emotet | 797a54dbca1f97bc5c2b21bf48bddb2a6ef149d1a1e21d3f0d1fd1e7e184a4d8

Analysis

max time kernel
43s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-06-2022 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f05ec566501e25f0a7edb125f24a35a.dll
Size

289KB
MD5

1f05ec566501e25f0a7edb125f24a35a
SHA1

1fccb30680f399863c501d8804ddc1af5e15d54b
SHA256

797a54dbca1f97bc5c2b21bf48bddb2a6ef149d1a1e21d3f0d1fd1e7e184a4d8
SHA512

e4d8c6a097b1c02a375d8d8d1d27127fcd30a4a6b47d48baec80dab5116685ecc21452860cc3725e14ed103dadb430c3b687638abaf4c69421cfe43017738ae9

Score

10^/10

emotet banker suricata trojan

Malware Config

Extracted

Family

emotet

62.171.178.147:8080

128.199.217.206:443

85.25.120.45:8080

157.230.99.206:8080

46.101.234.246:8080

196.44.98.190:8080

202.134.4.210:7080

54.37.106.167:8080

175.126.176.79:8080

104.244.79.94:443

103.71.99.57:8080

88.217.172.165:8080

104.248.225.227:8080

198.199.70.22:8080

64.227.55.231:8080

128.199.242.164:8080

195.77.239.39:8080

118.98.72.86:443

54.37.228.122:443

157.245.111.0:8080

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1652	regsvr32.exe
2028	regsvr32.exe
2028	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1652	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2028	1652	regsvr32.exe	28
PID 1652 wrote to memory of 2028	1652	regsvr32.exe	28
PID 1652 wrote to memory of 2028	1652	regsvr32.exe	28
PID 1652 wrote to memory of 2028	1652	regsvr32.exe	28
PID 1652 wrote to memory of 2028	1652	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f05ec566501e25f0a7edb125f24a35a.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TtPlGXHz\vkKCyV.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download