emotet | 7c6169995fbc6d4958973a427c9f205e287fcd079047d771d607697553c9b603

Analysis

max time kernel
89s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19-03-2023 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c6169995fbc6d4958973a427c9f205e287fcd079047d771d607697553c9b603.dll
Size

416KB
MD5

da5baf94542aeb62a5f13de9be236238
SHA1

16bd03272d6a8c2e60dddfe8a9f6195707d2f932
SHA256

7c6169995fbc6d4958973a427c9f205e287fcd079047d771d607697553c9b603
SHA512

d0ccd4383684709bf9a0fa97a969a4f8f46dccd4610cb9ee447cf64f7615c85cb5fc930e14640839c0c48ccb29afac27db1fb8f42c6d862b41e0b2a1ac6bf66a
SSDEEP

6144:SPfL3IhB7K9ejouX3ULYTqnE5AEJhSoRphbDGbvWkCTyQ5GZalsGCIpbjGs3:S779ejdnUL5dAb6qk4yHZY/

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

175.126.176.79:8080

188.225.32.231:4143

64.227.55.231:8080

87.106.97.83:7080

167.86.75.145:443

103.41.204.169:8080

88.217.172.165:8080

178.62.112.199:8080

165.232.185.110:8080

54.37.228.122:443

202.29.239.162:443

37.44.244.177:8080

139.196.72.155:8080

157.245.111.0:8080

36.67.23.59:443

190.145.8.4:443

103.254.12.236:7080

202.134.4.210:7080

190.107.19.179:443

165.22.254.236:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3648 regsvr32.exe
3648 regsvr32.exe
3476 regsvr32.exe
3476 regsvr32.exe
3476 regsvr32.exe
3476 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3648 regsvr32.exe

pid	process
3648	regsvr32.exe
3648	regsvr32.exe
3476	regsvr32.exe
3476	regsvr32.exe
3476	regsvr32.exe
3476	regsvr32.exe

pid	process
3648	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3648 wrote to memory of 3476	3648	regsvr32.exe	regsvr32.exe
PID 3648 wrote to memory of 3476	3648	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6169995fbc6d4958973a427c9f205e287fcd079047d771d607697553c9b603.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UAExOaNSrgGXFa\EzDO.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3648-119-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download
memory/3648-124-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download