emotet | 31fb4bf411dcd7fcb860bdb1db26859290b047b39b94638a7d4fd2a46d323e98

General

Target

vbn540.vbs
Size

88KB
MD5

9eae6f49a02d6eb9f75af7bbf4349808
SHA1

2caf7ddeb9fc1d6076558661ef69b9638cfd2e7b
SHA256

31fb4bf411dcd7fcb860bdb1db26859290b047b39b94638a7d4fd2a46d323e98
SHA512

37b45c58efd8c2bee66c30bca4a3777d5b6ba39e97d34baa8e7bc27fb083397d818a2708cbcf7d4704398fdfff4cbc17abff68b33294292413527702c1ad7eef
SSDEEP

768:vvQxmTUdOGFf77IlCpfj2d7gtD/uqDX4l8EE1:vvQxxOGV77Fj2sDRX4lG1

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	2656	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
4216	regsvr32.exe
944	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eZkGmZN.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LHNZlmymDj\\eZkGmZN.dll\""	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4216	regsvr32.exe
4216	regsvr32.exe
944	regsvr32.exe
944	regsvr32.exe
944	regsvr32.exe
944	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2656	1420	WScript.exe	92
PID 1420 wrote to memory of 2656	1420	WScript.exe	92
PID 2656 wrote to memory of 4216	2656	wscript.exe	100
PID 2656 wrote to memory of 4216	2656	wscript.exe	100
PID 4216 wrote to memory of 944	4216	regsvr32.exe	101
PID 4216 wrote to memory of 944	4216	regsvr32.exe	101

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbn540.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\radD354ABEA0darrad1FF4637DFdar.txt
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\radC924C71E2dar\3Gw91Oh.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LHNZlmymDj\eZkGmZN.dll"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad3A62E.tmp.zip

Filesize
978KB

MD5
732cbd16f6f3384f94eb7855707cbdfe

SHA1
0cc9b61ed379d2aa62b3453796732b0bc7b2005d

SHA256
ab6dbb617473d38420f0593186c596fcce85ee838e169c0cba269ba8f5cf4539

SHA512
2cc43d9a26daf1780f2c8c23b94f771714a3c85c62672f9ff9f2c4a820869725a057b6dc7914173b19e9b324ab7b660cd240a4df4351c21cc4acfc740451351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\radC924C71E2dar\3Gw91Oh.dll

Filesize
437.1MB

MD5
c40650a35b560f5eb4918b17eea79e33

SHA1
26981ce2ca440698935f58e5fc4870ff0a087e54

SHA256
cc0447fcdee24473a387dc642aa9a734ecd4d3b82ac039275dc3a29bb7c5c450

SHA512
335a30fc70d90a7fbf634a6a47fc492531a8fca289ba10503a73311f056d9266fb7b28ce90e78dc8c1ffae3d549ebffa07d6e95607f31d9125ef216c15ce9877

Download Submit
C:\Users\Admin\AppData\Local\Temp\radC924C71E2dar\3Gw91Oh.dll

Filesize
413.1MB

MD5
93c5c26eedce59fd9b47fe9feb37720e

SHA1
60fc3078a1f5d414bc9e7a8d37963ea1575dd787

SHA256
e966d134282116a30c14f698906668637500b0ef98069d00b92f7d9e5db5773d

SHA512
adb0a066a25f94dd0eb9a1572b0d1626d6eac62d10317b7c6a625f280f1c3b8e615dd472c2d74d6bde6702b4ca76ff0213da53fb21071165aca6b69226cd5c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\radD354ABEA0darrad1FF4637DFdar.txt

Filesize
61KB

MD5
1aa67b0b904cd763bc3818467b021b3c

SHA1
687946e6661f96d332b8e57cab5ab2e84ca17071

SHA256
0fc30c263b4e947d2b4f7ca5e1ee57e2aa4a4e885796f15cd3e16fb03f255716

SHA512
9f8d53567998c8beb7977c470e09d4ad1a41da2555d6b7ca0b7525f70f6bba5f818aaf9a5dcbb57c7b9842e937eb5a7a64f45394f42afb2a78b09dee1493a7be

Download Submit
C:\Windows\System32\LHNZlmymDj\eZkGmZN.dll

Filesize
414.3MB

MD5
b64c7ff1f58587da6bcbb6f85cf72cdd

SHA1
3c83bf69467b94ce6897ad94c54ab2d296991896

SHA256
7bc7ad69a6e72441fb81ba05048cfca53627346648f95218739eb89f008ac7dd

SHA512
044cfff061ecc927eed85275db2576119f41fcae981321b6b69aeb9b69d649b19d943206083b0756b46e2c6a0c549f1bb00f0552cdc7afb09949c14517d46dec

Download Submit
memory/4216-157-0x0000000002180000-0x00000000021DA000-memory.dmp

Filesize
360KB

Download
memory/4216-161-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing