emotet | 21f94d0e611799fbcb7c633a3e902d85d5939ddb7ea05bc26d9f15e271eef4e2

Analysis

max time kernel
4294183s
max time network
162s
platform
windows7_x64
resource
win7-20220310-en
submitted
15-03-2022 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

emotet_epoch4.dll
Size

1016KB
MD5

44360ac910a34cc7f68659385e90a692
SHA1

940dc0179de83b614bf23ff27b1fba24a702f137
SHA256

21f94d0e611799fbcb7c633a3e902d85d5939ddb7ea05bc26d9f15e271eef4e2
SHA512

c7c6d5856588f099c3b5c4e25d0c3297250eb46478b252883aa0a719e59f165e950ed5ab8268b183aed572954a5e072e44240149cf06cb0ec2a806571c9dc3c6

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

45.76.1.145:443

217.182.25.250:8080

119.193.124.41:7080

192.99.251.50:443

146.59.226.45:443

173.212.193.249:8080

207.38.84.195:8080

45.118.135.203:7080

31.24.158.56:8080

209.126.98.206:8080

212.237.17.99:8080

216.158.226.206:443

50.30.40.196:8080

82.165.152.127:8080

159.8.59.82:8080

107.182.225.142:8080

110.232.117.186:8080

72.15.201.15:8080

5.9.116.246:8080

79.172.212.216:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Erbbkgcla\ejmpptdzrxni.ahl regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

768 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1992 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Erbbkgcla\ejmpptdzrxni.ahl	regsvr32.exe

pid	process
768	regsvr32.exe

pid	process
1992	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1992	1656	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 768	1992	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_epoch4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\emotet_epoch4.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Erbbkgcla\ejmpptdzrxni.ahl"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-60-0x00000000004B0000-0x00000000004D8000-memory.dmp

Filesize
160KB

Download
memory/1656-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x00000000001F0000-0x0000000000218000-memory.dmp

Filesize
160KB

Download