emotet | 412cfacac6a032dea81fd6e3543b0c409cebe6dd6902dca412b0128b8a54e195

Resubmissions

09-12-2021 17:56

211209-whze2aeedl 10

07-12-2021 15:17

211207-sn2wkadfb5 3

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-12-2021 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412cfacac6a032dea81fd6e3543b0c409cebe6dd6902dca412b0128b8a54e195.dll
Size

215KB
MD5

7b1362870f12d494aae22c5e0946f0c8
SHA1

6cbda7514163ea5ca6164bc3ee138e38946df1c2
SHA256

412cfacac6a032dea81fd6e3543b0c409cebe6dd6902dca412b0128b8a54e195
SHA512

ebfaf702d6402ef7536c9f9b4b1c4bc8c06eaffccb662533fe74524f5487becfa0cd21786c31d16616507644469b5723d89773d2cebdda76e1d931da2f5d5917

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

172.104.227.98:443

31.207.89.74:8080

46.55.222.11:443

41.76.108.46:8080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

203.114.109.124:443

45.118.115.99:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

192.254.71.210:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 1204	1352	regsvr32.exe	regsvr32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe
PID 1204 wrote to memory of 1660	1204	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\412cfacac6a032dea81fd6e3543b0c409cebe6dd6902dca412b0128b8a54e195.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\412cfacac6a032dea81fd6e3543b0c409cebe6dd6902dca412b0128b8a54e195.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\412cfacac6a032dea81fd6e3543b0c409cebe6dd6902dca412b0128b8a54e195.dll",DllRegisterServer
    3⤵
    PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-55-0x0000000000000000-mapping.dmp

Download
memory/1204-56-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1204-59-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/1352-54-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download
memory/1660-57-0x0000000000000000-mapping.dmp

Download