emotet

General

Target

c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls
Size

73KB
Sample

220521-wtfgasaee4
MD5

40d72d3f670414dd1674d1a7fe3a18a0
SHA1

b48ca999e422c42954a315487920d4cbeb71afde
SHA256

c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8
SHA512

f97688624d3261ca567e07ed38ee0e63e6ce189c79f07cdee4828ad5e9757caf3a5a8fb2fbdab270d6f4d0ddac9e7886d5d4c08b14224edc1d8e65e02a7e908b

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://hullsite.com/0a61/nm6lxocqt/

xlm40.dropper

https://bencevendeghaz.hu/wp-includes/cLrqBIwf8C/

xlm40.dropper

https://ppiabanyuwangi.or.id/wp-admin/3Se7giNXt7ZCHG/

xlm40.dropper

http://3dstudioa.com.br/cgi-bin/yWpon1Nd03l/

xlm40.dropper

http://anat-bar.co.il/wp-admin/kZarrjJN148onRnRi/

xlm40.dropper

http://claudioavelar.adv.br/Revista/JljahSR26i5k/

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://hullsite.com/0a61/nm6lxocqt/

xlm40.dropper

https://bencevendeghaz.hu/wp-includes/cLrqBIwf8C/

Extracted

Family

emotet

Botnet

Epoch4

C2

51.254.140.238:7080

103.70.28.102:8080

5.9.116.246:8080

1.234.2.232:8080

209.250.246.206:443

58.227.42.236:80

72.15.201.15:8080

159.65.88.10:8080

189.126.111.200:7080

173.212.193.249:8080

188.44.20.25:443

134.122.66.193:8080

172.104.251.154:8080

103.75.201.2:443

150.95.66.124:8080

153.126.146.25:7080

103.43.75.120:443

203.114.109.124:443

27.54.89.58:8080

1.234.21.73:7080

eck1.plain

Targets

- Target
  
  c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls
- Size
  
  73KB
- MD5
  
  40d72d3f670414dd1674d1a7fe3a18a0
- SHA1
  
  b48ca999e422c42954a315487920d4cbeb71afde
- SHA256
  
  c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8
- SHA512
  
  f97688624d3261ca567e07ed38ee0e63e6ce189c79f07cdee4828ad5e9757caf3a5a8fb2fbdab270d6f4d0ddac9e7886d5d4c08b14224edc1d8e65e02a7e908b
Score

10^/10

emotet epoch4 banker suricata trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
  suricata: ET MALWARE W32/Emotet CnC Beacon 3
  suricata
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2