Resubmissions

17-03-2023 10:17

230317-mbr8pshf9x 10

16-03-2023 13:49

230316-q42vdsba75 10

16-03-2023 13:38

230316-qxl6csdc9w 10

General

  • Target

    MDE_File_Sample_cf9e4c7534e0116cae7f8714e3284061ce058ff6.zip

  • Size

    658KB

  • Sample

    230316-qxl6csdc9w

  • MD5

    64255eb2063a52f65970fdf1cb0c85df

  • SHA1

    00f06987ac2bf9a79138dbe0837d76afe63b5088

  • SHA256

    4e943075967fb249b56a16f3f7c9d647e98d6d85af2b162aa623ee7fc33dc331

  • SHA512

    85f718dda27ff9d89910aa9d2c19e695c9770e88e0f4144f9e2ab8022972767c788699d40a2f9b3f3142a3ca30f4beda2627e574ae4f6ddbc1cd46474160415b

  • SSDEEP

    12288:PyXIqz8+7UpplLvc+sB/imDYQnpVglo08YprdZlA0LIhCHotWZ/j/IG0Do:q4m8fxvi/iGtMlLZi0THUM

Malware Config

Extracted

  • Family

    emotet

  • Botnet

    Epoch4

  • C2


eck1.plain
ecs1.plain

Targets

    • Target

      gescanntes-Dokument.zip

    • Size

      1.2MB

    • MD5

      6d9cbb363088b30514e5f6d2fb720578

    • SHA1

      cf9e4c7534e0116cae7f8714e3284061ce058ff6

    • SHA256

      399d678e20c83ded5fc09691b409286ff278787f1e9406cda316110518f285c4

    • SHA512

      5556dffeef24c9fd2b976019e54123984bc907eb1c8f08bb81299d2975098e6a4ec07ee3327da95045005d136ccd2b335d3b79d64d121f78916e83a6f3718f9d

    • SSDEEP

      12288:7hY6fxW+B96/KYREga72L2X0lMNPZqv5Uiu3stsRkT/mCadF5qs:7hXfxl91UOqufVZkTOdv7

    Score
    1/10
    • Target

      gescanntes-Dokument.doc

    • Size

      535.8MB

    • MD5

      10b71d7f695ac3f1a6267d132c825db6

    • SHA1

      02a7b36c21a416b9a2b094a0a3b6eed005673985

    • SHA256

      3695ed0ba836d615bbadea21eefaf5c0b565a4af6aff8c09aba17b3e3dbd2ada

    • SHA512

      6686b2d0f608151b8268991c39e7f39acf1a8f13abc421b8679e1c32e4bd5c96b77e1a7a8ac2e58b011a0bebf5ee187b022bdaeebfa143bc1016ba75eca10303

    • SSDEEP

      12288:XxYDQ8EW+Ba+qKYR08a72L2X0dMzPPqvBUEu3uNsRAPYwT4q3MJ/d:2DPElaSUqqafj9Q4ZJ/d

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks