emotet | 8582757782e4048ba84898de0953c7c9710d84c2e764d1fca8b1d393c436dbc8

Analysis

max time kernel
148s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tPuBVdK7di.dll
Size

527.5MB
MD5

d4d306a6d9d1ae637e0cfacf04f7431a
SHA1

68b7fb0aa0d65569aa62937620f58a50bd3e9fdd
SHA256

a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2
SHA512

d473a2c746eba2b0add8252f5d44eca39b5a862978de80bc8e0d83f3adfee4601f21bcba3f63caa4fda02fc4c79cae704ac0905f4c938af8abbc2381332f682c
SSDEEP

6144:ZS+strpYZOLnN6zBiWmLcipbxTV5bEgWrhTmi3ve2vof2PPMIf39yeuLcLwdi:ZbapYTiDcidxTJUdpe2vofQMIfUb

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1700 regsvr32.exe
1388 regsvr32.exe
1388 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1700 regsvr32.exe

pid	process
1700	regsvr32.exe
1388	regsvr32.exe
1388	regsvr32.exe

pid	process
1700	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1700 wrote to memory of 1388	1700	regsvr32.exe	regsvr32.exe
PID 1700 wrote to memory of 1388	1700	regsvr32.exe	regsvr32.exe
PID 1700 wrote to memory of 1388	1700	regsvr32.exe	regsvr32.exe
PID 1700 wrote to memory of 1388	1700	regsvr32.exe	regsvr32.exe
PID 1700 wrote to memory of 1388	1700	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tPuBVdK7di.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FGgveow\vdGEYBGA.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-54-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/1700-57-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download