Malware Analysis Report

2025-08-05 12:45

Sample ID 230308-jh1xmsec3v
Target 0A4bnyb9ltzha9k.zip
SHA256 f51c81ec5c615651109c343acc8f7a712a78801b83fabd0b0925a2abde9629ff
Tags
emotet epoch4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f51c81ec5c615651109c343acc8f7a712a78801b83fabd0b0925a2abde9629ff

Threat Level: Known bad

The file 0A4bnyb9ltzha9k.zip was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan

Emotet

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-03-08 07:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 07:40

Reported

2023-03-08 07:45

Platform

win7-20230220-en

Max time kernel

149s

Max time network

157s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d43w33NCMhh4esEWRu9shhpECdd2BAg.dll

Signatures

Emotet

trojan banker emotet

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 268 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d43w33NCMhh4esEWRu9shhpECdd2BAg.dll

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QQiixqLQLjOtSPtU\XIXSUzKhD.dll"

Network

Country Destination Domain Proto

Files

memory/1420-54-0x0000000001DC0000-0x0000000001E70000-memory.dmp

memory/1420-56-0x0000000180000000-0x000000018002D000-memory.dmp

memory/1420-59-0x0000000000130000-0x0000000000131000-memory.dmp

memory/268-60-0x0000000001E40000-0x0000000001EF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 07:40

Reported

2023-03-08 07:45

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d43w33NCMhh4esEWRu9shhpECdd2BAg.dll

Signatures

Emotet

trojan banker emotet

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 3324 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d43w33NCMhh4esEWRu9shhpECdd2BAg.dll

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PasdjQmaiQgMYT\VzSFsIOhVNyt.dll"

Network

Country Destination Domain Proto

Files

memory/5056-133-0x0000000180000000-0x000000018002D000-memory.dmp

memory/5056-136-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/3324-140-0x0000000000400000-0x00000000004B0000-memory.dmp