emotet | 30b2392656573d4fc71a198bea4eb089047a6f21c2db7b163bcab3b1c686be3f

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wurod.dll
Size

764KB
MD5

b9047a916a40b1c4e0033bba961f90e5
SHA1

557c945813815eb7b0a74b3bdbfa53a20139838a
SHA256

30b2392656573d4fc71a198bea4eb089047a6f21c2db7b163bcab3b1c686be3f
SHA512

54762cf3769b4149cea1a495a59b1c51d3db77d1d67b51249bc79806b49808335ce9a5274370ad785d17979ef97cb58cd2024fdc2e2453a260f5eeafa0f0ddc2
SSDEEP

12288:e1NKDzZKRpnBlD7MGVrdjF3hRcTsApSvHQdOzyK7zjwOjmSrjNwgraKRT61cKGNx:S4DzZKnH4GRGY61WN+

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

209.250.246.206:443

110.232.117.186:8080

164.68.99.3:8080

119.193.124.41:7080

212.237.17.99:8080

107.182.225.142:8080

185.8.212.130:7080

153.126.146.25:7080

77.81.247.144:8080

209.126.98.206:8080

201.94.166.162:443

131.100.24.231:80

45.235.8.30:8080

213.241.20.155:443

103.43.46.182:443

129.232.188.93:443

103.132.242.26:8080

151.106.112.196:8080

45.118.115.99:8080

185.4.135.165:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2700	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2916	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2700	2916	regsvr32.exe	30
PID 2916 wrote to memory of 2700	2916	regsvr32.exe	30
PID 2916 wrote to memory of 2700	2916	regsvr32.exe	30
PID 2916 wrote to memory of 2700	2916	regsvr32.exe	30
PID 2916 wrote to memory of 2700	2916	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\wurod.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TwEGriwmqiNVVS\wqCHWviClm.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-8-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download
memory/2916-1-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/2916-0-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2916-4-0x0000000180000000-0x00000001800C6000-memory.dmp

Filesize
792KB

Download