emotet | edd0abe856a40389268258e8aaa48241fc908b67c44b5e041e1e13c9ac219aa8

Analysis

max time kernel
118s
max time network
118s
platform
windows10_x64
resource
win10-en-20211208
submitted
18-01-2022 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd0abe856a40389268258e8aaa48241fc908b67c44b5e041e1e13c9ac219aa8.dll
Size

408KB
MD5

5d9c69bda75543b532c6d9ddc8e01f3a
SHA1

2e8a29475364f3087c92973259b9ab9c16540f3d
SHA256

edd0abe856a40389268258e8aaa48241fc908b67c44b5e041e1e13c9ac219aa8
SHA512

52c2b028d52947cc9bf317c3c89977ee58b4650d5f521eca7b692bc8daf148c9c16be1971594d90b4190f75c91f23873ed61af322813dafc468083e641bf838d

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3780 wrote to memory of 4000	3780	regsvr32.exe	regsvr32.exe
PID 3780 wrote to memory of 4000	3780	regsvr32.exe	regsvr32.exe
PID 3780 wrote to memory of 4000	3780	regsvr32.exe	regsvr32.exe
PID 4000 wrote to memory of 3332	4000	regsvr32.exe	rundll32.exe
PID 4000 wrote to memory of 3332	4000	regsvr32.exe	rundll32.exe
PID 4000 wrote to memory of 3332	4000	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\edd0abe856a40389268258e8aaa48241fc908b67c44b5e041e1e13c9ac219aa8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\edd0abe856a40389268258e8aaa48241fc908b67c44b5e041e1e13c9ac219aa8.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\edd0abe856a40389268258e8aaa48241fc908b67c44b5e041e1e13c9ac219aa8.dll",DllRegisterServer
    3⤵
    PID:3332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4000-116-0x00000000033D0000-0x00000000033F8000-memory.dmp

Filesize
160KB

Download
memory/4000-115-0x00000000033D1000-0x00000000033F5000-memory.dmp

Filesize
144KB

Download