Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10
General
Target

bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll

Filesize

362KB

Completed

21-05-2022 18:43

Task

behavioral1

Score
10/10
MD5

369df1a17132b39825ed5692d0fbf1dd

SHA1

ae4727f7c5c3fc1a16403b6e297dce954d9c3a6a

SHA256

bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d

SHA256

46ef6f7c0e5d0796d72a03a0aa2c8a4e3f288551ba498750170cb35b1366d0a39d1969599af4b90cb8c7153c5fe1ceed22c448c721bcc0f8ae56ee119f33ed96

Malware Config

Extracted

Family

emotet
Botnet

Epoch5
C2

194.9.172.107:8080

66.42.57.149:443

165.22.73.229:8080

202.29.239.162:443

76.189.152.228:1645

59.185.164.123:8382

115.19.43.159:30377

104.248.225.227:8080

54.38.242.185:443

103.133.214.242:8080

78.47.204.80:443

210.57.209.142:8080

103.41.204.169:8080

118.98.72.86:443

88.217.172.165:8080

87.106.97.83:7080

85.25.120.45:8080

195.77.239.39:8080

37.44.244.177:8080

36.67.23.59:443

93.41.142.108:30345

42.6.66.255:39545

160.16.143.191:7080

38.217.125.207:49663

54.38.143.246:7080

159.69.237.188:443

68.183.93.250:443

54.37.228.122:443

190.90.233.66:443

37.59.209.141:8080

29.146.139.51:30005

18.37.240.161:6409

178.62.112.199:8080

59.148.253.194:443

196.44.98.190:8080

79.235.8.209:58224

202.28.34.99:8080

78.46.73.125:443

51.68.141.164:8080

207.148.81.119:8080

93.104.209.107:8080

185.148.168.220:8080

100.21.231.107:63582

103.85.95.4:8080

62.171.178.147:8080

175.126.176.79:8080

134.122.119.23:8080

202.134.4.210:7080

116.124.128.206:8080

45.71.195.104:8080
eck1.plain
eck1.plain
Signatures 5

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pidprocess
    4088regsvr32.exe
    4088regsvr32.exe
  • Suspicious behavior: RenamesItself
    regsvr32.exe

    Reported IOCs

    pidprocess
    3212regsvr32.exe
  • Suspicious use of WriteProcessMemory
    regsvr32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3212 wrote to memory of 40883212regsvr32.exeregsvr32.exe
    PID 3212 wrote to memory of 40883212regsvr32.exeregsvr32.exe
Processes 2
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
    Suspicious behavior: RenamesItself
    Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BubvLUJPRrCXoh\eSUMqbTThnS.dll"
      Suspicious behavior: EnumeratesProcesses
      PID:4088
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/3212-116-0x0000000180000000-0x0000000180031000-memory.dmp

                            Download

                          • memory/4088-121-0x0000000000000000-mapping.dmp

                            Download