emotet

General

Target

8972952545.zip
Size

168KB
Sample

230202-w277aabd74
MD5

0d4090b11f98adca793547a749213a64
SHA1

c0cff8665970d3892400f60aaab5b825ce6d0456
SHA256

7a21e3d14c5bae2e57469c344e234503bf5a5b0dea090039d881415989a7d81e
SHA512

b11ed58c8755b7369a653fd4fea35162c522df00b4e079fa35432e9305ff87d4c457c4f4f4f577d4f2fee1571dd80f5efddf0ab0f6e0891ea33c455f034f1451
SSDEEP

3072:6h4x/3je9YLhD0AxB/u8vuS40/vX+W4Eq/YOcMJwcEBYhAsDW0r/:6ix/zDpjxBH4W5q/YOcNcyKBbr/

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://sourceintership.com/vendor/rZnJL9pPUjA9pU/

xlm40.dropper

http://www.thebeginningstore.in/0202498070/m2x8inU7TSiuO3px/

xlm40.dropper

http://www.angloextrema.com.br/assets/mQVRrHu7o0eJXxTFu/

xlm40.dropper

http://alvaovillagecamping.pt/wp-content/Ra9iwOPb6uLf/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  7e8bc31fde2acc45f23d277c2e9ea931aec4bb3048571ee1244856b3b8607f48
- Size
  
  217KB
- MD5
  
  e8a4b008fd8e7e6806fb00d295c513a1
- SHA1
  
  4462a0f303d66d5d98e8c461023c129d82672c27
- SHA256
  
  7e8bc31fde2acc45f23d277c2e9ea931aec4bb3048571ee1244856b3b8607f48
- SHA512
  
  6c5be307096e174108f941bcc984c8bef9ea08275123f5bb7842aafbc0abb75bf1aa6ae26369cbb45a8f886baea1c4e9f50036479d15a2c3c27a572f055e7cab
- SSDEEP
  
  6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgLyY+TAQXTHGUMEyP5p6f5jQmS:nbGUMVWlbS
Score

10^/10

emotet epoch4 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Downloads MZ/PE file

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2