emotet | 2cb25bf931f08086cdf6159f356c17fa67d51ac7ed088a2aed84e59be6fae6e4

Analysis

max time kernel
4294180s
max time network
129s
platform
windows7_x64
resource
win7-20220311-en
submitted
15-03-2022 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

emotet_epoch5.dll
Size

1004KB
MD5

6b8ff194d6546e3d3f719917d467941a
SHA1

d2ebb27795ca385c4aa4466bca2fa7ed2fce349e
SHA256

2cb25bf931f08086cdf6159f356c17fa67d51ac7ed088a2aed84e59be6fae6e4
SHA512

6bd52f217aedcb3a62fda1cad889c4841f1b7173c3dd735c7f347d589c82b1d98c6b980b5e43b40b7b735ddeac739df8e0e346c277155dcaf68c7384963dd5c9

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

165.22.61.235:443

121.78.112.42:8080

216.10.251.121:8080

195.77.239.39:8080

195.154.146.35:443

68.183.93.250:443

139.196.72.155:8080

194.9.172.107:8080

196.44.98.190:8080

128.199.192.135:8080

5.56.132.177:8080

78.46.73.125:443

87.106.97.83:7080

66.42.57.149:443

37.44.244.177:8080

190.90.233.66:443

203.153.216.46:443

207.148.81.119:8080

103.41.204.169:8080

104.131.62.48:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Nesomnr\bpeiehhwjkybals.lrk regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1628 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1520 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Nesomnr\bpeiehhwjkybals.lrk	regsvr32.exe

pid	process
1628	regsvr32.exe

pid	process
1520	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1520	1636	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1628	1520	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_epoch5.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\emotet_epoch5.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nesomnr\bpeiehhwjkybals.lrk"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-55-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1520-56-0x0000000000490000-0x00000000004B7000-memory.dmp

Filesize
156KB

Download
memory/1628-60-0x00000000007B0000-0x00000000007D7000-memory.dmp

Filesize
156KB

Download
memory/1636-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download