emotet | 907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f

Analysis

max time kernel
144s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
04/11/2022, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll
Size

887KB
MD5

d9a07944f3ea275a3eda4d345d110a56
SHA1

3b847bb8106fbdefad65449810b2b897bda7b163
SHA256

907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f
SHA512

a4f24dc3c8847800be2ba1971287ee2df8b813a3ce9ee5c2703b2ec78335904ef6da7b57c9a58aa99ce0831bcefc4c740105a242ecc6950dd6b6c6fcc4b9df8e
SSDEEP

12288:A0BQgtzAxM8q6BkmkxisTsxwJzCQ6TZ56lu4Vp4y1F9SFXCwQ7bk:Ar6zAxVq6Bkm7saIzCXTZxUJFcK

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YjZGmkrHITl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\YRTRgdIIt\\YjZGmkrHITl.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2016	regsvr32.exe
2016	regsvr32.exe
2240	regsvr32.exe
2240	regsvr32.exe
2240	regsvr32.exe
2240	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2016	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2240	2016	regsvr32.exe	66
PID 2016 wrote to memory of 2240	2016	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YRTRgdIIt\YjZGmkrHITl.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-120-0x00000000025F0000-0x0000000002620000-memory.dmp

Filesize
192KB

Download