Overview

overview

10

Static

static

8

Deluxe.ocn...rm.xls

windows7_x64

10

Deluxe.ocn...rm.xls

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Deluxe.ocn.ne_Form.xls

  • Size

    78KB

  • Sample

    220514-ray23scedl

  • MD5

    8b0f18f7322946e3bde962f9455f286d

  • SHA1

    fb4405f35e590913373a53258192e7092ac8ec2a

  • SHA256

    e2df8d7975b89087c78c4457e83679006b68eca7e1fb313cdafac74c5651792e

  • SHA512

    f337821a6bdfb2d3331c5499570eccf50370ea5b6d3e42573803a0984f2258cd7045a9843492321fa85ebc248c43b9fdb86ab0548674a522b8da8791936dc3d6

Score
10/10
emotetbankermacrosuricatatrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.flash-inc.com/group/igirl/css/QqoV/

Targets

    • Target

      Deluxe.ocn.ne_Form.xls

    • Size

      78KB

    • MD5

      8b0f18f7322946e3bde962f9455f286d

    • SHA1

      fb4405f35e590913373a53258192e7092ac8ec2a

    • SHA256

      e2df8d7975b89087c78c4457e83679006b68eca7e1fb313cdafac74c5651792e

    • SHA512

      f337821a6bdfb2d3331c5499570eccf50370ea5b6d3e42573803a0984f2258cd7045a9843492321fa85ebc248c43b9fdb86ab0548674a522b8da8791936dc3d6

    Score
    10/10
    emotetbankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks