文件 Kimligi
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| 文件 Adi | Emotet Payload: 32-bit DLL.dll |
| 大小 | 193.536 byte |
| String Sayisi | 327 (cok agir paket) |
RC4 Sifrelenmis C2 Fragment
122C2J2p2 -- RC4/AES sifrelenmis C2 config fragmenti -- 327 string tipik Emotet yuksek entropi paketi
Emotet Hakkinda
Emotet (Heodo), 2014'ten beri aktif modular botnet altyapisidir. 2021 Europol operasyonuyla yikilmis, 2022'de yeniden dogurmustir. Polimorfik imza, RC4 sifrelenmis IP listesi, Cobalt Strike/ransomware yukleme.
IOC
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| C2 | RC4 sifrelenmis IP listesi |
Emotet — 恶意软件档案
Emotet (Heodo/Mealybug/TA542) 32-bit DLL payload. Process enumeration via CreateToolhelp32Snapshot+Process32First/Next. VirtualAlloc+VirtualProtect shellcode staging. ntdll.dll direct calls. Low entropy 3.92 (stage-1 loader/encoded payload). Suspicious imagebase and DOS stub.
技术细节
C dili, HTTP C2 (RSA+AES sifreleme), modular yapi (email stealer, spreader, Outlook harvester), process hollowing, living off the land (regsvr32, mshta, certutil), Epoch1/2/3/4/5 botnet
归因 / 威胁行为者
TA542 (MUMMY SPIDER) - Ukrayna kokenli oldugu dusunulen organizasyon. 2021'de Europol/FBI tarafindan coguyla tutuklandi; 2022'de geri dondu.
能力与行为
IOC列表 (1 个指标)
# SHA256
e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965
| 类型 | 值 | 备注 |
|---|---|---|
| sha256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
C2服务器 (该家族共有 7 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| 41.216.188.11 | ip | 8000 | HTTP | active | — |
| 103.143.173.206 | ip | 443 | HTTPS | inactive | ID |
| 144.91.65.153 | ip | 7080 | HTTP | inactive | DE |
| 195.88.54.144 | ip | 8080 | HTTP | sinkholed | — |
| 103.43.46.149 | ip | 443 | HTTPS | sinkholed | — |
| 185.220.101.32 | ip | 80 | HTTP | sinkholed | DE |
| 5.135.183.154 | ip | 8080 | HTTP | sinkholed | FR |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。