emotet | ce6de764748306acdfecef18882422bc786ea52c5afa447d9a278b1bea6ddd81

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 00:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f48fe1201353745f03e44acf6928f10fc400a59.dll
Size

664KB
MD5

6e7e64a0afbeb239d1217d7bee5d41a1
SHA1

2f48fe1201353745f03e44acf6928f10fc400a59
SHA256

a8506250d9a0532b403866f5d5d91298bd06dc0826cffe794fdb7f73cd19083f
SHA512

e3f8286c1419bb6aa43c6bf9cdc6cf97902eb6a4c092894ca686945f1307ac7adbc943ffd3b6db7639680b3311e5fe65e1c172a3d1f029148ea3742c8c0cce9a
SSDEEP

12288:Z6ZLutvgrwV8RQc5W1yS0ezL9J6XKue/vyzfANcN/kJhXx5y:qza8RQc5W1P0Q9sXKuLzflBkn

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

135.148.121.246:8080

213.190.4.223:7080

175.107.196.192:80

46.55.222.11:443

153.126.203.229:8080

138.185.72.26:8080

45.118.135.203:7080

107.182.225.142:8080

195.154.133.20:443

79.172.212.216:8080

129.232.188.93:443

50.30.40.196:8080

131.100.24.231:80

58.227.42.236:80

216.158.226.206:443

45.118.115.99:8080

51.254.140.238:7080

173.212.193.249:8080

110.232.117.186:8080

81.0.236.90:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Loads dropped DLL 1 IoCs

pid	Process
4552	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Deoobet\ttrdjpi.jau	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4552	regsvr32.exe
4552	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4724	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4724	2072	regsvr32.exe	84
PID 2072 wrote to memory of 4724	2072	regsvr32.exe	84
PID 2072 wrote to memory of 4724	2072	regsvr32.exe	84
PID 4724 wrote to memory of 4552	4724	regsvr32.exe	85
PID 4724 wrote to memory of 4552	4724	regsvr32.exe	85
PID 4724 wrote to memory of 4552	4724	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2f48fe1201353745f03e44acf6928f10fc400a59.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2f48fe1201353745f03e44acf6928f10fc400a59.dll
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Deoobet\ttrdjpi.jau"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deoobet\ttrdjpi.jau

Filesize
664KB

MD5
6e7e64a0afbeb239d1217d7bee5d41a1

SHA1
2f48fe1201353745f03e44acf6928f10fc400a59

SHA256
a8506250d9a0532b403866f5d5d91298bd06dc0826cffe794fdb7f73cd19083f

SHA512
e3f8286c1419bb6aa43c6bf9cdc6cf97902eb6a4c092894ca686945f1307ac7adbc943ffd3b6db7639680b3311e5fe65e1c172a3d1f029148ea3742c8c0cce9a

Download Submit
memory/4552-137-0x0000000002D90000-0x0000000002DB6000-memory.dmp

Filesize
152KB

Download
memory/4724-133-0x0000000002A20000-0x0000000002A46000-memory.dmp

Filesize
152KB

Download