emotet | 396709d639484e6d5c673a5102a6623fb5ae21a0cf6b1aafead144cfd1be28dc

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 06:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

396709d639484e6d5c673a5102a6623fb5ae21a0cf6b1aafead144cfd1be28dc.dll
Size

684KB
MD5

e933b0aa9c2f5e6f18cb0718d0e064ff
SHA1

81de5e8aea0448bc75b540f1c530517c550a1883
SHA256

396709d639484e6d5c673a5102a6623fb5ae21a0cf6b1aafead144cfd1be28dc
SHA512

f0d5db89ac71a4836398ba9968c1b7faa09bb5fd0651af6b32cc7c870f543fef3773cb618591f0e73bf09b8fb177a933b079121b87ee882f4759f9fd418da2fb
SSDEEP

6144:jpvac/hrq/4wi/fRBe06Av38/giQEjSdLZJ8iqOqnPoypSlwDmL0TX9zZ7cuQUa6:y4wwRBe01P8/giQE8zsnS9W7PQUaIF

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

149.202.179.100:443

103.75.201.4:443

129.232.188.93:443

50.116.54.215:443

203.114.109.124:443

217.182.143.207:443

212.237.5.209:443

79.172.212.216:8080

144.76.186.49:8080

159.8.59.82:8080

131.100.24.231:80

212.237.17.99:8080

81.0.236.90:443

159.89.230.105:443

164.68.99.3:8080

212.237.56.116:7080

162.243.175.63:443

195.154.133.20:443

110.232.117.186:8080

45.142.114.231:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2920	4840	regsvr32.exe	86
PID 4840 wrote to memory of 2920	4840	regsvr32.exe	86
PID 4840 wrote to memory of 2920	4840	regsvr32.exe	86
PID 2920 wrote to memory of 4372	2920	regsvr32.exe	92
PID 2920 wrote to memory of 4372	2920	regsvr32.exe	92
PID 2920 wrote to memory of 4372	2920	regsvr32.exe	92

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\396709d639484e6d5c673a5102a6623fb5ae21a0cf6b1aafead144cfd1be28dc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\396709d639484e6d5c673a5102a6623fb5ae21a0cf6b1aafead144cfd1be28dc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\396709d639484e6d5c673a5102a6623fb5ae21a0cf6b1aafead144cfd1be28dc.dll",DllRegisterServer
    3⤵
    PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2920-0-0x0000000002B50000-0x0000000002B75000-memory.dmp

Filesize
148KB

Download