Overview

overview

10

Static

static

8

emotet_v6

windows10_x64

10

emotet_doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b5182104502adb4db536519eec2aeccf023a4a085724b971f60dffd20c1c4ade.xls

  • Size

    106KB

  • Sample

    220330-mh5glsbfe6

  • MD5

    56abfc5153c5b5cf99bc25f81ee4608b

  • SHA1

    548bc745c49445520b233e42969c8368b4426cde

  • SHA256

    b5182104502adb4db536519eec2aeccf023a4a085724b971f60dffd20c1c4ade

  • SHA512

    64c1905a4bf08d9632938cfe4a7cd538dc65f65b49f8366411ae12917d90fce48b3709729e8d2ed9597d297823f50c39e1b16c949323092927282051ca863034

Score
10/10
emotetepoch4bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.gessersh.com/wp-includes/ZwQLepW/
xlm40.dropper

http://www.garantihaliyikama.com/wp-admin/FjgB6I/
xlm40.dropper

https://www.fantasticmotion.jp/_cnskin/qfWEQrrwBg/
xlm40.dropper

http://dmcontabilidade.com/correspondentecaixa/TrS/
xlm40.dropper

https://fcelik.nl/rittenregistratie/web/css/B3ILfU8Xk2SsEmT/
xlm40.dropper

http://fanfield.co.uk/cgi-bin/7pp6DjWFNJXY8/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.gessersh.com/wp-includes/ZwQLepW/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.176.232.125:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

189.232.46.161:443

103.70.28.102:8080

134.122.66.193:8080

151.106.112.196:8080

160.16.142.56:8080

212.24.98.99:8080

188.44.20.25:443

197.242.150.244:8080

206.189.28.199:8080

172.104.251.154:8080

103.43.46.182:443

203.114.109.124:443

103.75.201.2:443

58.227.42.236:80

201.94.166.162:443

189.126.111.200:7080
eck1.plain
ecs1.plain

Targets

    • Target

      b5182104502adb4db536519eec2aeccf023a4a085724b971f60dffd20c1c4ade.xls

    • Size

      106KB

    • MD5

      56abfc5153c5b5cf99bc25f81ee4608b

    • SHA1

      548bc745c49445520b233e42969c8368b4426cde

    • SHA256

      b5182104502adb4db536519eec2aeccf023a4a085724b971f60dffd20c1c4ade

    • SHA512

      64c1905a4bf08d9632938cfe4a7cd538dc65f65b49f8366411ae12917d90fce48b3709729e8d2ed9597d297823f50c39e1b16c949323092927282051ca863034

    Score
    10/10
    emotetepoch4bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks