emotet | 357ad7e9ed00a1f3c189bfb7c941aa775ab7131025235c738cc861784867f557

General

Target

target.ps1
Size

288B
MD5

240b3d19fe8b41090a24d146c4dbd1e9
SHA1

d3add97f31a225d73202cbdfa9105fb39a07a47c
SHA256

357ad7e9ed00a1f3c189bfb7c941aa775ab7131025235c738cc861784867f557
SHA512

03a722e5608bb814f66c15e95d6e3cab7426f5b17075290b81f5df9a1efb37dea1fe6b60b1914ccee3202c4bf5575212ba9400989a8db6ffcb14d5167b8de9c4

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2872	powershell.exe
4	2872	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	regsvr32.exe
5096	regsvr32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
5096	regsvr32.exe
5096	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
4336	regsvr32.exe
4336	regsvr32.exe
4336	regsvr32.exe
4336	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeRestorePrivilege	916	7z.exe
Token: 35	916	7z.exe
Token: SeSecurityPrivilege	916	7z.exe
Token: SeSecurityPrivilege	916	7z.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 916	2872	powershell.exe	74
PID 2872 wrote to memory of 916	2872	powershell.exe	74
PID 2872 wrote to memory of 872	2872	powershell.exe	75
PID 2872 wrote to memory of 872	2872	powershell.exe	75
PID 872 wrote to memory of 64	872	cmd.exe	76
PID 872 wrote to memory of 64	872	cmd.exe	76
PID 1404 wrote to memory of 1500	1404	cmd.exe	84
PID 1404 wrote to memory of 1500	1404	cmd.exe	84
PID 1404 wrote to memory of 5096	1404	cmd.exe	85
PID 1404 wrote to memory of 5096	1404	cmd.exe	85
PID 5096 wrote to memory of 4336	5096	regsvr32.exe	86
PID 5096 wrote to memory of 4336	5096	regsvr32.exe	86
PID 1500 wrote to memory of 2880	1500	regsvr32.exe	87
PID 1500 wrote to memory of 2880	1500	regsvr32.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'
    3⤵
    PID:64

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QqGPbkfUmF\foJTczYqLRZt.dll"
    3⤵
    PID:2880
- C:\Windows\system32\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GOKeydZnlSOsy\ibDyQrs.dll"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bf0vfgz.hgd.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\emotet.dll

Filesize
534KB

MD5
56bb8500d7ab6860760eddd7a55e9456

SHA1
e9b38c5fb51ce1a038f65c1620115a9bba1e383d

SHA256
b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59

SHA512
83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\emotet.zip

Filesize
289KB

MD5
ebe6bc9eab807cdd910976a341bc070d

SHA1
1052700b1945bb1754f3cadad669fc4a99f5607b

SHA256
b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7

SHA512
9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

Download Submit
memory/1500-41-0x00000000014A0000-0x00000000014D0000-memory.dmp

Filesize
192KB

Download
memory/1500-43-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2872-4-0x000001F64B480000-0x000001F64B4A2000-memory.dmp

Filesize
136KB

Download
memory/2872-5-0x00007FFC02D80000-0x00007FFC0376C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-7-0x000001F64B540000-0x000001F64B550000-memory.dmp

Filesize
64KB

Download
memory/2872-8-0x000001F64B540000-0x000001F64B550000-memory.dmp

Filesize
64KB

Download
memory/2872-10-0x000001F663AA0000-0x000001F663B16000-memory.dmp

Filesize
472KB

Download
memory/2872-26-0x000001F64B540000-0x000001F64B550000-memory.dmp

Filesize
64KB

Download
memory/2872-37-0x00007FFC02D80000-0x00007FFC0376C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing