emotet

Resubmissions

16/03/2023, 12:34

230316-prx51aag73 10

16/03/2023, 01:47

230316-b71zyaaf7x 1

15/03/2023, 21:39

230315-1h3jxahf6v 4

15/03/2023, 21:33

230315-1d62jafd62 4

Sharing

Copy URL

Twitter E-mail

General

Target

DOCUMENT_0316.one
Size

117KB
Sample

230316-prx51aag73
MD5

c7bc51b068bcc5f983fc44b2acdf7944
SHA1

de0be1048b12dcaa49c295e72bb659ca14b45eab
SHA256

b75681c1f99c4caf541478cc417ee9e8fba48f9b902c45d8bda0158a61ba1a2f
SHA512

797fce6a6fe8fa29875dcfe05695c357daf23cec55a63ffe61418219997df65c2fec49b24985d79a0a16b000ffbdee5979dca1258482e2606101e7231cdcaf7f
SSDEEP

1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXvv:1BoC+tCYvSMVnte8ZP1Y6Jfv

Score

10^/10

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  DOCUMENT_0316.one
- Size
  
  117KB
- MD5
  
  c7bc51b068bcc5f983fc44b2acdf7944
- SHA1
  
  de0be1048b12dcaa49c295e72bb659ca14b45eab
- SHA256
  
  b75681c1f99c4caf541478cc417ee9e8fba48f9b902c45d8bda0158a61ba1a2f
- SHA512
  
  797fce6a6fe8fa29875dcfe05695c357daf23cec55a63ffe61418219997df65c2fec49b24985d79a0a16b000ffbdee5979dca1258482e2606101e7231cdcaf7f
- SSDEEP
  
  1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXvv:1BoC+tCYvSMVnte8ZP1Y6Jfv
Score

10^/10

emotet epoch4 banker trojan persistence
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2