General

  • Target: 106.zip
  • Size: 42KB
  • Sample: 221109-2yj8yachb6
  • MD5: 26741e7545261921b7b3b25ea146abf1
  • SHA1: 1989d665a9afd8c9527b21348cd08bcb40c51c7a
  • SHA256: d82811f25dc0988f0d445cc1c99a8c96d4a2602ce80ce1a52a40cf7adc55c4c2
  • SHA512: 0ba306c01f06c15162aa73e09be69548b0292685e80391858543525b46b7a7cc29ccd6d1eda4ccd7cf491b4f20414b93b092d94a8102035213cc5ff4b688efd6
  • SSDEEP: 768:pcBr/czYKnk/fF56tB2DPO08utf3Gxaz2Cp8ghLIoqORuap1YdOv:pcBoUZd5SELO0BfGxGpfqa11YO

Malware Config

Extracted

  • Language: xlm4.0
  • Source: xlm40.dropper
  • URLs:
    http://fixoutlet.com/logs/OGlRuU/
    http://www.cesasin.com.ar/administrator/viA95RR/
    http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/
    http://case.co.il/_js/dooigYa/

Extracted

  • Family: emotet
  • Botnet: Epoch5

C2


ecs1.plain
eck1.plain

Targets

  • Target: 106.xls
  • Size: 91KB
  • MD5: 23f51f65c070fa82d15215b42c581e66
  • SHA1: 65e058c799d5f0548e0b711d729a65e5b0579ddc
  • SHA256: 54bf698576f1e4c5e733e05e4dd7335deb621851f0b6a5c4bc2ec8ec8b6ed0e2
  • SHA512: e6e919c408d7c686604f5a78dd6aedf810bc4008f04240c0d43bab354b5cc17302191cb65a4ee6f725388558ddb9c72c2b77d7bb820a7d18c0f676cc1a788b24
  • SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgIbCXuZH4gb4CEn9J4ZJhQvj:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgt

  • Emotet
    Emotet is a trojan that is primarily spread through spam emails.
  • Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
  • Downloads MZ/PE file
  • Loads dropped DLL
  • Adds Run key to start application
