Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10
General
Target

5a013567a2cfaa03c5e43d335743663994bdef06e83c1acee92d0cae513c1e05.dll

Filesize

362KB

Completed

21-05-2022 19:26

Task

behavioral1

Score
10/10
MD5

bac109ced37a6ab300be55619b1034da

SHA1

4a9e4fc8a7aeb70c12af2f97abf3f7875c171824

SHA256

5a013567a2cfaa03c5e43d335743663994bdef06e83c1acee92d0cae513c1e05

SHA256

e716c55c2696d8dc7e174f8e3ccb7eba7afbf2140b0be34013a3bcb00f62ec99ea48ba488097b9b0b20d447dd89739b7d08a96ab2c6370869385a62ddaade610

Malware Config

Extracted

Family

emotet
Botnet

Epoch5
C2

194.9.172.107:8080

66.42.57.149:443

165.22.73.229:8080

202.29.239.162:443

76.189.152.228:1645

59.185.164.123:8382

115.19.43.159:30377

104.248.225.227:8080

54.38.242.185:443

103.133.214.242:8080

78.47.204.80:443

210.57.209.142:8080

103.41.204.169:8080

118.98.72.86:443

88.217.172.165:8080

87.106.97.83:7080

85.25.120.45:8080

195.77.239.39:8080

37.44.244.177:8080

36.67.23.59:443

93.41.142.108:30345

42.6.66.255:39545

160.16.143.191:7080

38.217.125.207:49663

54.38.143.246:7080

159.69.237.188:443

68.183.93.250:443

54.37.228.122:443

190.90.233.66:443

37.59.209.141:8080

29.146.139.51:30005

18.37.240.161:6409

178.62.112.199:8080

59.148.253.194:443

196.44.98.190:8080

79.235.8.209:58224

202.28.34.99:8080

78.46.73.125:443

51.68.141.164:8080

207.148.81.119:8080

93.104.209.107:8080

185.148.168.220:8080

100.21.231.107:63582

103.85.95.4:8080

62.171.178.147:8080

175.126.176.79:8080

134.122.119.23:8080

202.134.4.210:7080

116.124.128.206:8080

45.71.195.104:8080
eck1.plain
eck1.plain
Signatures 5

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pidprocess
    2320regsvr32.exe
    2320regsvr32.exe
  • Suspicious behavior: RenamesItself
    regsvr32.exe

    Reported IOCs

    pidprocess
    3036regsvr32.exe
  • Suspicious use of WriteProcessMemory
    regsvr32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3036 wrote to memory of 23203036regsvr32.exeregsvr32.exe
    PID 3036 wrote to memory of 23203036regsvr32.exeregsvr32.exe
Processes 2
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5a013567a2cfaa03c5e43d335743663994bdef06e83c1acee92d0cae513c1e05.dll
    Suspicious behavior: RenamesItself
    Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XnHeJ\gOgvFjfJHSbFjpJ.dll"
      Suspicious behavior: EnumeratesProcesses
      PID:2320
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/2320-124-0x0000000000000000-mapping.dmp

                            Download

                          • memory/3036-119-0x0000000180000000-0x0000000180031000-memory.dmp

                            Download