General

  • Target

    e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690

  • Size

    83KB

  • Sample

    220115-btl9macbdl

  • MD5

    8a33badcc1ed80af8d3ba0f02b85a8e7

  • SHA1

    a1374206e356e9ad4ae461511c76b543d969b6f0

  • SHA256

    e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690

  • SHA512

    f45ee0f0cdece0cace1e4ad150e2602f79b26ddbadec6b85c4f7085627abab4604e315174500eaea9c8cca09fbc04343636b5255515459de7fbb06706e55fc8e

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/

xlm40.dropper

https://wordpress.baishuweb.com/wp-includes/10q0ice6/

xlm40.dropper

http://monorailegypt.com/wp-admin/6uBf9CCfZRMh/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/

Targets

    • Target

      e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690

    • Size

      83KB

    • MD5

      8a33badcc1ed80af8d3ba0f02b85a8e7

    • SHA1

      a1374206e356e9ad4ae461511c76b543d969b6f0

    • SHA256

      e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690

    • SHA512

      f45ee0f0cdece0cace1e4ad150e2602f79b26ddbadec6b85c4f7085627abab4604e315174500eaea9c8cca09fbc04343636b5255515459de7fbb06706e55fc8e

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata: ET MALWARE W32/Emotet CnC Beacon 3

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks