emotet

General

Target

c1991922f16591d906546a6926fe301adb9fc66062b1dbd56e400a7cef59014e.xls
Size

106KB
Sample

220330-pbphxsgbdn
MD5

c45d183d92c76327654823f385f7ce37
SHA1

14b49cae34a09672364f1bc03bbdfbc6b49c7a93
SHA256

c1991922f16591d906546a6926fe301adb9fc66062b1dbd56e400a7cef59014e
SHA512

5c26e46c221687d4ddadb5e3ac05d033940730b592fc9f75416829ae2c5e650d950737edfed37ec597cf10b1a1e43bda2e3bb70fda66bf20dca161ac19e7702f

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://www.gessersh.com/wp-includes/ZwQLepW/

xlm40.dropper

http://www.garantihaliyikama.com/wp-admin/FjgB6I/

xlm40.dropper

https://www.fantasticmotion.jp/_cnskin/qfWEQrrwBg/

xlm40.dropper

http://dmcontabilidade.com/correspondentecaixa/TrS/

xlm40.dropper

https://fcelik.nl/rittenregistratie/web/css/B3ILfU8Xk2SsEmT/

xlm40.dropper

http://fanfield.co.uk/cgi-bin/7pp6DjWFNJXY8/

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://www.gessersh.com/wp-includes/ZwQLepW/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.176.232.125:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

189.232.46.161:443

103.70.28.102:8080

134.122.66.193:8080

151.106.112.196:8080

160.16.142.56:8080

212.24.98.99:8080

188.44.20.25:443

197.242.150.244:8080

206.189.28.199:8080

172.104.251.154:8080

103.43.46.182:443

203.114.109.124:443

103.75.201.2:443

58.227.42.236:80

201.94.166.162:443

189.126.111.200:7080

eck1.plain

ecs1.plain

Targets

- Target
  
  c1991922f16591d906546a6926fe301adb9fc66062b1dbd56e400a7cef59014e.xls
- Size
  
  106KB
- MD5
  
  c45d183d92c76327654823f385f7ce37
- SHA1
  
  14b49cae34a09672364f1bc03bbdfbc6b49c7a93
- SHA256
  
  c1991922f16591d906546a6926fe301adb9fc66062b1dbd56e400a7cef59014e
- SHA512
  
  5c26e46c221687d4ddadb5e3ac05d033940730b592fc9f75416829ae2c5e650d950737edfed37ec597cf10b1a1e43bda2e3bb70fda66bf20dca161ac19e7702f
Score

10^/10

emotet epoch4 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2