emotet | 262e2f2f64f2e1b77a2497133a3b997f88f0b070e064f5056879881963815aa1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5c00903aa332df4946749702f39dbf9.dll
Size

758KB
MD5

b5c00903aa332df4946749702f39dbf9
SHA1

65da29325b9879a52ec851fbd900dbc79fdf4c37
SHA256

262e2f2f64f2e1b77a2497133a3b997f88f0b070e064f5056879881963815aa1
SHA512

50592b94663e4efc0333e168b8823f8c6d52d741dc4e7426f84eb90a68c2cf7688b3100fd6253f6eea86b3b4aa3c68d07f00cc4d5b4443a067b0970fc8589181
SSDEEP

12288:lBseOTwOg957PAMTEFv49thrFcmxLFwD7wGcXbtzbEOpUDlBUawsoei4:keOTwOUPnTC49LJxJwaCOpUD73oei4

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.42.57.17:8080

93.104.208.37:8080

195.154.146.35:443

62.171.178.147:8080

37.59.209.141:8080

139.196.72.155:8080

37.44.244.177:8080

191.252.103.16:80

217.182.143.207:443

128.199.192.135:8080

103.41.204.169:8080

185.148.168.15:8080

168.197.250.14:80

78.46.73.125:443

194.9.172.107:8080

185.148.168.220:8080

118.98.72.86:443

54.37.106.167:8080

78.47.204.80:443

159.69.237.188:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2372 wrote to memory of 2196	2372	regsvr32.exe	regsvr32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe
PID 2196 wrote to memory of 1048	2196	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b5c00903aa332df4946749702f39dbf9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b5c00903aa332df4946749702f39dbf9.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\b5c00903aa332df4946749702f39dbf9.dll",DllRegisterServer
3⤵
PID:1048

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-0-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download