emotet | 57426a9fb01050bcf0efd0e91aebd9c44080921d1435964fcea793a6decb8cc1

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57426a9fb01050bcf0efd0e91aebd9c44080921d1435964fcea793a6decb8cc1.dll
Size

600KB
MD5

24125ab10fe778289a5ff85ee471264b
SHA1

f5598d2d45ef02db0b692d2e15e8695cee20a858
SHA256

57426a9fb01050bcf0efd0e91aebd9c44080921d1435964fcea793a6decb8cc1
SHA512

5827976951cc3101134a6fc31c0deff2d23a653ecfba98bf236ac7d09b174d11f2a691e6a50540812b0e7677126dbd100bf215b1fee79fee9fe1dbf88ad37694
SSDEEP

12288:l4WjRiEKWKhqyuYzqtN2H2AyKK6cl788IO/:9KWKh/Zqtk2AJuQBO

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.42.57.17:8080

93.104.208.37:8080

195.154.146.35:443

62.171.178.147:8080

37.59.209.141:8080

139.196.72.155:8080

37.44.244.177:8080

191.252.103.16:80

217.182.143.207:443

128.199.192.135:8080

103.41.204.169:8080

185.148.168.15:8080

168.197.250.14:80

78.46.73.125:443

194.9.172.107:8080

185.148.168.220:8080

118.98.72.86:443

54.37.106.167:8080

78.47.204.80:443

159.69.237.188:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 280	2328	regsvr32.exe	regsvr32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe
PID 280 wrote to memory of 2164	280	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\57426a9fb01050bcf0efd0e91aebd9c44080921d1435964fcea793a6decb8cc1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\57426a9fb01050bcf0efd0e91aebd9c44080921d1435964fcea793a6decb8cc1.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\57426a9fb01050bcf0efd0e91aebd9c44080921d1435964fcea793a6decb8cc1.dll",DllRegisterServer
3⤵
PID:2164

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-0-0x00000000002F0000-0x0000000000315000-memory.dmp

Filesize
148KB

Download