emotet | f083df7faff4c5263bc4575a013eea1502438b088953ab07502372ac9762f66d

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d546f41806769ee8a9f832c72dd68976.dll
Size

988KB
MD5

d546f41806769ee8a9f832c72dd68976
SHA1

d19996be34be1ba7370f587f7aa606416d4ba006
SHA256

f083df7faff4c5263bc4575a013eea1502438b088953ab07502372ac9762f66d
SHA512

891a0c9d131a665ddedd9e270b13f3c4d077ff0a82c8d36eaa3b88618c0e7f2c3f9a746048df9cedf4ad14b535e9445c90d1229b0d31418348f9faed76ad6f46

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

23.246.204.126:443

149.56.163.161:8080

212.237.5.209:443

159.89.230.105:443

178.63.25.185:443

104.251.214.46:8080

195.154.133.20:443

217.182.143.207:443

103.75.201.4:443

162.243.175.63:443

173.212.193.249:8080

138.185.72.26:8080

107.182.225.142:8080

45.118.115.99:8080

46.55.222.11:443

212.237.56.116:7080

178.79.147.66:8080

160.16.102.168:80

212.237.17.99:8080

51.38.71.0:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1080 wrote to memory of 1252	1080	regsvr32.exe	27
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28
PID 1252 wrote to memory of 1616	1252	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d546f41806769ee8a9f832c72dd68976.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\d546f41806769ee8a9f832c72dd68976.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\d546f41806769ee8a9f832c72dd68976.dll",DllRegisterServer
    3⤵
    PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download
memory/1252-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1252-56-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download