General

  • Target

    96afe1c2-c772-4f3a-bca4-80606734c6ce.eml

  • Size

    966KB

  • Sample

    230308-knnpyaee3z

  • MD5

    211da14de1113059da90257de399eb2f

  • SHA1

    ad0cb19d2169d3dfd565f3ed20686c1e91fc5f03

  • SHA256

    c976e44ad0a5fab2c23a5f238eede96c3532f36deaf2646837869415d6ea014b

  • SHA512

    d9052531eed7c2f63b4009544e98b0c4e895898f607f7709b219610ee43f45a03f0c08af9aa9737d4849e60442b1c9cc97e038dca491b14e725521a4f88275f5

  • SSDEEP

    6144:bK7mQNHmLZxAey6wQSl5feaXBOjaS7/wIF4tfXq/uIiVsjjkjW:bK7zHm4eKQSPGaXBdSLF4Rq/ubmYjW

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

Keys

eck1.plain
ecs1.plain

(ECK1 and ECS1 are the two public keys embedded in every Emotet config: the ECDH key used to derive the C2 session key and the ECDSA key used to verify server responses. Only the key names survived in this extract; the key material is not reproduced here.)
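The C2 list above is the actionable part of the extracted config. The following Python is an added example, not part of the Triage report, showing how a defender turns that list into a log matcher and a set of Suricata rules. The C2 entries are copied verbatim from the report; the firewall log lines, the `src=/dst=/dport=` log format and the rule SID range are constructed assumptions for the demo.

```python
"""Turn the extracted Emotet Epoch4 C2 list into a log matcher and Suricata rules.

Added example; not part of the Triage report. The C2 entries are copied from
the "C2" section above; the log lines and log format are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Copied verbatim from the report's C2 section.
C2_RAW = """
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
"""


def parse_c2(raw: str) -> dict[str, set[int]]:
    """Map each C2 IP to the set of ports listed with it; a malformed entry raises."""
    c2: dict[str, set[int]] = {}
    for entry in raw.split():
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # ValueError on anything that is not an IP literal
        c2.setdefault(host, set()).add(int(port))
    return c2


@dataclass(frozen=True)
class Hit:
    src: str
    dst: str
    dport: int
    exact: bool  # True: ip:port is in the config; False: only the IP matches


# Constructed firewall-style lines (not from the report): one exact C2 hit,
# one same-IP/different-port contact, one benign DNS lookup.
SAMPLE_LOG = """\
2023-03-08T10:12:01Z action=allow src=10.0.0.5 dst=159.65.88.10 dport=8080 proto=tcp
2023-03-08T10:12:07Z action=allow src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp
2023-03-08T10:12:09Z action=allow src=10.0.0.7 dst=129.232.188.93 dport=80 proto=tcp
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def scan(log: str, c2: dict[str, set[int]]) -> list[Hit]:
    """Return one Hit per line whose destination IP is a known C2.

    A same-IP/different-port contact is still reported (exact=False): Emotet C2
    addresses are frequently compromised third-party hosts that serve other
    ports too, so it is a weaker but still useful signal.
    """
    hits: list[Hit] = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dst"] not in c2:
            continue
        dport = int(m["dport"])
        hits.append(Hit(m["src"], m["dst"], dport, dport in c2[m["dst"]]))
    return hits


def to_suricata(c2: dict[str, set[int]], sid_base: int = 9000000) -> list[str]:
    """One alert rule per ip:port pair. The sid range is an arbitrary local choice."""
    rules: list[str] = []
    sid = sid_base
    for ip in sorted(c2, key=ipaddress.ip_address):
        for port in sorted(c2[ip]):
            rules.append(
                f"alert tcp $HOME_NET any -> {ip} {port} "
                f'(msg:"Emotet Epoch4 C2 {ip}:{port}"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    config = parse_c2(C2_RAW)
    for hit in scan(SAMPLE_LOG, config):
        print(hit)
    print("\n".join(to_suricata(config)))
```

Treat the resulting rules as dated to the sample (2023-03-08 by the sample ID): Emotet rotates its C2 list between builds and many of these addresses are hijacked legitimate servers, so an indefinite block is more likely to cause collateral damage than to catch a later variant.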

Targets

    • Target

      96afe1c2-c772-4f3a-bca4-80606734c6ce.eml

    • Size

      966KB

    • MD5

      211da14de1113059da90257de399eb2f

    • SHA1

      ad0cb19d2169d3dfd565f3ed20686c1e91fc5f03

    • SHA256

      c976e44ad0a5fab2c23a5f238eede96c3532f36deaf2646837869415d6ea014b

    • SHA512

      d9052531eed7c2f63b4009544e98b0c4e895898f607f7709b219610ee43f45a03f0c08af9aa9737d4849e60442b1c9cc97e038dca491b14e725521a4f88275f5

    • SSDEEP

      6144:bK7mQNHmLZxAey6wQSl5feaXBOjaS7/wIF4tfXq/uIiVsjjkjW:bK7zHm4eKQSPGaXBdSLF4Rq/ubmYjW

    Score
    6/10
    • Accesses Microsoft Outlook profiles

    • Drops file in System32 directory

    • Target

      Rep_97915979.zip

    • Size

      684KB

    • MD5

      4c5d8f345ce7a37b93c9f41e51e60a19

    • SHA1

      807bf7d9cf17de07494ae17007a14d39c76b9a90

    • SHA256

      6c7ed93b07a863f7b5c25b03449d00a2556ecef07f95b419fbe2c9cf17559d1d

    • SHA512

      bc40d6af96d9723ffc422efa1c0dba25d03042783ff7835b54d242213204ecb9e4a0f14f4252294fc5bc8637712f67ce1c2d92af13936509d860b996be20946c

    • SSDEEP

      6144:FJNbwmfcuHom8Hz2f//ywiWT8xVTI5wqH:ZbPHom8TYyCT8x5I5wA

    Score
    1/10
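The archive above is 684KB, yet the document it unpacks to is listed at 534.3MB. Deflate cannot do much better than about 1000:1 on repeated bytes, so that ratio alone says the document is almost entirely padding, the trick Emotet was using at the time to push its droppers past AV file-size limits. The following Python is an added example, not part of the report: it flags such members from the zip central directory before anything is extracted, then measures the padding run of a suspicious member. The archive it inspects is constructed in memory (an OLE2 magic plus 8 MiB of zero bytes beside an incompressible file); the ratio and size thresholds are assumptions to tune.

```python
"""Spot a padded document by its compression ratio before it is ever opened.

Added example; not part of the Triage report. The archive is constructed in
memory: one member that is a small OLE2 header plus 8 MiB of zero bytes, one
member of random bytes. Thresholds are assumptions to tune per environment.
"""
from __future__ import annotations

import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header bytes of a legacy .doc
PADDED_DOC = OLE2_MAGIC + b"constructed body" + b"\x00" * (8 * 1024 * 1024)
NORMAL_FILE = os.urandom(64 * 1024)  # random bytes do not compress


def build_sample_zip() -> bytes:
    """Constructed archive: a padded 'document' next to an incompressible file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("padded.doc", PADDED_DOC)
        zf.writestr("normal.bin", NORMAL_FILE)
    return buf.getvalue()


def trailing_run(data: bytes) -> tuple[int, int]:
    """(byte value, length) of the run of identical bytes at the end of data."""
    if not data:
        return (-1, 0)
    last = data[-1]
    return last, len(data) - len(data.rstrip(bytes([last])))


def inspect_zip(
    zip_bytes: bytes,
    ratio_threshold: float = 100.0,          # assumption: legit Office docs sit well below this
    size_limit: int = 200 * 1024 * 1024,     # assumption: a typical AV scan-size cutoff
) -> dict[str, dict]:
    """Per-member verdicts from the central directory alone.

    Only a member already judged padded is decompressed, and only to measure
    how much of its tail is a single repeated byte.
    """
    report: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            entry = {
                "file_size": info.file_size,
                "compress_size": info.compress_size,
                "ratio": round(ratio, 1),
                "oversized": info.file_size > size_limit,
                "padded": ratio > ratio_threshold,
            }
            if entry["padded"]:
                byte, run = trailing_run(zf.read(info))
                entry["trailing_byte"] = byte
                entry["trailing_run"] = run
            report[info.filename] = entry
    return report


if __name__ == "__main__":
    for name, verdict in inspect_zip(build_sample_zip()).items():
        print(name, verdict)
```

Applied to the report's own numbers, 534.3MB over 684KB is roughly 780:1, far above anything a real document reaches, so the check would fire without ever inflating the file. In production, cap how much of a flagged member you decompress, since `zf.read` materialises the whole thing in memory.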
    • Target

      Rep_97915979.doc

    • Size

      534.3MB

    • MD5

      e7483391a9b507ecbdfa411553650531

    • SHA1

      fdb26fdd782b2ac4dd26bb4e038730c2defb3918

    • SHA256

      a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248

    • SHA512

      e40f21a2919036fca9f54bc7f2926777cb7890195ac22f789bddab0bf9e08403f69fcb493c3214dd9ffdaa65c0812885fd75d119dcd32a59133a3dccc85e1e1d

    • SSDEEP

      6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Target

      email-html-1.txt

    • Size

      7KB

    • MD5

      b571305d4066b0a0af515016ab53fe5c

    • SHA1

      894f5d8fde9bea13ba2751e61f77b55b526da2f1

    • SHA256

      7ea5ced2ea813b1a4e99e59dca9cd41d4982c3cd2037c5aa45c74006f2dbc547

    • SHA512

      cef7c2c3970c0f33febbe5d77e4ffda7e200ff1ca001d811d00b13eabc870eedd506b48c8c6891a846fc6595331ed4e98e19dba4d146ffd7668bb87ab69a02b0

    • SSDEEP

      96:/v32fQFMSsSGSdSeS/tSItSgMiS/UBSeS6wGMSrSmHiSCTqH1cM+UqH6SMheofk/:332fQeXNyvoPVquvRIQjCTI3+UmScFZ

    Score
    1/10
    • Target

      image001.png

    • Size

      6KB

    • MD5

      93328012727d7dd99dfffabf0c38f1be

    • SHA1

      9bceb41c873ed8cd1ec8df89b9ba96a04f9143d1

    • SHA256

      27a694d87cba73ef5b422cba1505064ac77118285cd79b8139de389ee0cd88b9

    • SHA512

      6f73acf078a5f71c03feda89f4376d1f863b790a19731987c8b4f6a8c601e40518bff6056d73b13a147186cf479fd36a7292b0f463727882db04e787f54d9fd0

    • SSDEEP

      192:XvNg5Whf3QdTGFq7ty/bWuduP7WVo/YZa33P:Vg5Whf3QhvtybdO7WCQYP

    Score
    3/10
