emotet | 13cfd306936b3cb7470eb5c5ac209437d267c3ff2875235ebc31d4d146239e4b

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4uoSOec70ypNOT1wMHzQXgn.dll
Size

796KB
MD5

874b811ba8aca19ecb2c17b1fdad88b0
SHA1

b1af2af2bad3bb2ee6e4fbf11e50965a60f0e400
SHA256

13cfd306936b3cb7470eb5c5ac209437d267c3ff2875235ebc31d4d146239e4b
SHA512

302330b83615df66652a3974eb42a84b51a281beb0f23db49024f551e414e6ab8bd4d22275d49a22c744183b7d525dc539e5c111b934d49342726704d8d3a295
SSDEEP

12288:KVHML2QJe6XxhqCW4QHR5f/jsVL6TwEHJlTeRNV52:GML2QJNxhqgQHXj1p0RN

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

45.76.1.145:443

217.182.25.250:8080

119.193.124.41:7080

192.99.251.50:443

146.59.226.45:443

173.212.193.249:8080

207.38.84.195:8080

45.118.135.203:7080

31.24.158.56:8080

209.126.98.206:8080

212.237.17.99:8080

216.158.226.206:443

50.30.40.196:8080

82.165.152.127:8080

159.8.59.82:8080

107.182.225.142:8080

110.232.117.186:8080

72.15.201.15:8080

5.9.116.246:8080

79.172.212.216:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1228 regsvr32.exe

pid	process
1228	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 1228	1556	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3a4uoSOec70ypNOT1wMHzQXgn.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3a4uoSOec70ypNOT1wMHzQXgn.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-54-0x00000000006B0000-0x00000000006FD000-memory.dmp

Filesize
308KB

Download