emotet | d8cca538ecd91252ed5294bd8bbbb5772245e8b1315fd9723e1f08ee4ef6958d

Analysis

max time kernel
63s
max time network
126s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-03-2023 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8cca538ecd91252ed5294bd8bbbb5772245e8b1315fd9723e1f08ee4ef6958d.js
Size

116KB
MD5

ad0358aa96105ca02607a7605f3a1e80
SHA1

d64a68d180d675170062ce13014a479ebe1de5d8
SHA256

d8cca538ecd91252ed5294bd8bbbb5772245e8b1315fd9723e1f08ee4ef6958d
SHA512

5fe4924d1dd39cde2899e8937d8271c3f9394d4a149818d6e1e4fc83b35b30c810fe6b68dfcdd49a77d0cb9de1b996903213b92bbba64ecde8bc9341f55a5342
SSDEEP

1536:Fb0e89MxTP6Pwp8R2ql1uFCijDfshsxEA5S6ZR5lLXG6OBrmEoBqkZYK8ApTz:FbJDDO7UckjjwQz

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 12 IoCs

Processes:

wscript.exe

flow	pid	process
2	2484	wscript.exe
3	2484	wscript.exe
6	2484	wscript.exe
9	2484	wscript.exe
12	2484	wscript.exe
15	2484	wscript.exe
18	2484	wscript.exe
20	2484	wscript.exe
23	2484	wscript.exe
25	2484	wscript.exe
28	2484	wscript.exe
30	2484	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3664 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3664 regsvr32.exe
3664 regsvr32.exe

pid	process
3664	regsvr32.exe

pid	process
3664	regsvr32.exe
3664	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exeregsvr32.exe

description	pid	process	target process
PID 2484 wrote to memory of 3664	2484	wscript.exe	regsvr32.exe
PID 2484 wrote to memory of 3664	2484	wscript.exe	regsvr32.exe
PID 3664 wrote to memory of 4156	3664	regsvr32.exe	regsvr32.exe
PID 3664 wrote to memory of 4156	3664	regsvr32.exe	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d8cca538ecd91252ed5294bd8bbbb5772245e8b1315fd9723e1f08ee4ef6958d.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\x8hejvhul\Dg86BueaNSrCPGYpNDElDrJcBTii0ET.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BFbxFdGRqKXeVU\fRplb.dll"
    3⤵
    PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bxxhfhr5u.zip

Filesize
973KB

MD5
8c6c51e0cad3ddfca048bb85fa5553e6

SHA1
d2e1024fbdfdf9cd1beb80417c25198c635cb853

SHA256
b899c4832f58de9e51a3897847fafa97f3fe1dc1d713fe20e529750437324a73

SHA512
e3be9d4289dac64fde940ef8adf1c08417982a9e31b3d80d98c8058bcc8c3a709c258dc96c2469180181eedf9f81da05b7f0e1b4763ca7c1d9cb3e7b38ec1176

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8hejvhul\Dg86BueaNSrCPGYpNDElDrJcBTii0ET.dll

Filesize
533.9MB

MD5
6c442d3235f3e60f7a9ea3efca0289ab

SHA1
98a3e3afbac75a582ffbc6d67c39a67fa7c97f63

SHA256
9dd2387b18930f0dc67917b2b14c9146bfc6f395fe917d8decc3263011797efa

SHA512
0a40b46ecde2142f60aaa406ddc06d912c8deb4fee14716de31e23b74718531c003ee6adebb10e47325c3fd67a1f7ef5ff51c72e9abddc7d18ed4bbb8ce9ab24

Download Submit
\Users\Admin\AppData\Local\Temp\x8hejvhul\Dg86BueaNSrCPGYpNDElDrJcBTii0ET.dll

Filesize
533.9MB

MD5
6c442d3235f3e60f7a9ea3efca0289ab

SHA1
98a3e3afbac75a582ffbc6d67c39a67fa7c97f63

SHA256
9dd2387b18930f0dc67917b2b14c9146bfc6f395fe917d8decc3263011797efa

SHA512
0a40b46ecde2142f60aaa406ddc06d912c8deb4fee14716de31e23b74718531c003ee6adebb10e47325c3fd67a1f7ef5ff51c72e9abddc7d18ed4bbb8ce9ab24

Download Submit
memory/3664-171-0x00000000024C0000-0x000000000251A000-memory.dmp

Filesize
360KB

Download
memory/3664-177-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download