emotet | 0e5364f7a2966cf455d9de3f7b8c300450f37b336401c48ae69237b89af1f8e1

Analysis

max time kernel
123s
max time network
122s
platform
windows10_x64
resource
win10-en-20211104
submitted
07-12-2021 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e5364f7a2966cf455d9de3f7b8c300450f37b336401c48ae69237b89af1f8e1.dll
Size

749KB
MD5

2a6133396fc9599675ad15d62fe76873
SHA1

94bc908a391f6a14e8dde5a4fd33c376f41ad54a
SHA256

0e5364f7a2966cf455d9de3f7b8c300450f37b336401c48ae69237b89af1f8e1
SHA512

09f0ccd694e2729f96c2fd8dd8e6408a557b37d25998da3630fda1ba305d07010cb2b629782b034762350bb26646c6015d5690846493e66df78b21dd0b5bfa1d

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

209.239.112.82:8080

116.124.128.206:8080

45.63.5.129:443

128.199.192.135:8080

51.178.61.60:443

168.197.250.14:80

177.72.80.14:7080

51.210.242.234:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

104.131.62.48:8080

190.90.233.66:443

185.148.168.220:8080

185.148.168.15:8080

62.171.178.147:8080

191.252.103.16:80

54.38.242.185:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2824 wrote to memory of 3120	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 3120	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 3120	2824	regsvr32.exe	regsvr32.exe
PID 3120 wrote to memory of 2360	3120	regsvr32.exe	rundll32.exe
PID 3120 wrote to memory of 2360	3120	regsvr32.exe	rundll32.exe
PID 3120 wrote to memory of 2360	3120	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0e5364f7a2966cf455d9de3f7b8c300450f37b336401c48ae69237b89af1f8e1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0e5364f7a2966cf455d9de3f7b8c300450f37b336401c48ae69237b89af1f8e1.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\0e5364f7a2966cf455d9de3f7b8c300450f37b336401c48ae69237b89af1f8e1.dll",DllRegisterServer
3⤵
PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-119-0x0000000000000000-mapping.dmp

Download
memory/3120-118-0x0000000000000000-mapping.dmp

Download
memory/3120-120-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download