Overview

overview

10

Static

static

8

MAIL_06072022.xls

windows7_x64

10

MAIL_06072022.xls

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MAIL_06072022.zip

  • Size

    38KB

  • Sample

    220707-dr3jyaeef2

  • MD5

    15426eb90163ef2679ba2232e95c04b6

  • SHA1

    9071a216a207a78487109be6be7ee04f488a484d

  • SHA256

    17415037bc53d4ee07d078bfdaa2172ba31c3f2ee7008a0e96d2e353c38a4e23

  • SHA512

    8f008fa3fc985620dd85d42880af2a70521ec4c305d0dd19eddecf4d704eca9dd5388029993616bb97f692d4cb618021122ae69ca38b35ae29c13e758b5abc69

Score
10/10
emotetepoch5bankermacrosuricatatrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://francite.net/images/XI7zS0X1nY/
xlm40.dropper

https://cointrade.world/receipts/Sa6fYJpecEVqiRf05/
xlm40.dropper

http://gedebey-tvradio.info/wp-includes/nOmdPyUpDB/
xlm40.dropper

http://haircutbar.com/cgi-bin/SpJT9OKPmUpJfkGqv/

Extracted

Family

emotet

Botnet

Epoch5

C2

103.71.99.57:8080

103.224.241.74:8080

157.245.111.0:8080

37.44.244.177:8080

103.41.204.169:8080

64.227.55.231:8080

103.254.12.236:7080

103.85.95.4:8080

157.230.99.206:8080

165.22.254.236:8080

85.214.67.203:8080

54.37.228.122:443

195.77.239.39:8080

128.199.217.206:443

190.145.8.4:443

165.232.185.110:8080

188.165.79.151:443

178.62.112.199:8080

54.37.106.167:8080

104.244.79.94:443
eck1.plain
ecs1.plain

Extracted

Family

emotet

C2

198.27.67.35:8080

190.107.19.180:8080

58.96.74.42:443

116.125.120.88:443

180.250.21.2:443

165.227.153.100:8080

62.141.45.103:443

134.209.164.181:8080

212.98.224.97:8080

159.65.163.220:443

128.199.93.156:7080

198.211.118.165:443

203.217.140.239:8080

Targets

    • Target

      MAIL_06072022.xls

    • Size

      95KB

    • MD5

      7972a1bdad0a36a1f0c22bef9b4bb14a

    • SHA1

      b9b1e26bd106de667a143c680ca5add7c4d818b0

    • SHA256

      8d1ac63a1ba57a2dbd07a31585669eea9eb1edddee008bd577822b37a987b04e

    • SHA512

      8a0a1811410534c84e3f6a66a05c4811265c675e89cc04fd8e4d17df12489c925e87399c3b00280a2eb13461069b316072ef07d6a856780e0feffba0d514de8e

    Score
    10/10
    emotetepoch5bankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks