3 1403.zip

General
Target

3 1403.zip

Size

43KB

Sample

220315-qe56hsbec2

Score
10 /10
MD5

a5da4097171986e5a71d9b4aca5625f9

SHA1

64027f074354a3654d73f153664e36754a2afb6c

SHA256

089509dec049cb29e3f80ca3ae0fe1bb1221b7daa58024a1af34fbfd1bbcaa01

SHA512

ec6b566eca204676a9a4f7941c422490a374ba4367be61485dd366a31a6ade8a67d069a10a0dcd6fc38c02151054cf267209abf23a9f452c9c618dcf323d90f1

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

http://www.arkpp.com/ARIS-BSU/9K1/

Extracted

Family emotet
Botnet Epoch4
C2

217.182.143.248:8080

185.4.135.27:8080

192.99.251.50:443

146.59.226.45:443

162.214.118.104:8080

195.154.133.20:443

103.75.201.2:443

5.9.116.246:8080

177.87.70.10:8080

31.24.158.56:8080

103.75.201.4:443

158.69.222.101:443

185.157.82.211:8080

185.8.212.130:7080

186.250.48.117:7080

110.232.117.186:8080

46.55.222.11:443

196.218.30.83:443

51.91.7.5:8080

176.56.128.118:443

207.38.84.195:8080

173.212.193.249:8080

45.118.135.203:7080

164.68.99.3:8080

209.126.98.206:8080

212.24.98.99:8080

151.106.112.196:8080

45.176.232.124:443

153.126.146.25:7080

212.237.17.99:8080

45.142.114.231:8080

107.182.225.142:8080

45.118.115.99:8080

79.172.212.216:8080

50.30.40.196:8080

82.165.152.127:8080

50.116.54.215:443

1.234.2.232:8080

58.227.42.236:80

216.158.226.206:443

159.8.59.82:8080

129.232.188.93:443

189.126.111.200:7080

138.185.72.26:8080

159.65.88.10:8080

103.221.221.247:8080

188.44.20.25:443

203.114.109.124:443

197.242.150.244:8080

51.254.140.238:7080

eck1.plain
ecs1.plain
Targets
Target

3 1403.xlsm

MD5

1655267f2eef17c7bea81ee6cf65fbf9

Filesize

48KB

Score
10/10
SHA1

dd062a715bd8eee2b8b4d30e6786e5b108b63c1a

SHA256

8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578

SHA512

3b0f05743a81756ef75e8da15e393f40365c71d7e986141bfb467acd8a232581cc5bd01953ed61b6129652ebd9517b1282f01fbbe2e808aa70dc3c906bbb726d

Tags

Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file

  • Loads dropped DLL

  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      8/10

                      behavioral1

                      10/10

                      behavioral2

                      10/10