Resubmissions

05-11-2024 13:32

241105-qtel4ssaja 10

12-03-2022 09:58

220312-lzmgpabcd2 10

General

  • Target

    9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm

  • Size

    56KB

  • Sample

    220312-lzmgpabcd2

  • MD5

    85cd152bb0ff67e1645c1dc9d6ddf576

  • SHA1

    a7223037d9832b2d735660578dc9b117d44229c6

  • SHA256

    9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a

  • SHA512

    0c6c187731343a3912d45552145ea06b926d9d5e8e214d37ce7223990b7d286a76ef1e37e9a71e7558e2d6f98df70463dcb1ba112adbc692941116f96419c3bc

Malware Config

Extracted

Language: xlm4.0

Source: xlm40.dropper

URLs:

http://blog.centerking.top/wp-admin/Ag4ORi0VN7riBwCSvvZ/

https://lucrecomconforto.com.br/zkxr/Wx1iq9PLeB5jBgb/

http://academiasuccesului.ro/parteneri/VbtNt/

http://melekler.atspace.cc/tests/JZm4UmD/

http://acerestoration.co.za/wp-admin/QKDLZ/

http://loko-architecten.nl/8606935E6826FD13AB6F770AA9FB41A6/HYTBhMFhi3bJ7/

https://sorteiovipbrasil.com.br/mkii-drum/gud2j4vtiyIC/

Extracted

Language: xlm4.0

Source: xlm40.dropper

URLs:

http://blog.centerking.top/wp-admin/Ag4ORi0VN7riBwCSvvZ/

Extracted

Family: emotet

Botnet: Epoch5

C2:

51.75.33.122:443

186.250.48.5:80

168.119.39.118:443

207.148.81.119:8080

194.9.172.107:8080

139.196.72.155:8080

78.47.204.80:443

159.69.237.188:443

45.71.195.104:8080

54.37.106.167:8080

185.168.130.138:443

37.44.244.177:8080

185.184.25.78:8080

185.148.168.15:8080

128.199.192.135:8080

37.59.209.141:8080

103.41.204.169:8080

185.148.168.220:8080

103.42.58.120:7080

78.46.73.125:443

eck1.plain
ecs1.plain

Targets

    • Target

      9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm

    • Size

      56KB

    • MD5

      85cd152bb0ff67e1645c1dc9d6ddf576

    • SHA1

      a7223037d9832b2d735660578dc9b117d44229c6

    • SHA256

      9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a

    • SHA512

      0c6c187731343a3912d45552145ea06b926d9d5e8e214d37ce7223990b7d286a76ef1e37e9a71e7558e2d6f98df70463dcb1ba112adbc692941116f96419c3bc

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks