emotet | 87ba201306f7278942243210f607cbaaa54ee015f412b40c36d7177f0b126dd2

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ba201306f7278942243210f607cbaaa54ee015f412b40c36d7177f0b126dd2.dll
Size

684KB
MD5

99eb89aaa5e81d5270a5c04fbb580481
SHA1

a430b4d9067a9e0704bc13c399146a611638f612
SHA256

87ba201306f7278942243210f607cbaaa54ee015f412b40c36d7177f0b126dd2
SHA512

6ffeda782de0e91710a42209fe8904f3b5d1c893456f87e4af1070479385b41323f7bdae2ae86e09345eca00ab8cc266bb8fe38c3370365b6348b4839142f772
SSDEEP

6144:F/aZgRXcZdinj5y1baFLk5Dw2jb7t3mJXzQbaCIXilmj2cO8h35jnL/nvYwFaRVb:BamncoLAbcduxmSc/Jf/ngwFGMD0sg

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

51.75.33.122:443

186.250.48.5:80

168.119.39.118:443

207.148.81.119:8080

194.9.172.107:8080

139.196.72.155:8080

78.47.204.80:443

159.69.237.188:443

45.71.195.104:8080

54.37.106.167:8080

185.168.130.138:443

37.44.244.177:8080

185.184.25.78:8080

185.148.168.15:8080

128.199.192.135:8080

37.59.209.141:8080

103.41.204.169:8080

185.148.168.220:8080

103.42.58.120:7080

78.46.73.125:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Ajoipgxwepxq\zowbdwfutfzk.vnh regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

2392 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2028 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ajoipgxwepxq\zowbdwfutfzk.vnh	regsvr32.exe

pid	process
2392	regsvr32.exe

pid	process
2028	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2028	2252	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 2392	2028	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\87ba201306f7278942243210f607cbaaa54ee015f412b40c36d7177f0b126dd2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\87ba201306f7278942243210f607cbaaa54ee015f412b40c36d7177f0b126dd2.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ajoipgxwepxq\zowbdwfutfzk.vnh"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/2392-3-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download