emotet | dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243 | Triage

Analysis

max time kernel
54s
max time network
136s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 15:12

Sharing

Report Analysis Logs

General

Target

dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243.dll
Size

532KB
MD5

0d2b2d79b9ef5a3c48a0b2ad38d9ee85
SHA1

a7d40ff2a40388e5d16e7891e275aaf7cdf26baf
SHA256

dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243
SHA512

f794ccd4d891f5d95e5b45cc87c63163b43cd81c7f91a3d31e8e82715cf06f44ebf9c95cd639bba22cd979d0c1b289e9b24eabeb9a3dc302ca4be40afc07a4a3

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2064 regsvr32.exe
2064 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3696 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3696 wrote to memory of 2064	3696	regsvr32.exe	regsvr32.exe
PID 3696 wrote to memory of 2064	3696	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WSQeGznUsSbLGQis\wIHqeOXzsU.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-124-0x0000000000000000-mapping.dmp

Download
memory/3696-119-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download