Resubmissions

14-03-2023 10:32  230314-mk8l2sgh5s  8
14-03-2023 10:27  230314-mhhmvagh3w  10

General

  • Target: SCAN-14032023.zip
  • Size: 739KB
  • Sample: 230314-mhhmvagh3w
  • MD5: d33bc156c84e222419aff3815d5946f2
  • SHA1: 8e2fdb102f47602c6beeb250cd5cc400e50fd2b6
  • SHA256: e02bb757e6ed2c531fc97cf30099aec744f6a4c910b0962b660542baf87b6353
  • SHA512: a25a419b0db1fae97804f02dd6cc6c96349654e8d39c4a98a98b66dac20ac3280128d5aa7f9ab26f450b78c47971f9ed0d7ec915a4dc2287062d7e382b08cb05
  • SSDEEP: 6144:5wZnDlMy6O3qKmCRUe1B5uLqcHfVDNUV3nJGM+BTv:GtDlb6IqXCRUe1BTcH8VIM+Vv

Malware Config

Extracted

Family: emotet

Botnet: Epoch5

C2:
103.85.95.4:8080
103.224.241.74:8080
178.238.225.252:8080
37.59.103.148:8080
78.47.204.80:443
138.197.14.67:8080
128.199.242.164:8080
54.37.228.122:443
37.44.244.177:8080
139.59.80.108:8080
218.38.121.17:443
82.98.180.154:7080
114.79.130.68:443
159.65.135.222:7080
174.138.33.49:7080
195.77.239.39:8080
193.194.92.175:443
198.199.70.22:8080
85.214.67.203:8080
93.84.115.205:7080

ecs1.plain
eck1.plain
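The extracted C2 list above is the part of this report an analyst will act on first. The following Python is an added example, not part of the sandbox report: it parses the C2 entries into an (ip, port) set, emits a sorted address blocklist, and sweeps a constructed Zeek-style connection log for contacts with those endpoints. The tab-separated log layout, the internal source addresses and the timestamps are assumptions made for the example; the C2 endpoints are copied from the report.

```python
"""Build an IOC set from the extracted Emotet Epoch5 config and sweep a
connection log for contacts with the listed C2 endpoints."""
import ipaddress
import re
from collections import namedtuple

# C2 endpoints copied verbatim from the extracted config (ip:port).
C2_CONFIG = """\
103.85.95.4:8080
103.224.241.74:8080
178.238.225.252:8080
37.59.103.148:8080
78.47.204.80:443
138.197.14.67:8080
128.199.242.164:8080
54.37.228.122:443
37.44.244.177:8080
139.59.80.108:8080
218.38.121.17:443
82.98.180.154:7080
114.79.130.68:443
159.65.135.222:7080
174.138.33.49:7080
195.77.239.39:8080
193.194.92.175:443
198.199.70.22:8080
85.214.67.203:8080
93.84.115.205:7080
"""

# Constructed sample log (assumed Zeek-like tab layout, not real traffic):
# ts  src_ip  src_port  dst_ip  dst_port  proto
SAMPLE_CONN_LOG = """\
1678790000.1\t10.0.0.15\t51234\t103.85.95.4\t8080\ttcp
1678790001.2\t10.0.0.15\t51235\t8.8.8.8\t53\tudp
1678790002.3\t10.0.0.22\t51236\t78.47.204.80\t443\ttcp
1678790003.4\t10.0.0.22\t51237\t78.47.204.80\t80\ttcp
1678790004.5\t10.0.0.9\t51238\t82.98.180.154\t7080\ttcp
"""

_C2_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2_list(text):
    """Parse 'ip:port' lines into a set of (ip, port) tuples.

    Lines that are not an IPv4 endpoint (section labels, key names such as
    ecs1.plain) are skipped; an invalid address or port raises so that a
    typo in a hand-copied IOC list is caught rather than silently dropped.
    """
    endpoints = set()
    for line in text.splitlines():
        m = _C2_LINE.match(line)
        if not m:
            continue
        ip = str(ipaddress.IPv4Address(m.group(1)))  # raises on e.g. 300.1.1.1
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        endpoints.add((ip, port))
    return endpoints


Hit = namedtuple("Hit", "ts src dst dport kind")


def sweep_conn_log(log_text, endpoints):
    """Return every connection whose destination is a known C2.

    kind == "exact": address and port both match the config.
    kind == "ip-only": the address is a listed C2 but on a different port;
    lower confidence, but still worth triage because the same host may
    serve other ports than the one captured in this config.
    """
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto = line.split("\t")
        dport = int(dport)
        if (dst, dport) in endpoints:
            hits.append(Hit(ts, src, dst, dport, "exact"))
        elif dst in c2_ips:
            hits.append(Hit(ts, src, dst, dport, "ip-only"))
    return hits


def blocklist(endpoints):
    """Unique C2 addresses sorted numerically, ready for a firewall deny list."""
    return sorted({ip for ip, _ in endpoints}, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    c2 = parse_c2_list(C2_CONFIG)
    print(f"{len(c2)} C2 endpoints, {len(blocklist(c2))} unique addresses")
    for hit in sweep_conn_log(SAMPLE_CONN_LOG, c2):
        print(hit)
```

Matching on address alone would also flag the port 80 connection to 78.47.204.80 as a full hit; keeping "exact" and "ip-only" separate lets the analyst prioritise the config-confirmed port without discarding the weaker signal.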

Targets

    • Target: SCAN-14032023.doc
    • Size: 536.4MB (the containing archive is only 739KB, so the document is almost entirely compressible padding; scanners or sandboxes with an upload size limit may skip the extracted file)
    • MD5: 0414d3a2420f1a8bed6648457232d6c3
    • SHA1: 044bc64da88a7f8c5fab58a16f03b7207edc37d7
    • SHA256: a81f976050152bc57609b467fe5cfa0b7b341776fb948a2fa2577c95fd984fa9
    • SHA512: 876018471fbaca599580ab1368d6a12327e734e1ae26a8675d8d7f19281335f11a42f783e21058d456da90b10dabe787833ecae785fac3671ab498850fe97363
    • SSDEEP: 6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

    • Emotet: Emotet is a trojan that is primarily spread through spam emails.
    • Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  Modify Registry  T1112  1

Discovery
  Query Registry  T1012  2
  System Information Discovery  T1082  2

Tasks