emotet | 9c68c3b734d2ff620cf9f953743fc835f5cba74e1aebd61ef361cdaca2b98d49 | Triage

Analysis

max time kernel
50s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:23

Sharing

Report Analysis Logs

General

Target

9c68c3b734d2ff620cf9f953743fc835f5cba74e1aebd61ef361cdaca2b98d49.dll
Size

532KB
MD5

8ad66e99abaaf9b32d4ae76b81fc6d6f
SHA1

0046f401952f88e96dc7af78a51ca8f8868fd35a
SHA256

9c68c3b734d2ff620cf9f953743fc835f5cba74e1aebd61ef361cdaca2b98d49
SHA512

1bfafcd37522c9b55983c3f744c4143ac1de0ad686a8f13e9e823d12de6c6bae4589a71cb2bbf9e62fb0c54243417f504da3b26912d10a1a212da4a6603ebadb

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2808 regsvr32.exe
2808 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2484 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2484 wrote to memory of 2808	2484	regsvr32.exe	regsvr32.exe
PID 2484 wrote to memory of 2808	2484	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9c68c3b734d2ff620cf9f953743fc835f5cba74e1aebd61ef361cdaca2b98d49.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VaXikRScGSd\rvuo.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-114-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2808-119-0x0000000000000000-mapping.dmp

Download