emotet

General

Target

QHB_677187.xlsm
Size

112KB
Sample

220118-1qzszsdegn
MD5

2f00a54638c5af4aa67c03f1d7ec12d0
SHA1

23994a8656707b655417077ca79294dd5a82cf36
SHA256

a0cc02185b718d8a8caec87fdee0f6aae676b61e1c69915cbd8d8e2600263b12
SHA512

c50ae050b50fb210c640cdd014a211f1eae5b35ba25d2728f9bb6e726ca81b459e0d593a75bf7e20d5717c008d3b004da83f63a59e0ce1cdad4a826c59070220

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://92.255.57.195/ru/ru.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://92.255.57.195/ru/ru.png

Extracted

Family

emotet

Botnet

Epoch5

C2

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  QHB_677187.xlsm
- Size
  
  112KB
- MD5
  
  2f00a54638c5af4aa67c03f1d7ec12d0
- SHA1
  
  23994a8656707b655417077ca79294dd5a82cf36
- SHA256
  
  a0cc02185b718d8a8caec87fdee0f6aae676b61e1c69915cbd8d8e2600263b12
- SHA512
  
  c50ae050b50fb210c640cdd014a211f1eae5b35ba25d2728f9bb6e726ca81b459e0d593a75bf7e20d5717c008d3b004da83f63a59e0ce1cdad4a826c59070220
Score

10^/10

emotet epoch5 banker suricata trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
  suricata: ET MALWARE W32/Emotet CnC Beacon 3
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2