General

  • Target

    8667948243.zip

  • Size

    2.4MB

  • Sample

    230103-dzfedacg9s

  • MD5

    f071018b9ed0d80dde523ebfd185383a

  • SHA1

    88bfac1b0697283e49a0068f33d952aa3c2a5d59

  • SHA256

    50f5316c84df540350104b16bed310b39f26ea082114e95c47f042619ddebb40

  • SHA512

    7b94a52cb36aaa0dd174caca04a21abb0875e746698877b3e8e8ac0d0c1b4c6fac250ce6fda5812cdf5571180b429ef796c3bc2c1dfe0176dc1dd4a61b15768a

  • SSDEEP

    49152:q6526QAA2+ysoUkVlK+/q3Wq298iXDuC8XnakdEuC8Xn45hmuC8Xnr:h5gg3KWq3Xe8iSC83akHC834rC83r

Malware Config

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://blacksebo.de/sharedassets/fA/
    https://bikkviz.com/wp-admin/NyT44HkVg/
    http://chist.com/dir-/HH/
    http://coadymarine.com/Admin/ekamS7WWDkLwS44q/

Extracted

  • Family

    emotet

  • Botnet

    Epoch4

  • C2

    45.235.8.30:8080
    94.23.45.86:4143
    119.59.103.152:8080
    169.60.181.70:8080
    164.68.99.3:8080
    172.105.226.75:8080
    107.170.39.149:8080
    206.189.28.199:8080
    1.234.2.232:8080
    188.44.20.25:443
    186.194.240.217:443
    103.43.75.120:443
    149.28.143.92:443
    159.89.202.34:443
    209.97.163.214:443
    183.111.227.137:8080
    129.232.188.93:443
    139.59.126.41:443
    110.232.117.186:8080
    139.59.56.73:8080

  eck1.plain
  ecs1.plain

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://cpcwiki.de/images/rirOpdztUEfG7WJ/
    https://www.conceptagency.net/css/zXC/
    http://a.angel-tn.idv.tw/web_images/aa7fEDOPvT2F1i/
    http://www.atashelement.ir/qds-seo-url-autofill/tmSetsq0wxsmXdA/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://files.encendercomunicacion.com/jardinesdelpilar/7tTka2RzzAH/
    http://argojeans.com/FxCredit/tGNivisLKJet7a/
    http://blacksmithbooks.com/blog/yinA3nT/
    https://annunziato.com.br/swf/5FJ0eeAsKYPctsq/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://baetrade.com/45s/WsT3CvPcb35cc/
    https://boleo.nl/assets/NMRA4nGe92AZv/
    http://mecaprog.com/menusystemmodel005/zI4Vdv894mr/
    http://lysarbopaysage.fr/headers/ZZrBWaHoT0k/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://baetrade.com/45s/WsT3CvPcb35cc/
    https://boleo.nl/assets/NMRA4nGe92AZv/
    http://mecaprog.com/menusystemmodel005/zI4Vdv894mr/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    http://navylin.com/autopoisonous/yT4y0aa/
    http://www.3d-stickers.com/cache/ULfOeC4z7U/
    http://talles.atwebpages.com/sistemas/2WReqC3w1bZsCp/
    http://coinkub.com/wp-content/NL7Ddclhm/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://aldina.jp/wp-admin/YvD46yh/
    https://www.alliance-habitat.com/cache/lE8/
    http://anguklaw.com/microsoft-clearscript/oVgMlzJ61/
    https://andorsat.com/css/5xdvDtgW0H4SrZokxM/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    http://www.spinbalence.com/admin3693/Z6WQpmNRNj6041fU2zpt/
    http://kabaruntukrakyat.com/wp-content/ES/
    https://chobemaster.com/INFECTED/LEdXM4gdwN4mgnlC/
    http://cngst.com/data/fXWpDbJ3KwAybE/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/
    http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/
    http://armannahalpersian.ir/3H5qqUOB/
    http://alagi.ge/application/irnz5Rs8qWvQrf/

Extracted

  • Language

    xlm4.0

  • Source: xlm40.dropper

    URLs

    https://cs.com.sg/Backup/Bk778kXNKMiH5vH/
    https://j2ccamionmagasin.fr/css/1Mp8y/
    http://atici.net/old/PkZI74DD/
    http://clanbaker.org/css/khhl7kT2n69n/

Targets

    • Target

      199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0

    • Size

      255KB

    • MD5

      6493581b246b731e4937fbee64a68803

    • SHA1

      a6e306f8841ff6fbd50188c738469143a6934df0

    • SHA256

      199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0

    • SHA512

      d4089c3cf61a73c1469e01ba2892f4c3e91b7aa3e020deba399581d4212da5ed8c1d4eec29531312643faa838d34bd38de33065373aa72b7cbb782ea5b8b5f60

