emotet | fb7ec650e35e5df2b91422942730d0d31c288d06669c00bddf989d1d149bf0e1

General

Target

Fakturierung.doc
Size

534.3MB
MD5

bf16595909993047ef58203821614b7c
SHA1

cc3715547c98a950ad61842026045de915f6ab98
SHA256

45fb8507138935dda07ec1fb243b61e18954f44691f383e48e32301a4dd5d61c
SHA512

b56d9c99ca78b503ff426536407447a7e750a01af5af9f3ab4f12dc872b8b3a798d83eb2f9867869ee29daefc947fd5b82d953e72d3529e3291e1a5370d3a9b0
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4208	2768	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	176	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2768 WINWORD.EXE
2768 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

2768 WINWORD.EXE
2768 WINWORD.EXE
2768 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

2768 WINWORD.EXE
2768 WINWORD.EXE
2768 WINWORD.EXE
2768 WINWORD.EXE

pid	process
2768	WINWORD.EXE
2768	WINWORD.EXE

pid	process
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE

pid	process
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2768 wrote to memory of 4208	2768	WINWORD.EXE	regsvr32.exe
PID 2768 wrote to memory of 4208	2768	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Fakturierung.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132230.tmp"
2⤵
- Process spawned unexpected child process
PID:4208

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TODAlRp\pPkENyYgwsrqQ.dll"
3⤵
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\030658.zip
Filesize
847KB

MD5
8a90eab3b0543c3e548e9efef331c7de

SHA1
15b83e08112dffc5248322f9e5b385c20015d3fd

SHA256
9d79513a2e651d16175c7c627cf87372ddd8bf535b8e33d9f32572b00aa59140

SHA512
cf98252701c7e75f00d1381d1096b1651e9a84352359b5347be6b74fec32cb52726bb1e482668db59a56510de29ac0d0bcca309643ee9ef4880c046ed2cc1c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\132230.tmp
Filesize
541.5MB

MD5
3a03282ee2db20a8f0ff75a634a98b58

SHA1
942e52cfc63ebec0d59afce4c57cc2e267eff19d

SHA256
45038ad922e388ef15efa7fdbbf22c989911e648acfe6f61f55ce0c5c6953fcb

SHA512
899c88e068ec9c5e0b25f0afe1a82ab8cd95c1d8787d1275dd16ca7994bb9446037e35484d2afcf4c6be3ee17ea41135097953fca6157d8c94faf52797d87786

Download Submit
C:\Users\Admin\AppData\Local\Temp\132230.tmp
Filesize
495.1MB

MD5
b1c67dcce71599434d71b6d8741ab607

SHA1
e7dd921456f9a498cc42ead5962b79d05484ce37

SHA256
90f18f05c7497703ad7cf7a1699ec133b4e14ebd426f24c1b1a0797370ba74dc

SHA512
b04f4aaaa1457b781a27ad9851ea04e4ec7e07f74af6e2c10febffe9f0aa1ec889aaac4e9ef062b1a6d848bc0321092173de8bf193ae3b541a93200764c885ff

Download Submit
C:\Windows\System32\TODAlRp\pPkENyYgwsrqQ.dll
Filesize
518.5MB

MD5
a7b2831bf1b26255b8e5a2f87e17a8fc

SHA1
5e4a0980bdbadbc9302ac664f6281cf1da411239

SHA256
9c4a478fbab31215a2fe08e5520f4e53ba0cc7370aad0f66cfffe7b80188cf77

SHA512
6b744f54b1f74ed5e6c196307053cbcc99f1dc5ea2a146bbfbb57aeddfd72acb312eabe2eb129675d4888717cc74ddb243abcb3527b5180f4bf3846630d5f3b0

Download Submit
memory/2768-134-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-138-0x00007FFB8D670000-0x00007FFB8D680000-memory.dmp

Filesize
64KB

Download
memory/2768-139-0x00007FFB8D670000-0x00007FFB8D680000-memory.dmp

Filesize
64KB

Download
memory/2768-136-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-135-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-137-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-133-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-202-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-201-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-203-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-204-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/4208-176-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4208-179-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads