emotet | 6b51aafe69a448a500b7f5a7b46b39c12eeacd2715025171e49406243c6a3bd9 | Triage

Analysis

max time kernel
53s
max time network
137s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:38

Sharing

Report Analysis Logs

General

Target

6b51aafe69a448a500b7f5a7b46b39c12eeacd2715025171e49406243c6a3bd9.dll
Size

532KB
MD5

b26bb946b12717d69ea0bccc2ca9d6c0
SHA1

4c4b9447317b8ff938957e0a1bb6b5993012ee02
SHA256

6b51aafe69a448a500b7f5a7b46b39c12eeacd2715025171e49406243c6a3bd9
SHA512

0d1a271e00234eb0c27881e001632829dd3c8f1fff492a0ae121975dd15d5b2408800d1f059578ada8f629eafd44ad05c9e26e7c757b1f513ca080a3ac25e309

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2656 regsvr32.exe
2656 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2348 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2348 wrote to memory of 2656	2348	regsvr32.exe	regsvr32.exe
PID 2348 wrote to memory of 2656	2348	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b51aafe69a448a500b7f5a7b46b39c12eeacd2715025171e49406243c6a3bd9.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QHSgsPWhGxkKXnPv\uLghSvlLf.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-114-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2656-119-0x0000000000000000-mapping.dmp

Download