emotet | fbc115dc9e79343856fc647ffd9c86b089d81fa33c6ecb607dfcd9b362bab2b2

Analysis

max time kernel
4294182s
max time network
129s
platform
windows7_x64
resource
win7-20220223-en
submitted
25-02-2022 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc115dc9e79343856fc647ffd9c86b089d81fa33c6ecb607dfcd9b362bab2b2.dll
Size

932KB
MD5

07d1857a8e92333779599fe55dc18ffe
SHA1

96336381d75bd9699fc54d18918b57041c3ff033
SHA256

fbc115dc9e79343856fc647ffd9c86b089d81fa33c6ecb607dfcd9b362bab2b2
SHA512

e5638f5c69041bc8141d6f3ac71fa141ed2620c060932fafbfadd617e3b99a4d7d375122e56da12a8fdb2215c629670910bf07841d3765177eecbbfedc5ec71a

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

169.197.131.16:8080

195.154.253.60:8080

152.89.239.34:443

216.158.226.206:443

159.65.88.10:8080

209.126.98.206:8080

158.69.222.101:443

173.212.193.249:8080

185.157.82.211:8080

81.0.236.90:443

103.75.201.2:443

46.55.222.11:443

159.8.59.82:8080

207.38.84.195:8080

50.116.54.215:443

79.172.212.216:8080

212.237.17.99:8080

212.24.98.99:8080

178.79.147.66:8080

51.254.140.238:7080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Aqqttkvap\omyurg.wpc regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

588 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1852 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Aqqttkvap\omyurg.wpc	regsvr32.exe

pid	process
588	regsvr32.exe

pid	process
1852	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1852	1828	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 588	1852	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fbc115dc9e79343856fc647ffd9c86b089d81fa33c6ecb607dfcd9b362bab2b2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\fbc115dc9e79343856fc647ffd9c86b089d81fa33c6ecb607dfcd9b362bab2b2.dll
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Aqqttkvap\omyurg.wpc"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-59-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1828-54-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1852-55-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/1852-56-0x0000000000240000-0x0000000000268000-memory.dmp

Filesize
160KB

Download