emotet | 15e9869fff87b5456e40358c52007c9e3f7dbfbe9096aea8c2712e65deb65a5b

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ISmm7Q94U.dll
Size

822KB
MD5

4a659a5e48556eb45b4f05ecede16671
SHA1

135d7bf7ca4d37887892a0c272ca549602cc5145
SHA256

15e9869fff87b5456e40358c52007c9e3f7dbfbe9096aea8c2712e65deb65a5b
SHA512

0e5c1e3055071de09031021688492133f9928462a5a5cc8d8793ee3b542e774399dbac6dd8c81eaf307ca8ce30260537d8eb7bceb824fab29a75d797ac131864
SSDEEP

6144:v7rc6Wk6SYnaKOai5uWLwrd0jSjc0vNPqBVzLFW5WUPV2m7hzS7583Tg7A+++ncE:vXcFk6SYna2Frd0jSjcc9SnmBZX0TMh

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

149.56.131.28:8080

72.15.201.15:8080

207.148.79.14:8080

82.165.152.127:8080

46.55.222.11:443

213.241.20.155:443

163.44.196.120:8080

51.254.140.238:7080

107.170.39.149:8080

188.44.20.25:443

82.223.21.224:8080

172.104.251.154:8080

164.68.99.3:8080

101.50.0.91:8080

129.232.188.93:443

173.212.193.249:8080

103.132.242.26:8080

186.194.240.217:443

37.187.115.122:8080

91.207.28.33:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2420	regsvr32.exe
1324	regsvr32.exe
1324	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2420	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1324	2420	regsvr32.exe	28
PID 2420 wrote to memory of 1324	2420	regsvr32.exe	28
PID 2420 wrote to memory of 1324	2420	regsvr32.exe	28
PID 2420 wrote to memory of 1324	2420	regsvr32.exe	28
PID 2420 wrote to memory of 1324	2420	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ISmm7Q94U.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QxNzVJqkv\xWLyPTs.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-8-0x0000000065280000-0x0000000065357000-memory.dmp

Filesize
860KB

Download
memory/2420-0-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download
memory/2420-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2420-4-0x0000000065280000-0x0000000065357000-memory.dmp

Filesize
860KB

Download