General

  • Target

    DOCUMENT_61.zip

  • Size

    42KB

  • Sample

    221109-v6fr6aagg8

  • MD5

    1b0c2f9fe9db8a5b640ef208cdeae003

  • SHA1

    95002150cd6d0da178aad86d3078cf8509d2e30b

  • SHA256

    795277af201b985e77cc9cc41586e491f6736c2f9bb476a8e307725937ca1fb5

  • SHA512

    0ffeb9883b9cc2357f8107a57bc2b54afa097d6acda74576633dfc2dd5a44addac68e41d8d33fb451eb1bc1d155bf004b665241d84cd6b90f36d73baa0fa4831

  • SSDEEP

    768:sf9GvPqsv3ITcgZhRukWRUxiyeSkQR6OZ+frkKIpnhBtCV94s52XvN1VkGW:aGvZv3ITc49ICxeSvD8Dkblnto4s52vG

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    URLs (xlm40.dropper)

    http://yesdeko.com/app/mydLAE/

    http://demo.cansunoto.com/lYqTuQ0qe5r2Y/JM1VqkOTTwt7Bvsu/

    http://cultura.educad.pe/wp-content/Vy5ft0Rw/

    http://nlasandbox3.com/backup/iCxLdPuH6tfxDQR2/

Extracted

  • Family

    emotet

  • Botnet

    Epoch5

  • C2

ecs1.plain
eck1.plain

Targets

    • Target

      DOCUMENT_61.xls

    • Size

      91KB

    • MD5

      c4a673c9512d203146d1fa215100ca9c

    • SHA1

      4a4ab01a4ac4a7c83da4f264265c89beff881f95

    • SHA256

      23e5c64fa6e92469a1965fa064aa9a913fb7992b49daedd7c1a9d46eeb9ce8ce

    • SHA512

      195d758522e55e2ee1133c75d5a3692c6bd1ecf3ef2ef1337f367e94180880848f717980926d0f6d5932b4a078d64bc909ab53fad2d1d20aaef385844d242b4a

    • SSDEEP

      1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dggbCXuZH4gb4CEn9J4ZsHM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks