Resubmissions

03-11-2022 20:54  221103-zpvbfahbgn  10

03-11-2022 20:50  221103-zmj3pafad9  10

General

  • Target

    68d69ba748e4e5ce6ec1b3673b5d0346c1feed9320ec574b589291945d76313e.xls

  • Size

    217KB

  • Sample

    221103-zpvbfahbgn

  • MD5

    17ee0eee985488668d4cd89f892c3121

  • SHA1

    0d0255f1a259cc50d9c190abce23c39c688b54ea

  • SHA256

    68d69ba748e4e5ce6ec1b3673b5d0346c1feed9320ec574b589291945d76313e

  • SHA512

    4888f4c9307b8d060a1ac1261bf5a17a3c4cd158aeba03526fc122bf351ed25410ff3daedd5ab2249dd0c00503d944f9bfe73cb50ea6455b6601febb84e55619

  • SSDEEP

    6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmr:bbGUMVWlbr

Malware Config

Extracted

  • Language

    xlm4.0

  • Source / URLs

    xlm40.dropper  https://aprendeconmireia.com/images/wBu/

    xlm40.dropper  http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

    xlm40.dropper  https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

    xlm40.dropper  http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Extracted

Family

emotet

Botnet

Epoch5

C2


ecs1.plain
eck1.plain

Extracted

Family

cryptbot

C2

http://towgqo410.top/gate.php

Extracted

Family

raccoon

Botnet

5b5d6fecfbf716a915d7a5ecf88d7c76

C2

http://94.131.98.21/

rc4.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      68d69ba748e4e5ce6ec1b3673b5d0346c1feed9320ec574b589291945d76313e.xls


    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • ModiLoader Second Stage

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6), listed as technique (ATT&CK ID): number of matching signatures

Execution

  • Scheduled Task (T1053): 1

  • Command-Line Interface (T1059): 1

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 2

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 5

  • Install Root Certificate (T1130): 1

Credential Access

  • Credentials in Files (T1081): 5

Discovery

  • Query Registry (T1012): 7

  • System Information Discovery (T1082): 8

  • Peripheral Device Discovery (T1120): 3

Collection

  • Data from Local System (T1005): 5

  • Email Collection (T1114): 1
