General

Target: a38d57030d9d4339b1444ffd33d1173a
Size: 121KB
Sample: 230125-j2ll3afd33
MD5: a38d57030d9d4339b1444ffd33d1173a
SHA1: fccecfd2d68b53662da0888a6f3528406f3d605a
SHA256: 48b83265c6f8ee8d4820a14de2b6bf2ddd3fecf3ba34e8173ff9f2d99249bbc4
SHA512: a20d9870359a4f7ec43859ac4920dfe4f80428e8db534c11bce2f76c672d4f1d53792324bd74abb8a63dc1409f0e289301bc787a65cd375dd0e4640af006705e
SSDEEP: 3072:IcKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:IcKoSsxzNDZLDZjlbR868O8KlVH37keI
Behavioral task

behavioral1
Sample: a38d57030d9d4339b1444ffd33d1173a.xls
Resource: win7-20220812-en
Malware Config
Extracted
https://youlanda.org/eln-images/n8DPZISf/
http://rosevideo.net/eln-images/EjdCoMlY8Gy/
http://vbaint.com/eln-images/H2pPGte8XzENC/
https://framemakers.us/eln-images/U5W2IGE9m8i9h9r/
http://niplaw.com/asolidfoundation/yCE9/
http://robertmchilespe.com/cgi/3f/
http://vocoptions.net/cgi/ifM9R5ylbVpM8hfR/
http://missionnyc.org/fonts/JO5/
http://robertflood.us/eln-images/DGI2YOkSc99XPO/
http://mpmcomputing.com/fonts/fJJrjqpIY3Bt3Q/
http://dadsgetinthegame.com/eln-images/tAAUG/
http://smbservices.net/cgi/JO01ckuwd/
http://stkpointers.com/eln-images/D/
http://rosewoodcraft.com/Merchant2/5.00/PGqX/
Extracted
emotet
Epoch4
185.248.140.40:443
8.9.11.48:443
200.17.134.35:7080
207.38.84.195:8080
79.172.212.216:8080
45.176.232.124:443
45.118.135.203:7080
162.243.175.63:443
110.232.117.186:8080
103.75.201.4:443
195.154.133.20:443
160.16.102.168:80
164.68.99.3:8080
131.100.24.231:80
216.158.226.206:443
159.89.230.105:443
178.79.147.66:8080
178.128.83.165:80
212.237.5.209:443
82.165.152.127:8080
50.116.54.215:443
58.227.42.236:80
119.235.255.201:8080
144.76.186.49:8080
138.185.72.26:8080
162.214.50.39:7080
81.0.236.90:443
176.104.106.96:8080
144.76.186.55:7080
129.232.188.93:443
212.24.98.99:8080
203.114.109.124:443
103.75.201.2:443
173.212.193.249:8080
41.76.108.46:8080
45.118.115.99:8080
158.69.222.101:443
107.182.225.142:8080
212.237.17.99:8080
212.237.56.116:7080
159.8.59.82:8080
46.55.222.11:443
104.251.214.46:8080
31.24.158.56:8080
153.126.203.229:8080
51.254.140.238:7080
185.157.82.211:8080
217.182.143.207:443
45.142.114.231:8080
Targets

Target: a38d57030d9d4339b1444ffd33d1173a
Size: 121KB
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory