Overview

overview

10

Static

static

8

Electronic form.doc

windows7-x64

10

Electronic form.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3150384944662459307.zip

  • Size

    672KB

  • Sample

    230315-kwahaaed21

  • MD5

    cd4f382ac68704b2ecb06500850150f6

  • SHA1

    512717c375e462191702c2dfcb832d6bdc5ddf01

  • SHA256

    3ebccded14f510e67decdf3eac7fa864ad87e8054ad88da862c7c926e95ca887

  • SHA512

    1690c0d5ebd58369f302263667a701794182fa906d08c3f901fdd66fa1c6c521c31046b2f9c3522748d128923c4032e5b26febe7021439b6955903ed9f30bbff

  • SSDEEP

    3072:jIFb4Wmkqke+cEeqH9vH+i2s1Vj8JxuLVpMs75XLKZvS:jOykqk6Lw+i2s1Vjkxuxp/QvS

Score
10/10
emotetepoch4bankermacromacro_on_actionpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080
eck1.plain
ecs1.plain

Targets

    • Target

      Electronic form.doc

    • Size

      517.3MB

    • MD5

      40ac024d3b10c4496f47f9adfb80962b

    • SHA1

      e000a44c935d53b2dc99ceef3cd4d28ffe90c1bb

    • SHA256

      bc1694b34546b4fa07862b44651d11686f92ccfa9ef7069499c191794daef0db

    • SHA512

      cb0d139b73833398a39caadb57b48379adf9300e6bbcf1b1bb6d5b8c18a53978f2ba89b786f8d1b0733b565d67e1e5f63da2c9cdf412bc283db05d27e350d3a3

    • SSDEEP

      6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

    Score
    10/10
    emotetepoch4bankerpersistencetrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks