emotet | a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
Size

380KB
MD5

7d553192201f0f9500ebbe24ee0ff1a5
SHA1

8d653752409bac25759183ce9a5032f87f637525
SHA256

a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6
SHA512

24271cba7b7718819e5fbe77e5c65aa1f87fa73db73203072b7bf40377b2a73fb409b9a44ad638562ab8e0f35d8475e8abe8afbb4d7e17a1d8ca107b7c41a10a
SSDEEP

6144:wcvynX8aBmTd9m6qH4YCfPvogjav1iP/I4y8OQLZxUHfy11:/vynLkTbm2og7HHZ6y

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

189.232.46.161:443

51.91.76.89:8080

103.43.46.182:443

206.189.28.199:8080

45.176.232.124:443

107.182.225.142:8080

72.15.201.15:8080

209.250.246.206:443

164.68.99.3:8080

160.16.142.56:8080

134.122.66.193:8080

45.118.115.99:8080

183.111.227.137:8080

209.126.98.206:8080

1.234.2.232:8080

159.65.88.10:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Ujobeofss\tjjgbite.zyo regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1312 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2216 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ujobeofss\tjjgbite.zyo	regsvr32.exe

pid	process
1312	regsvr32.exe

pid	process
2216	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 2216	1736	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1312	2216	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ujobeofss\tjjgbite.zyo"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-3-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/2216-0-0x00000000008F0000-0x0000000000914000-memory.dmp

Filesize
144KB

Download