emotet | 0aae097d8d7904effeed44dcfe0d0bf1aa6675dfe5d645e271b19efe36d370e1

General

Target

script.ps1
Size

285B
MD5

8dd91f9af4b71220f2b2e28f6ac12dc1
SHA1

af75d53cdc45819058b7f5d76fc224d8ed46eb10
SHA256

0aae097d8d7904effeed44dcfe0d0bf1aa6675dfe5d645e271b19efe36d370e1
SHA512

29a4d2471a5ececbb27159b736ade805c160be670702090444e60fac749f609b6b4fe88ad5e16228619ad60c908dd54f16f8e95d9bc498ec9ff17354bca2b47e

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1392 powershell.exe
10 1392 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3196 regsvr32.exe
4508 regsvr32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 raw.githubusercontent.com
10 raw.githubusercontent.com
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeregsvr32.exeregsvr32.exe

pid process

1392 powershell.exe
1392 powershell.exe
3196 regsvr32.exe
3196 regsvr32.exe
4508 regsvr32.exe
4508 regsvr32.exe
4508 regsvr32.exe
4508 regsvr32.exe

flow	pid	process
5	1392	powershell.exe
10	1392	powershell.exe

pid	process
3196	regsvr32.exe
4508	regsvr32.exe

flow	ioc
8	raw.githubusercontent.com
10	raw.githubusercontent.com

pid	process
1392	powershell.exe
1392	powershell.exe
3196	regsvr32.exe
3196	regsvr32.exe
4508	regsvr32.exe
4508	regsvr32.exe
4508	regsvr32.exe
4508	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeRestorePrivilege	5044	7z.exe
Token: 35	5044	7z.exe
Token: SeSecurityPrivilege	5044	7z.exe
Token: SeSecurityPrivilege	5044	7z.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.execmd.exeregsvr32.exe

description	pid	process	target process
PID 1392 wrote to memory of 5044	1392	powershell.exe	7z.exe
PID 1392 wrote to memory of 5044	1392	powershell.exe	7z.exe
PID 1392 wrote to memory of 2756	1392	powershell.exe	cmd.exe
PID 1392 wrote to memory of 2756	1392	powershell.exe	cmd.exe
PID 2756 wrote to memory of 3196	2756	cmd.exe	regsvr32.exe
PID 2756 wrote to memory of 3196	2756	cmd.exe	regsvr32.exe
PID 3196 wrote to memory of 4508	3196	regsvr32.exe	regsvr32.exe
PID 3196 wrote to memory of 4508	3196	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s "%temp%\emotet.dll""
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WZJZQ\uJMxwtZSlqOY.dll"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjodrieq.gxk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\emotet.dll
Filesize
534KB

MD5
56bb8500d7ab6860760eddd7a55e9456

SHA1
e9b38c5fb51ce1a038f65c1620115a9bba1e383d

SHA256
b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59

SHA512
83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\emotet.zip
Filesize
289KB

MD5
ebe6bc9eab807cdd910976a341bc070d

SHA1
1052700b1945bb1754f3cadad669fc4a99f5607b

SHA256
b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7

SHA512
9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

Download Submit
memory/1392-5-0x0000028CD85C0000-0x0000028CD85E2000-memory.dmp

Filesize
136KB

Download
memory/1392-10-0x00007FFE22E80000-0x00007FFE23941000-memory.dmp

Filesize
10.8MB

Download
memory/1392-12-0x0000028CBF660000-0x0000028CBF670000-memory.dmp

Filesize
64KB

Download
memory/1392-11-0x0000028CBF660000-0x0000028CBF670000-memory.dmp

Filesize
64KB

Download
memory/1392-26-0x00007FFE22E80000-0x00007FFE23941000-memory.dmp

Filesize
10.8MB

Download
memory/3196-19-0x0000000002BD0000-0x0000000002C00000-memory.dmp

Filesize
192KB

Download
memory/3196-22-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing