Overview

overview

10

Static

static

3

ipbw9gVKrQBf.dll

windows7-x64

10

ipbw9gVKrQBf.dll

windows10-2004-x64

10

Resubmissions

30-04-2023 22:49

230430-2rwcmahd2z 10

30-04-2023 22:44

230430-2n5rwsfd26 10

Analysis

  • max time kernel
    151s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-04-2023 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ipbw9gVKrQBf.dll

  • Size

    519.7MB

  • MD5

    e0567c43a73eff1865dae0129f9a8f67

  • SHA1

    a8b3b7e379fadfa72e6407cb04dffa82d1a86945

  • SHA256

    950bd31800b59e930cff57449e3a4f27271415dfdb2d40b6d5510ce536d09659

  • SHA512

    a31dd27891dfcd64d68d8c6eb2f02a159d18d97dfc6e552e43ee6fb4c17919fb07b294b722b1a096f4855260e793b2e9679ab9a5ba83ed80f64d8e34ea5ce8cc

  • SSDEEP

    24576:abHoJMjx4c3wcFZSSpyNlciIcld0ITZkU8jG:MoJMjyc3w4WR

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

206.189.28.199:8080

103.43.75.120:443

110.232.117.186:8080

139.59.126.41:443

213.239.212.5:443

169.57.156.166:8080

119.59.103.152:8080

164.90.222.65:443

107.170.39.149:8080

188.44.20.25:443

185.4.135.165:8080

186.194.240.217:443

163.44.196.120:8080

173.212.193.249:8080

91.121.146.47:8080

94.23.45.86:4143

164.68.99.3:8080

147.139.166.154:8080

104.168.155.143:8080

197.242.150.244:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ipbw9gVKrQBf.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UTfshOg\YewMWD.dll"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/528-60-0x0000000001E30000-0x0000000001EE6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/1984-54-0x0000000001DC0000-0x0000000001E76000-memory.dmp

    Filesize

    728KB

    Download

  • memory/1984-56-0x0000000180000000-0x000000018002F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1984-59-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download