Resubmissions

25-11-2022 04:51

221125-fhbe7scd25 10

24-11-2022 15:34

221124-szrvqsgc7y 10

General

  • Target

    K-1 form.xls

  • Size

    255KB

  • Sample

    221124-szrvqsgc7y

  • MD5

    18252d898a785e916760be3e63c29a78

  • SHA1

    769301632d80a6c5996e7f9514786e79d044db17

  • SHA256

    8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed

  • SHA512

    86507a8d28982194e8cca9e95da98d17fde400393997eeb6df980e1da6549c8cb869ad347a0792423be75c8dcaaeb73df8d6e512bc363140cc06be834d60c775

  • SSDEEP

    6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg9Niwrfx9rNFMMrttRzV5Dz3UxqC8LUcSw:mNbDjP9XH5XIqZLnSw

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.spinbalence.com/admin3693/Z6WQpmNRNj6041fU2zpt/

xlm40.dropper

http://kabaruntukrakyat.com/wp-content/ES/

xlm40.dropper

https://chobemaster.com/INFECTED/LEdXM4gdwN4mgnlC/

xlm40.dropper

http://cngst.com/data/fXWpDbJ3KwAybE/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain
ecs1.plain

Targets

    • Target

      K-1 form.xls

    • Size

      255KB

    • MD5

      18252d898a785e916760be3e63c29a78

    • SHA1

      769301632d80a6c5996e7f9514786e79d044db17

    • SHA256

      8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed

    • SHA512

      86507a8d28982194e8cca9e95da98d17fde400393997eeb6df980e1da6549c8cb869ad347a0792423be75c8dcaaeb73df8d6e512bc363140cc06be834d60c775

    • SSDEEP

      6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg9Niwrfx9rNFMMrttRzV5Dz3UxqC8LUcSw:mNbDjP9XH5XIqZLnSw

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks