emotet | 45a71f475b855fe65a1001d116ee57cc70ad9c3d95de7d3162a27c65d8033ebe

Resubmissions

14-06-2022 12:05

220614-n9gejadgar 10

07-06-2022 12:43

220607-px4vqsaffm 10

Analysis

max time kernel
81s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-06-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45a71f475b855fe65a1001d116ee57cc70ad9c3d95de7d3162a27c65d8033ebe.dll
Size

649KB
MD5

85dce7dad1d6d93cab5e8485861a1916
SHA1

c1e409584c0f6e997aa0d11f5853f2c97eb14a01
SHA256

45a71f475b855fe65a1001d116ee57cc70ad9c3d95de7d3162a27c65d8033ebe
SHA512

eeac8d23d1b6cce8cce43f1e6715cb7789a3244e612bb2ca255d82a1dadb93e59e174743133e6fa177f2c286eb20bf9aeaa399b1c95b47f1a7e721de6b36acf6

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

94.23.45.86:4143

129.232.188.93:443

213.241.20.155:443

197.242.150.244:8080

172.104.251.154:8080

46.55.222.11:443

82.223.21.224:8080

5.9.116.246:8080

1.234.2.232:8080

146.59.226.45:443

160.16.142.56:8080

115.68.227.76:8080

72.15.201.15:8080

188.44.20.25:443

185.4.135.165:8080

103.132.242.26:8080

173.212.193.249:8080

163.44.196.120:8080

183.111.227.137:8080

149.56.131.28:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1600	regsvr32.exe
1236	regsvr32.exe
1236	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1600	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1236	1600	regsvr32.exe	27
PID 1600 wrote to memory of 1236	1600	regsvr32.exe	27
PID 1600 wrote to memory of 1236	1600	regsvr32.exe	27
PID 1600 wrote to memory of 1236	1600	regsvr32.exe	27
PID 1600 wrote to memory of 1236	1600	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45a71f475b855fe65a1001d116ee57cc70ad9c3d95de7d3162a27c65d8033ebe.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IntwdXE\PRUMnlWv.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-62-0x0000000001DD0000-0x0000000001E79000-memory.dmp

Filesize
676KB

Download
memory/1600-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000001D80000-0x0000000001E29000-memory.dmp

Filesize
676KB

Download
memory/1600-57-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download