emotet | 0a20ea18ad3b2f8eac5a16a06be08593ee0c568a4c85fa793c2e0aeb1f82cd26

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5adb5c8a3d2d6e2d0ab59ac6edfbcd09835aa5f27c5e7a98603cf0b62e86f79d.dll
Size

600KB
MD5

67daa4c2c39a3700188e4dea1f8a271c
SHA1

b6042f0648dfcb28814230a54c2b04e875bd204e
SHA256

5adb5c8a3d2d6e2d0ab59ac6edfbcd09835aa5f27c5e7a98603cf0b62e86f79d
SHA512

fb4f95654aa525861254cb8d5298d2d6f55449097680ca9619436ae4633f779154dc0f3dadd829b4d2fe0310af1fc7becc257477834bdf7d0bd5e148acadcbe6
SSDEEP

12288:l4WjRiEKWKhqyuYzqtN0H2AyKK6cl788IO/:9KWKh/ZqtW2AJuQBO

Score

10^/10

emotet epoch5 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.42.57.17:8080

93.104.208.37:8080

195.154.146.35:443

62.171.178.147:8080

37.59.209.141:8080

139.196.72.155:8080

37.44.244.177:8080

191.252.103.16:80

217.182.143.207:443

128.199.192.135:8080

103.41.204.169:8080

185.148.168.15:8080

168.197.250.14:80

78.46.73.125:443

194.9.172.107:8080

185.148.168.220:8080

118.98.72.86:443

54.37.106.167:8080

78.47.204.80:443

159.69.237.188:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 2368	3100	regsvr32.exe	82
PID 3100 wrote to memory of 2368	3100	regsvr32.exe	82
PID 3100 wrote to memory of 2368	3100	regsvr32.exe	82
PID 2368 wrote to memory of 1096	2368	regsvr32.exe	83
PID 2368 wrote to memory of 1096	2368	regsvr32.exe	83
PID 2368 wrote to memory of 1096	2368	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5adb5c8a3d2d6e2d0ab59ac6edfbcd09835aa5f27c5e7a98603cf0b62e86f79d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\5adb5c8a3d2d6e2d0ab59ac6edfbcd09835aa5f27c5e7a98603cf0b62e86f79d.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\5adb5c8a3d2d6e2d0ab59ac6edfbcd09835aa5f27c5e7a98603cf0b62e86f79d.dll",DllRegisterServer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2368-0-0x0000000001190000-0x00000000011B5000-memory.dmp

Filesize
148KB

Download