emotet | 22cc80d26bc37a616112b9e6134ac93d3ae12ab15feaaee34efa02b1c8be98ae

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22cc80d26bc37a616112b9e6134ac93d3ae12ab15feaaee34efa02b1c8be98ae.dll
Size

658KB
MD5

2300fc9122cad2c287810508f5d07a1d
SHA1

fee30b8940005a49f4a5c9c1f445e7da7a5a454b
SHA256

22cc80d26bc37a616112b9e6134ac93d3ae12ab15feaaee34efa02b1c8be98ae
SHA512

95926a83f9358a25c377d4e1c702adc2d82cabb572a21dc0bfbd936d1f96a94be94a8e16bcf84bd109d8ce9b154d3080203f43de28f08969994a03bb7947778f
SSDEEP

12288:V4wcc2MydZgRd9aa8l85Qr0t6DZ32QcbplMyVJqhtgyXBaZe+yEltg/BQ4LJlnfp:V4wcc2WRd9aaKDhAkyVJ4taZAnJln1kI

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

175.126.176.79:8080

165.22.254.68:443

116.124.128.206:8080

202.29.239.162:443

103.71.99.57:8080

88.217.172.165:8080

93.104.209.107:8080

104.244.79.94:443

196.44.98.190:8080

85.214.67.203:8080

85.25.120.45:8080

54.37.228.122:443

103.41.204.169:8080

165.232.185.110:8080

195.77.239.39:8080

36.67.23.59:443

59.148.253.194:443

103.85.95.4:8080

157.230.99.206:8080

139.196.72.155:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2352	regsvr32.exe
2148	regsvr32.exe
2148	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2352	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2148	2352	regsvr32.exe	30
PID 2352 wrote to memory of 2148	2352	regsvr32.exe	30
PID 2352 wrote to memory of 2148	2352	regsvr32.exe	30
PID 2352 wrote to memory of 2148	2352	regsvr32.exe	30
PID 2352 wrote to memory of 2148	2352	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22cc80d26bc37a616112b9e6134ac93d3ae12ab15feaaee34efa02b1c8be98ae.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SwqFxpEZwjnXTWEO\SSwLCOFVMnHn.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-7-0x0000000001E30000-0x0000000001EDA000-memory.dmp

Filesize
680KB

Download
memory/2148-12-0x0000000001E30000-0x0000000001EDA000-memory.dmp

Filesize
680KB

Download
memory/2148-14-0x0000000001E30000-0x0000000001EDA000-memory.dmp

Filesize
680KB

Download
memory/2148-15-0x0000000001E30000-0x0000000001EDA000-memory.dmp

Filesize
680KB

Download
memory/2352-0-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2352-5-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2352-2-0x0000000180000000-0x000000018002B000-memory.dmp

Filesize
172KB

Download
memory/2352-6-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download