Analysis

  • max time kernel
    86s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30/06/2022, 06:51 UTC

General

  • Target

    dh.net.br_z8aaeYeueGKQNTbu5rU0VSt87t0I9.dll

  • Size

    308KB

  • MD5

    3b5f584e27398b16ba2b9e063f0c5c07

  • SHA1

    54e147ae3af87f7b4b02cf87c85f8559ca348024

  • SHA256

    c20e996d1bca9feb6e3c2a12c1036a42f12708082f0c30b9fc02c1a963b85ec4

  • SHA512

    2006ee588e3b013a28c1bb6d0217e6e57a72e8533befade8be0b9ff527ef6b0e1f9d6e288f40d65e36ce05a46de3c89c974207567306f90b288b8c18c2af4f42

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

82.165.152.127:8080

51.161.73.194:443

103.75.201.2:443

5.9.116.246:8080

213.241.20.155:443

79.137.35.198:8080

119.193.124.41:7080

186.194.240.217:443

172.105.226.75:8080

150.95.66.124:8080

131.100.24.231:80

94.23.45.86:4143

209.97.163.214:443

206.189.28.199:8080

173.212.193.249:8080

153.126.146.25:7080

51.91.76.89:8080

1.234.2.232:8080

163.44.196.120:8080

149.56.131.28:8080

eck1.plain
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----

ecs1.plain
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dh.net.br_z8aaeYeueGKQNTbu5rU0VSt87t0I9.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WeKLAjVWdzCcALNR\HFkINokrcWLwcRe.dll"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1712

Network

  • flag-jp
    GET
    https://139.162.113.169:8080/
    regsvr32.exe
    Remote address:
    139.162.113.169:8080
    Request
    GET / HTTP/1.1
    Cookie: cPtLcIQgXirc=zz0WphaGlCCTB6QrJE0UzfDNy7fuIdwFWtumcauTgcOL8BaobYp02qnRZoKSC+BV8S4AUqvz8MTar0o4qK41Kh8uemqe5i1YskgbvEy5v6C9bX+uD9U+vI/Ow5C8K9wsCe6qDA/zKB6HGoHDy4vONMto9D3eHe966qP6vw/L0+mI+BxbP3vyMMeVuEx/p4+hOA/CdrM7Ty27DEpVTzFB9pkABWSl7GgIjG/vUV3f7DFR4PVO0xFU3iIprN6pq0DE0tfqVFZ5Z1dMHF8NC1ZIX+yptJ3mzdXnXNHwAyCTHN9KpFpcfv6csejTSdzPmXG0qdTF2s+BQ0RL
    Host: 139.162.113.169:8080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 30 Jun 2022 06:53:11 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
  • flag-us
    GET
    https://135.148.6.80/
    regsvr32.exe
    Remote address:
    135.148.6.80:443
    Request
    GET / HTTP/1.1
    Cookie: eJwyj=zz0WphaGlCCTB6QrJE0UzfDNy7fuIdwFWtumcauTgcOL8BaobYp02qnRZoKSC+BV8S4AUqvz8MTar0o4qK41Kh8uemqe5i1YskgbvEy5v6C9bX+uD9U+vI/Ow5C8K9wsCe6qDA/zKB6HGoHDy4vONMto9D3eHe966qP6vw/L0+mI+BxbP3vyMMeVuEx/p4+hOA/CdrM7Ty27DEpVTzFB9ttp9dCjGwLC1QCMUyJJ8XPz3uyux3VGyx+OpcPLSqXKagh8rDd64+lErNXpzcWs
    Host: 135.148.6.80
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 30 Jun 2022 06:53:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 45.76.181.158:443
    regsvr32.exe
    152 B
    3
  • 45.76.181.158:443
    regsvr32.exe
    152 B
    3
  • 139.162.113.169:8080
    https://139.162.113.169:8080/
    tls, http
    regsvr32.exe
    1.4kB
    2.8kB
    13
    11

    HTTP Request

    GET https://139.162.113.169:8080/

    HTTP Response

    404
  • 135.148.6.80:443
    https://135.148.6.80/
    tls, http
    regsvr32.exe
    1.2kB
    4.1kB
    11
    11

    HTTP Request

    GET https://135.148.6.80/

    HTTP Response

    200

MITRE ATT&CK Matrix


Downloads

  • memory/1652-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

    Filesize

    8KB

  • memory/1652-55-0x0000000180000000-0x000000018002B000-memory.dmp

    Filesize

    172KB
