Genel Bakis
Bu ornek, dosya adi EmotetPayload32-bitDL olarak etiketlenmis 333KB buyuklugunde bir Emotet 32-bit DLL Payload'dir. Emotet, 2014'ten bu yana aktif olan, dunya genelinde bankaci trojan, spam gonderici ve ikincil payload yukleyici olarak kullanilan en tehlikeli malware ailelerinden biridir. FBI ve CISA tarafindan pek cok kez kritik tehdit olarak siniflandirilmistir.
Emotet Hakkinda
- Ilk olarak 2014'te bankacilik trojan olarak ortaya cikti
- Sonraki surumler: spam botnet, dropper/loader, C2 moduler mimarisi
- 2021'de Europol operasyonuyla cokertildi; 2021 sonunda yeniden aktif
- 2022-2023: Epoch 4 ve Epoch 5 olarak iki farkli C2 altyapisinda
- Ikincil yuk: TrickBot, QakBot, Cobalt Strike, ransomware
Teknik Analiz
DLL Payload Ozellikleri
- Format: PE32 GUI Intel 80386 (32-bit DLL)
- サイズ: 333.312 bayt
- Entropi: 6.68 (normal)
- Section sayisi: 5 (.text, .data, .idata, .rsrc, .reloc)
Gizleme Teknigi
- Tum anlamli string'ler sifrelenmis/obfuske
- Gorunen stringler yalnizca Windows CRT kayit mesajlari (connection refused, not_a_socket, text file busy)
- Locale stringleri (zh-CHT, syr-SY, sr-BA-Cyrl, ti-ET, st-ZA) — locale-based obfuscation
- Export tablosu bos (cagri adresleri runtime'da cozulur)
Emotet C2 アーキテクチャsi (Genel)
- C2 adresleri sifrelenmis PE kaynaginda sakli (RSA + custom encoding)
- Moduler mimari: spam, spreader, loader, credential harvester modulleri
- HTTPS + port cesitliligi (7080, 8080, 443, 80)
- Process injection: svchost.exe veya Windows islemleri icine
Teknik Ozellikler
| Ozellik | 値 |
|---|---|
| ファミリー | Emotet |
| Tur | 32-bit DLL Payload |
| Format | PE32 GUI Intel 80386 |
| サイズ | 333.312 bayt |
| C2 | Sifrelenmis (RSA) |
| Ikincil Yukler | TrickBot, QakBot, Cobalt Strike |
IOC Ozeti
- SHA256:
ce742b7cc94a5c668116d343b6a9677523dc13b358294bba3cd248fba8b880da - ファイル: EmotetPayload32-bitDL
Emotet — マルウェアプロファイル
Emotet (Heodo/Mealybug/TA542) 32-bit DLL payload. Process enumeration via CreateToolhelp32Snapshot+Process32First/Next. VirtualAlloc+VirtualProtect shellcode staging. ntdll.dll direct calls. Low entropy 3.92 (stage-1 loader/encoded payload). Suspicious imagebase and DOS stub.
技術詳細
C dili, HTTP C2 (RSA+AES sifreleme), modular yapi (email stealer, spreader, Outlook harvester), process hollowing, living off the land (regsvr32, mshta, certutil), Epoch1/2/3/4/5 botnet
アトリビューション / 脅威アクター
TA542 (MUMMY SPIDER) - Ukrayna kokenli oldugu dusunulen organizasyon. 2021'de Europol/FBI tarafindan coguyla tutuklandi; 2022'de geri dondu.
機能と挙動
IOCリスト (1 件の指標)
# SHA256
ce742b7cc94a5c668116d343b6a9677523dc13b358294bba3cd248fba8b880da
| タイプ | 値 | メモ |
|---|---|---|
| sha256 | ce742b7cc94a5c668116d343b6a9677523dc13b358294bba3cd248fba8b880da |
C2サーバー (このファミリーで7台のサーバーを記録)
| アドレス | タイプ | ポート | プロトコル | ステータス | 国 |
|---|---|---|---|---|---|
| 41.216.188.11 | ip | 8000 | HTTP | active | — |
| 103.143.173.206 | ip | 443 | HTTPS | inactive | ID |
| 144.91.65.153 | ip | 7080 | HTTP | inactive | DE |
| 195.88.54.144 | ip | 8080 | HTTP | sinkholed | — |
| 103.43.46.149 | ip | 443 | HTTPS | sinkholed | — |
| 185.220.101.32 | ip | 80 | HTTP | sinkholed | DE |
| 5.135.183.154 | ip | 8080 | HTTP | sinkholed | FR |
C2アドレスはKEYDALチームが手動で検証したマルウェア検体のみに基づいて提供されています。商用利用は禁止です。