emotet

General

Target

64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766
Size

46KB
Sample

220331-zvg83aheh8
MD5

363495acb4327435709de91edaef8338
SHA1

11ea485cddc9de2db0397f02f00a564a9468f032
SHA256

64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766
SHA512

1502abfa4494c69541cbaf3f00b176f04a45802b35a0818f0a46cd229a99dd675a7b8746efa946ea37efd7305c18a00eaba4a48c251d19d084fcbf4e575cf10e

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/

xlm40.dropper

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

xlm40.dropper

https://txpcrescue.com/cgi-bin/5tSO8/

xlm40.dropper

http://hadramout21.com/jetpack-temp/Py/

xlm40.dropper

http://haribuilders.com/zoombox-master/4HYGX/

xlm40.dropper

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/

Extracted

Family

emotet

Botnet

Epoch4

C2

68.183.94.239:80

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

216.158.226.206:443

167.99.115.35:8080

212.24.98.99:8080

1.234.21.73:7080

206.189.28.199:8080

158.69.222.101:443

164.68.99.3:8080

188.44.20.25:443

185.157.82.211:8080

134.122.66.193:8080

196.218.30.83:443

72.15.201.15:8080

5.9.116.246:8080

176.104.106.96:8080

153.126.146.25:7080

eck1.plain

ecs1.plain

Targets

- Target
  
  64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766
- Size
  
  46KB
- MD5
  
  363495acb4327435709de91edaef8338
- SHA1
  
  11ea485cddc9de2db0397f02f00a564a9468f032
- SHA256
  
  64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766
- SHA512
  
  1502abfa4494c69541cbaf3f00b176f04a45802b35a0818f0a46cd229a99dd675a7b8746efa946ea37efd7305c18a00eaba4a48c251d19d084fcbf4e575cf10e
Score

10^/10

emotet epoch4 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Downloads MZ/PE file

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2