emotet | 13cfd306936b3cb7470eb5c5ac209437d267c3ff2875235ebc31d4d146239e4b

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4uoSOec70ypNOT1wMHzQXgn.dll
Size

796KB
MD5

874b811ba8aca19ecb2c17b1fdad88b0
SHA1

b1af2af2bad3bb2ee6e4fbf11e50965a60f0e400
SHA256

13cfd306936b3cb7470eb5c5ac209437d267c3ff2875235ebc31d4d146239e4b
SHA512

302330b83615df66652a3974eb42a84b51a281beb0f23db49024f551e414e6ab8bd4d22275d49a22c744183b7d525dc539e5c111b934d49342726704d8d3a295
SSDEEP

12288:KVHML2QJe6XxhqCW4QHR5f/jsVL6TwEHJlTeRNV52:GML2QJNxhqgQHXj1p0RN

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

45.76.1.145:443

217.182.25.250:8080

119.193.124.41:7080

192.99.251.50:443

146.59.226.45:443

173.212.193.249:8080

207.38.84.195:8080

45.118.135.203:7080

31.24.158.56:8080

209.126.98.206:8080

212.237.17.99:8080

216.158.226.206:443

50.30.40.196:8080

82.165.152.127:8080

159.8.59.82:8080

107.182.225.142:8080

110.232.117.186:8080

72.15.201.15:8080

5.9.116.246:8080

79.172.212.216:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2420 regsvr32.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Yzmrvmywz\ojjiyuzieime.xrk regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2420 regsvr32.exe
2420 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1228 regsvr32.exe

pid	process
2420	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Yzmrvmywz\ojjiyuzieime.xrk	regsvr32.exe

pid	process
2420	regsvr32.exe
2420	regsvr32.exe

pid	process
1228	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2300 wrote to memory of 1228	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 1228	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 1228	2300	regsvr32.exe	regsvr32.exe
PID 1228 wrote to memory of 2420	1228	regsvr32.exe	regsvr32.exe
PID 1228 wrote to memory of 2420	1228	regsvr32.exe	regsvr32.exe
PID 1228 wrote to memory of 2420	1228	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3a4uoSOec70ypNOT1wMHzQXgn.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3a4uoSOec70ypNOT1wMHzQXgn.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yzmrvmywz\ojjiyuzieime.xrk"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Yzmrvmywz\ojjiyuzieime.xrk
Filesize
796KB

MD5
874b811ba8aca19ecb2c17b1fdad88b0

SHA1
b1af2af2bad3bb2ee6e4fbf11e50965a60f0e400

SHA256
13cfd306936b3cb7470eb5c5ac209437d267c3ff2875235ebc31d4d146239e4b

SHA512
302330b83615df66652a3974eb42a84b51a281beb0f23db49024f551e414e6ab8bd4d22275d49a22c744183b7d525dc539e5c111b934d49342726704d8d3a295

Download Submit
memory/1228-133-0x0000000002660000-0x00000000026AD000-memory.dmp

Filesize
308KB

Download
memory/2420-138-0x0000000002DB0000-0x0000000002DFD000-memory.dmp

Filesize
308KB

Download