emotet | 0f3d9263125a5e337d7670716e8f7c2ad18f6aa1a37080e22bc8cd46c75e572b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3d9263125a5e337d7670716e8f7c2ad18f6aa1a37080e22bc8cd46c75e572b.dll
Size

1004KB
MD5

31d04f70988064cceebad46d8690c899
SHA1

77bf25cfd098ce447b542334a7a9b4d6c947267a
SHA256

0f3d9263125a5e337d7670716e8f7c2ad18f6aa1a37080e22bc8cd46c75e572b
SHA512

e0e806da1b9744a21ded3903136c150ab284501df561ee827d79bffe23dfe3ad43107bc8746090615aeb6bf6e5dc9ff861e77115a6687646d81e35bae5e378c1
SSDEEP

12288:+LDlVD0Fj+g1dEJgcIzQHBKeWZlQN5tFjNRLU:Ci6fgcIcHB8ZObLU

Score

10^/10

emotet epoch5 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

168.119.39.118:443

185.168.130.138:443

168.197.250.14:80

195.77.239.39:8080

68.183.93.250:443

185.184.25.78:8080

118.98.72.86:443

78.47.204.80:443

159.69.237.188:443

61.7.231.226:443

103.41.204.169:8080

207.148.81.119:8080

85.214.67.203:8080

190.90.233.66:443

191.252.103.16:80

93.104.209.107:8080

194.9.172.107:8080

66.42.57.149:443

59.148.253.194:443

62.171.178.147:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4016	regsvr32.exe
4016	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4016	2112	regsvr32.exe	83
PID 2112 wrote to memory of 4016	2112	regsvr32.exe	83
PID 2112 wrote to memory of 4016	2112	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0f3d9263125a5e337d7670716e8f7c2ad18f6aa1a37080e22bc8cd46c75e572b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\0f3d9263125a5e337d7670716e8f7c2ad18f6aa1a37080e22bc8cd46c75e572b.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4016-0-0x0000000002C30000-0x0000000002C57000-memory.dmp

Filesize
156KB

Download