Resubmissions

26-04-2022 20:07

220426-ywbl8saabq 10

26-04-2022 19:59

220426-yqv4paebd5 10

General

  • Target

    Electronic form 04.26.2022, USA.lnk

  • Size

    2KB

  • Sample

    220426-ywbl8saabq

  • MD5

    e87c1ae2b8c7e85b6431d420310df80e

  • SHA1

    683ab8df53a58982807ef65f3b68bb2bbab6fc6e

  • SHA256

    cde9b766bf2966ed7f0396fee7e23fdb7246b534affd58f6d4caf50237ff110b

  • SHA512

    c7959fed580f4e6096c345973fd2c19b049cf3e8539f391321a61fd4ff18fd4d7683cfb5534c38cf9ad9cc26cd99eb3a8f142b13b2430b761f78272b937e0c45

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

138.201.142.73:8080

138.197.147.101:443

134.195.212.50:7080

104.168.154.79:8080

149.56.131.28:8080

129.232.188.93:443

212.24.98.99:8080

119.193.124.41:7080

45.118.115.99:8080

188.44.20.25:443

103.132.242.26:8080

201.94.166.162:443

1.234.21.73:7080

206.189.28.199:8080

185.8.212.130:7080

82.165.152.127:8080

176.104.106.96:8080

173.212.193.249:8080

167.99.115.35:8080

209.126.98.206:8080

eck1.plain
ecs1.plain

Extracted

Family

vidar

Version

51.9

Botnet

1281

C2

https://koyu.space/@ronxik123

Attributes
  • profile_id

    1281

Targets

    • Target

      Electronic form 04.26.2022, USA.lnk

    • Size

      2KB

    • MD5

      e87c1ae2b8c7e85b6431d420310df80e

    • SHA1

      683ab8df53a58982807ef65f3b68bb2bbab6fc6e

    • SHA256

      cde9b766bf2966ed7f0396fee7e23fdb7246b534affd58f6d4caf50237ff110b

    • SHA512

      c7959fed580f4e6096c345973fd2c19b049cf3e8539f391321a61fd4ff18fd4d7683cfb5534c38cf9ad9cc26cd99eb3a8f142b13b2430b761f78272b937e0c45

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Virtualization/Sandbox Evasion (1) T1497

  • Credential Access

    Credentials in Files (3) T1081

  • Discovery

    Query Registry (7) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (7) T1082
    Peripheral Device Discovery (1) T1120

  • Collection

    Data from Local System (3) T1005

Tasks