emotet | 5da102cc1ff7d842e3b5c9d6f571bd3b3afdc1715d37f120b31e1859928f5837

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da102cc1ff7d842e3b5c9d6f571bd3b3afdc1715d37f120b31e1859928f5837.dll
Size

664KB
MD5

a4ecfada58560cde6fa8efb230ae7175
SHA1

25c97e473919084598779cc8faee36c23fdb8911
SHA256

5da102cc1ff7d842e3b5c9d6f571bd3b3afdc1715d37f120b31e1859928f5837
SHA512

24fc0218924c59c366d9038f878352d765a20dad35f637d917fd5d91c60d96ff256d3cb13b68a33d81df6dbb32d389e1b930078a58603897fc42970027c211da
SSDEEP

12288:DtAanana8Meee0GBGu3qI+3DNJ3vE6v5eexS332d7t5hT/hexLx:Kanana8qGBGuoNxEQxCM7o

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

165.22.61.235:443

121.78.112.42:8080

216.10.251.121:8080

195.77.239.39:8080

195.154.146.35:443

68.183.93.250:443

139.196.72.155:8080

194.9.172.107:8080

196.44.98.190:8080

128.199.192.135:8080

5.56.132.177:8080

78.46.73.125:443

87.106.97.83:7080

66.42.57.149:443

37.44.244.177:8080

190.90.233.66:443

203.153.216.46:443

207.148.81.119:8080

103.41.204.169:8080

104.131.62.48:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1756 regsvr32.exe

pid	process
1756	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1756	1280	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5da102cc1ff7d842e3b5c9d6f571bd3b3afdc1715d37f120b31e1859928f5837.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5da102cc1ff7d842e3b5c9d6f571bd3b3afdc1715d37f120b31e1859928f5837.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-0-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download