Server für diese Familie)
| Adresse | Typ | Port | Protokoll | Status | Land |
|---|---|---|---|---|---|
| 41.216.188.11 | ip | 8000 | HTTP | active | — |
| 103.143.173.206 | ip | 443 | HTTPS | inactive | ID |
| 144.91.65.153 | ip | 7080 | HTTP | inactive | DE |
| 195.88.54.144 | ip | 8080 | HTTP | sinkholed | — |
| 103.43.46.149 | ip | 443 | HTTPS | sinkholed | — |
| 185.220.101.32 | ip | 80 | HTTP | sinkholed | DE |
| 5.135.183.154 | ip | 8080 | HTTP | sinkholed | FR |
C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.