c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls

General
Target

c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls

Size

73KB

Sample

220521-wtfgasaee4

Score
10 /10
MD5

40d72d3f670414dd1674d1a7fe3a18a0

SHA1

b48ca999e422c42954a315487920d4cbeb71afde

SHA256

c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8

SHA512

f97688624d3261ca567e07ed38ee0e63e6ce189c79f07cdee4828ad5e9757caf3a5a8fb2fbdab270d6f4d0ddac9e7886d5d4c08b14224edc1d8e65e02a7e908b

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

http://hullsite.com/0a61/nm6lxocqt/

xlm40.dropper

https://bencevendeghaz.hu/wp-includes/cLrqBIwf8C/

xlm40.dropper

https://ppiabanyuwangi.or.id/wp-admin/3Se7giNXt7ZCHG/

xlm40.dropper

http://3dstudioa.com.br/cgi-bin/yWpon1Nd03l/

xlm40.dropper

http://anat-bar.co.il/wp-admin/kZarrjJN148onRnRi/

xlm40.dropper

http://claudioavelar.adv.br/Revista/JljahSR26i5k/

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

http://hullsite.com/0a61/nm6lxocqt/

xlm40.dropper

https://bencevendeghaz.hu/wp-includes/cLrqBIwf8C/

Extracted

Family emotet
Botnet Epoch4
C2

51.254.140.238:7080

103.70.28.102:8080

5.9.116.246:8080

1.234.2.232:8080

209.250.246.206:443

58.227.42.236:80

72.15.201.15:8080

159.65.88.10:8080

189.126.111.200:7080

173.212.193.249:8080

188.44.20.25:443

134.122.66.193:8080

172.104.251.154:8080

103.75.201.2:443

150.95.66.124:8080

153.126.146.25:7080

103.43.75.120:443

203.114.109.124:443

27.54.89.58:8080

1.234.21.73:7080

146.59.226.45:443

185.8.212.130:7080

159.65.140.115:443

167.172.253.162:8080

45.235.8.30:8080

213.241.20.155:443

163.44.196.120:8080

45.118.115.99:8080

102.222.215.74:443

209.126.98.206:8080

77.81.247.144:8080

46.55.222.11:443

110.232.117.186:8080

212.237.17.99:8080

45.176.232.124:443

183.111.227.137:8080

101.50.0.91:8080

173.239.37.178:8080

206.189.28.199:8080

103.132.242.26:8080

201.94.166.162:443

158.69.222.101:443

82.165.152.127:8080

164.68.99.3:8080

209.97.163.214:443

172.105.70.96:443

185.4.135.165:8080

212.24.98.99:8080

149.56.131.28:8080

129.232.188.93:443

eck1.plain
eck1.plain
Targets
Target

c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls

MD5

40d72d3f670414dd1674d1a7fe3a18a0

Filesize

73KB

Score
10/10
SHA1

b48ca999e422c42954a315487920d4cbeb71afde

SHA256

c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8

SHA512

f97688624d3261ca567e07ed38ee0e63e6ce189c79f07cdee4828ad5e9757caf3a5a8fb2fbdab270d6f4d0ddac9e7886d5d4c08b14224edc1d8e65e02a7e908b

Tags

Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Loads dropped DLL

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        8/10

                        behavioral1

                        10/10