emotet | 5cf5fffcedad7b31530dab3beae6a9c5f8e6d0c3791d5495023bf9b329471095

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crGw6bNNNweuGlL07he.dll
Size

523.5MB
MD5

0650c03256eeaaa94e3c34546c35ad51
SHA1

a34a1e8ccd87c1a7c4b5c2941438fe8691cbe6d9
SHA256

7edb4423d8deb5a9ed72bf6977a31f1cbeb6bdde8512b3650cfcea96ee5b7a53
SHA512

d1217c4b26ff372072366a3ddbee9fa77c762d7a852e6a913ec1b214701708f72170bb68015f4ebca283530a6dc562eb327b3d7883041b6b72a60c4183abfab5
SSDEEP

6144:ZS+strpYZOLnN6zBiWmLcipbxTV5bEgWrhTmi3ve2vof2PPMIf39yeuLcLwdi:ZbapYTiDcidxTJUdpe2vofQMIfUb

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
996	regsvr32.exe
1380	regsvr32.exe
1380	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
996	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1380	996	regsvr32.exe	28
PID 996 wrote to memory of 1380	996	regsvr32.exe	28
PID 996 wrote to memory of 1380	996	regsvr32.exe	28
PID 996 wrote to memory of 1380	996	regsvr32.exe	28
PID 996 wrote to memory of 1380	996	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\crGw6bNNNweuGlL07he.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UtcRshAffs\fqukyWP.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-54-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/996-57-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download