Overview

overview

10

Static

static

8

a38d57030d...3a.xls

windows7-x64

10

a38d57030d...3a.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a38d57030d9d4339b1444ffd33d1173a

  • Size

    121KB

  • Sample

    230125-j2ll3afd33

  • MD5

    a38d57030d9d4339b1444ffd33d1173a

  • SHA1

    fccecfd2d68b53662da0888a6f3528406f3d605a

  • SHA256

    48b83265c6f8ee8d4820a14de2b6bf2ddd3fecf3ba34e8173ff9f2d99249bbc4

  • SHA512

    a20d9870359a4f7ec43859ac4920dfe4f80428e8db534c11bce2f76c672d4f1d53792324bd74abb8a63dc1409f0e289301bc787a65cd375dd0e4640af006705e

  • SSDEEP

    3072:IcKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:IcKoSsxzNDZLDZjlbR868O8KlVH37keI

Score
10/10
emotetepoch4bankermacromacro_on_actiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://youlanda.org/eln-images/n8DPZISf/
exe.dropper

http://rosevideo.net/eln-images/EjdCoMlY8Gy/
exe.dropper

http://vbaint.com/eln-images/H2pPGte8XzENC/
exe.dropper

https://framemakers.us/eln-images/U5W2IGE9m8i9h9r/
exe.dropper

http://niplaw.com/asolidfoundation/yCE9/
exe.dropper

http://robertmchilespe.com/cgi/3f/
exe.dropper

http://vocoptions.net/cgi/ifM9R5ylbVpM8hfR/
exe.dropper

http://missionnyc.org/fonts/JO5/
exe.dropper

http://robertflood.us/eln-images/DGI2YOkSc99XPO/
exe.dropper

http://mpmcomputing.com/fonts/fJJrjqpIY3Bt3Q/
exe.dropper

http://dadsgetinthegame.com/eln-images/tAAUG/
exe.dropper

http://smbservices.net/cgi/JO01ckuwd/
exe.dropper

http://stkpointers.com/eln-images/D/
exe.dropper

http://rosewoodcraft.com/Merchant2/5.00/PGqX/

Extracted

Family

emotet

Botnet

Epoch4

C2

185.248.140.40:443

8.9.11.48:443

200.17.134.35:7080

207.38.84.195:8080

79.172.212.216:8080

45.176.232.124:443

45.118.135.203:7080

162.243.175.63:443

110.232.117.186:8080

103.75.201.4:443

195.154.133.20:443

160.16.102.168:80

164.68.99.3:8080

131.100.24.231:80

216.158.226.206:443

159.89.230.105:443

178.79.147.66:8080

178.128.83.165:80

212.237.5.209:443

82.165.152.127:8080
eck1.plain
ecs1.plain

Targets

    • Target

      a38d57030d9d4339b1444ffd33d1173a

    • Size

      121KB

    • MD5

      a38d57030d9d4339b1444ffd33d1173a

    • SHA1

      fccecfd2d68b53662da0888a6f3528406f3d605a

    • SHA256

      48b83265c6f8ee8d4820a14de2b6bf2ddd3fecf3ba34e8173ff9f2d99249bbc4

    • SHA512

      a20d9870359a4f7ec43859ac4920dfe4f80428e8db534c11bce2f76c672d4f1d53792324bd74abb8a63dc1409f0e289301bc787a65cd375dd0e4640af006705e

    • SSDEEP

      3072:IcKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:IcKoSsxzNDZLDZjlbR868O8KlVH37keI

    Score
    10/10
    emotetepoch4bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks