emotet | 52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b

Analysis

max time kernel
29s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-04-2023 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
Size

216KB
MD5

b0be1a8f052808add496c879ad361fec
SHA1

72326bac487e5d2c9e5b12abacb84d0213f9c27c
SHA256

52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b
SHA512

8fa61c1e199dcaba0dfe0559e5eda62a547fc289ccf0ee357c36e7768f30e7ee16a3175c8d8924ed96d144b1af485efd3754aa419ac36415e775c01dc67e85e3
SSDEEP

3072:lZ6B8Yv529XVNWfb3ClcrIzp9SWXeA3f4jfsun6C7jtom6Xaplwz:lG8j7Wz3vrIiWOAvUfsun6Cycwz

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

174.136.15.27:8080

185.122.58.89:443

66.42.57.149:443

159.69.237.188:443

78.47.204.80:443

54.38.242.185:443

37.44.244.177:8080

185.148.168.220:8080

217.182.143.207:443

198.199.98.78:8080

139.196.72.155:8080

59.148.253.194:443

195.77.239.39:8080

210.57.209.142:8080

128.199.192.135:8080

173.203.78.138:443

62.171.178.147:8080

85.214.67.203:8080

185.148.168.15:8080

191.252.103.16:80

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1136	1208	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe
PID 1136 wrote to memory of 2020	1136	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll",DllRegisterServer
3⤵
PID:2020

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-54-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download