emotet | 4cef71e09ec11af63607214b7a6b7a2f4a870fd663864701b40c2d200d031f47

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
26-02-2022 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cef71e09ec11af63607214b7a6b7a2f4a870fd663864701b40c2d200d031f47.dll
Size

1024KB
MD5

811544e525fe14495f951b63d5ab3126
SHA1

39ac1fe230f72a42cc4a1202aa87483112fa837c
SHA256

4cef71e09ec11af63607214b7a6b7a2f4a870fd663864701b40c2d200d031f47
SHA512

ee7fa01aa128033562200ce6426532b61721ae5230f81efb667d855eb56ced0647c6af71ad53fd8413c10684c1f594def551a7c0b8ec51868fb9c04566be8bc5

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

169.197.131.16:8080

195.154.253.60:8080

152.89.239.34:443

216.158.226.206:443

159.65.88.10:8080

209.126.98.206:8080

158.69.222.101:443

173.212.193.249:8080

185.157.82.211:8080

81.0.236.90:443

103.75.201.2:443

46.55.222.11:443

159.8.59.82:8080

207.38.84.195:8080

50.116.54.215:443

79.172.212.216:8080

212.237.17.99:8080

212.24.98.99:8080

178.79.147.66:8080

51.254.140.238:7080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1420 regsvr32.exe
1420 regsvr32.exe

pid	process
1420	regsvr32.exe
1420	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1660 wrote to memory of 1420	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1420	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1420	1660	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4cef71e09ec11af63607214b7a6b7a2f4a870fd663864701b40c2d200d031f47.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4cef71e09ec11af63607214b7a6b7a2f4a870fd663864701b40c2d200d031f47.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-130-0x0000000002EB0000-0x0000000002ED8000-memory.dmp

Filesize
160KB

Download