emotet

General

Target

Invoice.xls
Size

90KB
Sample

220131-qeyrfahge2
MD5

2e888b596658d08f6b8e359e50a20e61
SHA1

669079e396121100a96bdf9e30f7d066addb0659
SHA256

4d9c7d5c3e2bf07235f2da568f7ed9046b8743187801c67aac984c2513cd345d
SHA512

ed187b4b9eed888b6f46bd9142b76b09587530dc736589bfd8cdc35a4ae27e0f8d2a1a080c7a04679277d76d1e1541d813093d3b4a4cdbd536b0173e399995fb

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://91.240.118.172/cc/vv/fe.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.240.118.172/cc/vv/fe.png

Extracted

Family

emotet

Botnet

Epoch4

C2

160.16.102.168:80

131.100.24.231:80

200.17.134.35:7080

207.38.84.195:8080

212.237.56.116:7080

58.227.42.236:80

104.251.214.46:8080

158.69.222.101:443

192.254.71.210:443

46.55.222.11:443

45.118.135.203:7080

107.182.225.142:8080

103.75.201.2:443

104.168.155.129:8080

195.154.133.20:443

159.8.59.82:8080

110.232.117.186:8080

45.142.114.231:8080

41.76.108.46:8080

203.114.109.124:443

eck1.plain

ecs1.plain

Targets

- Target
  
  Invoice.xls
- Size
  
  90KB
- MD5
  
  2e888b596658d08f6b8e359e50a20e61
- SHA1
  
  669079e396121100a96bdf9e30f7d066addb0659
- SHA256
  
  4d9c7d5c3e2bf07235f2da568f7ed9046b8743187801c67aac984c2513cd345d
- SHA512
  
  ed187b4b9eed888b6f46bd9142b76b09587530dc736589bfd8cdc35a4ae27e0f8d2a1a080c7a04679277d76d1e1541d813093d3b4a4cdbd536b0173e399995fb
Score

10^/10

emotet epoch4 banker trojan guloader downloader guloader persistence
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Guloader Payload
  guloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Guloader,Cloudeye

Process spawned unexpected child process

Suspicious use of NtCreateProcessExOtherParentProcess

Guloader Payload

Blocklisted process makes network request

Downloads MZ/PE file

Sets service image path in registry

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2