emotet | 23fc6a9871c42e327fcb54002dc2cbf2d605d24bb3a667814d387a9c26c3c11b

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005da7f2918e789d6e80eb813e7cc697fd48d5391ecd7478b12e6f849267a323.dll
Size

600KB
MD5

5eca85bf938914e7892004f2c96f135f
SHA1

ed293f83c284328fb02b013209c3e56ae1eeede4
SHA256

005da7f2918e789d6e80eb813e7cc697fd48d5391ecd7478b12e6f849267a323
SHA512

0b642693e6090e7d7fa573cf0f905879d5bc0183ff0cf3b7dde155c6bef3b85d12fd3521737a3d75265135893187d257c436e5a55676c0d60e1e580f1bf88552
SSDEEP

12288:l4WjRiEKWKhqyuYzqtN+H2AyKK6cl788IO/:9KWKh/Zqts2AJuQBO

Score

10^/10

emotet epoch5 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.42.57.17:8080

93.104.208.37:8080

195.154.146.35:443

62.171.178.147:8080

37.59.209.141:8080

139.196.72.155:8080

37.44.244.177:8080

191.252.103.16:80

217.182.143.207:443

128.199.192.135:8080

103.41.204.169:8080

185.148.168.15:8080

168.197.250.14:80

78.46.73.125:443

194.9.172.107:8080

185.148.168.220:8080

118.98.72.86:443

54.37.106.167:8080

78.47.204.80:443

159.69.237.188:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 1868	1620	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe
PID 1868 wrote to memory of 2692	1868	regsvr32.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\005da7f2918e789d6e80eb813e7cc697fd48d5391ecd7478b12e6f849267a323.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\005da7f2918e789d6e80eb813e7cc697fd48d5391ecd7478b12e6f849267a323.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\005da7f2918e789d6e80eb813e7cc697fd48d5391ecd7478b12e6f849267a323.dll",DllRegisterServer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-0-0x0000000000190000-0x00000000001B5000-memory.dmp

Filesize
148KB

Download