emotet | c469a6adbc4b2be36b0fa7b33691702b6520fdcad231213808f2f938787a60e0

Analysis

max time kernel
144s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
07/11/2022, 14:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c469a6adbc4b2be36b0fa7b33691702b6520fdcad231213808f2f938787a60e0.dll
Size

790KB
MD5

c198ddfb72cff6bedb2d90e79a9254d9
SHA1

4c561ca14d518468ddd3163600b13fee696930c7
SHA256

c469a6adbc4b2be36b0fa7b33691702b6520fdcad231213808f2f938787a60e0
SHA512

3af386b6701530c9eeb4ceef9d56d21fafd5ada0af98ac2e0759fc0f5a9d50cb5b83a3eab6e636b6ee3e78f3a824f3e21d7a52e3275069ab99e32bf73bd392ee
SSDEEP

12288:D6fFQC4RqiE2zbTgqOUaUXjRMsHIPsoqupt9UlHv8Wr:D6fFQC4RpiqOUaUXjRMsHspUhvVr

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
3
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
4
-----END PUBLIC KEY-----

eck1.plain

1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
3
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
4
-----END PUBLIC KEY-----

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUpXbMcYT.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\IzyrHVkstUJD\\BUpXbMcYT.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4944	regsvr32.exe
4944	regsvr32.exe
380	regsvr32.exe
380	regsvr32.exe
380	regsvr32.exe
380	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4944	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 380	4944	regsvr32.exe	66
PID 4944 wrote to memory of 380	4944	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c469a6adbc4b2be36b0fa7b33691702b6520fdcad231213808f2f938787a60e0.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzyrHVkstUJD\BUpXbMcYT.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:380

Network

GET

https://218.38.121.17/

regsvr32.exe

Remote address:

218.38.121.17:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Cookie: zruVAROKVlNVRm=oOKiqStiIxW1Xd6Bh7J258I9F0MMcyiXzagrVM58J7tH97Dp9Y5FWCka8xbPW2VoqvOc1nuQSwS6UFp0vgkRJgA7Uk/bdKIrOfeXVotETy9qc2iivXs585MlbAh8QC2Ss8rhTLivesEYlW9OdQ7S92e+AS6iYx7PpCb5wOR3nN/YCb8xPMiGb76ry8MgvXc1OvwtxEC50xhNOq4AoPnT21nt2ujoMnDsGmL32+nOckdsa6Z+XjXJZozMjhF/W3PKyivDbUm8QM36PPH6wmSCEmKJbOkg7xszzFhmVhM7WqLetV36/4k+YkrTQMfdEEtH
Host: 218.38.121.17

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 07 Nov 2022 14:35:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

218.38.121.17:443

https://218.38.121.17/

tls, http

regsvr32.exe

1.2kB
2.6kB
11
11

HTTP Request

GET https://218.38.121.17/

HTTP Response

200
13.89.179.8:443

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4944-120-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download