emotet | 115ce5ade03aacb30acd4ef41310458319de344baea352d1f9c66f13f1312f4d

Analysis

max time kernel
122s
max time network
127s
platform
windows10_x64
resource
win10-en-20211208
submitted
18-01-2022 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115ce5ade03aacb30acd4ef41310458319de344baea352d1f9c66f13f1312f4d.dll
Size

408KB
MD5

824b0a36569f29ddba181c6a169ef632
SHA1

8f578e8dcf1e1946eb5e31e1136507cb6cce8a10
SHA256

115ce5ade03aacb30acd4ef41310458319de344baea352d1f9c66f13f1312f4d
SHA512

107444494e8fa10ae494a9d5d64e6cdab930f0432ace258ea47650a3d211e036d5f760bed90d77c8e2d0876ecc48627230361491a3f3c4dbb33e54d5c2971040

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2764 wrote to memory of 2812	2764	regsvr32.exe	regsvr32.exe
PID 2764 wrote to memory of 2812	2764	regsvr32.exe	regsvr32.exe
PID 2764 wrote to memory of 2812	2764	regsvr32.exe	regsvr32.exe
PID 2812 wrote to memory of 3716	2812	regsvr32.exe	rundll32.exe
PID 2812 wrote to memory of 3716	2812	regsvr32.exe	rundll32.exe
PID 2812 wrote to memory of 3716	2812	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\115ce5ade03aacb30acd4ef41310458319de344baea352d1f9c66f13f1312f4d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\115ce5ade03aacb30acd4ef41310458319de344baea352d1f9c66f13f1312f4d.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\115ce5ade03aacb30acd4ef41310458319de344baea352d1f9c66f13f1312f4d.dll",DllRegisterServer
3⤵
PID:3716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-118-0x0000000003140000-0x0000000003168000-memory.dmp

Filesize
160KB

Download