Behavioral Report

General

Target

bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
Size

362KB
MD5

369df1a17132b39825ed5692d0fbf1dd
SHA1

ae4727f7c5c3fc1a16403b6e297dce954d9c3a6a
SHA256

bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d
SHA512

46ef6f7c0e5d0796d72a03a0aa2c8a4e3f288551ba498750170cb35b1366d0a39d1969599af4b90cb8c7153c5fe1ceed22c448c721bcc0f8ae56ee119f33ed96

Score

10^/10

Malware Config

Extracted

Family	emotet
Botnet	Epoch5
C2	194.9.172.107:8080 66.42.57.149:443 165.22.73.229:8080 202.29.239.162:443 76.189.152.228:1645 59.185.164.123:8382 115.19.43.159:30377 104.248.225.227:8080 54.38.242.185:443 103.133.214.242:8080 78.47.204.80:443 210.57.209.142:8080 103.41.204.169:8080 118.98.72.86:443 88.217.172.165:8080 87.106.97.83:7080 85.25.120.45:8080 195.77.239.39:8080 37.44.244.177:8080 36.67.23.59:443 93.41.142.108:30345 42.6.66.255:39545 160.16.143.191:7080 38.217.125.207:49663 54.38.143.246:7080 159.69.237.188:443 68.183.93.250:443 54.37.228.122:443 190.90.233.66:443 37.59.209.141:8080 29.146.139.51:30005 18.37.240.161:6409 178.62.112.199:8080 59.148.253.194:443 196.44.98.190:8080 79.235.8.209:58224 202.28.34.99:8080 78.46.73.125:443 51.68.141.164:8080 207.148.81.119:8080 93.104.209.107:8080 185.148.168.220:8080 100.21.231.107:63582 103.85.95.4:8080 62.171.178.147:8080 175.126.176.79:8080 134.122.119.23:8080 202.134.4.210:7080 116.124.128.206:8080 45.71.195.104:8080 110.235.83.107:7080 103.56.149.105:8080 68.183.91.111:8080 119.44.217.160:39748 5.56.132.177:8080 195.154.146.35:443 217.182.143.207:443 54.37.106.167:8080 85.214.67.203:8080 90.63.125.244:30283 188.225.32.231:4143 103.42.58.120:7080 139.196.72.155:8080 194.9.172.107:8080 66.42.57.149:443 165.22.73.229:8080 202.29.239.162:443 76.189.152.228:1645 59.185.164.123:8382 115.19.43.159:30377 104.248.225.227:8080 54.38.242.185:443 103.133.214.242:8080 78.47.204.80:443 210.57.209.142:8080 103.41.204.169:8080 118.98.72.86:443 88.217.172.165:8080 87.106.97.83:7080 85.25.120.45:8080 195.77.239.39:8080 37.44.244.177:8080 36.67.23.59:443 93.41.142.108:30345 42.6.66.255:39545 160.16.143.191:7080 38.217.125.207:49663 54.38.143.246:7080 159.69.237.188:443 68.183.93.250:443 54.37.228.122:443 190.90.233.66:443 37.59.209.141:8080 29.146.139.51:30005 18.37.240.161:6409 178.62.112.199:8080 59.148.253.194:443 196.44.98.190:8080 79.235.8.209:58224 202.28.34.99:8080 78.46.73.125:443 51.68.141.164:8080 207.148.81.119:8080 93.104.209.107:8080 185.148.168.220:8080 100.21.231.107:63582 103.85.95.4:8080 62.171.178.147:8080 175.126.176.79:8080 134.122.119.23:8080 202.134.4.210:7080 116.124.128.206:8080 45.71.195.104:8080 110.235.83.107:7080 103.56.149.105:8080 68.183.91.111:8080 119.44.217.160:39748 5.56.132.177:8080 195.154.146.35:443 217.182.143.207:443 54.37.106.167:8080 85.214.67.203:8080 90.63.125.244:30283 188.225.32.231:4143 103.42.58.120:7080 139.196.72.155:8080
eck1.plain
eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes:

regsvr32.exe

pid process

4088 regsvr32.exe
4088 regsvr32.exe
Suspicious behavior: RenamesItself ⋅ 1 IoCs

Processes:

regsvr32.exe

pid process

3212 regsvr32.exe

pid	process
4088	regsvr32.exe
4088	regsvr32.exe

pid	process
3212	regsvr32.exe

Suspicious use of WriteProcessMemory ⋅ 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3212 wrote to memory of 4088	3212	regsvr32.exe	regsvr32.exe
PID 3212 wrote to memory of 4088	3212	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll

Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory

PID:3212

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BubvLUJPRrCXoh\eSUMqbTThnS.dll"

Suspicious behavior: EnumeratesProcesses

PID:4088

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/3212-116-0x0000000180000000-0x0000000180031000-memory.dmp

Download
memory/4088-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing