Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10
General
Target

dc6a2af3f9d7567ef1dbbdaa68b27b5456f291d0a70f47c60c5a51e46dc8d5a7.dll

Filesize

356KB

Completed

21-05-2022 19:21

Task

behavioral1

Score
10/10
MD5

264495d75635de3bfc28366a19ff8fee

SHA1

edeaa33cbbc051cfcfac7708ba6d26278b090bc0

SHA256

dc6a2af3f9d7567ef1dbbdaa68b27b5456f291d0a70f47c60c5a51e46dc8d5a7

SHA256

8e9629cf179784d0742bd15d4f363b5ba38ceced0e3d1298e3c727a7e28f3c72b0b62dc5c375aad331ca8d2237d6fe3a99851a45821b9611d7747df821fcd4e6

Malware Config

Extracted

Family

emotet
Botnet

Epoch4
C2

212.24.98.99:8080

51.91.76.89:8080

94.23.45.86:4143

101.50.0.91:8080

103.43.75.120:443

212.237.17.99:8080

158.69.222.101:443

51.254.140.238:7080

1.234.2.232:8080

91.207.28.33:8080

167.172.253.162:8080

45.235.8.30:8080

115.68.227.76:8080

134.122.66.193:8080

89.29.244.7:443

197.242.150.244:8080

164.68.99.3:8080

5.9.116.246:8080

1.234.21.73:7080

131.100.24.231:80

185.4.135.165:8080

72.15.201.15:8080

206.189.28.199:8080

203.114.109.124:443

149.56.131.28:8080

45.176.232.124:443

103.75.201.2:443

58.227.42.236:80

53.61.228.110:19290

172.104.251.154:8080

82.165.152.127:8080

45.118.115.99:8080

201.94.166.162:443

103.70.28.102:8080

213.241.20.155:443

129.232.188.93:443

146.59.226.45:443

173.82.82.196:8080

209.97.163.214:443

159.65.88.10:8080

159.65.140.115:443

160.16.142.56:8080

151.106.112.196:8080

107.170.39.149:8080

77.81.247.144:8080

173.239.37.178:8080

173.212.193.249:8080

163.44.196.120:8080

150.95.66.124:8080

152.136.229.39:8080
eck1.plain
eck1.plain
Signatures 5

Filter: none

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pidprocess
    1316regsvr32.exe
    1316regsvr32.exe
  • Suspicious behavior: RenamesItself
    regsvr32.exe

    Reported IOCs

    pidprocess
    2100regsvr32.exe
  • Suspicious use of WriteProcessMemory
    regsvr32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2100 wrote to memory of 13162100regsvr32.exeregsvr32.exe
    PID 2100 wrote to memory of 13162100regsvr32.exeregsvr32.exe
Processes 2
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dc6a2af3f9d7567ef1dbbdaa68b27b5456f291d0a70f47c60c5a51e46dc8d5a7.dll
    Suspicious behavior: RenamesItself
    Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EvVdGdJRA\NFarHvlCuOqw.dll"
      Suspicious behavior: EnumeratesProcesses
      PID:1316
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/1316-122-0x0000000000000000-mapping.dmp

                            Download

                          • memory/2100-117-0x0000000180000000-0x000000018002F000-memory.dmp

                            Download