emotet | 58dd9b1c70ba3f48d36715ba38b5bbe0fa7e917a9e6ee035045178c253420ddf | Triage

Sharing

General

Target

invoce DGTOP910 14 Mar 23.zip
Size

669KB
Sample

230314-p2wd6afd46
MD5

949765392fce5a81b575354a8ee86d74
SHA1

3589f78e63412c790f49dba556f83a4c0cb798e2
SHA256

58dd9b1c70ba3f48d36715ba38b5bbe0fa7e917a9e6ee035045178c253420ddf
SHA512

5ccc90f277920b85d12226254f4479c5280003aae5c24b6a39c8b33a56c34022c248021a07f68dcf4a4bfd808b8367a834654654bff47f8871d3c5b33cc115bf
SSDEEP

3072:2IFb4Wmkqke+cEeqH9vH+i2s1Vj8JxuLVpMs75XLKZvM:2Oykqk6Lw+i2s1Vjkxuxp/QvM

Score

10^/10

emotet epoch4 banker macro macro_on_action persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  invoce N 2207 14 Mar 23.doc
- Size
  
  514.3MB
- MD5
  
  6ffb44c5822c23d3364ae40fc53ad4c0
- SHA1
  
  29be88e8244945ccdab161bc8856a6c58ff46a71
- SHA256
  
  2998a06d6c86a72d6c9179b20eabd972576af6a0538de6e26f439fab48dc1630
- SHA512
  
  11280bd31611b14a48ea81cb8e5e5e02a2994328b37d0d14bd3a763edb4fac3de3d7342f4e1ee22b3a15c023e639d43166453d0f317e0387490459f983beca52
- SSDEEP
  
  6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Score

10^/10

emotet epoch4 banker persistence trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

emotetepoch4bankerpersistencetrojan