Malware Analysis Report

2025-08-10 17:57

Sample ID: 230215-yphrzadd71
Target: b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c
SHA256: b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c
Tags: emotet epoch4 banker trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c

Threat Level: Known bad

The file b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan

Emotet

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-02-15 19:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-15 19:57
Reported: 2023-02-15 20:00
Platform: win7-20221111-en
Max time kernel: 31s
Max time network: 33s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c.dll

Signatures

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\WerFault.exe  C:\Windows\system32\regsvr32.exe

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 2028 wrote to memory of 1624  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\system32\WerFault.exe
PID 2028 wrote to memory of 1624  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\system32\WerFault.exe
PID 2028 wrote to memory of 1624  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\system32\WerFault.exe

All three writes go from regsvr32 (PID 2028) into the WerFault child it spawned to report its own crash (the WerFault command line below carries -p 2028, the crashing PID). That is Windows Error Reporting setting up the report, not injection into an unrelated process, and no network activity followed in this run: the payload did not run to its C2 stage on the Windows 7 image.

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c.dll

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2028 -s 220

Network

N/A

Files

memory/2028-54-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

memory/1624-55-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-15 19:57
Reported: 2023-02-15 19:59
Platform: win10v2004-20221111-en
Max time kernel: 89s
Max time network: 96s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c.dll

Signatures

Emotet

trojan banker emotet

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\regsvr32.exe  N/A
N/A          N/A        C:\Windows\system32\regsvr32.exe  N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c.dll
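Both runs start the sample the same way, regsvr32 /s loading a DLL from the user's Temp directory (ATT&CK T1218.010, Regsvr32 proxy execution, which the report's MITRE section leaves as N/A), and the Windows 7 run then shows regsvr32 writing into the WerFault process it spawned. The following is an added example, not part of the sandbox report, that encodes both observations as detection logic over Sysmon-style process-creation events. The three events are constructed from the command lines the report lists; the explorer.exe parent and its PID 1400, and the msxml3.dll control case, are assumptions for illustration.

```python
"""Added example (not from the sandbox report): classify the process events
the two runs above list.  The three events below are constructed from the
report's command lines; the parent explorer.exe with PID 1400 is assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event, Sysmon Event ID 1 style."""
    pid: int
    parent_pid: int
    image: str
    cmdline: str
    parent_image: str


# DLL path handed to regsvr32; the /s (silent) switch is optional.
REGSVR_DLL = re.compile(r'regsvr32(?:\.exe)?\s+(?:/s\s+)?"?([^"\s]+\.dll)"?', re.I)
# User-writable staging locations a registered COM server has no business living in.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.I)
# WerFault's -p argument names the PID it is reporting on.
WER_TARGET_PID = re.compile(r"-p\s+(\d+)", re.I)


def classify(ev: ProcEvent) -> str:
    """Verdict for one event: 'suspicious: ...', 'benign: ...' or 'review: ...'."""
    image = ev.image.lower()
    if image.endswith("\\regsvr32.exe"):
        m = REGSVR_DLL.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            # ATT&CK T1218.010: regsvr32 proxying execution of a dropped DLL.
            return "suspicious: regsvr32 loading DLL from user-writable path"
        return "benign: regsvr32 with system DLL"
    if image.endswith("\\werfault.exe"):
        m = WER_TARGET_PID.search(ev.cmdline)
        if m and int(m.group(1)) == ev.parent_pid:
            # The parent wrote into this child to set up crash reporting on itself;
            # the WriteProcessMemory hits in behavioral1 are this, not injection.
            return "benign: WER crash report on parent process"
        return "review: WerFault not reporting on its parent"
    return "unclassified"


def triage(events):
    """PIDs whose verdict is not benign, in event order."""
    return [ev.pid for ev in events if not classify(ev).startswith("benign")]


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b481ac05ea9a59eedf6233166327057279babef26c913a8e89536472b192e86c.dll")

EVENTS = [
    ProcEvent(2028, 1400, r"C:\Windows\system32\regsvr32.exe",
              f"regsvr32 /s {SAMPLE_DLL}", r"C:\Windows\explorer.exe"),
    ProcEvent(1624, 2028, r"C:\Windows\system32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 2028 -s 220",
              r"C:\Windows\system32\regsvr32.exe"),
    # Constructed control case: the same launcher registering a system DLL.
    ProcEvent(3100, 1400, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\msxml3.dll", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, ev.image.rsplit("\\", 1)[-1], "->", classify(ev))
    print("flagged:", triage(EVENTS))
```

The WerFault rule matters for alert quality: a WriteProcessMemory from a parent into a WerFault child whose -p argument is the parent's own PID is the crash-reporting handshake and should not be scored as process injection, whereas a WerFault reporting on some other PID deserves a second look.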

Network

Country  Destination           Domain                       Proto
US       52.109.13.63:443      -                            tcp
US       72.21.81.240:80       -                            tcp
FR       176.31.73.90:443      -                            tcp
SG       45.76.159.214:8080    -                            tcp
CA       138.197.147.101:443   -                            tcp
NL       104.80.225.205:443    -                            tcp
US       52.242.97.97:443      -                            tcp
US       104.168.154.79:8080   -                            tcp
CA       149.56.131.28:8080    -                            tcp
US       72.21.81.240:80       -                            tcp
US       72.21.81.240:80       -                            tcp
US       8.8.8.8:53            96.108.152.52.in-addr.arpa   udp
DE       5.9.116.246:8080      -                            tcp
NL       77.81.247.144:8080    -                            tcp
DE       172.104.251.154:8080  172.104.251.154              tcp
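The network table is the part of this report an analyst actually carries away, and it needs cleaning before it becomes an indicator list: one endpoint is repeated three times, one row is a reverse-DNS query to a public resolver rather than a peer the sample chose, and the port-80/443 destinations mix sample traffic with whatever the Windows image talks to on its own, so they should be compared against a clean-run baseline before being called C2. The script below is an added example, not tooling from the sandbox vendor; it transcribes the rows above, decodes the in-addr.arpa name, and emits a deduplicated TCP endpoint list with a per-port breakdown. Treating 8.8.8.8 as the sandbox's resolver is an assumption.

```python
"""Added example (not part of the report): parse the flattened Network
table from behavioral2 into a deduplicated endpoint list.  NETWORK_ROWS is
transcribed from the table above; RESOLVERS is an assumed allow-list.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NETWORK_ROWS = """\
US 52.109.13.63:443 tcp
US 72.21.81.240:80 tcp
FR 176.31.73.90:443 tcp
SG 45.76.159.214:8080 tcp
CA 138.197.147.101:443 tcp
NL 104.80.225.205:443 tcp
US 52.242.97.97:443 tcp
US 104.168.154.79:8080 tcp
CA 149.56.131.28:8080 tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
DE 5.9.116.246:8080 tcp
NL 77.81.247.144:8080 tcp
DE 172.104.251.154:8080 172.104.251.154 tcp
"""

RESOLVERS = {"8.8.8.8"}  # assumed: the sandbox's DNS resolver, not a sample-chosen peer


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    proto: str
    domain: Optional[str]  # only present when the report recorded a name


def parse_rows(text: str) -> list:
    """Each row is 'CC ip:port [domain] proto'; the domain column is optional."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue  # header, blank or malformed line
        country, dest, proto = parts[0], parts[1], parts[-1].lower()
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), proto, domain))
    return conns


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-DNS query name: 96.108.152.52.in-addr.arpa -> 52.152.108.96."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def candidate_c2(conns, ignore=frozenset(RESOLVERS)) -> list:
    """Unique TCP ip:port strings in first-seen order, minus the ignore list.

    Repeated rows (72.21.81.240:80 appears three times) collapse to one entry.
    """
    seen = []
    for c in conns:
        if c.proto != "tcp" or c.ip in ignore:
            continue
        endpoint = f"{c.ip}:{c.port}"
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


def port_histogram(endpoints) -> dict:
    """Number of distinct endpoints per destination port."""
    return dict(Counter(int(e.rsplit(":", 1)[1]) for e in endpoints))


if __name__ == "__main__":
    conns = parse_rows(NETWORK_ROWS)
    c2 = candidate_c2(conns)
    print(f"{len(conns)} rows, {len(c2)} unique TCP endpoints")
    print("by port:", port_histogram(c2))
    for c in conns:
        if c.domain and c.domain.endswith(".in-addr.arpa"):
            print("PTR lookup for", ptr_to_ip(c.domain), "via", c.ip)
```

Run on the rows above this yields 12 unique TCP endpoints, six of them on port 8080. The decoded PTR target, 52.152.108.96, is not among the contacted endpoints, which is another reason to keep the DNS row out of the indicator list rather than copy it across as-is.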

Files

memory/4916-132-0x0000000180000000-0x000000018002B000-memory.dmp