Overview

overview

10

Static

static

8

8137ec71fc...e3.xls

windows7-x64

10

8137ec71fc...e3.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8137ec71fc0aeab0be48d885d1334de3

  • Size

    121KB

  • Sample

    230125-j2kd1aha8y

  • MD5

    8137ec71fc0aeab0be48d885d1334de3

  • SHA1

    e88e7cb7c1d78aecf48b226d1c8e4c1089ed7204

  • SHA256

    b270f1dc0e9a1979ad04d277031b351fd46e4edcc244404db32226259f89ccb2

  • SHA512

    bd9247f2c2cc45a9f9eedbc8ba499f615d19ee30c0f76748e12135426522251b089fb4b7758fad45c5880e9cd87c67a8b0bc221ec41db59862735cdfb8c80e5f

  • SSDEEP

    3072:ucKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:ucKoSsxzNDZLDZjlbR868O8KlVH37keI

Score
10/10
emotetepoch4bankermacromacro_on_actiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://youlanda.org/eln-images/n8DPZISf/
exe.dropper

http://rosevideo.net/eln-images/EjdCoMlY8Gy/
exe.dropper

http://vbaint.com/eln-images/H2pPGte8XzENC/
exe.dropper

https://framemakers.us/eln-images/U5W2IGE9m8i9h9r/
exe.dropper

http://niplaw.com/asolidfoundation/yCE9/
exe.dropper

http://robertmchilespe.com/cgi/3f/
exe.dropper

http://vocoptions.net/cgi/ifM9R5ylbVpM8hfR/
exe.dropper

http://missionnyc.org/fonts/JO5/
exe.dropper

http://robertflood.us/eln-images/DGI2YOkSc99XPO/
exe.dropper

http://mpmcomputing.com/fonts/fJJrjqpIY3Bt3Q/
exe.dropper

http://dadsgetinthegame.com/eln-images/tAAUG/
exe.dropper

http://smbservices.net/cgi/JO01ckuwd/
exe.dropper

http://stkpointers.com/eln-images/D/
exe.dropper

http://rosewoodcraft.com/Merchant2/5.00/PGqX/

Extracted

Family

emotet

Botnet

Epoch4

C2

185.248.140.40:443

8.9.11.48:443

200.17.134.35:7080

207.38.84.195:8080

79.172.212.216:8080

45.176.232.124:443

45.118.135.203:7080

162.243.175.63:443

110.232.117.186:8080

103.75.201.4:443

195.154.133.20:443

160.16.102.168:80

164.68.99.3:8080

131.100.24.231:80

216.158.226.206:443

159.89.230.105:443

178.79.147.66:8080

178.128.83.165:80

212.237.5.209:443

82.165.152.127:8080
eck1.plain
ecs1.plain

Targets

    • Target

      8137ec71fc0aeab0be48d885d1334de3

    • Size

      121KB

    • MD5

      8137ec71fc0aeab0be48d885d1334de3

    • SHA1

      e88e7cb7c1d78aecf48b226d1c8e4c1089ed7204

    • SHA256

      b270f1dc0e9a1979ad04d277031b351fd46e4edcc244404db32226259f89ccb2

    • SHA512

      bd9247f2c2cc45a9f9eedbc8ba499f615d19ee30c0f76748e12135426522251b089fb4b7758fad45c5880e9cd87c67a8b0bc221ec41db59862735cdfb8c80e5f

    • SSDEEP

      3072:ucKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:ucKoSsxzNDZLDZjlbR868O8KlVH37keI

    Score
    10/10
    emotetepoch4bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks