General
-
Target
Electronic form.xls
-
Size
47KB
-
Sample
220128-a1ebxsdff2
-
MD5
22705643f9d87c2e5cae9ecd290580d4
-
SHA1
0b5d34f421759a40b9e431704167d69bf3ca0c5e
-
SHA256
710ea5dddb84bb64f7ab8b90c028da8d6ff072944c33731ee35fe89924861a3b
-
SHA512
be9e557f629dd5666a89b3547c382bd65dce1719e4d5a2eaf2f2900139259dd4351207ca932987b78161a0adef5c199e6865d2a2692aac5dd9cb9f0da7357762
Behavioral task
behavioral1
Sample
Electronic form.xls
Resource
win7-en-20211208
Malware Config
Extracted
http://91.240.118.168/vvv/ppp/fe.html
Extracted
http://91.240.118.168/vvv/ppp/fe.png
Extracted
emotet
Epoch4
51.15.4.22:443
173.214.173.220:8080
212.237.5.209:443
192.254.71.210:443
216.158.226.206:443
162.243.175.63:443
212.24.98.99:8080
58.227.42.236:80
45.118.115.99:8080
104.251.214.46:8080
185.157.82.209:8080
46.55.222.11:443
188.40.137.206:8080
81.0.236.90:443
103.75.201.2:443
129.232.188.93:443
195.154.133.20:443
159.8.59.82:8080
79.172.212.216:8080
138.185.72.26:8080
200.17.134.35:7080
185.157.82.211:8080
209.59.138.75:7080
178.63.25.185:443
45.176.232.124:443
45.118.135.203:7080
164.68.99.3:8080
203.114.109.124:443
212.237.17.99:8080
50.116.54.215:443
131.100.24.231:80
212.237.56.116:7080
45.142.114.231:8080
162.214.50.39:7080
51.38.71.0:443
104.168.155.129:8080
107.182.225.142:8080
217.182.143.207:443
158.69.222.101:443
176.104.106.96:8080
207.38.84.195:8080
41.76.108.46:8080
110.232.117.186:8080
178.79.147.66:8080
173.212.193.249:8080
Targets
-
-
Target
Electronic form.xls
-
Size
47KB
-
MD5
22705643f9d87c2e5cae9ecd290580d4
-
SHA1
0b5d34f421759a40b9e431704167d69bf3ca0c5e
-
SHA256
710ea5dddb84bb64f7ab8b90c028da8d6ff072944c33731ee35fe89924861a3b
-
SHA512
be9e557f629dd5666a89b3547c382bd65dce1719e4d5a2eaf2f2900139259dd4351207ca932987b78161a0adef5c199e6865d2a2692aac5dd9cb9f0da7357762
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Drops file in System32 directory
-