Overview

overview

10

Static

static

8

D74A4C4C1C...27.xls

windows7-x64

10

D74A4C4C1C...27.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    D74A4C4C1C1AA212CC9DD3A19A1777839D4EE4CFAE06A1194033CFA8A3C16B27

  • Size

    91KB

  • Sample

    221213-2q63qsbd91

  • MD5

    b941f45a2504e56ac8a8543929a89b8d

  • SHA1

    4ea5193e1d1e5827d098e14ada37fa789a752069

  • SHA256

    d74a4c4c1c1aa212cc9dd3a19a1777839d4ee4cfae06a1194033cfa8a3c16b27

  • SHA512

    d7a17e00e3f1562c197c8ce0342ca68a56b0c7df78a9b993a01837b2453c47208671666a591d8e4f3a2882bd7b1ffd410fc8d68051b395ea356997cb3d4cc1e7

  • SSDEEP

    1536:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHbCXuZH4gb4CEn9J4ZnX5:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg9

Score
10/10
emotetepoch4bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://datie-tw.com/img/O8G0RDZj7MYCuJyPoP/
xlm40.dropper

http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/
xlm40.dropper

https://copunupo.ac.zm/cgi-bin/WFFcGx/
xlm40.dropper

http://ly.yjlianyi.top/wp-admin/4cChao/

Extracted

Family

emotet

Botnet

Epoch4

C2

185.4.135.165:8080

159.89.202.34:443

82.223.21.224:8080

187.63.160.88:80

188.44.20.25:443

91.187.140.35:8080

110.232.117.186:8080

197.242.150.244:8080

119.59.103.152:8080

182.162.143.56:443

72.15.201.15:8080

173.255.211.88:443

206.189.28.199:8080

94.23.45.86:4143

45.63.99.23:7080

153.126.146.25:7080

45.118.115.99:8080

115.68.227.76:8080

163.44.196.120:8080

159.65.140.115:443
ecs1.plain
eck1.plain

Targets

    • Target

      D74A4C4C1C1AA212CC9DD3A19A1777839D4EE4CFAE06A1194033CFA8A3C16B27

    • Size

      91KB

    • MD5

      b941f45a2504e56ac8a8543929a89b8d

    • SHA1

      4ea5193e1d1e5827d098e14ada37fa789a752069

    • SHA256

      d74a4c4c1c1aa212cc9dd3a19a1777839d4ee4cfae06a1194033cfa8a3c16b27

    • SHA512

      d7a17e00e3f1562c197c8ce0342ca68a56b0c7df78a9b993a01837b2453c47208671666a591d8e4f3a2882bd7b1ffd410fc8d68051b395ea356997cb3d4cc1e7

    • SSDEEP

      1536:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHbCXuZH4gb4CEn9J4ZnX5:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg9

    Score
    10/10
    emotetepoch4bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks