Overview

overview

10

Static

static

1

emotet_v6

windows10-1703-x64

8

emotet_doc

windows10-1703-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    79s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22-03-2023 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file_1.vbs

  • Size

    89KB

  • MD5

    7559f0ff4f7e58ed031fe0b4438f4c57

  • SHA1

    e2225573a8877c057319e10029fd85b0a51375a8

  • SHA256

    73527befbcc1ec6716003fc875d578c40e3dfe619349ff288008bab33c90e5d2

  • SHA512

    252d0a52c3b7bca5ea56a14c7ad1e27967b03e3dccfc3b8d79b8e1c474ed625937719af314e74f62583c708b45b937091e8fae7f1e40e56bf261d0f839f94e4a

  • SSDEEP

    384:6/EHPbchpdLrwUkRI8K5mAX3E53EnoUyd4989GgFWfYyLxgaHxixxOD/n3FiSf+y:6/EKr9ka8yZrgGayLpbng5s6n96

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Blocklisted process makes network request 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file_1.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\rad2C67509D6darradE33979389dar.txt
      2⤵
      • Blocklisted process makes network request
      PID:4048
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\radC9A2CBF19dar\m6A4G4mav3qAukWqvhxcGCsmjysFYbEeM.dll"
        3⤵
          PID:4340
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QsJSFTkhiej\vPbrZ.dll"
            4⤵
              PID:4136

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\rad123E4.tmp.zip
        Filesize

        946KB

        MD5

        7ca680ec35e07dd962b8c96b4545463f

        SHA1

        19b4eb46bd9ba53c21fbfc87480693a2d7c05a8c

        SHA256

        c6b793d39f46f12aa90792b3d494c7b275dee962101f42d9096d7b2daf64e1e5

        SHA512

        628f74c8f109dbe40977b1b40a65b6a47f8bf6f95bfa3dbae4626c33b9c57cb8ebc8c4534275c304ec91f988f7f27ccc84c953d61f55291a61ab555c10997ead

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\rad2C67509D6darradE33979389dar.txt
        Filesize

        61KB

        MD5

        958eb4fa0bfca295216cd6027977fcb8

        SHA1

        0bc88fb4229a73152b2c33750dd5b5be52fcf287

        SHA256

        9b32ca5d8a34ae2351bc68500fb6929468c42d0ddda53fba5676410beab6d498

        SHA512

        4e4e2d84ce82eaa222180e86a2feaa7fdb19108d227ca922c69d30e30ef1ed463c41d540c25f604edd04be86f8490ae8570d2b67a97e0f9f45d048954d32787f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\radC9A2CBF19dar\m6A4G4mav3qAukWqvhxcGCsmjysFYbEeM.dll
        Filesize

        501.7MB

        MD5

        1c019e68db71c477f1e4a56b67dac7f7

        SHA1

        23e2ab5049700ab89a2cca482983e0c029ee95cf

        SHA256

        e202745c18ab4dfa3bbbef398f3fd418ae3607ac6e6c7ad447340d230709bdbc

        SHA512

        ac51733050b83621b8904aec34fad25fb0144b208eae58956e981e6588fd87b40b6a97b2cb46642fb388a41b33141501dcce3fb58dba4b99749ac823b897edcd

        Download Submit
      • \Users\Admin\AppData\Local\Temp\radC9A2CBF19dar\m6A4G4mav3qAukWqvhxcGCsmjysFYbEeM.dll
        Filesize

        502.1MB

        MD5

        c93a7d9276f2d5b2b17a10245e1bd960

        SHA1

        0e6cd74636db9a136006a4df93140fc7f95f27bf

        SHA256

        7431455afafb22a5451f7b5734dfb1b08c9b794bd8bb45a5afe9a304f05e5800

        SHA512

        e83b37e9c54a2832575260315e38b2f6390a43d9a7cdf777eb13784728a7bbfb3a5a4d31b63aba19417042eb32fdb88307520ee0728252e33ff84e32412a5754

        Download Submit
      • memory/4340-143-0x0000000002A10000-0x0000000002A6A000-memory.dmp
        Filesize

        360KB

        Download
      • memory/4340-149-0x0000000002940000-0x0000000002941000-memory.dmp
        Filesize

        4KB

        Download