emotet | 6325e94ca59f6d33e29dabfa2cbcaf54565549bdee81b56348aab4e088e84166

Resubmissions

08-12-2022 04:23

221208-ez3qcaha33 10

29-11-2022 08:08

221129-j128esec3s 10

24-11-2022 05:07

221124-fr44waba69 10

Analysis

max time kernel
566s
max time network
612s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6325e94ca59f6d33e29dabfa2cbcaf54565549bdee81b56348aab4e088e84166.dll
Size

660KB
MD5

85178f44f970555523bc751770853851
SHA1

a6d5a6e3128ac82ff6208b2939f8a691ddaa237f
SHA256

6325e94ca59f6d33e29dabfa2cbcaf54565549bdee81b56348aab4e088e84166
SHA512

093ab82623c4747b703f584894b80ba4130e03a32fb05453e1d6dfce2125267e760bdcdc44f0158b4dbbab571bf372981316de6240f76cc4bc20b43a6338b1b6
SSDEEP

12288:H6NFi+qz19gtAgY2tiZl4G/aukg78I8v4lSRi4gu2CTRD:aNY19gigZtiZypukmQAlQEG

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1120 regsvr32.exe
760 regsvr32.exe
760 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1120 regsvr32.exe

pid	process
1120	regsvr32.exe
760	regsvr32.exe
760	regsvr32.exe

pid	process
1120	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1120 wrote to memory of 760	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 760	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 760	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 760	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 760	1120	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6325e94ca59f6d33e29dabfa2cbcaf54565549bdee81b56348aab4e088e84166.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TdjjpNdTZEdVueWq\OVdMmRmHCeGt.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-58-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1120-55-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download