    • SSDEEP

      6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSu:ANbDjP9XH5XIqZLnSu

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      1c5f2ca9839078742383b207721ce92fdfa70ac50e5d7b73c2488d47f7e5ebac

    • Size

      255KB

    • MD5

      893f9b10a48073fc3fa0d5c8867f7200

    • SHA1

      875d63ddc7467890f8f72aa787298ca4b2051e3e

    • SHA256

      1c5f2ca9839078742383b207721ce92fdfa70ac50e5d7b73c2488d47f7e5ebac

    • SHA512

      8c65c4f8c89d5b6e973f2108cb4267cf3f6703609d84be6d4fda7b92770d462344c957e6fbc7a00e24076bbe2dc51bfe68ed80e5685ff985a01772edca5de632

    • SSDEEP

      6144:6Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgVNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcST:5NbDjP9XH5XIqZLnST

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      27a65553a3560c4e36589cc0da79c8713db4ab009ce4e687b51b302c9d5480ac

    • Size

      255KB

    • MD5

      0d1ea34c0423845842d2411dd5084ae5

    • SHA1

      731d92101270c9dbff7b622f0c70eed56a7ddab5

    • SHA256

      27a65553a3560c4e36589cc0da79c8713db4ab009ce4e687b51b302c9d5480ac

    • SHA512

      8b9d2554a8b445412e55f3234688f6c81c92ed874b0fdf65b8c6c55e451144b2c84f4526309bd43b3f939bb118f5e242f6f3fbc673de84477696febfc2914047

    • SSDEEP

      6144:JKpb8rGYrMPe3q7Q0XV5xtuEsi8/dggNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSq:nNbDjP9XH5XIqZLnSq

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      403e70970c9b6f4669f5446607042721caaa2235ebd610c31e1a5f7fc917d752

    • Size

      255KB

    • MD5

      ce3280f3e64768ff5a8b68c29bdf6fc7

    • SHA1

      a4d3d2107acab77c677054f428ad7c714bebb2fe

    • SHA256

      403e70970c9b6f4669f5446607042721caaa2235ebd610c31e1a5f7fc917d752

    • SHA512

      1c558bda07e64e84f56b1f8799602fe91f0d65a71f650993e6c41c0a3ef1c0d404f4e1f415aeb47033cb9ddd9afbea84c21f1bfade642c8ea1e1350ac9321175

    • SSDEEP

      6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dguNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSi:1NbDjP9XH5XIqZLnSi

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      470c6543c277decdbc2ad9f4d825b32e22b6a1ab37fcc337645371a5a3819aac

    • Size

      255KB

    • MD5

      73570b8824b20e00377b31b25ab5dbf8

    • SHA1

      5715020cc77af8eb4b91debed43d0ba69dc669be

    • SHA256

      470c6543c277decdbc2ad9f4d825b32e22b6a1ab37fcc337645371a5a3819aac

    • SHA512

      fe84a0129cf65bb29c0b8afe4c5ced3b8b2255082f20489ff7f431f52a234d41a0e0b2750f737c3b886bc953ef4f49862652d2ef1e0ebd23620995522e78b228

    • SSDEEP

      6144:JKpb8rGYrMPe3q7Q0XV5xtuEsi8/dggNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSf:nNbDjP9XH5XIqZLnSf

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      5a63ab6f7ef4d61c6d67fddff5883778b3235ef83b36bfced892d6dbc1a7416e

    • Size

      255KB

    • MD5

      c53b62a9af12cf189afd7f48d36041d5

    • SHA1

      3cc43c03d5b634409b9cd28d4eeec6e7f8a19584

    • SHA256

      5a63ab6f7ef4d61c6d67fddff5883778b3235ef83b36bfced892d6dbc1a7416e

    • SHA512

      bf68da6412d80607151832b5aecd96f55ef1555daf1718e82f70560d7210e753e1339a34a81b503e79f7de595f14be1c36e10d292080d94f03705b6321c53941

    • SSDEEP

      6144:6Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgRNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSz:FNbDjP9XH5XIqZLnSz

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      61e7a5bc6dda4cdf7d6c21edbabc61b22a616014d8648a8d43a83d03f5d75d61

    • Size

      73KB

    • MD5

      d8f46c46975e458f2019c27e8406911c

    • SHA1

      a88aa9a6b6ad91bd37d78d9341f49ad632b31ef0

    • SHA256

      61e7a5bc6dda4cdf7d6c21edbabc61b22a616014d8648a8d43a83d03f5d75d61

    • SHA512

      6332d7d8aa02ef6ac472de59d191d1a55788781fb5c665afa61ed77b6b37cc44c8fee2184b44428891ee37341e6e9aa285a97c24d05d78944519fec3cac610ba

