General
-
Target
Invoice.xls
-
Size
90KB
-
Sample
220131-qeyrfahge2
-
MD5
2e888b596658d08f6b8e359e50a20e61
-
SHA1
669079e396121100a96bdf9e30f7d066addb0659
-
SHA256
4d9c7d5c3e2bf07235f2da568f7ed9046b8743187801c67aac984c2513cd345d
-
SHA512
ed187b4b9eed888b6f46bd9142b76b09587530dc736589bfd8cdc35a4ae27e0f8d2a1a080c7a04679277d76d1e1541d813093d3b4a4cdbd536b0173e399995fb
Behavioral task
behavioral1
Sample
Invoice.xls
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Invoice.xls
Resource
win10v2004-en-20220112
Malware Config
Extracted
http://91.240.118.172/cc/vv/fe.html
Extracted
http://91.240.118.172/cc/vv/fe.png
Extracted
emotet
Epoch4
160.16.102.168:80
131.100.24.231:80
200.17.134.35:7080
207.38.84.195:8080
212.237.56.116:7080
58.227.42.236:80
104.251.214.46:8080
158.69.222.101:443
192.254.71.210:443
46.55.222.11:443
45.118.135.203:7080
107.182.225.142:8080
103.75.201.2:443
104.168.155.129:8080
195.154.133.20:443
159.8.59.82:8080
110.232.117.186:8080
45.142.114.231:8080
41.76.108.46:8080
203.114.109.124:443
50.116.54.215:443
209.59.138.75:7080
185.157.82.211:8080
164.68.99.3:8080
162.214.50.39:7080
138.185.72.26:8080
178.63.25.185:443
51.15.4.22:443
81.0.236.90:443
216.158.226.206:443
45.176.232.124:443
162.243.175.63:443
212.237.17.99:8080
45.118.115.99:8080
129.232.188.93:443
173.214.173.220:8080
178.79.147.66:8080
176.104.106.96:8080
51.38.71.0:443
173.212.193.249:8080
217.182.143.207:443
212.24.98.99:8080
159.89.230.105:443
79.172.212.216:8080
212.237.5.209:443
Targets
-
-
Target
Invoice.xls
-
Size
90KB
-
MD5
2e888b596658d08f6b8e359e50a20e61
-
SHA1
669079e396121100a96bdf9e30f7d066addb0659
-
SHA256
4d9c7d5c3e2bf07235f2da568f7ed9046b8743187801c67aac984c2513cd345d
-
SHA512
ed187b4b9eed888b6f46bd9142b76b09587530dc736589bfd8cdc35a4ae27e0f8d2a1a080c7a04679277d76d1e1541d813093d3b4a4cdbd536b0173e399995fb
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Guloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Drops file in System32 directory
-