Overview

overview

10

Static

static

VEuIqlISMa.vbs

windows7_x64

10

VEuIqlISMa.vbs

windows10-2004_x64

10

Resubmissions

22-04-2022 21:47

220422-1nnmyagdf2 10

Analysis

  • max time kernel
    39s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-04-2022 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VEuIqlISMa.vbs

  • Size

    2KB

  • MD5

    e759c57fef989e9230cf121b31e077ec

  • SHA1

    434f3d7d49a06606c0fb73e1a2378836f2018338

  • SHA256

    bc84d7201f37b0c02ff742f4b8c5d78412796676724fc0af530975dac2fff063

  • SHA512

    552b94d3950641f62bcd5be46308fb3e2ab1014b3235c2b4a74d6c4f222fbe71d6991c4cb7325aa5b57f20edbd112c6b89320362ca87ee8c3a24c7f8a605e736

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

138.201.142.73:8080

138.197.147.101:443

134.195.212.50:7080

104.168.154.79:8080

149.56.131.28:8080

129.232.188.93:443

212.24.98.99:8080

119.193.124.41:7080

45.118.115.99:8080

188.44.20.25:443

103.132.242.26:8080

201.94.166.162:443

1.234.21.73:7080

206.189.28.199:8080

185.8.212.130:7080

82.165.152.127:8080

176.104.106.96:8080

173.212.193.249:8080

167.99.115.35:8080

209.126.98.206:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
    1⤵
    • Blocklisted process makes network request
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SYstem32\regsvR32.ExE
      C:\Windows\SYstem32\regsvR32.ExE C:\Users\Admin\AppData\Local\Temp\vmTbfGSBOW.qsj
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Esbpo\tmgde.ehy"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vmTbfGSBOW.qsj
    Filesize

    626KB

    MD5

    e533a38e9c536cdaada20562d5fdca95

    SHA1

    cc698330d55694d96989eae7e85b4a261b2b51a1

    SHA256

    cd49d1a44084add2f38189da4460d8b5733353fc0f31e99ea36e7e8ca0de5496

    SHA512

    7f15e6bfd65f7248d460bca8e2d5732c5ff39fb6c3392293ec5b27908f5c166cfd66931ad3ad09e7d235444091157f3259428a954305c485a93db1ad6eb99290

    Download Submit
  • \Users\Admin\AppData\Local\Temp\VMtbfGSBow.QsJ
    Filesize

    626KB

    MD5

    e533a38e9c536cdaada20562d5fdca95

    SHA1

    cc698330d55694d96989eae7e85b4a261b2b51a1

    SHA256

    cd49d1a44084add2f38189da4460d8b5733353fc0f31e99ea36e7e8ca0de5496

    SHA512

    7f15e6bfd65f7248d460bca8e2d5732c5ff39fb6c3392293ec5b27908f5c166cfd66931ad3ad09e7d235444091157f3259428a954305c485a93db1ad6eb99290

    Download Submit
  • memory/588-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1348-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1348-55-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1348-58-0x0000000180000000-0x000000018002A000-memory.dmp
    Filesize

    168KB

    Download