Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10
General
Target

bc1579d2e43f07b843f2a67179661adf92e7a00a9244977403c3e5fe6d8c73c5.dll

Filesize

362KB

Completed

21-05-2022 18:59

Task

behavioral1

Score
10/10
MD5

ee276bc731b3c22eed456fc00950fdab

SHA1

ed1abb336ba83b844498345cf6baacdeed8af8d6

SHA256

bc1579d2e43f07b843f2a67179661adf92e7a00a9244977403c3e5fe6d8c73c5

SHA256

52d59c3a8392a9641550e041940c85c363cf41c8f0441ee0037671eabb3a31339e99fe45cdea4e729d6549ecbd3a9fa634adb70b1f84e9f180e5a11116716e7d

Malware Config

Extracted

Family

emotet
Botnet

Epoch5
C2

194.9.172.107:8080

66.42.57.149:443

165.22.73.229:8080

202.29.239.162:443

76.189.152.228:1645

59.185.164.123:8382

115.19.43.159:30377

104.248.225.227:8080

54.38.242.185:443

103.133.214.242:8080

78.47.204.80:443

210.57.209.142:8080

103.41.204.169:8080

118.98.72.86:443

88.217.172.165:8080

87.106.97.83:7080

85.25.120.45:8080

195.77.239.39:8080

37.44.244.177:8080

36.67.23.59:443

93.41.142.108:30345

42.6.66.255:39545

160.16.143.191:7080

38.217.125.207:49663

54.38.143.246:7080

159.69.237.188:443

68.183.93.250:443

54.37.228.122:443

190.90.233.66:443

37.59.209.141:8080

29.146.139.51:30005

18.37.240.161:6409

178.62.112.199:8080

59.148.253.194:443

196.44.98.190:8080

79.235.8.209:58224

202.28.34.99:8080

78.46.73.125:443

51.68.141.164:8080

207.148.81.119:8080

93.104.209.107:8080

185.148.168.220:8080

100.21.231.107:63582

103.85.95.4:8080

62.171.178.147:8080

175.126.176.79:8080

134.122.119.23:8080

202.134.4.210:7080

116.124.128.206:8080

45.71.195.104:8080
eck1.plain
eck1.plain
Signatures 5

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pidprocess
    64regsvr32.exe
    64regsvr32.exe
  • Suspicious behavior: RenamesItself
    regsvr32.exe

    Reported IOCs

    pidprocess
    2264regsvr32.exe
  • Suspicious use of WriteProcessMemory
    regsvr32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2264 wrote to memory of 642264regsvr32.exeregsvr32.exe
    PID 2264 wrote to memory of 642264regsvr32.exeregsvr32.exe
Processes 2
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bc1579d2e43f07b843f2a67179661adf92e7a00a9244977403c3e5fe6d8c73c5.dll
    Suspicious behavior: RenamesItself
    Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SBqyIz\imSXRqxfOkF.dll"
      Suspicious behavior: EnumeratesProcesses
      PID:64
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/64-122-0x0000000000000000-mapping.dmp

                            Download

                          • memory/2264-117-0x0000000180000000-0x0000000180031000-memory.dmp

                            Download