emotet | 7805d250b3c1d74219350badee9231fadbfc591bc43d55b96f7a25723067b74f

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MQIXGPw9ejl.dll
Size

640KB
MD5

aad06e4245330f9ee7c0e4c67c46c686
SHA1

930ef00f646b571bfd4dee6abbcc3ba6b664461c
SHA256

7805d250b3c1d74219350badee9231fadbfc591bc43d55b96f7a25723067b74f
SHA512

afbd0f7b2252f4ebe837c7c4013db02ec1287ef35c24cc2e93803a92520d2c307c034976e67648097764066c25462f59cd7f89a77a5bc076cd17c81206e6c346
SSDEEP

6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7JcuVqrWLWN7Ypsi6Ih9vH0/oUHahE:/8MFX47ivcQMNsrD+KJjO69cI

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

70.36.102.35:443

92.240.254.110:8080

51.91.76.89:8080

217.182.25.250:8080

119.193.124.41:7080

45.142.114.231:8080

176.56.128.118:443

51.254.140.238:7080

173.212.193.249:8080

131.100.24.231:80

188.44.20.25:443

1.234.2.232:8080

153.126.146.25:7080

51.91.7.5:8080

151.106.112.196:8080

46.55.222.11:443

107.182.225.142:8080

82.165.152.127:8080

212.237.17.99:8080

195.201.151.129:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1028 regsvr32.exe

pid	process
1028	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1028	1720	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MQIXGPw9ejl.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\MQIXGPw9ejl.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-54-0x00000000002A0000-0x00000000002C4000-memory.dmp

Filesize
144KB

Download