General

  • Target

    BF829517A6DAC2F780968DF6DB5B212A01EC269A353376EAA1B7D6EB306DCC9F

  • Size

    91KB

  • Sample

    221123-r2xy4adb6z

  • MD5

    c44facac840cd5d8286c0a771dc0df4d

  • SHA1

    bea1524c9dcbdeb63ab6073dae60ad071ad5db2c

  • SHA256

    bf829517a6dac2f780968df6db5b212a01ec269a353376eaa1b7d6eb306dcc9f

  • SHA512

    8e6f752450612fbe4d555e4f4e0372f62778311bf77740a8d0352a5b3861dc334e6d0c1ab953f2e82456884f8f6a498eabf3f17d540aa0a1acef4320d5a71ae5

  • SSDEEP

    1536:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHbCXuZH4gb4CEn9J4ZPX5:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgl

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

https://datie-tw.com/img/O8G0RDZj7MYCuJyPoP/

xlm40.dropper

http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/

xlm40.dropper

https://copunupo.ac.zm/cgi-bin/WFFcGx/

xlm40.dropper

http://ly.yjlianyi.top/wp-admin/4cChao/

Extracted

Family

emotet

Botnet

Epoch4

C2

185.4.135.165:8080

159.89.202.34:443

82.223.21.224:8080

187.63.160.88:80

188.44.20.25:443

91.187.140.35:8080

110.232.117.186:8080

197.242.150.244:8080

119.59.103.152:8080

182.162.143.56:443

72.15.201.15:8080

173.255.211.88:443

206.189.28.199:8080

94.23.45.86:4143

45.63.99.23:7080

153.126.146.25:7080

45.118.115.99:8080

115.68.227.76:8080

163.44.196.120:8080

159.65.140.115:443

ecs1.plain
eck1.plain

Targets

    • Target

      BF829517A6DAC2F780968DF6DB5B212A01EC269A353376EAA1B7D6EB306DCC9F

    • Size

      91KB

    • MD5

      c44facac840cd5d8286c0a771dc0df4d

    • SHA1

      bea1524c9dcbdeb63ab6073dae60ad071ad5db2c

    • SHA256

      bf829517a6dac2f780968df6db5b212a01ec269a353376eaa1b7d6eb306dcc9f

    • SHA512

      8e6f752450612fbe4d555e4f4e0372f62778311bf77740a8d0352a5b3861dc334e6d0c1ab953f2e82456884f8f6a498eabf3f17d540aa0a1acef4320d5a71ae5

    • SSDEEP

      1536:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHbCXuZH4gb4CEn9J4ZPX5:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgl

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                      Tasks