emotet | cd54167bf79900d2875cbd985d19fe4016bbb5af517280e9d705bdb885bd2300

Analysis

max time kernel
42s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-06-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hpchmqmt.dll
Size

518KB
MD5

b38d88e3af1b47c90358f3a47f90a3db
SHA1

143478e2d859486522db651777ed6cfba1c2d5c8
SHA256

cd54167bf79900d2875cbd985d19fe4016bbb5af517280e9d705bdb885bd2300
SHA512

9ac499034d3e6211c24854bc91dc4c65976c36de0843c7e94118b153fce00c105c5c634f5c4f42d48908c7930d826f7f4d11be09fae1b96968e9722cdb81f3bc

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

149.56.131.28:8080

72.15.201.15:8080

207.148.79.14:8080

82.165.152.127:8080

46.55.222.11:443

213.241.20.155:443

163.44.196.120:8080

51.254.140.238:7080

107.170.39.149:8080

188.44.20.25:443

82.223.21.224:8080

172.104.251.154:8080

164.68.99.3:8080

101.50.0.91:8080

129.232.188.93:443

173.212.193.249:8080

103.132.242.26:8080

186.194.240.217:443

37.187.115.122:8080

91.207.28.33:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1000	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1000	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1524	1000	regsvr32.exe	27
PID 1000 wrote to memory of 1524	1000	regsvr32.exe	27
PID 1000 wrote to memory of 1524	1000	regsvr32.exe	27
PID 1000 wrote to memory of 1524	1000	regsvr32.exe	27
PID 1000 wrote to memory of 1524	1000	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\hpchmqmt.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IALhVaiYuYhCxw\mTPW.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-54-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download
memory/1000-55-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download