
Resubmissions

  • 03/11/2022, 21:07: 221103-zyn6safbg6 (score 10)
  • 03/11/2022, 21:01: 221103-ztzfyshccm (score 10)
  • 03/11/2022, 15:09: 221103-sjnhdabfg4 (score 10)

General

  • Target: 8280932809.zip
  • Size: 168KB
  • Sample: 221103-ztzfyshccm
  • MD5: 609e0025a34515d53fc5321f7ab54e71
  • SHA1: 6188bc7fed87c33e51f678560472869b64d1165e
  • SHA256: 0a712277286bdb83dee39bd389e1ad65e079bdb53b9255fa4b26283b30c9da72
  • SHA512: e0cd9e11c8bd5928684f480869325c1ca69356598984ac6e7430faf7ecc0008f2339fec229a78a40215f708025d6560a9132f71e8276d04e7dd33c2092ba9900
  • SSDEEP: 3072:CUmLeFoCdtaHXhPF71tCKNc6iBVRXkZ9IuImo8bpU6j5Vkw3+BFUchg:CUmLANIh977/NIy9PImoKVNicchg

Malware Config

Extracted (Language: xlm4.0)

  • Source: xlm40.dropper, URL: https://audioselec.com/about/dDw5ggtyMojggTqhc/
  • Source: xlm40.dropper, URL: https://geringer-muehle.de/wp-admin/G/
  • Source: xlm40.dropper, URL: http://intolove.co.uk/wp-admin/FbGhiWtrEzrQ/
  • Source: xlm40.dropper, URL: http://isc.net.ua/themes/3rU/

Extracted

  • Family: emotet
  • Botnet: Epoch4

C2

eck1.plain
ecs1.plain

Targets

  • Target: ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
  • Size: 216KB
  • MD5: 2486374800299563ab8934122234242a
  • SHA1: 47bfe94aa96ef43231890f04ccd286b0888e10c8
  • SHA256: ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
  • SHA512: 74e52e1e1317908447340cbba32949321ed435f17a524224af80236ecdf67187c83908cca514e82a49b9abe9495125ba741e01ed8f30663124c13fce339c63e5
  • SSDEEP: 6144:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgAyY+TAQXTHGUMEyP5p6f5jQmK:GbGUMVWlbK

Signatures

  • Emotet: Emotet is a trojan that is primarily spread through spam emails.
  • Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
  • Downloads MZ/PE file
  • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks