emotet | 5e885180e31c3690ed6761b181919f985140bd173e35a444ea67450ce587dc15 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

8

0311.xls

windows7-x64

0311.xls

windows10-2004-x64

Sharing

General

Target

0311.xls
Size

217KB
Sample

221103-qzlydadahl
MD5

f6895e2267fc5ef1a31fd5dd4495fd5b
SHA1

ea86e973131a134c64150bb2a61440926f6e32a8
SHA256

5e885180e31c3690ed6761b181919f985140bd173e35a444ea67450ce587dc15
SHA512

97fd3bd4dfb31f75a5c4dfdc28dfcb7ed394d1b653153a69f0f73c50aec4aa866721ad48425665081c2cbde28be7014d6619a1ab360db8362545dcedfe153dcf
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmL:bbGUMVWlbL

Score

10^/10

emotet banker macro persistence trojan xlm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0311.xls

Resource

win7-20220901-en

emotet banker trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

0311.xls

Resource

win10v2004-20220812-en

emotet banker persistence trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Targets

- Target
  
  0311.xls
- Size
  
  217KB
- MD5
  
  f6895e2267fc5ef1a31fd5dd4495fd5b
- SHA1
  
  ea86e973131a134c64150bb2a61440926f6e32a8
- SHA256
  
  5e885180e31c3690ed6761b181919f985140bd173e35a444ea67450ce587dc15
- SHA512
  
  97fd3bd4dfb31f75a5c4dfdc28dfcb7ed394d1b653153a69f0f73c50aec4aa866721ad48425665081c2cbde28be7014d6619a1ab360db8362545dcedfe153dcf
- SSDEEP
  
  6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmL:bbGUMVWlbL
Score

10^/10

emotet banker trojan persistence
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

emotetbankertrojan

behavioral2

emotetbankerpersistencetrojan

© 2018-2025

Terms | Privacy