emotet | ea380b88bb481273850d30994f25e19668ceb2567542d9af2cb4c939f630bf12

Analysis

max time kernel
143s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea380b88bb481273850d30994f25e19668ceb2567542d9af2cb4c939f630bf12.dll
Size

423KB
MD5

70a4b2f8eabf1b365caafb20035314e7
SHA1

cc4082d36b5f3e41d83ea469204111c0aa2df360
SHA256

ea380b88bb481273850d30994f25e19668ceb2567542d9af2cb4c939f630bf12
SHA512

67f9bf43b056993416c8bce7167f7f6c1e5338a9e551a66fc4dec89f3d46cb5a0e1d83926323811967bcf36fdbffbc2a025b17a980515e211d372beb022bc491
SSDEEP

12288:jTZfxSuI5OORAL3Onl/+HuVPxskfcg3gA:jT6uI57Q+nd+Kxsk

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

104.248.225.227:8080

62.171.178.147:8080

165.22.254.236:8080

128.199.242.164:8080

188.165.79.151:443

202.29.239.162:443

37.187.114.15:8080

175.126.176.79:8080

103.56.149.105:8080

103.126.216.86:443

188.225.32.231:4143

43.129.209.178:443

93.104.209.107:8080

118.98.72.86:443

78.47.204.80:443

128.199.217.206:443

157.230.99.206:8080

87.106.97.83:7080

83.229.80.93:8080

88.217.172.165:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2868 regsvr32.exe
2756 regsvr32.exe
2756 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2868 regsvr32.exe

pid	process
2868	regsvr32.exe
2756	regsvr32.exe
2756	regsvr32.exe

pid	process
2868	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2868 wrote to memory of 2756	2868	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 2756	2868	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 2756	2868	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 2756	2868	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 2756	2868	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ea380b88bb481273850d30994f25e19668ceb2567542d9af2cb4c939f630bf12.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JwiaGyzGczV\Tayu.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-10-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2756-11-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2756-13-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2756-18-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2756-19-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2756-37-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2756-38-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download
memory/2868-0-0x0000000001E00000-0x0000000001E53000-memory.dmp

Filesize
332KB

Download
memory/2868-4-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x0000000180000000-0x000000018006F000-memory.dmp

Filesize
444KB

Download