emotet | 6c63674b35217033b8f3482cdc3b753917d123a2e9e1e581afffee608cb04552

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c63674b35217033b8f3482cdc3b753917d123a2e9e1e581afffee608cb04552.dll
Size

751KB
MD5

ad3be02b840d38d43424d7e9193899cb
SHA1

cc3251e7f708bf87c7bf462481d9d8c0e61cb299
SHA256

6c63674b35217033b8f3482cdc3b753917d123a2e9e1e581afffee608cb04552
SHA512

273405cca6d2fd5cede11499baa4e6476af87348500bc84a66b35578a575fdbf93bb6a495b22aa90275a15b8872b5b6a398c53af480cea0f0abf044260fbff71
SSDEEP

12288:8iW4+vsmQhWi6zQCXbPlvyqOMSRZuH/sAvvszVIf:8iWHhECXbPlvyqOMUMJvszVIf

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	Process
2216	regsvr32.exe
2124	regsvr32.exe
2124	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid	Process
2216	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 2216 wrote to memory of 2124	2216	regsvr32.exe	31
PID 2216 wrote to memory of 2124	2216	regsvr32.exe	31
PID 2216 wrote to memory of 2124	2216	regsvr32.exe	31
PID 2216 wrote to memory of 2124	2216	regsvr32.exe	31
PID 2216 wrote to memory of 2124	2216	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c63674b35217033b8f3482cdc3b753917d123a2e9e1e581afffee608cb04552.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JIuSQDzRWlKKHbStx\QERzcRv.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-8-0x0000000010000000-0x00000000100C6000-memory.dmp

Filesize
792KB

Download
memory/2124-11-0x0000000010000000-0x00000000100C6000-memory.dmp

Filesize
792KB

Download
memory/2124-18-0x0000000010000000-0x00000000100C6000-memory.dmp

Filesize
792KB

Download
memory/2216-0-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2216-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2216-7-0x0000000010000000-0x00000000100C6000-memory.dmp

Filesize
792KB

Download