    • SSDEEP

      1536:DMXKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgxBAezwrMCtvJecvRtbM5v:KKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgX

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      7f687711143b9895361fc01c72b0c1090eef0fdb250a1dfa17e35901212cc1a7

    • Size

      255KB

    • MD5

      32afcf9ce9f18c52f840007536626336

    • SHA1

      33a41f02d4e310fb8e1a40726a1bd5ab8839cd6d

    • SHA256

      7f687711143b9895361fc01c72b0c1090eef0fdb250a1dfa17e35901212cc1a7

    • SHA512

      f684a9edac45d0c206824ca53bb701b124d3def2de5425cf25c2776694d741820747161e8b7e5314bd0d4b34b44589e9c808d2adf72b7dd2242edf6c2bdbbe39

    • SSDEEP

      6144:2Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dguNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSj:eNbDjP9XH5XIqZLnSj

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      7ffe4ba8088b1e11c2d9579c721467862b9f7bb8d2bc4515be23dcd15036ebd6

    • Size

      217KB

    • MD5

      e1705d47f44d32c2822642aaea5e9131

    • SHA1

      baebb9c662f5122a98e2df309a6f288db802ff61

    • SHA256

      7ffe4ba8088b1e11c2d9579c721467862b9f7bb8d2bc4515be23dcd15036ebd6

    • SHA512

      ba18e73e6cc05996a275e0e72fc777c46f014e7d91493501edb3a75094d26360af394bfbb094e533668b25f8e0b261355eb728346b248fea0d14f091da4e39da

    • SSDEEP

      6144:SKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmvn:XbGUMVWlbvn

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed

    • Size

      255KB

    • MD5

      18252d898a785e916760be3e63c29a78

    • SHA1

      769301632d80a6c5996e7f9514786e79d044db17

    • SHA256

      8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed

    • SHA512

      86507a8d28982194e8cca9e95da98d17fde400393997eeb6df980e1da6549c8cb869ad347a0792423be75c8dcaaeb73df8d6e512bc363140cc06be834d60c775

    • SSDEEP

      6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg9Niwrfx9rNFMMrttRzV5Dz3UxqC8LUcSw:mNbDjP9XH5XIqZLnSw

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      a821b7d549ed8c03d8824bad80e2da2c7d212a096a43c82a1cbc3a9308256916

    • Size

      255KB

    • MD5

      2d32da58b535b67699209af9b4506a05

    • SHA1

      f65a977eb348add12ea8136e1dd63bd5041ce348

    • SHA256

      a821b7d549ed8c03d8824bad80e2da2c7d212a096a43c82a1cbc3a9308256916

    • SHA512

      ffc90596060b379626e7b0b2ff565407c7a9340cfeca1d0f6df4d91023403d286f30db8b85f542ebb9e4f63a6c513be047c05ab2aa658e61564e9be896be2405

    • SSDEEP

      6144:JKpb8rGYrMPe3q7Q0XV5xtuEsi8/dggNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcS6:nNbDjP9XH5XIqZLnS6

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      b0fb5f6486f17bf63a316d7f3eb85002d6fb74a96cdeb3a9e43f555c73f74d01

    • Size

      255KB

    • MD5

      b9a02c001e5c71d0156ab58e28f3470e

    • SHA1

      5bfd33906db74259368009303305247e5b43d6fa

    • SHA256

      b0fb5f6486f17bf63a316d7f3eb85002d6fb74a96cdeb3a9e43f555c73f74d01

    • SHA512

      588641932731204652372efcbf7f955642e81168a9cb1aac5a5a74175fe0c18a5c4da1c4e4716b779bd1e1392e9862b22194b9a245dc3d8a9168b482ec788041

    • SSDEEP

      6144:6Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dggNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcST:8NbDjP9XH5XIqZLnST

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      bd310a2a64e17c99fb956a72c31807a7a6120cb0719c203a3dab22ae47bdd8a2

    • Size

      217KB

    • MD5

      bc3affabc827c9ebbe52dc136760e056

    • SHA1

      132b7a932aa3cc66beefa39d282257125a08f17c

    • SHA256

      bd310a2a64e17c99fb956a72c31807a7a6120cb0719c203a3dab22ae47bdd8a2

    • SHA512

      e5b77000f5d1797e8f58ca550d7c0a6adbb90dc814b10334e35f5c129a795aa8fa284f0666129d86ba973e18184bacafc600ed6609b30dff6a45078718ff3c8b

    • SSDEEP

      6144:SKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQm1:QbGUMVWlb1

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 13

  • Discovery

    Query Registry (T1012): 26

    System Information Discovery (T1082): 26

Tasks