Overview

overview

10

Static

static

8

INVOICE 589 03_23.doc

windows7-x64

10

INVOICE 589 03_23.doc

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    51f1fdf15170d27b6c36e52407bc57e614400179e93fb406eb8e8d6a1d3ecfa7.zip

  • Size

    124KB

  • Sample

    230308-mfrgzaeh6v

  • MD5

    2d4d6693ca9cacab861a63cacbfd8d20

  • SHA1

    8bd0a5b91d253db7e1e2313c0ab44280bd4a609b

  • SHA256

    748ec7754ce328e4b22e34eee3611cde2b51d77bd17c9fe22569e3efa19e151a

  • SHA512

    0609d627fc27c7efae9662ea929922eff172b5e131a6dcc9f90680bb2f6d3f77ca63e4ce7d5bbb69d945681a3f4068207a9fc3e744f5e8200eead3fbd1ef53e6

  • SSDEEP

    3072:P9t14ChKyaJC2UyLUFNPtiVpBKKFlzy5cJdiAf0odlomv5lz:J4CMC/dFF+/zJdimldFz

Score
10/10
emotetepoch4bankermacromacro_on_actionpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Targets

    • Target

      INVOICE 589 03_23.doc

    • Size

      526.2MB

    • MD5

      b59808aba76dd0095aa06133382de9ed

    • SHA1

      59aed06213b305d2877031e8ef489064ef74ca74

    • SHA256

      2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b

    • SHA512

      134c7c9929c277a3ec0403c2246214059d107c78c0056f8190218e0d16ded3cfaa7a4682d695f9e6212c66220cb222589c8fcd19f6ea70a00994eb06eec6566b

    • SSDEEP

      3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

    Score
    10/10
    emotetepoch4bankerpersistencetrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks