General

  • Target

    emotet.zip

  • Size

    75KB

  • Sample

    220630-vy912adhak

  • MD5

    5c67df7745df065415e065edb42ab5a5

  • SHA1

    fc299ce1118316421892b4685ac56e9764afffaa

  • SHA256

    3c173f4be9dde0d5ecfe7e1ea7b4e964b2431091fb83c769cb93e54a9fd8adb0

  • SHA512

    d658e3a60ce6c0341b138dedf458e490764d3d41bef9f5122b16208299394ef72d28aad15c86bd374da010b6d69bc52559033c6e9d95294cdd1f5176ccaa68c2

Malware Config

Extracted

Language: xlm4.0

Source: URLs

  • xlm40.dropper

    http://bamassociates.net/admin/cDRv5kGpHxun9RP/

  • xlm40.dropper

    https://bencevendeghaz.hu/wp-includes/zWV5RmHTSn8eaP/

  • xlm40.dropper

    http://cs14productions.com/nav2/Om8zPGbo1ryK0hym/

  • xlm40.dropper

    http://www.charmingsoftech.com/AMMAN/lq7ihucFtWWFliuiuK/

Extracted

Family: emotet

Botnet: Epoch5

C2


eck1.plain
ecs1.plain

Extracted

Family: emotet

C2


Extracted

Language: xlm4.0

Source: URLs

  • xlm40.dropper

    https://www.mobiles-photostudio.com/MPS/uYUKsZhII1qQ1/

  • xlm40.dropper

    https://www.zablimconsultancy.co.ke/musagala/pmOVrwAwG/

  • xlm40.dropper

    http://www.kspintidana.com/wp-admin/jjiOcQAL/

  • xlm40.dropper

    http://www.garantihaliyikama.com/wp-admin/CcxWGjZEjriZ9zMdsP/

Extracted

Family: emotet

Botnet: Epoch4

C2


eck1.plain
ecs1.plain

Targets

    • Target

      886f121d571b7dab4f403e9ffa6a2011.xls

    • Size

      94KB

    • MD5

      886f121d571b7dab4f403e9ffa6a2011

    • SHA1

      a6008067a34afcccca0fe20f23cb245b5862cd1a

    • SHA256

      6b6c45fa2f17c74d2e97de41faac0482163ef5d8f5b44cbd0038c1cae9e426c6

    • SHA512

      b828030becea344e7bb0c8ed874af5e7a044de74ecff7d20fb1d600d54b24357a140671277a7cfea3680dea12694b04d5f961793f15b920dad55fca0d906b7f1

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      bca774464f52e484a93f3841124758a1.xls

    • Size

      94KB

    • MD5

      bca774464f52e484a93f3841124758a1

    • SHA1

      1bf6b435f6389af53744e960dac2e643eaac4192

    • SHA256

      c45bf0bf43d9595be252f2646198e686ee50df78f2eafd8fd58f5fda324db8b5

    • SHA512

      21c3b41f831ff41d1a81d926c85fcdec6be37699d02665d8db2826a7c360646cc338a7e4ac30871420528ae1cf4819a911c38129ef7c70b3c83221763390c257

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface, T1059 (2)

  • Defense Evasion

    Modify Registry, T1112 (2)

  • Discovery

    Query Registry, T1012 (4)

    System Information Discovery, T1082 (8)

Tasks