emotet | 2c32af20df67b9cab5b5debbdbcc283edb0b50db641763833465cbee1553fd83

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5606f22b9eaf1690e284355551c0ed514b27d18216be1afd2aa372b28317003d.dll
Size

805KB
MD5

4b5b064eedb7a52b11a947439643359c
SHA1

6f9882c8180e2d04f95466ad56f90aae4e6dc060
SHA256

5606f22b9eaf1690e284355551c0ed514b27d18216be1afd2aa372b28317003d
SHA512

7a785e9aac036eb7f60a6d761813f7ddc1e12f03dfa764bb8f7c0fa6180d9377802ca7bdc7102111f92cbff8955b46e4da7b189ff8fa15ec3d4df81227fc46f8
SSDEEP

12288:zuZ0VaBZTXdQfRTBZP0SBK6DjNN6+Yyd9gHg8zUXv31K5poRoMJUHUjPbs:wdKsxejNNZbug8o+2

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

186.250.48.5:80

168.119.39.118:443

185.168.130.138:443

190.90.233.66:443

159.69.237.188:443

54.37.228.122:443

93.104.209.107:8080

185.148.168.15:8080

198.199.98.78:8080

87.106.97.83:7080

195.77.239.39:8080

37.44.244.177:8080

54.38.242.185:443

185.184.25.78:8080

116.124.128.206:8080

139.196.72.155:8080

128.199.192.135:8080

103.41.204.169:8080

78.47.204.80:443

68.183.93.250:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4288 regsvr32.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Hgusjhpnna\dggjwz.yns regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4288 regsvr32.exe
4288 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

4616 regsvr32.exe

pid	process
4288	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Hgusjhpnna\dggjwz.yns	regsvr32.exe

pid	process
4288	regsvr32.exe
4288	regsvr32.exe

pid	process
4616	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 372 wrote to memory of 4616	372	regsvr32.exe	regsvr32.exe
PID 372 wrote to memory of 4616	372	regsvr32.exe	regsvr32.exe
PID 372 wrote to memory of 4616	372	regsvr32.exe	regsvr32.exe
PID 4616 wrote to memory of 4288	4616	regsvr32.exe	regsvr32.exe
PID 4616 wrote to memory of 4288	4616	regsvr32.exe	regsvr32.exe
PID 4616 wrote to memory of 4288	4616	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5606f22b9eaf1690e284355551c0ed514b27d18216be1afd2aa372b28317003d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\5606f22b9eaf1690e284355551c0ed514b27d18216be1afd2aa372b28317003d.dll
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Hgusjhpnna\dggjwz.yns"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hgusjhpnna\dggjwz.yns

Filesize
805KB

MD5
4b5b064eedb7a52b11a947439643359c

SHA1
6f9882c8180e2d04f95466ad56f90aae4e6dc060

SHA256
5606f22b9eaf1690e284355551c0ed514b27d18216be1afd2aa372b28317003d

SHA512
7a785e9aac036eb7f60a6d761813f7ddc1e12f03dfa764bb8f7c0fa6180d9377802ca7bdc7102111f92cbff8955b46e4da7b189ff8fa15ec3d4df81227fc46f8

Download Submit
memory/4288-136-0x0000000000000000-mapping.dmp

Download
memory/4288-138-0x0000000002CE0000-0x0000000002D07000-memory.dmp

Filesize
156KB

Download
memory/4616-132-0x0000000000000000-mapping.dmp

Download
memory/4616-133-0x0000000002380000-0x00000000023A7000-memory.dmp

Filesize
156KB

Download