emotet | 6c2d30d206284342a81908ab8fc7f8f5eab3c12ba26e6e58852bad79717facce

Analysis

max time kernel
122s
max time network
122s
platform
windows10_x64
resource
win10-en-20211104
submitted
02-12-2021 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c2d30d206284342a81908ab8fc7f8f5eab3c12ba26e6e58852bad79717facce.dll
Size

810KB
MD5

1a6fbd30b3a7b2b5d23fe9f02b3fd729
SHA1

c219670176f0ce001370396fa193c6c1db8a8b96
SHA256

6c2d30d206284342a81908ab8fc7f8f5eab3c12ba26e6e58852bad79717facce
SHA512

7a1b9b9982f07a122f7b941500324908797eadb084f2f510d5a2bc90ef2a982fbfe802d0fbfad32cece34f5f4fcaab3bcc8089f968ac00d51672dc4cf51d7f6d

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

172.104.227.98:443

31.207.89.74:8080

46.55.222.11:443

41.76.108.46:8080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

203.114.109.124:443

45.118.115.99:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

192.254.71.210:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3576 wrote to memory of 3584	3576	regsvr32.exe	regsvr32.exe
PID 3576 wrote to memory of 3584	3576	regsvr32.exe	regsvr32.exe
PID 3576 wrote to memory of 3584	3576	regsvr32.exe	regsvr32.exe
PID 3584 wrote to memory of 2996	3584	regsvr32.exe	rundll32.exe
PID 3584 wrote to memory of 2996	3584	regsvr32.exe	rundll32.exe
PID 3584 wrote to memory of 2996	3584	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c2d30d206284342a81908ab8fc7f8f5eab3c12ba26e6e58852bad79717facce.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6c2d30d206284342a81908ab8fc7f8f5eab3c12ba26e6e58852bad79717facce.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\6c2d30d206284342a81908ab8fc7f8f5eab3c12ba26e6e58852bad79717facce.dll",DllRegisterServer
3⤵
PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2996-119-0x0000000000000000-mapping.dmp

Download
memory/3584-118-0x0000000000000000-mapping.dmp

Download
memory/3584-120-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download