Overview

overview

10

Static

static

3

94cb33c581...3b.dll

windows7-x64

10

94cb33c581...3b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 23:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94cb33c581406c5a447c94aaf55f01a5d527b4633703bf6de436bc5abe624d3b.dll

  • Size

    258KB

  • MD5

    8fea2d45f003fe37eaa2821b54c3305b

  • SHA1

    a57967cc13517b460ea5d2ad630367b7bce4dab9

  • SHA256

    94cb33c581406c5a447c94aaf55f01a5d527b4633703bf6de436bc5abe624d3b

  • SHA512

    25a2781dc0f5a34179f12f7eb2f369d46505184a52b5030c3f29f17bd8e539e6fb48de9936b56702ad9962bd640144a24d46bbd9b8ccdfd50060ad14d7e0df60

  • SSDEEP

    6144:6jpuMD/HpzhetkHmYZU9dbJ8K3WGsceBKCUvqHR2JP9WTBk2ypv:6jIG/pjjuLbJLmGshoCUnWTEpv

Score
10/10
emotetepoch5bankerdiscoverytrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

209.239.112.82:8080

116.124.128.206:8080

45.63.5.129:443

128.199.192.135:8080

51.178.61.60:443

168.197.250.14:80

177.72.80.14:7080

51.210.242.234:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

104.131.62.48:8080

190.90.233.66:443

185.148.168.220:8080

185.148.168.15:8080

62.171.178.147:8080

191.252.103.16:80

54.38.242.185:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\94cb33c581406c5a447c94aaf55f01a5d527b4633703bf6de436bc5abe624d3b.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\94cb33c581406c5a447c94aaf55f01a5d527b4633703bf6de436bc5abe624d3b.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3564
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\94cb33c581406c5a447c94aaf55f01a5d527b4633703bf6de436bc5abe624d3b.dll",DllRegisterServer
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3564-0-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/3564-1-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download