emotet | 9ec2c005130746d418ef6a5f8042c31664c660e91c7a9e495e9702225e1ef0d3

Analysis

max time kernel
4294181s
max time network
138s
platform
windows7_x64
resource
win7-20220311-en
submitted
23-03-2022 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc963f180da0d48225058e70aecfff6f.dll
Size

840KB
MD5

fc963f180da0d48225058e70aecfff6f
SHA1

d1fb274e0e45139d72248338557af64c66ffe47a
SHA256

9ec2c005130746d418ef6a5f8042c31664c660e91c7a9e495e9702225e1ef0d3
SHA512

ec5e07654319aee348dd95aa9e0730a7328c5ab9fbf809df8562f4b962ead3c70d6e9ff8dff0479cd6332daf9d9726611eddeec6466fc41b3216f115c347b179

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

202.29.239.162:443

54.38.143.246:7080

1.234.65.61:7080

202.134.4.210:7080

59.148.253.194:443

78.46.73.125:443

210.57.209.142:8080

198.199.98.78:8080

93.104.209.107:8080

116.124.128.206:8080

139.196.72.155:8080

188.166.229.148:443

119.59.125.140:8080

195.77.239.39:8080

78.47.204.80:443

196.44.98.190:8080

36.67.23.59:443

185.148.168.15:8080

37.59.209.141:8080

2.58.16.87:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
580	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27
PID 1216 wrote to memory of 580	1216	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fc963f180da0d48225058e70aecfff6f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\fc963f180da0d48225058e70aecfff6f.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-56-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/580-57-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/1216-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download