emotet | 8064d87e14c2e9e59b7bc7ebfd59d404a9e8ffb504c763e0444988aa5b717a30

Analysis

max time kernel
68s
max time network
135s
platform
windows10_x64
resource
win10-20220414-en
submitted
23-06-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8064d87e14c2e9e59b7bc7ebfd59d404a9e8ffb504c763e0444988aa5b717a30.dll
Size

314KB
MD5

50983cd6b8fd7e984a9a29c7d14073ab
SHA1

4f9bb4c88455820177a16fd3c107a84859523741
SHA256

8064d87e14c2e9e59b7bc7ebfd59d404a9e8ffb504c763e0444988aa5b717a30
SHA512

2efda19a3dd161bb7a1dbc90c517f11d1acb49ec05cfd881ca3b786d09006d777cc5b06436b3d434586c8c239d2992cc86e130fb833e9e7662c6a3e85c986727

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

82.165.152.127:8080

51.161.73.194:443

103.75.201.2:443

5.9.116.246:8080

213.241.20.155:443

79.137.35.198:8080

119.193.124.41:7080

186.194.240.217:443

172.105.226.75:8080

150.95.66.124:8080

131.100.24.231:80

94.23.45.86:4143

209.97.163.214:443

206.189.28.199:8080

173.212.193.249:8080

153.126.146.25:7080

51.91.76.89:8080

1.234.2.232:8080

163.44.196.120:8080

149.56.131.28:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2504 regsvr32.exe
2504 regsvr32.exe
2780 regsvr32.exe
2780 regsvr32.exe
2780 regsvr32.exe
2780 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2504 regsvr32.exe

pid	process
2504	regsvr32.exe
2504	regsvr32.exe
2780	regsvr32.exe
2780	regsvr32.exe
2780	regsvr32.exe
2780	regsvr32.exe

pid	process
2504	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2504 wrote to memory of 2780	2504	regsvr32.exe	regsvr32.exe
PID 2504 wrote to memory of 2780	2504	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8064d87e14c2e9e59b7bc7ebfd59d404a9e8ffb504c763e0444988aa5b717a30.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FrbDfyJmuTqIAv\YvDIHsR.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2504-118-0x0000000180000000-0x000000018002B000-memory.dmp

Filesize
172KB

Download
memory/2780-123-0x0000000000000000-mapping.dmp

Download