Overview

overview

10

Static

static

8

form.doc

windows7-x64

10

form.doc

windows10-2004-x64

10

Resubmissions

09-03-2023 11:31

230309-nmvnmscb23 8

09-03-2023 11:26

230309-nj43xaba6x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    form.zip

  • Size

    763KB

  • Sample

    230309-nj43xaba6x

  • MD5

    0fd03cce596e7c904d7596f863a17606

  • SHA1

    bc6e0464f6592bf8697dad31b47439260498a000

  • SHA256

    a26710aa82733dff77167bcf0238483001ecad7ee9a8b727aa4328850e2b150a

  • SHA512

    46d86a7e93d67eb7964c571c7f289bf5fdaeb35e5b99dbea1cf63a6ee66fb4ad2bce785e78e9eaa85a1b0b43de96bade9ae13d46c403e27b95e38e262d799669

  • SSDEEP

    6144:vkjM/ZrZPtRQhpuTec+hFF1NGJsCCmIivTF2f8bKm6zBA7FjAvxtR9Nu:cMZr1YpblFHpCCmRBbKm6l02bbNu

Score
10/10
emotetepoch4bankermacromacro_on_actionpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Targets

    • Target

      form.doc

    • Size

      517.4MB

    • MD5

      4e607710b49e7af26a7af785b3ec8469

    • SHA1

      037609b372c246ef59fbc8943e38dad8ba2edda9

    • SHA256

      5ad62d5acf965029c502414f255ef06b4ef3d7ba8f650ad209d12fb0e7e6888b

    • SHA512

      ea7120f36dcc8a46818b65546de080d0bd07b813a950d238df97f6c01119d1b5a16f46d01f0ee0c99ca153b941abbcf8659f51e96900522a9761a552995f4dd1

    • SSDEEP

      6144:ogJI9kbGiyDlVYoD2qe2qBgYZDyc+1Jg+CHf8biy/xllXQQgI2V:suyvDlGoUXZDyc0HCHf2Jxpg

    Score
    10/10
    emotetepoch4bankerpersistencetrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks