emotet | 2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938

Analysis

max time kernel
158s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
04-04-2022 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

issxtxng.dll
Size

612KB
MD5

a631883d397ad88c0744e4405a66a1ab
SHA1

a95c8dd6b8a275d3360799a632a3ab71dc4bc0f9
SHA256

2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938
SHA512

09b42a766077a14f802d7a1aee64a4e24166b3e1ea1438138e990e9508b70960b96230946cc2955e92986c93c1c12ab5bad629831592c24587abdf2ede02db83

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

70.36.102.35:443

92.240.254.110:8080

51.91.76.89:8080

217.182.25.250:8080

119.193.124.41:7080

45.142.114.231:8080

176.56.128.118:443

51.254.140.238:7080

173.212.193.249:8080

131.100.24.231:80

188.44.20.25:443

1.234.2.232:8080

153.126.146.25:7080

51.91.7.5:8080

151.106.112.196:8080

46.55.222.11:443

107.182.225.142:8080

82.165.152.127:8080

212.237.17.99:8080

195.201.151.129:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3004 regsvr32.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Tiwjzlbveodl\ioxfhqxxyuvuq.kfk regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3004 regsvr32.exe
3004 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

4992 regsvr32.exe

pid	process
3004	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Tiwjzlbveodl\ioxfhqxxyuvuq.kfk	regsvr32.exe

pid	process
3004	regsvr32.exe
3004	regsvr32.exe

pid	process
4992	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4432 wrote to memory of 4992	4432	regsvr32.exe	regsvr32.exe
PID 4432 wrote to memory of 4992	4432	regsvr32.exe	regsvr32.exe
PID 4432 wrote to memory of 4992	4432	regsvr32.exe	regsvr32.exe
PID 4992 wrote to memory of 3004	4992	regsvr32.exe	regsvr32.exe
PID 4992 wrote to memory of 3004	4992	regsvr32.exe	regsvr32.exe
PID 4992 wrote to memory of 3004	4992	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\issxtxng.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\issxtxng.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tiwjzlbveodl\ioxfhqxxyuvuq.kfk"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Tiwjzlbveodl\ioxfhqxxyuvuq.kfk
Filesize
612KB

MD5
a631883d397ad88c0744e4405a66a1ab

SHA1
a95c8dd6b8a275d3360799a632a3ab71dc4bc0f9

SHA256
2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938

SHA512
09b42a766077a14f802d7a1aee64a4e24166b3e1ea1438138e990e9508b70960b96230946cc2955e92986c93c1c12ab5bad629831592c24587abdf2ede02db83

Download Submit
memory/3004-128-0x0000000000000000-mapping.dmp

Download
memory/3004-130-0x00000000026C0000-0x00000000026E4000-memory.dmp

Filesize
144KB

Download
memory/4992-124-0x0000000000000000-mapping.dmp

Download
memory/4992-125-0x0000000002B80000-0x0000000002BA4000-memory.dmp

Filesize
144KB

Download